Overview

overview

10

Static

static

10

54f07b825f...in.exe

windows7-x64

10

54f07b825f...in.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54f07b825fd662618e1142ee47ef5c988c08ae59c60209bef250fc68bfd3826c.bin.exe

  • Size

    121KB

  • MD5

    cfff09d3936962f72fcee2a50e3fc2c4

  • SHA1

    92c64935bda4b9c4d5609b5f3a2555f2527f4c9f

  • SHA256

    54f07b825fd662618e1142ee47ef5c988c08ae59c60209bef250fc68bfd3826c

  • SHA512

    d4913f96bed96b5cb2f24e34a9597cffe948f9bf475b946605d6dfed2b11f0b1683145beecfbcdc487be1591a831b1255324e53dba50a3a04a962ff189512d98

  • SSDEEP

    1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZsc2gzuI51cLX:J1MZwlLk9Bm3uWcbHLc8PVg

Score
10/10
sodinokibicredential_accessdiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\Recovery\p96z88x-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension p96z88x. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/98F49F9E76FF4AB5 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/98F49F9E76FF4AB5 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: BmLVcegWwSC4tZl//gF/VxT8isXyz1yn9tInPCgoPDA9cffIauUvINuxK/JFvBIU 9fwuQUTLtQp4MbM262JW7xOwd4hPoBEv/mv0keoQZFm+seswwcTZk57jWZfFEbAC kbO2dMa2cIzTZ1Z7reBL7f0YI7g5ynWOwoawfGJlldZ2sAku3SR+356C8K2QCX0H zkC0lwFsAYvYETbBjlNBAV9lvO6TlNnZGotaPgvVhv0gMv34VxV2ktldhiWlPZzS LQmznd4lvfI117y3J5xtgyJEZ2UAkJxcTl5J3nWEgUDeI/SlSiiwcNfRUicRVhUH ibmh/QSygPYYtIEFOUZcfdFg38i1yWvibvJMkHBlbmw4huPV4vhb9hZseD/H1oxA BnYO12EAt2ak2/9mRQd/RTHfcJ4LEg+gIOCSZAjuKEIc8nn81z/dkfXgcYgGwIUF NkGHElW5y7ibLmc+jIt59nGXeGoEMtAimNhjR9uDUUWV9pzpykSL/M0jN3m5V6jM IrWOTZFegjKJ5yB4hgvRthNg/TDrcY9FHi/8z/ffVxI8IdVu3OwiQUbrYwAfKjSN pYGzKHN11VC6PiTqOZsJUwAE7dXrbS+xyVrphLuMSRox5gAhi1Gw6vrEdXFrZDkZ Gn2gjbcsus6lAPsb2zi2rMrAvmVWLkrP3yJPx5K5iixC/haUupqzBLfPgmK/OVWZ 05KB167jFnYBrVF/eDNCuuY5POiu/iw5a+HIXSApLs1EM7IwlsKlOkCsAInvKm7b twiTfnGz7VOhw3F09eQj4Es7RsfRb25Tmu39wByNSLXqGhpDDDfUglwBPl4gp7yD S3atkE5QuueVXY0ewGruYgLuMdjsu/pr1kVQHskuDUC3dtAB/jMQIZ7tD93gjPB/ hNiOsScrJjHJBexRTEy/RLOEiPdoJS053pDg5JkwWg1HD5qq4/A65Rzjhl2iuYIp tbAxvWe7LGpgcHWTECjmGg0DHdXpTY3685JDLfKtTyvT6dbxH7Ss6/fJ+HmoQr9q N1dzcbk6uH50XLXcN9tJ1a2hOcGRhSzJdVuc2cushc35ZAxAdNoYaPTi8VF3Oa1O SjOk3D3nfvJ1zhxangjcLWmx40efhHCp+znExboxPqU3mDqX9RrMgk3bZrVfZ9LK XpYWYin2kAa2IJbwOFl0jsjxTZ0g7bO4AVspazgM1/5MNSav0d8lCboFzzZIoBGx hUAJFeXKmKOm52O3QWm2bWLp7DT7924AfEeCO9Nf7uKNygcNxgyRVDx2JbI7XQ9C GX3pkRZoHAtL7n8WC3ivmlFVw/BZp4TsCw0WWfTYjeAoA1vUJq2+s+9qNWGr+3ib NdA+eaf6x7kycBYo3iVNM5K8EK17KOon ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/98F49F9E76FF4AB5

http://decoder.re/98F49F9E76FF4AB5

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 39 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\54f07b825fd662618e1142ee47ef5c988c08ae59c60209bef250fc68bfd3826c.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\54f07b825fd662618e1142ee47ef5c988c08ae59c60209bef250fc68bfd3826c.bin.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2228
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2536
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\p96z88x-readme.txt
      Filesize

      6KB

      MD5

      e0790a8d2d0e9daa3e646e85e9d7ba58

      SHA1

      fea4dd609db8102eb0dae51bef862269088e4017

      SHA256

      cfdd347697c371e7050844c51620acf3dea3f96ba18bf16897db1a59a9bb7b56

      SHA512

      2e46c1ac97ad54980dc6ab891365fce3d6e160fcf9829bf3a91d69e3d805102d87831312f358d3d529827289f2d5b5837b41548880e17567802011b5f5b6163e

      Download Submit