Resubmissions

25/03/2025, 13:59

250325-rak58a1jt5 10

05/02/2025, 10:49

250205-mw3j6stjc1 10

16/12/2024, 16:58

241216-vgwgbawpbp 10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250314-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20250314-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    25/03/2025, 13:59

General

  • Target

    bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9_00920000_dump_SCY.exe

  • Size

    143KB

  • MD5

    e0804d33bf33a666a688938d1294e377

  • SHA1

    12a7c268d40647a5450c975b1fda242b70357c20

  • SHA256

    5202c8d4e62fa1f8f0c31bbd8bf0c78cda1fe8048fdf9c5542aec932c5738142

  • SHA512

    8d379c5695d7b907c716bebb13bd0cf4df93d777c0d2286843d0dab0bbd0a60fc9d4618b9bcef5cfc23e9ba9eea0baddeec613dec5c262a9b57285d0161f3654

  • SSDEEP

    3072:ap5c2kNWZgLbi4eTMlwDCnu/IGB96W/y1cL:arrcW2bnWJ/hB9wcL

Malware Config

Extracted

Family

sodinokibi

Botnet

5

Campaign

367

Decoy

Attributes
  • net

    true

  • pid

    5

  • prc

    wordpad.exe
    outlook.exe
    tbirdconfig.exe
    agntsvc.exe
    thebat.exe
    mydesktopservice.exe
    sqbcoreservice.exe
    thunderbird.exe
    ocomm.exe
    excel.exe
    thebat64.exe
    steam.exe
    xfssvccon.exe
    firefoxconfig.exe
    sqlagent.exe
    ocssd.exe
    mydesktopqos.exe
    msaccess.exe
    isqlplussvc.exe
    mspub.exe
    winword.exe
    sqlbrowser.exe
    dbeng50.exe
    sqlservr.exe
    oracle.exe
    encsvc.exe
    powerpnt.exe
    dbsnmp.exe
    infopath.exe
    ocautoupds.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:
    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.top/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    367

Extracted

Path

C:\Program Files (x86)\6nfv488-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 6nfv488. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D292F82F208654F0
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/D292F82F208654F0

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form: Key: x63JR4pPrwEBM12QRaY0aoyNp7S9mXt8rtpKqjGf7qe3zNAkepqzDXCjYGQcXO5Y 5SIXU0TG2WZmoqh2tSMj4jNIJF+e/BGVwrgHG4vO1RJa1Z2kyxSL/537bILejqU4 CmiOyrbm2R+bB3RgXBTjOKsmBtVxGqYE+mzpFwpEafAG9urM2ZYoSn9Y74XCSs10 hwid4Hwx19av70x3zZqG2JXLPPItcPspoBGxriVasZlt80gb0JsqmazhQfbKR7ux KkyhcpmDXwmK07HL7UfCcqtOqrBn895EJcKR9hU1/q/4OZyewI9VZbo0OIeQyHOq LjQaPe5AjKgwzkGqCvjuehDKji8KVN6hnG4OJ0LsL+BYTSM7uQANVDx+qMaOU/dR SFZWTgp17kEnhV9Zh827cfAXZabqdo0h6eQJqc4BMkAPikdJswtbFO6cvvD23JHa s1vpmQ369zMCpR/yNriR1O/m9FCIt6k8SxYbeFn9/yLb7Tb8cbl5mGy6waLk1GKv V8Jb43ZjEzjE8Qbxj4yRIsd8zCHpOVvnOJa2QlCU0/2J/xE7RfOvBaFxs6mDqedb kQqUQ0l4ugpnJvXuJELfp4t3R+E0Vx7l2+NSokQQS+OlGxCRhGDXKB7QolsamyQi 1mdpyAvoUwbj8YW2RnX3cOpOfV1xGIEx86gf/xH5OFydTAqNYuzTVS80q/yL5QLB BX/1fgGw8/pvp6uDQ6P6Aj0VxUoKysjMGphlzB0tPJMXFOPqxYOtvDk06EwN60H1 GkWhJoxgQh0JhRTZ2KoheUDh9Dx3o5GeLsHK5UN0lMWLnI4oGyco+7nB1thEOMzX JCZgGUTlnNSDcaneO9E6vFf4WW97F+uPz2mB8xXBN2TZqDLPnNUHiyZrjHd21A3t 1aK1OLoPsqSGlGgIeA+QSohQQ963O9Z6E7252UnBuVyhbhF4YKee+1cYaX5xQwjs t+zvhl0QlLkgXEyEMwXJiyneZruykdAuq2rEqN61yX3aDWKzh6mM49iAm9hyTlMY XfWsgjvvvIMr5i1ZF8+J1IWq3gxDioxRGcKmaeOCx0plIsS3TFDEpN7XUN0cs3n/ tZyhF6rcLlboxHN60+R1JVRjTvz6mVVcrquTsIbxy9njFy+bYx8F7sIHa9mSJPah ktVQHbGKtyGTl2ZNYyIYsp5Dqr2HKp/BokseDMcACkVb4nHJBFpT8OlHExMu53fZ Joq9gOYnx9NkiBkz4rPMAA== Extension name: 6nfv488 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D292F82F208654F0

http://decryptor.top/D292F82F208654F0

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9_00920000_dump_SCY.exe
    C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9_00920000_dump_SCY.exe bcdedit /set shutdown /r /f /t 2
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2184

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\6nfv488-readme.txt

    Filesize

    6KB

    MD5

    8a3f831e5829a137bb6afa1d078c6c6f

    SHA1

    d9005109d3ffbf4bc742b540a9bb352846ea7a8f

    SHA256

    ff889f61e91f669bb502d6f6266b019e290f2707a05741ab16a127384a8f5d44

    SHA512

    ebf6cb3c19fb6bad76507d73414ac660831ec1a1a5cd469c5c0a296ba66ee31692f1b87bdfaead07add2b6b8f5953053943c6e7b6ee383d86542a037dbf456ca

  • memory/3224-0-0x0000000000190000-0x00000000001BE000-memory.dmp

    Filesize

    184KB

  • memory/3224-1-0x0000000000190000-0x00000000001BE000-memory.dmp

    Filesize

    184KB