Analysis

  • max time kernel
    134s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 18:11

General

  • Target

    b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe

  • Size

    122KB

  • MD5

    f2ad75f1f945cf18e2f903fa645d62b0

  • SHA1

    c99f6b459e4bfe77a0c37def0d6bc933fc4a1447

  • SHA256

    b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205

  • SHA512

    0416aed927e99600059548d5e7b9b2f02cb1ec69cf692833da8851f8f03e4ef6fa06772b0798d483461ea8c05a5adeae355fc624b17cf74041b9e700a88eb6be

  • SSDEEP

    1536:RxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6Udoah5Dta66GDReUUz:RMhQNDEtb3AioaheW8NR

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$wsDKYj/FlqR3lZ6H4K2Qmenp6QLHkWTltAhlc0fUr6S4AfxkJrEhy

Campaign

7029

Decoy

cuspdental.com

humanityplus.org

sportsmassoren.com

adoptioperheet.fi

kafu.ch

innote.fi

polychromelabs.com

milanonotai.it

logopaedie-blomberg.de

theletter.company

conexa4papers.trade

tampaallen.com

patrickfoundation.net

visiativ-industry.fr

idemblogs.com

copystar.co.uk

paulisdogshop.de

atozdistribution.co.uk

sinal.org

purposeadvisorsolutions.com

Attributes
  • net

    true

  • pid

    $2a$12$wsDKYj/FlqR3lZ6H4K2Qmenp6QLHkWTltAhlc0fUr6S4AfxkJrEhy

  • prc

    oracle

    synctime

    mspub

    sql

    outlook

    sqbcoreservice

    thebat

    agntsvc

    isqlplussvc

    mydesktopservice

    tbirdconfig

    ocomm

    visio

    powerpnt

    dbsnmp

    encsvc

    onenote

    firefox

    excel

    ocautoupds

    mydesktopqos

    wordpad

    steam

    ocssd

    winword

    xfssvccon

    dbeng50

    thunderbird

    msaccess

    infopath

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7029

  • svc

    mepocs

    vss

    sql

    sophos

    svc$

    veeam

    backup

    memtas

Extracted

Path

C:\Users\67ny35-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 67ny35. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9457AD543F88C7FA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/9457AD543F88C7FA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: YQqLX24hNoLL7QezIi9twVse6/Vk8QuKwvC+mOQgbvUQr9+hdJFLGNGimAPxp1Hx hq2FN1i2q/Qx0qdGgupL3iF1GDTYmYn8tUX1CX3EGeY8qYACKbA/1fLhE++pSwDL qtatV+76XVpiBAZKj1X20xJ3HgWx1lR+DQCD5DMYrnPtExhVWaTAde2Z0aIeZV7T E5Ujm7YTgWs5zajTGJnd2eqsSA97IfRhHi9qxH/K34YMBrvbufSLui0wqwRiUD+b bNLFVAwxKWyLyRPB9VfQ0z3L4x9uTkJ2FtSm5EQxvbSa39lNHRxoyQz4BnX2OE8l eRSsUj7l+pCtSJaFykMheitBKnoNHlx9cz5C7WUrgLNYAqug3tFPTgIZ4jzZvGMO mixCd7D01CYdrG8er2gzX9erAiSLoULQ0TnMNFU8uE8K/pKedeZPunN3jtkSaoUk 5OkORU5nYTeuD1T9c7bnz2JrL4t3r9MqsOCh9Eh5GbetCrYbNExYTQdqJD8yogMl P8GwqlRiDOz6aZ+UfFkGRfAw5WHIJUxxL3VVC5b68W9b3Xrvp4VmF3FPY1RifVoh 3apxf/tDkUfSC/nFtwHyfAlyNAnIgS/kDeMGm9Z3iGTtJLuZfykYHDRgmPqOOrbp 4C/8QrJKP5NvI7Z3sMYWtfQOK6hQqAnfWw+qjQWKcp/IemZjOiUejOyZKujTcC3A WY3iqan+n8kT8LrGLMHNAnt20ObKkhDXzjsx7ZkvhCs3mQ+vSQtoVUCJReE5xQlU VOwAk03s01uniMaR+pGzm629O9BixafMAD45tqBdttCeU8ABi5IDSARJ5sxP7bZh eFeY6te/gQ3gunCdcY2YDiYcj+UnMlOC6qeUD4/wsvIqP7xpWOzzYZ64pTSToZL4 5iOVwpDQjbW5xI9gucXBUes3qIfS12iMyGRZL5Iql6DumMU2QeU7VHmcBmVrUgUE 9rTUkNF0+9+r5CrXtaQbem/MCxM0atraULgi6V6Dwz6tbGos3OZqQHoaMfcXOq8q dWDcGpeqtJLswrfZ1zqnUSIPG1N8aCtxeewinVloUJKDrWYOF2/6ryP+UPGYSsg1 DLN8nunatX+OrxTvou7yNbI6ugDVqdaTNBJVLHutdgjKDuMl4FwkwIZILsIBshYO G9z9QdBSMm67RQ+YmvxVyl+KK157QjU9JNJsvEjsffHKm09AfuGsQP3LnepliAFD sJnZYz5sZoysh5IkQJ8SxaKptNPlIdCNLpW6pziYOZE7HA0wEZ6OqgELVf+RY3Df XiImncik1TrDDndw1K3Qky0cApyMTuBdVvb8eJrQwvVE75JY66HZPwpvaPFPM7MR 3kiDUWrTZwTYESune3FnHcmuATw/9A== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9457AD543F88C7FA

http://decoder.re/9457AD543F88C7FA

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe
    "C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2828
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1184
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:768
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3024
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:796
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\67ny35-readme.txt

      Filesize

      6KB

      MD5

      60939ce5d16926d93289f3118430cd10

      SHA1

      88163a2a654d6f8d5e5cb728abf8d6fa718f0a0e

      SHA256

      3b49c2505a2644f840019e41d51647988765250bf055e0c0c96938030fa7d6b9

      SHA512

      c41f15d40c4ccbc004ec505646b8bf922555e539bacd9009de27952f13ab45dba8635c6d7d8342cb490e8ab60ef4ba9877b678d248235eb5a96b8a7baf983c0d

    • C:\Users\Admin\AppData\Local\Temp\Cab45E8.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar460A.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • memory/2496-0-0x00000000012D0000-0x00000000012F2000-memory.dmp

      Filesize

      136KB

    • memory/2496-566-0x00000000012D0000-0x00000000012F2000-memory.dmp

      Filesize

      136KB