Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 20:25

General

  • Target

    DHL __.pdf(1).exe

  • Size

    555KB

  • MD5

    cd4a9b992171f893ae11fbff7d1b9252

  • SHA1

    7fcb6fa46300ee32d6abb30627e841a13e0269bf

  • SHA256

    578d694adb18d1dda0ee217c2c08e2e99f5d1bb9bafe6f3962844bbe6e6ebf12

  • SHA512

    24aed4844f20d9b025c8f8ee0429bb4f3432573cc08e86e8014cd82d56ed22c1caa7ac4bbaa95ff4790d5240d0641806f44104f65fa2541803d6552ae5745014

  • SSDEEP

    6144:thTFzbi0i83BJ5NraUGTRQrFc67uSCLc9aDYU07XbUAWAVf:DJq0i83B3la7GYDVaXDVf

Malware Config

Extracted

Family

sodinokibi

Botnet

30

Campaign

97

Decoy

sytzedevries.com

druktemakersheerenveen.nl

energosbit-rp.ru

business-basic.de

acibademmobil.com.tr

leansupremegarcinia.net

worldproskitour.com

shortsalemap.com

pansionatblago.ru

humanviruses.org

ya-elka.ru

block-optic.com

silkeight.com

carmel-york.com

unexplored.gr

hotjapaneselesbian.com

forextimes.ru

avisioninthedesert.com

agenceassemble.fr

keyboardjournal.com

Attributes
  • net

    true

  • pid

    30

  • prc

    mysqld_nt.exe

    dbsnmp.exe

    ocssd.exe

    sqlwriter.exe

    winword.exe

    oracle.exe

    thunderbird.exe

    mysqld_opt.exe

    agntsvc.exe

    excel.exe

    ocautoupds.exe

    encsvc.exe

    infopath.exe

    mspub.exe

    msaccess.exe

    steam.exe

    sqlservr.exe

    dbeng50.exe

    sqlbrowser.exe

    onenote.exe

    firefoxconfig.exe

    mydesktopqos.exe

    thebat64.exe

    xfssvccon.exe

    synctime.exe

    ocomm.exe

    powerpnt.exe

    tbirdconfig.exe

    sqbcoreservice.exe

    mysqld.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    97

Extracted

Path

C:\Users\iey029hmi-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion iey029hmi. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B805D138AD2CF8B3 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B805D138AD2CF8B3 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: owmxjHEGREhcm3GOWYOlUmTbrZ3Ebyb2WlROhh+73oylvOklJGrQgZGDI6NN/5Xt b9+yT6fFo1vW2mJzOBNen3vgVyhvAWIq9lCuXcKNES8T2DY38w13vmQkjofOsm/C eaPNX+g/o8iuwCsAA7bt2VQigf18tFX4LEQuqNcbZNrSfrcvDYA8BbielqvSGuxc U0bX/wK+v06FCTKYTPjA5OrWeb3QQudc0qQUcKw1kXdw40SPh3t2s/1F51U4ot4J T9kWchHA14moSLr5PI0KGZL8XAO7bccaiRar9p5bfJwZ52UDqIh0/XsSCTqHzhEi 2oxAqQnR0FWl8tDXZOaUKXF7nYbeOtvrZs1T4ihTo2PSc0zQgYfmS5u0v2I9HTIW hgRa05+019uayzIhik+70cmZG+/7MRLczKhXaWplYFD5Y/L1X4cGhHwsIPogDKnr uv28ksf7+QlU+ToBiRrDF3eCTyPE25l8bImtLu8KBtYVeCQ7MgMYxhpWbMaIKfgn 94NpqsW9PMlEfclo0fXBbCH9pKCie/rYL/VT0vqBSHZaehPxo/r/ksGTZrjN0QsV ShXmwKQrfz47XCXDZx9v9AseuXFnqO4aW0oUDhKf5qZ2BC2iHf9GlbZZjhL8Uh40 XPRBkBMXx7WDte0nqUu0AKA7IInQ4FGlmrpBY5qgq2BgM+k4+8MWjSR9VtM+ZZj/ aFJ3t43UAo+CTt5KJeU0PwuneEQf3b4iAaRKQR+Rxdi3YjBAU7TFFbzuWhw3UYdg SxckiS25STwhYFGT59V32BOtsOifTJPVxDlzBf/BxdlWa6EQZpUyWlX2nq9Hik/u 803UWm40fiIs4EARO953R6791YyDcbkZgVPXbJoWMLGkpkBURGt0NG2HnmaRh3Tr 7Tjy7m2vOFJxNIU/5TOMtZH1r25RRnnXWzIb8GN/0cKBwwrz8MNYMV1FLUoILlXC KZp7zEJcbZd8GCo7tMzcbKNxn7sirVzv4Oo0Tyz9nlYj3ULPbIOfsbBUhakYYBW1 PwQC2ClkQ1qQoiHQ8/WJCMMTgOIS37Mw1Ql81oIpMXxfjmSIi1TMRw7NVAK1YKJ9 tJUgP4SrKHxPjeBLstHaEwo0fm9b8EesEZJc/5JN+vpQmkJLNo+onx476d7RLL4U CA92GCqA16DSDX6eTz2MhxKJ8uFSSh80XjjQymg5jjgorYufl9ls0IxPHrnrwfD/ mn1OrSovTWyfBy8Lji8= Extension name: iey029hmi ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B805D138AD2CF8B3

http://decryptor.top/B805D138AD2CF8B3

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 47 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL __.pdf(1).exe
    "C:\Users\Admin\AppData\Local\Temp\DHL __.pdf(1).exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2796
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab67CA.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar67EC.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\iey029hmi-readme.txt

    Filesize

    6KB

    MD5

    8e4bff92f3880323cd25454a4687b2d1

    SHA1

    a98152d2c7f9c87bc418d5a316e0f14eee53a0e2

    SHA256

    efbed23cddf483c2b3a661e59d69a266863a87763f931698222fd6df60d92f1e

    SHA512

    4b61651abb6679aec4fda99442132042f92bc0040b831154c1698f398cc18ea12fbd8712196a9015b3b1a41059459e04aa8846e3178e1d1622c9fefdf425cdc7

  • memory/2188-547-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-587-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-4-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-3-0x00000000005D0000-0x00000000006D0000-memory.dmp

    Filesize

    1024KB

  • memory/2188-2-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2188-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

    Filesize

    1024KB

  • memory/2188-584-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-5-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2188-589-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-593-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-595-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-596-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-597-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-598-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2188-599-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB