General

  • Target

    6f2432e4ac98575aa653094123b478bf6c3aa9b00aaad84dfd09045a96d6b970.bin

  • Size

    244KB

  • Sample

    200718-7f8n9pq52a

  • MD5

    f82f4f596705763a3c0124a4675d484e

  • SHA1

    df1e8b4522bc439d338848f9a4d09d5b1c26f5da

  • SHA256

    6f2432e4ac98575aa653094123b478bf6c3aa9b00aaad84dfd09045a96d6b970

  • SHA512

    6a0183c211b53cbaf470bd1ab26c347222850dde0fd529aec544ecdf6ab881f06ea7e3a7432497083ac515fec6c07ffcad89ad79f8687fc44dc60b54e3475dfd

Malware Config

Extracted

Path

C:\ha7zj-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ha7zj. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E1CBC3DBF05C027 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/9E1CBC3DBF05C027 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: VGGW/+mY1XmRXRJgytr0TLqT6G0fOEFyq6yG/2GC2oYckMEBI06UqzT/4CBAWHJH v0/sp1ZGY2PlYW5BzzkUTx/DpmKRF1cbuxzCtc6qTEMzG4YVagYL0ZLitICS29XR L1zv8/FSmM8ntqykwNv5a/kgkc4ewy6RJUxATPkh3E/c92yUol+NtG03BYO1wvLP N/fh84U+eG9K7d7V1/sLY/YSVXUan9TUeW4PObRcwmj10WqBNliKwGOozpKtAxA+ KPu+nY21wMdvnqpmwUr2MNzzkZIPEPa8RYMT5rgY1KRWT8NvjI7ef+pGYIGOuSve fVJGvjUvF3GGLbdKk+GdjJRHEycI6jEDFgeDigLEnsgit1LNcYqfey1ouqJOg3Wc PtzcyhTdzEalQygWSNpJcwC3z+LvKgM5q0sOYM4rn9F60tvF84VrLxqn5LXdNi3/ UtGjlM6fAaklWSm6UIHpBTPIXsG//aZfxtPpAjuuavYMdFM/9uT6z4MB9orxLZNN 0wj7JJiWEV8Ut6jgteSlL10rPeEvMGP8d3Q8K+TKBozHOAQo8t9sNMYyQ5KPoVSR O9RmIXE4xx8sstE8CgE00uK+2Gw5GYn7LuSbjKKFdVlRVIt4NNyDE14P4bMYYsN4 YFTnwr764+nXyEWIBuffdbfNIxKViP6cBvAGGetJTnlEwhWMYdBoxHG4EnfHHpNM NBYRKoUys7TMPb6VsWeTA/na9enNpY2jHxGfq5RhnutNs7dw4aLDBml4VF7zhBCl yWmc7v1S10sE5Xs8Wr6Yn7C3RnO+kj0dK2b5TPP+3ggboW2VU83ywFij0ZkmD2gZ JMBSUpSDo21YHTmH0AakoG+8KvPbfLRcyo3j1Qc8Y22zyyZqr7rDIq8SOVvx144m j/8D8JZy2MdXEKDEqM8KvTUxL9RJzkEkUWLykiPfzX7eY19dMToQwOxKV+BZMyaW bXmStvCxlDprj3/kyj6W/rewHxhwhZrIipGeeCW4znSZfzhgVIRQ29NkgEjdbap/ 1MMBJennNcru6EpH2poYQt1AZZyQyCYNYTLiJure8N4Iaz5tYbu5mOD+ObfUasLR VoduL4p6jGC8oVqVfIQVHQla3y9xYNMCKIdKEEaXwrPL8spbm9P1RS4o0dXTufZS cvhtnMt3TTS3Sm9xd+YZNl60f9Dr0iyi8Iag+Ea1aXEO4mkste9N1uH9rNq/NX6j caxtsIEtUz0MuwFCGcFq43QK+N5p7V5ayxFxuK9xWgOILqFLX0Bi0MozGzWlo32X 9mEiAb9l9LHbBNdsQ3F4/hC+gDIted3rVG/Rd5Xr ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E1CBC3DBF05C027

