Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2024 21:39

General

  • Target

    735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe

  • Size

    324KB

  • MD5

    20defcd42cabf5da27a21dd342e58068

  • SHA1

    408cfabc99c350ad28def5475cfff5dc2de02543

  • SHA256

    735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c

  • SHA512

    8a6a2f462b9e5ecccae13ecf176c8d2ec93e1c535f3541aa9a39151ea7874e730bdb627b422fbe2ba1c51c98c9c5a2b35da79433fbe9105038836ca33f31814d

  • SSDEEP

    6144:uhHmIZ1A3Lp5r8Xjv0PZNVhmN7r6PNkr1UT:iHdA3Lp5YzIH7mNyFqo

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$3aLOaggUASU5QrJ8Y1pYZeU93mMQzM6yVgD7yb83aT6O21pMW2lCu

Campaign

51

Decoy

woodleyacademy.org

bookspeopleplaces.com

despedidascostablanca.es

lapinvihreat.fi

drfoyle.com

carolinepenn.com

abuelos.com

groupe-frayssinet.fr

tecnojobsnet.com

deoudedorpskernnoordwijk.nl

siluet-decor.ru

smessier.com

calxplus.eu

julis-lsa.de

aminaboutique247.com

pier40forall.org

coding-machine.com

longislandelderlaw.com

expandet.dk

blogdecachorros.com

Attributes
  • net

    true

  • pid

    $2a$10$3aLOaggUASU5QrJ8Y1pYZeU93mMQzM6yVgD7yb83aT6O21pMW2lCu

  • prc

    mysql

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! !!! !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    51

  • svc

    backup

    sql

    svc$

    mepocs

    vss

    memtas

    sophos

    veeam

Extracted

Path

C:\Users\w7ld957-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion w7ld957. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A47CE0FA1D542E07 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/A47CE0FA1D542E07 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: m0FiSL39am8s1SvYPZXif8r/g55ISo3EekKXB/wW/ykyMvXSILtBFioCEPwuBZLa dJtrH8nMVYIfZQZj+XgoUVchgzkBAyPaUTZ7mhMz3WOPRln+lf/yWcYz6oufEroq jBndyRCcK+j3jpqDhTr6KZI7q/ZLrNqV4Qm8LGDHjxdkdMz6SciDpRxXqptv8ZRG psM/jQi7PuJE5CS2R4IliUc0I7LOQzJF13vXoIeozH6XCktHFNBtal/PTIsde6cQ jHy9FItd3nj532jWHVkvMAdU/eU/947vj5fDfeJhCBvtoK7XgZ2LVJPS3QUAV88H ekgrmv0sz54Ge5/XlkLzK3/c4DYniq0Ds9eZ39CXOwAukE5/uw9scpkXMlMAkYfp ImXqjHbQbuM6JgUdrpZ5+ThqDjQ5u1zLpMMY9lDJLneKojPKBK2iWGbu/LapXPYV NPDr+UDFRYvEaoZnLCCTKkNiEJQSrNl53tJ2EIzhigJ7vZH5ZDJhsZL6xJV159sC vzVPOI66RXzvqyqMSwZKJ7CHnGwbegeF8CG8TO+Id3+gIvFn7a1PxdL9EZcWVL6H 5t0l46Td0eZ6blm3BBp5xZ92+CwPcrvAn/G18jOBuZ42MuUYd5P6Or2gnF8mMXLs ecuUgi8c5jbPT7dXclgZKmIsVeaOOE2edNPuL88K33EJhcLAsHRVmf/zGYbpylfU vC9otwbpAQVygfWh8N2UUkuwHpkw5TGe8uV+HwVbOrXJnzWuSBLh6GXmx1lkFPKQ Ocuh2Mnze//KoNUC6LJMTXc3K0VqCP+NxdGkhSXZ/FwK2fbWR5wyxRHFVBQJzHng 9bipx7iP2a+DvQjECJHrWgSV3kMeGKHLePdMS9OWg2Yq5pWnLcuxkBhd4nKspInO evJkW+xvT5jGyAf+eL3ERtt3Ke1pK7dcKRxTk/nYxPng0j9vNQ8grwhZ0E9BMzPt YflFnU3JhXAs2405rGUS2M6ZozKH1CxgJ3WHk90BWuk8ppEV9hjMQaIYWSdQt3TL Hvv6UH6xMesgH9DSFZqvhaVxjJJVkOetut64Jd8wrD/Ol4bG7cXAPVwUG6e5jG0w SdIp3q+rFRdmGeIaDsIX4UsUicnFA62FgZt6nxpMGDQkn4OMRKX0xwWgufpj5ulm LOYYd+r6JJf1KPU/pEtCEDlXo39tBJiDXjXydOhEsqGXbQMIQxI8CJfGxpreZF0Y +Ne8109Ys0Pyuzr/D9OjiXXSMnYmKbTTrFZfSwdAWNJRGmSJabilS1tGXuzAA4Xn GlXF5Zps3dTXyrD00UoooUhy97lVOAoi8U6r22yq88Rtfg2L75aCowro02giLxLp bSXFLDlXzN+Tg0xSdI+uWNidRYOkvf45FcNJBv+Oun4Gfee0 Extension name: w7ld957 ----------------------------------------------------------------------------------------- !!! !!! !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A47CE0FA1D542E07

http://decryptor.cc/A47CE0FA1D542E07

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 38 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe
    "C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3620
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1728
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4756

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1hxdjrm.wbp.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\w7ld957-readme.txt

      Filesize

      6KB

      MD5

      a42276028ce4ad5c81c692d06ee361cb

      SHA1

      fbed8d404bdca891fa177daa8c5918ac7b82b8b7

      SHA256

      d9d210920a89d8e622d077a59920fc4c914ee90f724cb8085e7a1744a3c90109

      SHA512

      d3eb66eedeebe31e7370bd34a01b8082218e70f9c625ad12d6dbee13ba0165f8ee50f6b128a4d3a91f426e5b5057287de7953f8cf1e0ab3e34c8f7175bc7f6e5

    • memory/1648-6-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-12-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-10-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-8-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-35-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-16-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-1-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-18-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-2-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-458-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-14-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/1648-181-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

    • memory/1648-4-0x0000000000560000-0x0000000000580000-memory.dmp

      Filesize

      128KB

    • memory/3620-19-0x00007FFD6CD23000-0x00007FFD6CD25000-memory.dmp

      Filesize

      8KB

    • memory/3620-34-0x00007FFD6CD20000-0x00007FFD6D7E1000-memory.dmp

      Filesize

      10.8MB

    • memory/3620-31-0x00007FFD6CD20000-0x00007FFD6D7E1000-memory.dmp

      Filesize

      10.8MB

    • memory/3620-30-0x00007FFD6CD20000-0x00007FFD6D7E1000-memory.dmp

      Filesize

      10.8MB

    • memory/3620-20-0x00000251E17E0000-0x00000251E1802000-memory.dmp

      Filesize

      136KB