General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • Size

    157KB

  • Sample

    200309-e38sr5wka6

  • MD5

    b488bdeeaeda94a273e4746db0082841

  • SHA1

    5dac89d5ecc2794b3fc084416a78c965c2be0d2a

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • SHA512

    2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Malware Config

Extracted

Family

sodinokibi

C2

lyricalduniya.com

theboardroomafrica.com

chris-anne.com

ownidentity.com

web865.com

paradigmlandscape.com

envomask.com

scentedlair.com

jlgraphisme.fr

andrealuchesi.it

mursall.de

letterscan.de

metcalfe.ca

dentourage.com

chomiksy.net

yayasanprimaunggul.org

opticahubertruiz.com

affligemsehondenschool.be

zealcon.ae

craftingalegacy.com

Attributes
  • net

    false

  • pid

    10

  • ransom_oneliner

    Your files are encrypted! Open {EXT}.info.txt!

  • ransom_template

    Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}

  • sub

    7

Extracted

Path

C:\Recovery\i7bsz6dkt9.info.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got i7bsz6dkt9 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/581889A04001A92A Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/581889A04001A92A Page will ask you for the key, here it is: 2lbJ6KFBGJKJNHbGXuUljGMb7IVDa4YavjFrIHnpSVr71b9KOVh7fGDrAZKsHBMn Vav6UZ4LaFm1yduWaee5whswDFjl4SUInTECxllXZq32X24EK6WoLpXgEe93eoD6 G77lK+8NTrI867b8eI8WrDYwpjjVvh0TADqAXLzwsJpdYIOzG2z9QGxfbUeVmCXg qvsrBvWI3R/WMWNg+hvJKpCKp7Kh6feYgNLNc4PY4varkELCuTe3MdKQqqedS0lE ZpVABVJSsEDXXPLEbWoUAQ4kmeqA6QtUxZkN+AocAgkzuaiUltXlbt7pLTBcD4k4 PxUq4FExZv0NIAXeZ4W/rpya3+t1D2MEC5SDfrfgC+ltykhvgR0yZgNX6K46+Qo6 nJdVfl23ZGTl4eTbovd1kAqx6J3e5MOr9+z1pEnnQLlvvRJAw7R0PhsdazHOOAMD JWC01yB9Ml4fFmvdKBMQ5OQZinwSddxbFrG3hHp9SepEqNBC+JOQLu7EiwLa1uj6 BvIfg5xAfWKdagUCSpmbU53qNyhkKAmZ504r0AiYcN6nr4PFjkCCl+RLq4ymVR9i R76m+XVi+xmi8PX5tcrUlszAaMRU28lVbri4DzGhQWDCO64kQPCI2A6kqcfDHx2G uCfr3/EGNMkBOKALZZcmezlkNZZXuOjgDIgYV6Ojys3E8iZ5ebDYsIs9m/eJkint eLhkq6si228mpxFfhj+coDOp4Ktp4ShVV0DYwLnpRpPUQP3ksvUKE8VL1yJ8jdvX wqEA/F+2W19PlHdO1K4n67uDFjYBIZsrlQSGjp7aHm768W4dDR5l3NejPKpJ6EVi JmVGkqMqjKAyskhi/Q5TPQ1ssRZSTfqyWlrTsW+e8v7XVCTvak6ZDfl4ZUNjt32H s8vsg20O3YRFsSeB5b3NxAv5LyuYw2s2FmcNc5XMGJy3E0oA4OnGCB3z53f8pMl0 MFdDlaUyyqx00nJwAVE8dakthl4iTbztj2LDHX7RHkeHvNUN0XFUO9tn/fHFuuEe TRXuKkSbSWLdf3gtNVyT5+L+rjOgxRmX3IiGuiFbXNA55uzwnY7uO2OM0HezzWFF Yei5DoxtUFQVpCCkyX59AwzeqsBYy+AZ
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/581889A04001A92A

http://decryptor.top/581889A04001A92A

Extracted

Path

C:\odt\gfi5j.info.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got gfi5j extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6AFCB047A8F2D039 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/6AFCB047A8F2D039 Page will ask you for the key, here it is: 8U56g0g8IYmS+SGHJfX0yn7BD+Sh/bHVX13KUljmpzoFkyPqZW3sk4TisZ7ZIP7M y4VL6geQihdrttX4Zhn+m9rO9iPZwT6j58RmPxjW87D+MJ7y4jGqJzWcm1MaQFoy kbRWqbT+8IXXiUR0lR6jU2zUFHhH4Lbx/BRXtDA7khioR38LZ8lmDkJt9QihPUPt 8beUodTzc/FBh0bYYRS15CRKaPvF7m1Y8OlYpVpzB9leN/YxF3wP75j9DlEuq+ZE H4sYP/hFt0QOsHrdB6yWnfSBiBDDDnOS9yZ40tYVJwiJjIs+kt6hwdrG0YDPa82g vBKCDhQfloplzKJzwivdF3AhrtUnNprw0zIZya4sMBTk28UJ5gdZrv0F5nO+xmt5 nI2ZW0Ri0VfNRl4nKBhhHO8CI9QTvu5BB3sNrtnSGLVXhCmndrdrtzCB3WA2qb1Y oBlTbGy30dWE+09VYHqDECDpMyp/AwmsJhfocFzEEdJ9xq5HFaqTGjCN6uN5hHqS thr7myFsZApzQmkSmjN0ja2FyxItFX0foTRDv43KSZwnRzrrQYuVesjvV3KAuZCQ lsKl3eYlG3LU90r02GS/Ms1AEoCqa0Y72gN4l17vF2H6CiQBq1Xpmte4iLpRtzg0 dU+UN/4KjTlc7EJFo+JGRXstHugbn6m+Vvny9vOoouEelX+tqqUevioNyChjSq82 XXTCkgsdnwp+4SJBXBbJTHlssHM7oMxlYvbrw80CLv/Lcnhkk+nja3x+MX9bwjdp klsFLtJx5HYy36ZTWIrmJT3Ik3XQPip764qx9Gsug8RKcKLHB/YY0V8muJrSSH+v rUDcK2XB08n3ZIrj4ipP+r7oVI8JKxZOV0YXMth73T+Q1u3fIAgjVQwmpl7IbqxK SqgxxxvH0dEwZDvfclwKJ8t7BY0m3eg6HeBvJj++GstVZmko6uk19/tPczckDPrL g7CPKMUozrAXB019yfOONjmDwsLcUMZ+/86Q3/1b/8iRyckAG9OT3Nv3X5LlGkdf HD8QdAeGriVR2HbcCA/BWP3uiaiLbCIf+TAma8rCrXZmMhdHMLed9CHd9tZa2760 G47hbiS/HzA=
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6AFCB047A8F2D039

http://decryptor.top/6AFCB047A8F2D039

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 1

Defense Evasion

  • File Deletion (T1107): 2

  • Install Root Certificate (T1130): 1

  • Modify Registry (T1112): 3

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Impact

  • Inhibit System Recovery (T1490): 2

  • Defacement (T1491): 1

Tasks