Resubmissions

04-12-2019 13:21

191204-vcj2bx45de 10

02-12-2019 16:56

191202-4g8res8d2s 10

General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • Size

    157KB

  • Sample

    191202-4g8res8d2s

  • MD5

    b488bdeeaeda94a273e4746db0082841

  • SHA1

    5dac89d5ecc2794b3fc084416a78c965c2be0d2a

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • SHA512

    2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Malware Config

Extracted

Path

C:\Recovery\89i132.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 89i132 extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0F651AA11A98240F

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link:
http://decryptor.top/0F651AA11A98240F

Page will ask you for the key, here it is:
OPiEhXpFKwCXgyd4/3h/91dm1BPv90h70YqRqWbkSIDXoS+v7yOWSWkIAo0oBa2o
/UHkvfbN02LHttpjTcY4Ucrv6bH84ved/tnX3Z821Ug1NUHOsZRKydqP01jzMedP
380+VxB8YPMC+HCD+u/rK7Mr8Ygh+5tmyZnNOVEQuh1iImhGWain7WqaWlW4GWkU
88lr4SBJOrXLh/7kmvarb0DO8sCE0kcrIBbgvFQTp5LB0y1LJzhA1jkhWsaYQmjs
XaApVw2KsPoUANVuFrbT3PtpvviUTFYJGfxZlYGdExmcx8+IverFc5fUAinrowMv
ZEPoTUOyXpb45frvO1SH8Fkd6zDT4HSR/PSS8PXu/Zh9hzTm8K3ttsEUH5kOZCqz
j9AIA1sE3uJ50fYXwH0sLn0C5ZjpnbneYAN4JYX8TUvFxTab2qfpGAaZRWh0jF93
sX5VNdx7IlG0jaZAZ+rPbakxd4H42szd10QoOYLfwmJan58JREou9Avp5Bqosz/R
40eOOY0v+IbcTxS+sqvGdbT/AnONxqdAfgIsmhVDyjgQ7RMYJb18XpqSpMRB9Ypm
v0PYp0/nzIbMz+UNaCudc/o+E9wydLvwuj41SWMBPOG1cfNqROhcQdRXzC0RiLEM
+bxytTbU2fPL4SbOdH92vpsRCkTar9YknHsEfzCQamBnukyS3XmgfapYbbqamqa7
tJbrXudaz02dvHmRu0iZTZGOFUoe5g2JANZe9yn0Q4jk0XQCsrv5yroj/HBMzFeD
mQwO47DbMEDVtOxKreBuKfrHZCQC0rXyY1L6gE0Kobt+FOpbz4gJNsNsC2ooBilt
20bWELn/6Y/tGwEQ6fFGoB/WnXqkFDD29HSuzBoz92uuZZrEVfJGLeMzL9S4O3dr
xsE/l46Yun9L4S00G0SV0zAOledVDZcPqv/upN1UPZIyWpigyEmox+6+mZO73y6l
qE6rTHvdXax7l4ehO5SYNL2S2YzhQ95FkurTEu61vUFJX3BCcfc9PzPovgyPG+0L
uDOxDXcII2cpn/VP5m5M7mPOZG5L6/BeryYEoB+iAJwvo5g14SyfQpCYXrFQ3t3k
uYO9UpQZpuX5E7RZol9vP6oGDv8tFxxf

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0F651AA11A98240F

http://decryptor.top/0F651AA11A98240F

Extracted

Path

C:\odt\ktq28.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got ktq28 extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4180005EB49F822A

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link:
http://decryptor.top/4180005EB49F822A

Page will ask you for the key, here it is:
AgAxMd6++EfPzX4cYwg2m8KbEGOyTQfIbM+DA7Dgk/nt9M2fa/DFgZjQDO7hc7wk
8Ze2dxt9OMMHtOcxmFrHkn85tWv7iXxbV/Ui+A+pLPnvaeOsvMaN+P8AtYqvreoj
MsBV6A/BiFiVyyQDYZEDhNDPpCr0XE9M9DNH8NtkE+wIePpiXcXBFAOyosxLuPDx
IiBORHiLXd9VQa2IzOTjWpBk53hXp4H1CW90+b0UwQP7W2gSg5IYzeOh2oLFDUbx
o177vuKRXPZ8lQFXFcNcsF0Hqy1GfEp4h7M0sae62KfZFXZDsJfMaxstj2fn8UnJ
MQxHy/I6ixAB7JdMxHWejjF3lqIpbOmTM2g3k5zT8cFeAPRVpY/R+c39n0o0QxAw
cmwXzdOfFbTuU0aIbdV0BRYVM+4TwRRzvSlZvUw5J6DOg4EoDkPoOHkMppfFEPxf
Jn7uCMy/TIO9+WRvfzs/ZxnAOioBxu4vYY/KOMCYL7j9UDTQsu4dz1oznM6XKSxk
QXJ11TGxNTagKX6ZctNwndwlmO7nKPefXNaAJ5cjQvTXhZyCdgpP4ZyLTYyFPxCe
W852jug4KRqStybqoWXfJChPbhTJoKn7o/I+fg65dkAOFF5LWzej3+QlkRHfIJKX
CAhIv2k0Bi++jZqiK6lC5JyCmHtNHzOEYyGzqHxS5L1E8QDFdQUS7egcUSXsF2ZF
lJKLt/zppKMff2xzl0Sz856uFihZDdkLI4lJ6GpfBaAm6g9H/Ob02FsWhcvRvpJf
XLhhHVYe3Y7Xfqu0kR+FVhcjo050lrCM1YWxORxOkjTksYjhuX7rjCkr9lwMMfs2
lmJuDWiOkAqt8epZcV8yqqo0x4kH/h7upwyrhiCAbFiZLU0MuTKQxyVcDIlD+hML
4Psppji/B5F6/10SDMjXjwsVRSOm2WZ2bN9R1gdSWIUMqVeLR/W5xwapzCt7oLyf
XezXmqAdvnaHvC/HxpMYq8K3nz12QZMvUbHhc++orqBkCudwBOeL6w2Sdrm0WRpp
bDUHFO4LXHW9d488USkIcrJoeKZMJ5rx/LEoVhHWHSHtquxLZf9aTVwo1JKn56nr
AXUo2phZg58=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4180005EB49F822A

http://decryptor.top/4180005EB49F822A
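
The two extractions above come from the same binary but carry a different file extension (89i132 vs ktq28), note path and victim ID per run, so anything built on the note has to parse it rather than match fixed strings. The following parser is an added example written for this page, not code from the sandbox or from the malware. It works on the note layout shown above; the constructed sample embedded in it is the first note with the key blob cut to two lines, and the "<extension>.info.txt" file-name pattern is taken from the two paths on this page and assumed to hold for other drops.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed sample: the first note on this page (C:\Recovery\89i132.info.txt),
# with the key blob cut to its first two lines. The parser does not need the full key.
SAMPLE_NOTE = (
    "Hello dear friend! Your files are encrypted, and, as result you can't use it. "
    "You must visit our page to get instructions about decryption process. "
    "All encrypted files have got 89i132 extension.\n"
    "Instructions into the TOR network\n"
    "-----------------------------\n"
    "Install TOR browser from https://torproject.org/\n"
    "Visit the following link:\n"
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0F651AA11A98240F\n"
    "Instructions into WWW (The following link can not be in work state, if true, use TOR above):\n"
    "-----------------------------\n"
    "Visit the following link:\n"
    "http://decryptor.top/0F651AA11A98240F\n"
    "Page will ask you for the key, here it is:\n"
    "OPiEhXpFKwCXgyd4/3h/91dm1BPv90h70YqRqWbkSIDXoS+v7yOWSWkIAo0oBa2o\n"
    "/UHkvfbN02LHttpjTcY4Ucrv6bH84ved/tnX3Z821Ug1NUHOsZRKydqP01jzMedP\n"
)

EXT_RE = re.compile(r"All encrypted files have got (\S+) extension")
URL_RE = re.compile(r"https?://\S+")
KEY_RE = re.compile(r"here it is:\s*(.*)", re.S)
# Note file-name pattern seen on this page: "<extension>.info.txt" (assumed general).
NOTE_NAME_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]+)\.info\.txt$")


@dataclass
class SodinokibiNote:
    extension: str                 # extension appended to encrypted files
    victim_id: Optional[str]       # path component shared by the onion and clearnet URLs
    urls: List[str] = field(default_factory=list)
    key_blob: str = ""             # blob the payment page asks for, whitespace stripped


def parse_note(text: str) -> SodinokibiNote:
    """Pull the per-victim indicators out of a note laid out like the ones above."""
    m = EXT_RE.search(text)
    if not m:
        raise ValueError("not a Sodinokibi-style note: no extension sentence")
    # Every URL except the Tor Browser download is attacker infrastructure.
    urls = [u.rstrip(".,") for u in URL_RE.findall(text) if "torproject.org" not in u]
    ids = {u.rstrip("/").rsplit("/", 1)[-1] for u in urls}
    victim_id = ids.pop() if len(ids) == 1 else None   # None if the URLs disagree
    k = KEY_RE.search(text)
    key_blob = "".join(k.group(1).split()) if k else ""
    return SodinokibiNote(m.group(1), victim_id, urls, key_blob)


def extension_from_note_name(filename: str) -> Optional[str]:
    """'89i132.info.txt' -> '89i132'; None if the name does not fit the pattern."""
    m = NOTE_NAME_RE.match(filename)
    return m.group("ext") if m else None


def is_consistent(filename: str, note: SodinokibiNote) -> bool:
    """A note whose file name does not carry the extension it names is suspect."""
    return extension_from_note_name(filename) == note.extension


def find_notes(root: str) -> Iterator[Tuple[str, SodinokibiNote]]:
    """Walk a tree and yield (path, parsed note) for files named like the notes above."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not NOTE_NAME_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    yield path, parse_note(fh.read())
                except ValueError:
                    continue
```

On a live host, `find_notes(r"C:\")` gives one (path, note) pair per dropped note; the extension tells you which files are encrypted, and the victim ID is the value to record, since it is what the payment portal keys on.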

Targets

    • Target

      139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

    • Size

      157KB

    • MD5

      b488bdeeaeda94a273e4746db0082841

    • SHA1

      5dac89d5ecc2794b3fc084416a78c965c2be0d2a

    • SHA256

      139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

    • SHA512

      2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality

    • Deletes shadow copies

    • Windows security modification

    • Discovering connected drives

    • Modifies system certificate store

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Sets desktop wallpaper using registry
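
The behaviour list above names what the sandbox saw but not the commands or registry paths involved. The following is an added example, written for this page and not taken from the sandbox or the sample, of how four of those behaviours can be matched in endpoint telemetry. The Sysmon-style events are constructed, and the mapping of each label to a pattern is an assumption about how these behaviours commonly surface (vssadmin/wmic for shadow-copy deletion, the Wallpaper value under Control Panel\Desktop, writes under SystemCertificates, reads of BIOS or SystemInformation keys); it is not a statement of what this binary executed.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed, simplified Sysmon-style events. They illustrate how the behaviours
# listed above commonly surface in telemetry; they are NOT from this sandbox run.
EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry_set", "key": r"HKCU\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\Public\wallpaper.bmp"},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF\Blob",
     "value": "<binary>"},
    {"type": "registry_query",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

# Labels as used in the report above -> (event type, field, pattern).
# The patterns are assumptions about typical telemetry, not facts about this sample.
RULES = {
    "Deletes shadow copies": ("process_create", "cmdline", re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    "Sets desktop wallpaper using registry": ("registry_set", "key", re.compile(
        r"\\Control Panel\\Desktop\\Wallpaper$", re.I)),
    "Modifies system certificate store": ("registry_set", "key", re.compile(
        r"\\SystemCertificates\\(ROOT|CA|AuthRoot|Disallowed|TrustedPublisher)\\Certificates\\", re.I)),
    "Checks system information in the registry": ("registry_query", "key", re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(BIOS|CentralProcessor)\\|\\Control\\SystemInformation$", re.I)),
}


def classify(event: dict) -> List[str]:
    """Return every behaviour label whose rule matches this single event."""
    hits = []
    for label, (etype, fld, pattern) in RULES.items():
        if event.get("type") == etype and pattern.search(event.get(fld, "")):
            hits.append(label)
    return hits


def triage(events) -> Dict[str, int]:
    """Count how many events matched each behaviour label."""
    counts: Counter = Counter()
    for ev in events:
        counts.update(classify(ev))
    return dict(counts)


def looks_like_ransomware(counts: Dict[str, int]) -> bool:
    """Shadow-copy deletion paired with a wallpaper change is a strong combination;
    either alone has benign explanations (backup tools, user customisation)."""
    return ("Deletes shadow copies" in counts
            and "Sets desktop wallpaper using registry" in counts)


if __name__ == "__main__":
    summary = triage(EVENTS)
    for label, n in summary.items():
        print(f"{n}  {label}")
    print("ransomware-like:", looks_like_ransomware(summary))
```

The point of the pairing rule is precedence in alerting: shadow-copy deletion should page on its own in most environments, while a wallpaper write alone is noise, and the certificate-store and BIOS-key rules are context that raises confidence rather than alerts in themselves.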

MITRE ATT&CK Enterprise v6

Tasks