Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 18:11

General

  • Target

    b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe

  • Size

    122KB

  • MD5

    f2ad75f1f945cf18e2f903fa645d62b0

  • SHA1

    c99f6b459e4bfe77a0c37def0d6bc933fc4a1447

  • SHA256

    b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205

  • SHA512

    0416aed927e99600059548d5e7b9b2f02cb1ec69cf692833da8851f8f03e4ef6fa06772b0798d483461ea8c05a5adeae355fc624b17cf74041b9e700a88eb6be

  • SSDEEP

    1536:RxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6Udoah5Dta66GDReUUz:RMhQNDEtb3AioaheW8NR

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$wsDKYj/FlqR3lZ6H4K2Qmenp6QLHkWTltAhlc0fUr6S4AfxkJrEhy

Campaign

7029

Decoy

Attributes
  • net

    true

  • pid

    $2a$12$wsDKYj/FlqR3lZ6H4K2Qmenp6QLHkWTltAhlc0fUr6S4AfxkJrEhy

  • prc

    oracle, synctime, mspub, sql, outlook, sqbcoreservice, thebat, agntsvc, isqlplussvc, mydesktopservice, tbirdconfig, ocomm, visio, powerpnt, dbsnmp, encsvc, onenote, firefox, excel, ocautoupds, mydesktopqos, wordpad, steam, ocssd, winword, xfssvccon, dbeng50, thunderbird, msaccess, infopath

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7029

  • svc

    mepocs, vss, sql, sophos, svc$, veeam, backup, memtas

Extracted

Path

C:\Users\2u7c3r0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2u7c3r0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E7DFEBBCC1557AD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/9E7DFEBBCC1557AD Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 1/s06aDCkhMj1pRuAAlBGt782qsoE6pClapbXHMnAoEwLcNjU+CEFRkH9dbE1B/Y GYlQgEwgwgxwi1pcZh0nAyT6u1Kj65F5ebC+tU2jHRFwxIZ8PMpZWA7XQLeI3MK9 AClO7x068j3cCcysTrDXfp/9mNc1SVQamPKFapx9LOH4wrDTju89V2OmQopcgDQ6 ZWaR9NLor8G9uo+GbKNpnKj09Z1ST0TUiX71oqgvpDtm8F3FUlxKNB2bwYPFLMF6 wPGIng4VSx9ZP/6KFeeI7lsfLqhexPeLvbZ5yhg5LcJLgcDAd38ip4odeHBv84A+ pM04yCA7NuWSJNTI+PX6I+wAGWPJGO1Ht1wM1MHKlqKpv8FDgaPn4ksktM7iH44I DRXOD04n9hA12YVY0JcDFuBz6U/pHJvFdRe4fzNoTTk/qSMAW9ipB8SUTb1rs1oR 59acP3KW3kyzqWJ63CQJ3NB4/BxmKgk5Ct2LSNllJFkmOFWbC7SFjlze8beUNlHW ED4HMSvJ841VX9AV2KmhdiWONnvHMWXPsmXnc7UrPuzu8qTethr4feRO/fIII1ro QfY2DqaxwJOCKCpoNweu/SyoVCabea0OZVv0DOhIe/wlEcCYg+JOg6D5mlghYAhi 9o48qDeRL20LbpEcpUH/COUliFNhrsER8o+pcWbAC6ng09AiJbXLQ11PqfhnxQ+2 OwHm5VZBPvSP8NTEiEklBibhkYM5Eq/M53w9KkQZaq+YCWtzkasUyGTOCsfdM3yD 1nQAMT1oc9A0/nRlmvw/zqHC/gRtlUOfpFEKmT59L9PCK/yAzGtp9m6o4xukTGZI +e9GOev5iJTdqG3eq3Blo9Jheq/Oy4oVWLKLkbDqO44CDmlqgY7v+AOlPzMkTfL6 XIQxC4KV5KSjjzAEj+RL1zjQCP7i8c0yMxFHbGP/f6i0slkQ8Pwqu+kGwyVWnZr8 Ef9dKb+1z2rYfJCfvR5KeNU7VCkZU1AihjJdMSq/YxKp7R419jtlmNTGodMVUnKQ OouheUScYBJNC4hYWDb9Y7haQeCUrIEXe+I+tgK0fDdwQgtEAdXZzl8p82O1wA4i Z0KrvO2Hc32RJv2cg3TEFB+R3zvDAWDJC2BptBdA5w0IPjVKviiHKwfKvWPr9lmu 4SsQyZILJzg6j8mcWvQxx+Hqz+YkNwrBhpxYwcnzrRuMoKSvtC/79pVxemrhH9J2 N/aqbTyR+JSWaQnSfTHOtaQkLzFzKIwr/5hEc35kmxsZfFF1LTKsIBYuRaA5xkxB J1MlLm3y72wdg2ogAUBjB5U3ssXyLJmhnrMY9+6QzUhMG3w/ifo4AGzkyp7T2rD8 KfZYxfsJ/7iYUWNnvaZX5QuVsC4X90XlQ3iNO7g6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E7DFEBBCC1557AD

http://decoder.re/9E7DFEBBCC1557AD

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Modifies Windows Firewall (2 TTPs, 1 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (41 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe
    "C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe"
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1808
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:3996
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:4452

Downloads

  • C:\Users\2u7c3r0-readme.txt

    Filesize

    6KB

    MD5

    91c25d5b5fd286d19b026b8c4af97742

    SHA1

    ae5d14ba4a91a63d043ff1d07f7b6820686cdd14

    SHA256

    3387c33457c16c6893dfc86c8fd32dc8d5b0c2143f95ca9aee7c0787f9ea6e44

    SHA512

    da5e3e72c1db625481b56ba5ac072a1ba8bb69cbb6d6d10196f8123c7eef68e34070798d0e1c0266934f67e834a24506bf8ae122ff77d90176a9f481054e2e6a

  • memory/2348-0-0x0000000000FF0000-0x0000000001012000-memory.dmp

    Filesize

    136KB

  • memory/2348-514-0x0000000000FF0000-0x0000000001012000-memory.dmp

    Filesize

    136KB