Resubmissions

02-12-2019 10:20

191202-k7xrts92dx 10

14-11-2019 15:55

191114-lrhkzccm9n 0

General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • Size

    157KB

  • Sample

    191202-k7xrts92dx

  • MD5

    b488bdeeaeda94a273e4746db0082841

  • SHA1

    5dac89d5ecc2794b3fc084416a78c965c2be0d2a

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • SHA512

    2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Malware Config

Extracted

Path

C:\Recovery\2209y9.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 2209y9 extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C104846EF5A7DE33

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/C104846EF5A7DE33

Page will ask you for the key, here it is:
x+Ch4+2zPRuVsGDVMG+eb7KqacUHvKNsA1zmGiWEccdJegjesbLsfbSPF22+g6Wh 8G+M/jZm123uKFZQRDIk8XhsCmeCWNsRVYzsXzNg4OC+M6f5WCW1wJ4TfJH2j+cy whaUKjoPwwTJkAXPc7eKgsbCw4ZuT8dGJjLPTOjO+UZ11+ZqCmZP+Ta1LzcJfwi4 sfA8W+pBICpwHDgUim8JDTtdgYsIxf1BfftAM5wVN2i+dD8BdD2BB6dp6m4jsDWy IlPxaVMjBVtjqNzrXPQ4lds6/bWaowCEP2f9T697lwsAUgq4fFe+EbTx7FcwYp3P EjSMObGS/o/IssvD/cZKyqvI53qqbxy3ABkIyxyTnlcw623V40da9HONH+gjFUta GQ3hmtbI6ln4eEJh63lYs0/jFJbUoYLC4/BlbOdyMGM3OziEKeKtogWwSyV9Moib jsKXohGPuZMkAk1lmeGOHWJ7aGfYUzq+2Z0rAFAMlbaWB5C1ML1TdKTPPjDSmA25 RZ8lFnd2IsqVAmvDzvCjjLto3sbBFpCTb+HGwmmotm83AKdegCiOlNqRWzEdJ1L5 dlG89S8fTCGTLyHnqW4Pd6EBlGKx8+NuwhVW7RJehh3LJOEy9OGEOPD8dWxxZtl9 9Rev71EgPZUZwUYPM6d+hE75PmBFk+fDx0Ze/TYoEGFwLZdA9Se2pm5T57QVBbXV 5/zRJO8FEyLmQEWMefCWVs8Mmyls7aBgYAb58qS8FfdB2VPu70liH2+WtE6Gsby3 MzuYWQVqlyM4vCXZ82ut8eSpeAhNVl2E+2aIG7/h6sxlhOu9XPfesJcV+EXnog5D aYrXpbaZ53vgxpHxEK9zOB2pGIoNMZnQnop73gDMQf+qwN2k1Dj1yGYWpdaqLS9h Fvg41D8ZWCslCLkKxr1ampDdKsqp+mmSrkjxsCt9Vo0RrRsr1P1vnGSnzsJSrlco VZtnifmueBG0qgrP7llFc9U3AFphi9amPOFcn0wtqow9ulz5xMGAFrqqyofwekkv XWkTazKkIuXFTCb4G5ZnTktQwrDrk3WnGBf5ln0tMh1I9RAP63n5uHVztq8BK8uk PnsHR50WGAa/NOvSrGw07zLokgULI4wT

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C104846EF5A7DE33

http://decryptor.top/C104846EF5A7DE33

Extracted

Path

C:\odt\b268804en.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got b268804en extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A621BAAA9957D5D1

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/A621BAAA9957D5D1

Page will ask you for the key, here it is:
RzGRpmC8Y4O4ZCAXD20Yq3H+mnIjFayEsCbhCWkpjxarE2izIwsGQ4rQkkdwphS9 Qf9X89JatffDkeSQe0sMIlA+wCKfDSJejHvXnu+GVxXI4fAerQrnm3mRbmMMlWtV Je+X3G5y/onxu7xLNVhk4duZITaOpwoaObulWG2wYXaBId7Ay9sIdFfxUvrTtai7 VI+X8jc5Njf3nM5dqh6aMkswq6IAteVz8wdcygsj6bK4mIePJdPaT1yb+XTKJTnb 5DJq5CfZWUA8WRolcXxT/IwkdGTOf2B5DS3y7HSkesRcQtLmrbUBKavTB+Dswsei 1gzkalt94WMPMe1eAdRFa3imogSmVjCle+w6shqWp+Qw/t4M2IGvIGbnVDrkmJGM xprkmO6cw97qTQ8Lemf8ntdtaICaNkM5itaGN881XQjnP0lUgCTA5w8Ygb62NIog T3slHaOnxtGuNInhP+p+0mDTWspRzGClJ3kTLrx+Fo35Y3Bktn3yY5cEZRWSxtr7 7TBkvAOwGtWOrHNBUIeq9FKa/DtczHlBYthNOWiVGBSDoZshzsLtosCBlBpLTl+a yYCT6xEYDkVBb4SLdkXCTNy2FLDOHhyahEIKDZQwmFi0D0zmrrxpOyV9XKCEdxqJ xKvGGrNyjG8QenylUd0OvuEGe4tfgAKbzy5ysTmpclwJSJq25JMLfO42+GANSr05 MgdTWDKudIBP6gZJDYMIFZ4DfI+kJDiCTDX/+s3NM7hrAbVZy3RyN9kFzPrW2dH5 1SI2uCWTZQkyItULHZ5+QbrmIypBbAC7DQIjftTAkcRSWBkTSwlTndaoZjcR1ms4 O0EPFxHflMCI4G6ZubFauQSjW1vDFF+ZGYzBjfuEAnjE4mvZxdLDqBHlE70S+XRA 82yhKZxel9+7aux55ts6s8EBTcA9bnIM9yaHxiNAau7x1tFtUWp70ONvqxZHUG/U 4kDs25YaPFAIecNcF8FAocEdOAQuKzRmtvkQOzbEHm3ckM1VwBKUjz0q++HJb/wT tjgiQBzmVUjZAwi4xtnHYK8d5ONNHdmEO6uHZ9JgiY+7/BFeJb7ljE6Pwq9riJnv 5G1pPOYYZHk=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A621BAAA9957D5D1

http://decryptor.top/A621BAAA9957D5D1

Targets

    • Target

      139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

    • Size

      157KB

    • MD5

      b488bdeeaeda94a273e4746db0082841

    • SHA1

      5dac89d5ecc2794b3fc084416a78c965c2be0d2a

    • SHA256

      139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

    • SHA512

      2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality

    • Deletes shadow copies

    • Windows security modification

    • Discovering connected drives

    • Modifies system certificate store

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks