Overview

overview

10

Static

static

3

WF.dll

windows7-x64

10

WF.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 01:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WF.dll

  • Size

    488KB

  • MD5

    b66989cd4ed1b8915fb86ae17c5cf547

  • SHA1

    927781c3a6810666a633681790f0da904f2d5f61

  • SHA256

    404aa25835d452767bc081c37f36c417813f6db3cd661398220e2775de5957e6

  • SHA512

    d122dce1b6f9eda8ec0adf6f6b823cf2457e42d6464b6fb14ed81276ea3618f2c08eb6fc02fde70f150d3984f006c13125a052032240f404188877c4c78a7024

  • SSDEEP

    3072:soaZ8xC9ql4IzKW39oATm2MNp5fW/m4rySoC1+ur75omw0nKTC:3aZ8xC9ql4IzKW3VMn5GOSdqmFnKTC

Score
10/10
sodinokibi$2a$12$owgvxzgciiwq5kwvorskyocqwgdh1bfvxroi42ibibiwbgclflvyu7341credential_accessdiscoveryransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$oWgVXZGCIIWQ5kWvoRskyOCqwgdh1BFvxROi42IBiBIwbgclfLvyu

Campaign

7341

Decoy

cactusthebrand.com

dnepr-beskid.com.ua

michaelsmeriglioracing.com

monark.com

koken-voor-baby.nl

harpershologram.wordpress.com

bauertree.com

cranleighscoutgroup.org

alhashem.net

dirittosanitario.biz

oldschoolfun.net

highimpactoutdoors.net

pv-design.de

parkcf.nl

proudground.org

remcakram.com

modestmanagement.com

antiaginghealthbenefits.com

zimmerei-deboer.de

nurturingwisdom.com
Attributes
  • net

    false

  • pid

    $2a$12$oWgVXZGCIIWQ5kWvoRskyOCqwgdh1BFvxROi42IBiBIwbgclfLvyu

  • prc

    Sage.NA.AT_AU.SysTray

    winword

    visio

    tbirdconfig

    SPBBCSvc

    lmibackupvssservice

    ccSvcHst

    CarboniteUI

    encsvc

    mspub

    dlomaintsvcu

    BackupUpdater

    TSSchBkpService

    Microsoft.exchange.store.worker.exe

    excel

    avgadmsv

    msaccess

    Smc

    powerpnt

    mydesktopservice

    ShadowProtectSvc

    dbsnmp

    synctime

    oracle

    Rtvscan

    sql

    sqbcoreservice

    NSCTOP

    thunderbird

    ocomm

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7341

  • svc

    ofcservice

    kaseyaagentendpoint

    storagecraft

    savadminservice

    teamviewer

    amsp

    klnagent

    mfevtp

    azurea

    altivrm

    vipreaapsvc

    msdtsserver

    kaendchips

    viprepplsvc

    bedbg

    veeam

    kaseyaagent

    mfewc

    memtas

    huntressupdater

    psqlwge

    sppsvc

    threadlocker

    mepocs

    code42service

    auservice

    tmbmserver

    sbamsvc

    swi_filter

    savservice

Extracted

Path

