Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-12-2024 21:39

General

  • Target

    735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe

  • Size

    324KB

  • MD5

    20defcd42cabf5da27a21dd342e58068

  • SHA1

    408cfabc99c350ad28def5475cfff5dc2de02543

  • SHA256

    735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c

  • SHA512

    8a6a2f462b9e5ecccae13ecf176c8d2ec93e1c535f3541aa9a39151ea7874e730bdb627b422fbe2ba1c51c98c9c5a2b35da79433fbe9105038836ca33f31814d

  • SSDEEP

    6144:uhHmIZ1A3Lp5r8Xjv0PZNVhmN7r6PNkr1UT:iHdA3Lp5YzIH7mNyFqo

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$3aLOaggUASU5QrJ8Y1pYZeU93mMQzM6yVgD7yb83aT6O21pMW2lCu

Campaign

51

Decoy

woodleyacademy.org

bookspeopleplaces.com

despedidascostablanca.es

lapinvihreat.fi

drfoyle.com

carolinepenn.com

abuelos.com

groupe-frayssinet.fr

tecnojobsnet.com

deoudedorpskernnoordwijk.nl

siluet-decor.ru

smessier.com

calxplus.eu

julis-lsa.de

aminaboutique247.com

pier40forall.org

coding-machine.com

longislandelderlaw.com

expandet.dk

blogdecachorros.com

Attributes
  • net

    true

  • pid

    $2a$10$3aLOaggUASU5QrJ8Y1pYZeU93mMQzM6yVgD7yb83aT6O21pMW2lCu

  • prc

    mysql

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! !!! !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    51

  • svc

    backup

    sql

    svc$

    mepocs

    vss

    memtas

    sophos

    veeam

Extracted

Path

C:\Users\hoc5p0yrb-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion hoc5p0yrb. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/99AC7F55857D1B6A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/99AC7F55857D1B6A Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 7+pk/JLMDJ4VhGrKmFZ1ZaTVHl913R+438omAha6MtskVaTFIQ2FvbyDbvvmSGnr yy2LmTNOpdR2H9eCpG6fNlVqMCgFY08VGLtQqcd4hClrzvilRUM9pvvNHBPuTtQs JVTlmB9NsYAxpqKKQof3J7gcUOSFShFpMfyX3a3a2QKOQ/5GuPHPCk2Mb6oTGyQd sanoTl6PWX5PjL7lkml1AEfELoiofZgQvtFQ0hlSeBGbSJlk8HGtLnN/4HfZlDux SGYsu75eYokZbc0mKO36KRazNeHo0pM8PrgGIcV4wQPaAtDUSlhzSMp7zzoL4wBx vcIfTmoveZW5/0I2TOUL1qbCSlFHuiqcmbkNKEOpclNSfelR9qcl9a8Q4IDenuyG KdeMZgtyUMjOTSU0aV4zjfbmC4iDtfic8kXuHPjf+7PnueO+jPcxAOen6FnabAx7 yFwmHhhWtPbfbGLWimt8cpBAoAXFCIXFJkxGnvQz2yQwXWQSXcEo1e3ifd9wJLTU dDfnTB4BO2rxhd0tUUbNxmfq/UC8wt7zgLf4OzUcMmsQNDwy2nWhRBlIKKwUUkSQ f9XW8ydOs02akgtHSoN4eHGMh+Burk6k9HLWzv6c48NpUbHTC6t8tg6Q2+HvY308 uhlwukelbd1SvxsAgl88I982YF2qEkm+uYiIAlmA6AhQHEIyHzkBXSRPInrZTcWk mXYmzwWiBokWtdkvXSLzhzKD8UbV85SiFZ/DMglUdKUB1p8TUhav5kBAMyRueiYa FL1pZYTaGTV13IL95+7YkQwLKTFmAMzIjmz4+Dutx5rLUOiGMLRW1W/Rg3TVRttu oTYaSLjh0dxDfw+t+NdLFqwEaWZtiyGnAYip+EJX+HA3hsSVoBeJ94WNZO5ZeTAv mOw0mzFGRhj8L8Tzu/8b8/mlCuJIvr6fuYA9XPRgc7upwoteBMKuFfx101bT18eB CNVSTA8qRcSjQIfLylk/d96CdMS/SX+DhDpVQjD6oshuYoZfraOk21RFsV3UYyAt YGQlkilEQ+KlD3fVSbQLdnHViGxxuNjkfmpZLpMrmS2R46lI8miuSFuHxJfZk7N/ sZK4l7+aF/h09ZJthmzlYQSXS1Gbf2uDPkk1iYPaR+igNUBrogrcUFssgU9rfzFr QjNGpydEvLQd+m5IerFqYK1HfhY/vtc/MndtAzuBXMbHxWzBWs8Qzs8X/v/2CYO2 2SdWZtum5bjepU9IJmTZj1pMPaa/RpE1cfNlZCXgOOvVFPFsTxhQA/sz1axpzUw4 ScDCjJUBl3Ox5K8fMvyTVydzfhnPbfHSojcgDwUylECNqI+8afijUD3ueB7HuuAO gPOr77FqK5gtq67miXqoFFBpBsarYHXyUxM9ai+FN6W4Ew== Extension name: hoc5p0yrb ----------------------------------------------------------------------------------------- !!! !!! !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/99AC7F55857D1B6A

http://decryptor.cc/99AC7F55857D1B6A

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 33 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe
    "C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3008
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:888

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\CabCBAA.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarCBCC.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\hoc5p0yrb-readme.txt

      Filesize

      6KB

      MD5

      f0b831ac96514a4f2bcbf0a9f01af675

      SHA1

      e7a630da9ee1d8963435208f534bf52c93f86601

      SHA256

      962a8428138b6056cfa56fd917287332a95495c8dabfd048c475a582b1f09c19

      SHA512

      4f37c052db6f67781f6804512331fd3c728c32f258f94c82f321ee591c6c631d74b36291b9178ea7fad0958ab7d581e68fd942b8c7936ee61f4a7c433082c62f

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      194KB

      MD5

      ea33b6d8114f9afda771d14f7e83b842

      SHA1

      386b8a909eee9310c2d0508c8c27aa7f4a14a1d9

      SHA256

      d5a85e43659ee0e018a6e264485c31d6ad838089ad598093f1a146528a1d98bf

      SHA512

      6a209aa565e1ac779e86e4ede21288207a0d2c471ea8d41c3888e42ed34611f35dd35622b7a58fbd0ced3eb89ee42da2e627eb9d66f57c04e534e930f4f13e8b

    • memory/1600-1-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-8-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-6-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-4-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-32-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-18-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-10-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-12-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-2-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-14-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-519-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1600-165-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

    • memory/1600-16-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/2940-24-0x000000001B670000-0x000000001B952000-memory.dmp

      Filesize

      2.9MB

    • memory/2940-31-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

      Filesize

      9.6MB

    • memory/2940-26-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

      Filesize

      9.6MB

    • memory/2940-27-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

      Filesize

      9.6MB

    • memory/2940-28-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

      Filesize

      9.6MB

    • memory/2940-29-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

      Filesize

      9.6MB

    • memory/2940-30-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

      Filesize

      9.6MB

    • memory/2940-25-0x0000000002340000-0x0000000002348000-memory.dmp

      Filesize

      32KB

    • memory/2940-23-0x000007FEF602E000-0x000007FEF602F000-memory.dmp

      Filesize

      4KB