General

  • Target

    0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

  • Size

    290KB

  • Sample

    191209-xr9d11evle

  • MD5

    fb68a02333431394a9a0cdbff3717b24

  • SHA1

    1399bf98a509adb07663476dee7f9fee571e09f3

  • SHA256

    0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

  • SHA512

    e03b076d36374b263dbc63fc93e793210dc5fd809f783cda6524390590ec56b4fb5c0aa80a52650de60c31f2f6d451fee17c72256100ac7f2c15347c05ab6470

Malware Config

Extracted

Path

C:\Recovery\46u34-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 46u34 extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E27DC6532B1C89E1

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/E27DC6532B1C89E1

Page will ask you for the key, here it is:
QtdiV+EJ0Q8pCjtoc8GisPTVHE6RYjTvjaTy5HL5y5WseywTauMcra7C6ziHrdJ5
9gR+x6eoLSEaqpJ2zANRV9HctCknlabw4hQs+xi6YkMLvbL1+7PtO/MPEOIynRJD
WX1xJ57KbB02Algy+KoTV1UnAL5nKJ9aTMIwHoSW9BMLWn1YsNty8ntbkBXOpIZd
DZS60IoGBSK30/QM7uNydRgCINqEbdoJwItwNpaeAmq69RERUX5juiARrMGuaiur
F+SqPb83p1HqGR7/5DP5j3Moj0xTLbV+CP7wIGPEl3v88H+clKuInW4ZGhO1iTF+
PPXIvrNnGwTMfWViIn1fKrHOfquLUUso17sGS9q0S4FhmqdB4oNb1pHr4YZFJpoy
A8YicfKiFST0u1QBn0lh7htwG9FJSIkDDJM9/cRRDoyI3GpbTbcvdozW+r2qeGma
25zVhjpXe6/+HG0MXH/UMs2CmkIdvoTwRCUfalLgeUE2GMBJm6voRiUZGmalNrta
fJpJGiEnvwmch0XwwjnI49+ZBedH8AsUD+5k+nuTaONhqFGFidkuP1XbBif/KHYQ
caYHsmXZOMBhP14QIb7xCx6GuBiJWYxBssRYE3kxke5wnip5QmbZxun4sAh2ozte
n1r/gbK4dUBuXQgiEhixM1NyEXefJ+nFkWBjZEc+lCvL6leT4zz0OBFDscAEPQ3A
7QjFyYB+xdg19AOx8IWC41vcWaaGvNbsNPqlt/YVXj5R72UUOIEDq+RwhqopUiaJ
eKeVVMLWieS0amqpcdltJJqxNFUxKqZpnEuWmLtMy3yJwZ6En89pMdb87NGH/JJp
b0Wk8lsE4ymXI2GIDInmu8ofiJlEP0x69ywAf8VdUtgJePWhDDlVOSfuANWPZNCY
oQdf4mgRD/pjorFv34HhSKRk3/A2Oxlot0t+8xTS3lqCZfrPlZdrBM51b6TxVJM5
/pCQn+aBS+xouYyod1xYWvBvl9Dn/n8GpWmEfc3WfQQr7oUAIoC7OUw0rCHK+kJt
s+GOQ6iH8Jo7yeTs/FhoU5ypikW28C4r/fmD0E8EVoQyB5t9ywCgGiBi50s2QNrc
shKKJeXNiT8N0neO+WslCSLSnr0+ZQ==

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E27DC6532B1C89E1

http://decryptor.top/E27DC6532B1C89E1

Extracted

Path

C:\odt\7hdd05b442-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 7hdd05b442 extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56A62750F38ACD5F

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/56A62750F38ACD5F

Page will ask you for the key, here it is:
td1n57pF9/ZYiATjj9YIRWzEOk8xUQgXy8ZPXaG5Rqu4WsKr3t1LNO7ZaKMzWUB6
s8mZdWS/QAqXSSN9yWg1V8HE8zFXiMxB83qsZ/W/sm+BC+vBrS5ZYwN9GjsokY5B
j2PP/Jfm0HD/stPsmiuVWcpedKwG6GeZH5aKg6qrNKdIoY0RyYWQNoq6Kk1+4ifL
L5NERXXUl6cpzHa/pYzcK3YPVFabIwi0IWHr5gRbe7DFByaMNGYkfHpDxrWz/X6b
SKjhAZvmr0VwYnYM53Bd1QM60qsRzeYUbK9SKWZV7cxAphwV62jgcE71zdy5aGtF
Zb19L9JwA5B7xA5EQFPj20fcZJJcDnwq5RT5JmP9J+e9yJELV5lJ9ZgBn3ILWMKU
jf8FAGGVorw61ncrZYuclx8XzOOJvBDg/4FKuEEuNbgCP87ZSXGIgSel/G5OwCqA
ngrg9T6DkKo3/Ylx/GqlNgghmaYV1A7N1OXtpj2nfJNhgxEAVUhDZ5TMuy3a8A9r
8JFrNldf/JiQl6c76a4fuKtXluDZ4AXqC2QkRQo6dpANq0GISYKhyIdpDWHI09sS
1IRBgVEhAgvRHqwC97R85pAU1DuI1wx7XNStJeLmDRi5mla7cMdTrPCAXIHpk0m7
Qt7O0Fs6l5g5leMwuix80dNGF4VtI0m8xrKENDbURiiu/CMFIWsS4uruIHQWUFqX
OKSMW3iyWwIjRjt7GBt3zeRB+42ykg+SlIp5ssqxqVAx5lVDtUvEX2JJJSW91/ZK
pzDreeZLhbhvNgitGA8IqtA4+xLSBdxTJiT6I3wrLSNquONNhQBvjLfGxO4/nqeK
7RHxtLG2TQsb7T7umL9OQv52cxYRCrHoALRB3u5D+81V7c1cUz1nVmgbWikTREEx
374w/bQquMnNVvLDAT65OOgke61zSJZn72yyGwjb1xmhLLCB6qSYB9ng7NwF19kI
h/OgypMxlJRN9/KiYu5Ys5x9fI3JNG9ACyO/uVFijTOFFIT8pjSWl3g8Li6SWi0+
ubPLHw7FdiF1Ot3JmwCNyalNTezTWXmK8FuIZMnrGyLgJd19VmwkyjvifsZfZsn4
OadcIW2m

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56A62750F38ACD5F

http://decryptor.top/56A62750F38ACD5F
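The two extracted configs above carry the same indicators a responder has to pull out by hand when a sandbox does not do it: the per-run extension, the victim ID that is repeated in the TOR and clearnet URLs, the onion and clearnet hosts, and the base64 "key" blob the note tells the victim to paste into the portal. The following is an added example, not code from the sandbox or from the malware, that parses both notes on this page. It normalizes whitespace (the notes are stored with line breaks but the report shows them flattened), checks that the victim ID agrees between the two URLs, decodes the key with base64 validation so a mangled blob fails loudly, and defangs the URLs for a ticket. The note bodies are copied from the report; the helper names (`parse_note`, `defang`, `shared_infrastructure`) are mine.

```python
"""Extract indicators from Sodinokibi/REvil ransom notes (added example)."""
import base64
import re
from dataclasses import dataclass

# Both note bodies are copied from the configs extracted above; line layout is
# not significant because parse_note() collapses all whitespace first.
NOTE_RECOVERY = """Hello dear friend! Your files are encrypted, and, as result you can't use it.
You must visit our page to get instructions about decryption process.
All encrypted files have got 46u34 extension.
Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E27DC6532B1C89E1
Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/E27DC6532B1C89E1
Page will ask you for the key, here it is:
QtdiV+EJ0Q8pCjtoc8GisPTVHE6RYjTvjaTy5HL5y5WseywTauMcra7C6ziHrdJ5 9gR+x6eoLSEaqpJ2zANRV9HctCknlabw4hQs+xi6YkMLvbL1+7PtO/MPEOIynRJD WX1xJ57KbB02Algy+KoTV1UnAL5nKJ9aTMIwHoSW9BMLWn1YsNty8ntbkBXOpIZd DZS60IoGBSK30/QM7uNydRgCINqEbdoJwItwNpaeAmq69RERUX5juiARrMGuaiur F+SqPb83p1HqGR7/5DP5j3Moj0xTLbV+CP7wIGPEl3v88H+clKuInW4ZGhO1iTF+ PPXIvrNnGwTMfWViIn1fKrHOfquLUUso17sGS9q0S4FhmqdB4oNb1pHr4YZFJpoy A8YicfKiFST0u1QBn0lh7htwG9FJSIkDDJM9/cRRDoyI3GpbTbcvdozW+r2qeGma 25zVhjpXe6/+HG0MXH/UMs2CmkIdvoTwRCUfalLgeUE2GMBJm6voRiUZGmalNrta fJpJGiEnvwmch0XwwjnI49+ZBedH8AsUD+5k+nuTaONhqFGFidkuP1XbBif/KHYQ caYHsmXZOMBhP14QIb7xCx6GuBiJWYxBssRYE3kxke5wnip5QmbZxun4sAh2ozte n1r/gbK4dUBuXQgiEhixM1NyEXefJ+nFkWBjZEc+lCvL6leT4zz0OBFDscAEPQ3A 7QjFyYB+xdg19AOx8IWC41vcWaaGvNbsNPqlt/YVXj5R72UUOIEDq+RwhqopUiaJ eKeVVMLWieS0amqpcdltJJqxNFUxKqZpnEuWmLtMy3yJwZ6En89pMdb87NGH/JJp b0Wk8lsE4ymXI2GIDInmu8ofiJlEP0x69ywAf8VdUtgJePWhDDlVOSfuANWPZNCY oQdf4mgRD/pjorFv34HhSKRk3/A2Oxlot0t+8xTS3lqCZfrPlZdrBM51b6TxVJM5 /pCQn+aBS+xouYyod1xYWvBvl9Dn/n8GpWmEfc3WfQQr7oUAIoC7OUw0rCHK+kJt s+GOQ6iH8Jo7yeTs/FhoU5ypikW28C4r/fmD0E8EVoQyB5t9ywCgGiBi50s2QNrc shKKJeXNiT8N0neO+WslCSLSnr0+ZQ==
"""

NOTE_ODT = """Hello dear friend! Your files are encrypted, and, as result you can't use it.
You must visit our page to get instructions about decryption process.
All encrypted files have got 7hdd05b442 extension.
Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56A62750F38ACD5F
Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/56A62750F38ACD5F
Page will ask you for the key, here it is:
td1n57pF9/ZYiATjj9YIRWzEOk8xUQgXy8ZPXaG5Rqu4WsKr3t1LNO7ZaKMzWUB6 s8mZdWS/QAqXSSN9yWg1V8HE8zFXiMxB83qsZ/W/sm+BC+vBrS5ZYwN9GjsokY5B j2PP/Jfm0HD/stPsmiuVWcpedKwG6GeZH5aKg6qrNKdIoY0RyYWQNoq6Kk1+4ifL L5NERXXUl6cpzHa/pYzcK3YPVFabIwi0IWHr5gRbe7DFByaMNGYkfHpDxrWz/X6b SKjhAZvmr0VwYnYM53Bd1QM60qsRzeYUbK9SKWZV7cxAphwV62jgcE71zdy5aGtF Zb19L9JwA5B7xA5EQFPj20fcZJJcDnwq5RT5JmP9J+e9yJELV5lJ9ZgBn3ILWMKU jf8FAGGVorw61ncrZYuclx8XzOOJvBDg/4FKuEEuNbgCP87ZSXGIgSel/G5OwCqA ngrg9T6DkKo3/Ylx/GqlNgghmaYV1A7N1OXtpj2nfJNhgxEAVUhDZ5TMuy3a8A9r 8JFrNldf/JiQl6c76a4fuKtXluDZ4AXqC2QkRQo6dpANq0GISYKhyIdpDWHI09sS 1IRBgVEhAgvRHqwC97R85pAU1DuI1wx7XNStJeLmDRi5mla7cMdTrPCAXIHpk0m7 Qt7O0Fs6l5g5leMwuix80dNGF4VtI0m8xrKENDbURiiu/CMFIWsS4uruIHQWUFqX OKSMW3iyWwIjRjt7GBt3zeRB+42ykg+SlIp5ssqxqVAx5lVDtUvEX2JJJSW91/ZK pzDreeZLhbhvNgitGA8IqtA4+xLSBdxTJiT6I3wrLSNquONNhQBvjLfGxO4/nqeK 7RHxtLG2TQsb7T7umL9OQv52cxYRCrHoALRB3u5D+81V7c1cUz1nVmgbWikTREEx 374w/bQquMnNVvLDAT65OOgke61zSJZn72yyGwjb1xmhLLCB6qSYB9ng7NwF19kI h/OgypMxlJRN9/KiYu5Ys5x9fI3JNG9ACyO/uVFijTOFFIT8pjSWl3g8Li6SWi0+ ubPLHw7FdiF1Ot3JmwCNyalNTezTWXmK8FuIZMnrGyLgJd19VmwkyjvifsZfZsn4 OadcIW2m
"""

EXTENSION_RE = re.compile(r"All encrypted files have got (\S+) extension")
ONION_RE = re.compile(r"http://([a-z2-7]{56}\.onion)/([0-9A-F]{16})")   # v3 onion + 16-hex victim ID
CLEARNET_RE = re.compile(r"http://(decryptor\.top)/([0-9A-F]{16})")
KEY_RE = re.compile(r"here it is:\s*(.*)$")


@dataclass(frozen=True)
class NoteIocs:
    extension: str      # appended to every encrypted file in this run
    victim_id: str      # must be identical in the TOR and clearnet URLs
    onion_host: str
    clearnet_host: str
    key_bytes: bytes    # decoded "key" blob the victim is told to paste into the portal

    def urls(self):
        """Portal URLs rebuilt from host + victim ID (same form as in the note)."""
        return (f"http://{self.onion_host}/{self.victim_id}",
                f"http://{self.clearnet_host}/{self.victim_id}")


def parse_note(text: str) -> NoteIocs:
    """Parse one Sodinokibi note; raise ValueError if the layout does not match."""
    flat = " ".join(text.split())  # collapse line breaks and runs of spaces
    ext, onion, www, key = (r.search(flat) for r in (EXTENSION_RE, ONION_RE, CLEARNET_RE, KEY_RE))
    if not (ext and onion and www and key):
        raise ValueError("not a Sodinokibi note layout")
    if onion.group(2) != www.group(2):
        raise ValueError("victim ID differs between TOR and clearnet URLs")
    key_b64 = key.group(1).replace(" ", "")
    # validate=True rejects anything outside the base64 alphabet, so a mangled
    # or truncated blob raises instead of silently decoding to garbage.
    key_bytes = base64.b64decode(key_b64, validate=True)
    return NoteIocs(ext.group(1), onion.group(2), onion.group(1), www.group(1), key_bytes)


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket: hxxp:// and [.] in the host."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def shared_infrastructure(notes):
    """Hosts present in every note. Both notes from this sample share the same
    onion and clearnet hosts while carrying different victim IDs and extensions."""
    hosts = [{n.onion_host, n.clearnet_host} for n in notes]
    return set.intersection(*hosts) if hosts else set()


if __name__ == "__main__":
    parsed = [parse_note(NOTE_RECOVERY), parse_note(NOTE_ODT)]
    for n in parsed:
        print(f"ext=.{n.extension} victim={n.victim_id} key={len(n.key_bytes)} bytes")
        for u in n.urls():
            print("   ", defang(u))
    print("shared hosts:", sorted(shared_infrastructure(parsed)))
```

The victim-ID cross-check is the useful part: the same 16-hex ID appears in both URLs of a genuine note, so a mismatch means the note was edited or the extraction picked up text from two different notes. The decoded key lengths differ between the two notes (the blob is an opaque, victim-specific value), which is why the parser only validates the encoding rather than assuming a fixed size.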

Targets

    • Target

      0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

    • Size

      290KB

    • MD5

      fb68a02333431394a9a0cdbff3717b24

    • SHA1

      1399bf98a509adb07663476dee7f9fee571e09f3

    • SHA256

      0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

    • SHA512

      e03b076d36374b263dbc63fc93e793210dc5fd809f783cda6524390590ec56b4fb5c0aa80a52650de60c31f2f6d451fee17c72256100ac7f2c15347c05ab6470

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality

    • Deletes shadow copies

    • Windows security modification

    • Discovering connected drives

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks