General

  • Target

    8f9ff3aa474fa163cb2753cdce6a9abc.bat

  • Size

    214B

  • Sample

    200709-efy5lg4gne

  • MD5

    6583fe9275827519cd2bad15c56e349c

  • SHA1

    134d9f2a3be2ede4777cd9216538f582570c21e5

  • SHA256

    65aca88b78d41c561c3ab4b732484deb7ba50a7a3b9499406faf938ee12085b8

  • SHA512

    c96021e32ec898f32c0de82016c899052d36358d1e57512c4b4b0875e1507a7862b5837cb4e5e98b2a5726a059a1593749b0839fac788db9c70bfcdd07dea48b

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    http://185.103.242.78/pastes/8f9ff3aa474fa163cb2753cdce6a9abc

Extracted

  • Path

    C:\70f99a3q4-readme.txt

  • Family

    sodinokibi

  • Ransom Note
    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 70f99a3q4.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7C7E8AD28D2AAA5B

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/7C7E8AD28D2AAA5B

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: [base64 key blob omitted]

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!
  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7C7E8AD28D2AAA5B

    http://decryptor.cc/7C7E8AD28D2AAA5B

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Blacklisted process makes network request

    • Enumerates connected drives

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks