Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2024 01:36

General

  • Target

    WF.dll

  • Size

    488KB

  • MD5

    b66989cd4ed1b8915fb86ae17c5cf547

  • SHA1

    927781c3a6810666a633681790f0da904f2d5f61

  • SHA256

    404aa25835d452767bc081c37f36c417813f6db3cd661398220e2775de5957e6

  • SHA512

    d122dce1b6f9eda8ec0adf6f6b823cf2457e42d6464b6fb14ed81276ea3618f2c08eb6fc02fde70f150d3984f006c13125a052032240f404188877c4c78a7024

  • SSDEEP

    3072:soaZ8xC9ql4IzKW39oATm2MNp5fW/m4rySoC1+ur75omw0nKTC:3aZ8xC9ql4IzKW3VMn5GOSdqmFnKTC

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$oWgVXZGCIIWQ5kWvoRskyOCqwgdh1BFvxROi42IBiBIwbgclfLvyu

Campaign

7341

Decoy


Attributes

  • net

    false

  • pid

    $2a$12$oWgVXZGCIIWQ5kWvoRskyOCqwgdh1BFvxROi42IBiBIwbgclfLvyu

  • prc

    Sage.NA.AT_AU.SysTray

    winword

    visio

    tbirdconfig

    SPBBCSvc

    lmibackupvssservice

    ccSvcHst

    CarboniteUI

    encsvc

    mspub

    dlomaintsvcu

    BackupUpdater

    TSSchBkpService

    Microsoft.exchange.store.worker.exe

    excel

    avgadmsv

    msaccess

    Smc

    powerpnt

    mydesktopservice

    ShadowProtectSvc

    dbsnmp

    synctime

    oracle

    Rtvscan

    sql

    sqbcoreservice

    NSCTOP

    thunderbird

    ocomm

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] Attention!!! [+]

    Also your private data was downloaded. We will publish it in case you will not get in touch with us asap.

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decoder.re/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    7341

  • svc

    ofcservice

    kaseyaagentendpoint

    storagecraft

    savadminservice

    teamviewer

    amsp

    klnagent

    mfevtp

    azurea

    altivrm

    vipreaapsvc

    msdtsserver

    kaendchips

    viprepplsvc

    bedbg

    veeam

    kaseyaagent

    mfewc

    memtas

    huntressupdater

    psqlwge

    sppsvc

    threadlocker

    mepocs

    code42service

    auservice

    tmbmserver

    sbamsvc

    swi_filter

    savservice

Extracted

Path

C:\Users\aj1a4q1t-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension aj1a4q1t.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] Attention!!! [+]

Also your private data was downloaded. We will publish it in case you will not get in touch with us asap.

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBCCCDCE3DE2C976

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/BBCCCDCE3DE2C976

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: u+/OCBTEBtuunRObTs5JBySdTLoVgkMWeJK7nAjp4PZoVNVSINtilUi+eU+Qp05i iFCcWjnXR35hgMJr8tGVMJABDAREqJmXqIRuSyC0Pn8G+lbJfHJJETKWhxOTZOqJ ynggTSeF5ykS49l1O4r2i8CRBldesdbc5RdBCs5Nb7WRO0UVb4VqQmfyPNwlvYIx 6vuvEKPZcUWxbjNh7tgxIiXdkAopdNcENtGJGi9vWiLhj6/nlSXhwjjJrl8/1ZRp 7yswSvZnB6hemnXRtF5WFk9KooeUebTEUUjbLTDNc/Q8yjLONVDI6rjAbXb9vsLW hirr4JI+NcFjb+JNnKLkcuy/Kq9cNs0d+pL21aFU4+NXEhfTdH4ryH3/4Hj6m/wa KOpm3Cl3XG29r2pfNoZM1Nus4C5z4zQYvg+WyxSCJkw1HUBplxoZ3TWRrUKRUb5f fu2HYAKofooIr8YgkeA8HxHqbBWAg27rXbXAW488SfvjH5CGh2KbRtHM120kYlmx nLLcSUc1a+9NLI90Pz3Oo6hQ2AMv+cFgrUoWyVEmM5whKtnn1XhivD+T+t8pbz7w fJZJtOjvScppU2fLaq9TacIFey2ZYW1pekpDa+LI6HBjKSWCcqHBLngCs2ksvzx2 B5cHr/h1leqTsmhLIfRUrCeSle5DNGUweQHNTvyVZMYcdL61G1tusZX0dLsjW5ia H4bdXuFjNUsT32pi6frX2RCPC5JR4TYIlk8/XvKOZfzgCtYlaiGwiXIuVqq22/yS ohLEfdTHNnSO2sxKU1HZf0xvqhKNc3+gEIEBYZ3ZBgnl5yWKL6bicY0zIijCQCN8 5ovte8UaoUkUYAY1q2HssxD8UsRpjo4wanXFaJ870Yh2vbvx7UF1NO/cBs4B1Vqq yvddzQCeGiyN4sNaUzaRKBruJbIzXoiuz7wGaKvgRMdAfiWwQRR8yW+HHRkOewmw DZoFpqLHHMt23HKv66GTnp6K7YnOqihiEdflyY3bIobdpmBGp9zQTI0wSA8A4qpn tDv2NC/CvVKT9c/zS3RFDx5fZIstkEJoYKvSfJr/lOJWtZqwfsjkqDnDwFDfn8kZ 3O63YSw9mhHUp3GvNmiNINrC4eZ1/lBRmdCaaZpVOWgPnVa3va7CeBbX2W2tSQL0 Wb62n9FOIShGgaF3F0cc2/GYNTVSErXo7qGGz70SZquCgxboGBUfBp5b0NI3msn3 ZPdpdzKIuW7viwWAIAucuqg6koPPW4rnNKQV9UowwW2lmeIplg2q7dQQwmbVu9cC y8Y+n3NRnulHe+QGdBcJVNksxffbkkKOIaFpXsHDx6G2ys+mv7hkstB3RCna5/1U ioELDlw+5iZgtklINnIJKgra6cl/6axgABR4Ce5TiIw=

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBCCCDCE3DE2C976

http://decoder.re/BBCCCDCE3DE2C976

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\WF.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\WF.dll,#1
      2⤵
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3872
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2484
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4100

Downloads

    • C:\Users\aj1a4q1t-readme.txt

      Filesize

      7KB

      MD5

      72d71b10aa03e0e33c95e9c3efc903e6

      SHA1

      d519504f07b53fbdd4cd8d94f838447180c4fd93

      SHA256

      4b7f80ab623b703e805e25ffa4b5121733b25cc76e0820541a6dc5109cd3e927

      SHA512

      260093ece9b08bc8f3c6b0f76fb2cc890568770c65a2ab995db9123cf29b555e25bee46f2fbf2636e34afa6bd261895100b327def9f8256f3ff68ddad885ebff

    • memory/3872-0-0x0000000002500000-0x0000000002538000-memory.dmp

      Filesize

      224KB

    • memory/3872-1-0x0000000010000000-0x0000000010038000-memory.dmp

      Filesize

      224KB

    • memory/3872-4-0x0000000002500000-0x0000000002538000-memory.dmp

      Filesize

      224KB

    • memory/3872-89-0x0000000010000000-0x000000001007D000-memory.dmp

      Filesize

      500KB

    • memory/3872-90-0x0000000010000000-0x0000000010038000-memory.dmp

      Filesize

      224KB

    • memory/3872-443-0x0000000010000000-0x000000001007D000-memory.dmp

      Filesize

      500KB