Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 21:36

General

  • Target

    745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe

  • Size

    1.9MB

  • MD5

    6f0f0f10532bcc6abaf04afd99811e4b

  • SHA1

    97f2891294853ccf9693d487f4fe11eea0dcb9d7

  • SHA256

    745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f

  • SHA512

    41a80f301a47e39c5eda4e444418143a8b320c1876970c2d9054c4d2c6f584e944f2a6bf1fd61c9c2a028a746eaa7b85c907a91aabb3a726e3693d96f90e90c2

  • SSDEEP

    49152:DIUWGS3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S:bWGS3S3S3S3S3S3S3S3S3S3S3S3S3S3m

Malware Config

Extracted

Path

C:\Users\Default\8yo0ez39o6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8yo0ez39o6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCB155FB051425BE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/BCB155FB051425BE Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: N4sTPMx9AGdu3/NOYjaFj2hdWIlsGJUEYurui6ZeTCXghjOLB2766ElfAJDWLbSE tnfABSuKgPdvtzf3Xj41rEeZ2RvhjsBT2qM61WZn1CK+Iox6nud+jw3+ZppHcAUk TOLeP3ZBst/6EJPbKnz/4W5L2QYgIbqQSf++TRfcMF1jeEbfoJzCZrhh6R4Njyvs IedGVHEVrAUE4+i7DUUZdLJ1IQDF9+fATDjhizKqCjk7pth42Z348kubu891pKsW IrwE7ffQcBS4vgRZOA2RjYVQkzntGQtENBnCX+vcyJRvvOnbYWMOLT6VL1B7wYj4 aNrg+LRL3fHOhhKYeX5FdWIScnh+0b6LTdgNa1kBaFCisY+RZ94g3S52VFUPgxOK fXeFyn2bhB1v76httciogYi4q+ZvzjteQj0NKHh99s4qDsP4DHo0BUgU3KLOanY6 2/dGCzF6np4hynj0ROFgZh5xA+9F0XPpzxc35KyYQ2iezGgwplfVeb4ojhSuFnJM VIZN+/goST+Uu8E71QrALUwMU1mQwh/K3yO4Xlq8TQmNXctAJsQ3kKM35x1nQIIm OoVk6SP0S4MDCItS1sL/ku+R+0JpfZJPKKRcKTcPICtB2Ptrmj+R8xw6g8vaw/Uw xEERM9Xktxq+oKqs6VOVmoxqUP8h1OJL5tM7Q2vZlq1EC4pQQN/rkzcTvMRi/Xxi BZoi2iT/4stfBJPIRxYYHDONkh9KyVtjW3pzsjTIXtNkA4pdSv7y0/V2mCnEl+rZ yRZ60xEHSGuJs7tjdc6HNQdO6lDBrymnb13F0wZWqLySDIwpm2s166T+bQc+0uJ/ LhxA8nlgYrnJuBWVgojgoTKAWdCDaaD4k3gHgYJW0yQhcdrovvCuVXikdtqKk4RO c8iyzVG6SkChKWHSePZZxGNmHxB6S2pLO29k/6VIpi4Tumb/+FQCX+N+ipIm6wbN /e2saQYb1fM0OUjl+ltfg5WE1kUQMw/C36TnIOr1tubT6MhWSbsTuEocCs0epcjx L4j7lStukiwVERLunQ4JrvkHs27j8wKKMWBSVZvg/nuBk5AybW0N0SI9MOgjIGlh GO6lgGi4MWYhqDediU8FdrO6lH5uv3nV2O6ZXKtNuWghfXDLtDdiqiiQ8ynnbQsM ZX1SqRqnSpQqVZEr+X5qdFlJsjEmvNBh6Ar8xWwY0kY= Extension name: 8yo0ez39o6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCB155FB051425BE

http://decryptor.top/BCB155FB051425BE

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Renames multiple (150) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe
    "C:\Users\Admin\AppData\Local\Temp\745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Default\8yo0ez39o6-readme.txt

    Filesize

    6KB

    MD5

    d9a8212c8ebb32a2ab9526b6fa466017

    SHA1

    47fcb26ef47dce784f41519e7f12313aefb7f793

    SHA256

    d2eebd4844fa85e0cc8887b9029b2eb21a7353ec21f2ea50eba4afa8796b8a50

    SHA512

    1d17ee5b8419c1997bf20526e992cec6c40166919653a06eb6bcda14f1362ca5e4688efd7a2250a07f55dcbb57a7f0a425fd63fcc14dfc39b24911272123029c