C:\Users\t55o185-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension t55o185. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3DC2A1877D6AAFA1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/3DC2A1877D6AAFA1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: OvGfnnro/CkNXkWZQzNk7Naxa+DgSWXYnf8b3xuHkZNfHpA0YFvs9FRzW8nEFMMR SGeZqtlvXVzdBIxswF51Ly0GlrjDj8YfIWEB+gYvZb6o4P+WmTy7F11mXjVu7VXr tatRoTciO7v08qJP/BS6F74urYqEex6JOW0Ecg5yfvTaQ1lT7KIw0hVnSF2/zMHt r+NQjO8SOcl2orG1rN1wmEiZ56vpjZ5n6g9KeUKhzbBGlOgWLF7WTMEwM9ZQlWKl 1nOWDx/9zdeQz6fn2/Lq/lsvVTp4ItUttQcqlXYxRK1KfSh4E6AquGNMhsR+fAO0 ZRiPScNMM5UE9sZSdJ5sdL34kJ0n7ewez/Pf0TMxEKCLBfFJD05pm3sGeKGpAaJH D4WFlUlWoDP96nPM/6k18xyFGaWXsqiAYS30Jq62k68cOF3zhESGmjqiTYn9d+gO O4WOLT//wFusD+VvJdQIxlTU9dDvfrEXP6vVGKpBD1ZYmQ/tmTktRJLq6XsS6SDI lzqnP67XXLESH5xqrZB7uG1fAxE2SYp1wkabJU2j3oAUJXw/nY0FdZ7V/0nxpNPE yecLf1u+thQ9xHDLIVqLlBsgfBRdrxrDXc/MZTUVW+pe/97MaH/xovBXoMziDiTK y/hdzawvMhmHCo1kRxHglysOKuDmVsJGPpSaWrpHWYyhPMty5S70RfJxzkCEYjYk CTWB7QPXVidI/Qy0rydfjobUxMZ5/1IbrnlfeHwDHTZo6wD4sCa6xIePtI2HMMU0 lBT2J3jqC3Ogr/ALax8CFhZJbAQDFruOmSLrXu2coWTjos72DWDzLdS8faZu1qpr gQWv0fO+AK4V8sSHzvPNdd6YKruCzOlRSAQMjdFeSKuwa74cMPc/KvpWwpCdAiZ7 BfxG49VM1zyi/jSf7b3Xa3rBsZ1hSFpGoiOirYpMWHJ0NWGkehUjNkkTF5b5b6od 0kwV+Xl3FNnFRmWSDCzyWSG338tkyBzDA4N57mZ0I6m2mZ8B81Kdyksu4AUPow8V Fapzx2eGFFvxvEWESjzSS4BcKYr6yHu/lM2xFQnNk3Dt9Yz2kUSs4hwjjtHB8lsr 4IVU0pRYT5P2U9NclYaO/878f1gXnJvu7EkMJxYYxUHWRGJsL/iby0NivOrZ2P5q SfyGDqSY70uofi1VOiduN9AZkgNxwIWuRFx6POlr3VhlWvuQenQ6FpVCNY+55HlV GuMxvryJGZmXrYWdJA/ZO+w1pa0M9tN2Vqh7Bk/jaOURDJFjvAd/led1RwpK381V 4KBjkYbCOo224KVpNRfpurYpJS1vIo93IXf0OSYYW1Pmkj6rqWRqhrj3ykLgIexa ai8VLacc+Ay2t3orneLrRSIcG2XDxgwp ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3DC2A1877D6AAFA1

http://decoder.re/3DC2A1877D6AAFA1

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 25 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\WF.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\WF.dll,#1
      2⤵
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2884
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3000

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\t55o185-readme.txt
      Filesize

      7KB

      MD5

      f53331c0df4a82abd8b6c454ed5a8cb4

      SHA1

      eadfe1e0189ba032cfd5f7017b167a43edc13b5f

      SHA256

      09b1fc2da625e2c4c31fdf4d0e714a7fccdc42f6173bc2fd78c8ea5408e6dcc5

      SHA512

      90bae9cd42767daa495c8803a72fd462c5108781dc15f06c620b985c4267b0db6586d37542e68d62c869ea0fabfa837fcc9598e0a6a7923a06346ba24d9583ed

      Download Submit

    • memory/2156-0-0x0000000000210000-0x0000000000248000-memory.dmp

      Filesize

      224KB

      Download

    • memory/2156-1-0x0000000010000000-0x0000000010038000-memory.dmp

      Filesize

      224KB

      Download

    • memory/2156-437-0x0000000000210000-0x0000000000248000-memory.dmp

      Filesize

      224KB

      Download