General

  • Target

    u3CD1fs9.bat

  • Size

    192B

  • Sample

    200418-wef9ejxn8j

  • MD5

    775b9f9c687e640c4e5a65c9512ef573

  • SHA1

    920bb3ec6c979520acefcb233670b18446ed09e9

  • SHA256

    97b4b68e56ffee83aa062e9f016df1f5c2e280b6df581deec97ced89667e8d1b

  • SHA512

    e41e431075bf6869cfa5b1e90c267545f30bf7548fb91e7d729292b2a20b376553807ff45970250bf53e568cdc894e4482c77e82b98ac8c84403cd31d73b2a69

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    http://185.103.242.78/pastes/u3CD1fs9

Extracted

  • Path

    C:\609k8-readme.txt

  • Family

    sodinokibi

  • Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 609k8. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/03A8D9BCBC7CE987 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/03A8D9BCBC7CE987 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: iVcyVzSOds6fGl86uvlxucmBEiZ4/7SyK4SHAUguYfINSDiJhn7eUZ6iAv5scV5r EyRasoZYSnNKV8cXjElLoSGvwXu9wQNJfYWGn8BOWEw7j09iA1ZII3wOsx9dvw/4 OfuIy2T49E0Mr7rdaPheRVuyl3N4utjjLeWIKVywvLt6pex6aDdx+DpzYBnm9XPL JPwnxT0FMnjDtx2rrDASKYU57LYqftY9IwtSBLXlEwpyuGtNUd3cB7e2g0d6MvCB rgxl5J1xC3vaQyJD4CWWikKfjmcKjamENqEsyuJpZN3XZvZrbQ4Hlv8Mid/jY30Z Poz+7bR0v9HigURqT1LpZGqA0iq1m9x5K5ocghk6ihtH5X+YEAPgoYX6Wjf74vem jSB+bTqFhYoDcAkijIv3PjqHouVViidzAPPvEZx8iDNiK38D3cMTnqVu6YLTgvDr 1JeRGYS/mKbSIPTRRmG/vS8id0fq07qwyHx/o4K6YogzLke+DqMD23lN94FRU8AN GOv3Zv9HGnY3OjBi+oz46GzObiCQ218UKOnz4i7otmwGsPqtG0mWnZR9UP/0Xj8s I41wo6tl5FY/FWvoyY0qyumvKGpzCD0Y0UskbrrEQEMNi8hn4oSigqsu/5VTBCNT GjRXtSGJRsGCJFQjjMNmT/eEu3DAD4y+XOPLntFzEZub2uZQQqPqgj24TJ1MmZ39 0NsbCHZhk2BZ8hOxRQ2QfbpHUSPRu4jkWALD/MwgNGk9FvFT5Plf552PZZSlKY+x m4gvAhOdAzHdWZV1gYaQfH/0FRBBuq5Wvh+grg9x92zXQcabdl14Aqh0QYZgoO6G ynON5yEcfaU2HZaTARe6juoxY+Wq36ATO1UUx+NncOjLH0ZJCKfC3iiviq2HDxKG T7LA11AaIOZe12Zs3E7DuQAXUGd/J9Qg53QcQOoeCJEW6ef54+K31IY2/fv5TytK 8RW+vo28y7NjKsWeEsiwcTsNIfcx4SyEENvWtxhPFQuOvEYYb/W6JvGBRlg/kyRw 0qIDc7g+wd0xY1P3tLWpUMeCZOibEjyqSs6uGFbsr23NtWvypD1IDNDh+HTVBB/9 36lKn+faX+QqXjwICQwcGiAGm1YtxmF2SLBtc0ZqrPyMntCO+CCpxQOGs00Tu6O2 AR52Hgtc32xC2/05VJCwFdWQSQ9fPJ5F+7676l7vC2SBmqBoul32AMw0Q7OqHH87 vidYvBSLhvtl9xf5jYcMiGiy7MdJQKFLdqRFJa0qeQWoG4pxfEAhCnp0tBGs3zUj eAM5pUfD4JD8chZ9aL2wkYwTZqSAAuoJwS5mXUDE ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/03A8D9BCBC7CE987

    http://decryptor.cc/03A8D9BCBC7CE987
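Added example, not part of the Triage report and not the sample's own code: a small Python parser that pulls the indicators a responder actually acts on out of a Sodinokibi/REvil note in the format shown above (the appended extension, the 16-hex-character victim ID that both the .onion and decryptor.cc URLs carry, and the base64 key blob) and derives the readme path the sample writes, which here is C:\609k8-readme.txt. The note excerpt is constructed from the note above with the key cut to its first two lines; the `decryptor.` host pattern and the `network_blocklist` helper are my assumptions, not something the report states.

```python
"""Extract actionable IOCs from a Sodinokibi/REvil ransom note.

Added example for this report; not Triage's code and not the sample's code.
SAMPLE_NOTE is a constructed excerpt of the note shown in the report, with
the key blob truncated to two lines (not usable as a real key).
"""
import re
from dataclasses import dataclass
from typing import Optional, Set

SAMPLE_NOTE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 609k8.
[+] How to get access on website? [+]
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/03A8D9BCBC7CE987
b) Open our secondary website: http://decryptor.cc/03A8D9BCBC7CE987
When you open our website, put the following data in the input form:
Key:
iVcyVzSOds6fGl86uvlxucmBEiZ4/7SyK4SHAUguYfINSDiJhn7eUZ6iAv5scV5r
EyRasoZYSnNKV8cXjElLoSGvwXu9wQNJfYWGn8BOWEw7j09iA1ZII3wOsx9dvw/4
-----------------------------------------------------------------------------------------
!!! DANGER !!!
"""

# Dropper URL from the extracted config above (the host is worth blocking too).
DROPPER_URL = "http://185.103.242.78/pastes/u3CD1fs9"

# Extension appended to encrypted files; REvil uses a short random alnum string.
EXT_RE = re.compile(r"extension\s+([A-Za-z0-9]{4,12})\b")
# v3 onion address (56 base32 chars) followed by the per-victim 16-hex-char ID.
ONION_RE = re.compile(r"https?://([a-z2-7]{56}\.onion)/([0-9A-Fa-f]{16})")
# Clearnet mirror carrying the same victim ID ("decryptor." host is an assumption).
CLEAR_RE = re.compile(r"https?://(decryptor\.[a-z]+)/([0-9A-Fa-f]{16})")
# Base64 lines after "Key:" up to the first non-base64 line (the dashed rule).
KEY_RE = re.compile(r"Key:\s*((?:[A-Za-z0-9+/=]{16,}\s*)+)")


@dataclass
class RevilNoteIocs:
    extension: Optional[str]
    onion_host: Optional[str]
    clearnet_host: Optional[str]
    victim_id: Optional[str]          # set only when both URLs agree
    key_b64: Optional[str]            # whitespace stripped, still base64
    consistent_victim_id: bool


def readme_path(extension: str, root: str = "C:\\") -> str:
    """Note path the sample drops: <root><ext>-readme.txt (C:\\609k8-readme.txt here)."""
    return f"{root}{extension}-readme.txt"


def parse_note(text: str) -> RevilNoteIocs:
    """Parse a REvil-style note; every field is None when not found rather than raising."""
    ext = EXT_RE.search(text)
    onion = ONION_RE.search(text)
    clear = CLEAR_RE.search(text)
    key = KEY_RE.search(text)
    ids = {m.group(2).upper() for m in (onion, clear) if m}
    return RevilNoteIocs(
        extension=ext.group(1) if ext else None,
        onion_host=onion.group(1) if onion else None,
        clearnet_host=clear.group(1) if clear else None,
        victim_id=next(iter(ids)) if len(ids) == 1 else None,
        key_b64="".join(key.group(1).split()) if key else None,
        consistent_victim_id=len(ids) == 1,
    )


def network_blocklist(iocs: RevilNoteIocs) -> Set[str]:
    """Hosts to block or alert on: dropper host plus both payment portals.

    The .onion host is only observable at a Tor client or DNS-over-Tor proxy,
    but keeping it in the list lets the same data feed a threat-intel platform.
    """
    hosts = {DROPPER_URL.split("/")[2]}
    for host in (iocs.onion_host, iocs.clearnet_host):
        if host:
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    found = parse_note(SAMPLE_NOTE)
    print(found)
    print("expected note path:", readme_path(found.extension))
    print("blocklist:", sorted(network_blocklist(found)))
```

Run it against a note collected from an infected host to get the extension (for a file-system sweep), the victim ID (to correlate hosts hit by the same campaign) and the key blob (to hand to a decryptor if one becomes available); a note whose two URLs carry different IDs is flagged by `consistent_victim_id` rather than silently picking one.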

Targets

    • Target

      u3CD1fs9.bat

    • Size

      192B

    • MD5

      775b9f9c687e640c4e5a65c9512ef573

    • SHA1

      920bb3ec6c979520acefcb233670b18446ed09e9

    • SHA256

      97b4b68e56ffee83aa062e9f016df1f5c2e280b6df581deec97ced89667e8d1b

    • SHA512

      e41e431075bf6869cfa5b1e90c267545f30bf7548fb91e7d729292b2a20b376553807ff45970250bf53e568cdc894e4482c77e82b98ac8c84403cd31d73b2a69

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Blacklisted process makes network request

    • Enumerates connected drives

    • Modifies service

    • Sets desktop wallpaper using registry