http://decryptor.cc/9E1CBC3DBF05C027

Extracted

Path

C:\w5vhls-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension w5vhls. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2D93158E4D06F3D1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2D93158E4D06F3D1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: J107cgikUoblxr/X8LA+pQzXRsDkPIIvd2iSc6q5IWCqj2YXPm8n6MC1gGf25BOm Cud6yO2dKhONVyydYUwaEmZzvx4P7zKuHOVDQkiXaehNAKlw6MXMywKzCknzm+Zl 5oKLXn+zJPtRXMOw6/ona7wTZRibQj9RKDFbsEekolETFcdwxGmuv49FB0vPr59/ sXGOnZkliUmID728TwnHlfITVHHvnw7zy0pBj6VP44jcowqouSU/jbak4hbKB4RR NnnytQiLW1A9tx3+r9oDyRlewX07bWl2JsTQtebrFZH8uXLtRrpcpKRSaerTinG5 oaAviZQjMqgtJkXBvs2Wi2cDSukCXDElb06BwYItiPs1YVB1eHP/reQxIHjHZ5Ea xXZu8LjyQqgpWosVsXDLFDzZqxsKncTXrqTlV3raIQ+OdyNQHiEUmdJ7u5luDnxw VpaJkEi3MLft9r3cdHfPvy6MAQyoGVOZfUFNyVzQXVCCmJGWv2VOIgTfiZpluIGv 5Zk9d1gqtNGUNeo/mmy2YaJki2rGTzEg83drGkmHVraBaETDU6KlXVzxG5ffXl66 8h4Ai4D3CNSka1yFasIixcB5faTQz0dATZowCh9imeHe+12bfj3csxubGjiMDMk7 wAdMnVDA+IpJfUtTByEgbITruQiGpzczuaOZHVKfIfk9I64X+Zj7KJALBl/KeZBF yCWre//b1xgRy7+jJH9lsJuO6hvOoLCKUc4GtATRSu9OcyI8xaNHQW71Gzpid164 3ZG51TfS1+d4zB6thfveRT9JadMdkM3AiEQ9QLQlm953mQiBb78IKwGl9eMyHk+a dGA0prI2NeuNYdk7yjmE7+3kgW6ZtXCOfofkMdmNDpE+6qqSbHvj5mDfJ6q9yXtJ SA3CF3hdTkobKSeQu+q4KBf4vfiTk+9LeLUtTy4sPUhA4YyEtN4M/nrYMjqws2Xo oGe5eJjQ3a7rPOedQMbXxYpQF2l/VMSfiqUMOtYtGG4MyATIQptbaPnBh7iHYk22 /BcrM8YEIMJW+s91Hpt9hum/Y/NMrsbWzFVqn9yKeAw4Cpyav1h9HCbbl74F+pZc noeuKD5VSN2mLKEt9eOCCan0nR/lgpp9aOpVosjQ+VeqoBivchQxq+3cqCBhT72g RaLyqEfV1qxy26nd9HH+5/sSMejZHqUxzOR05BMPmOMEp1Pekbs1A+TizkyDDdDh t5HIsmhahsolxoCcCkFYGahyUFGdSFXdsMW5DYc/ZzMAd5WChdUB6m1EZgBnwc59 OGaDdF6sM+ZptbpVCpnTLA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2D93158E4D06F3D1

http://decryptor.cc/2D93158E4D06F3D1

Targets

    • Target

      6f2432e4ac98575aa653094123b478bf6c3aa9b00aaad84dfd09045a96d6b970.bin

    • Size

      244KB

    • MD5

      f82f4f596705763a3c0124a4675d484e

    • SHA1

      df1e8b4522bc439d338848f9a4d09d5b1c26f5da

    • SHA256

      6f2432e4ac98575aa653094123b478bf6c3aa9b00aaad84dfd09045a96d6b970

    • SHA512

      6a0183c211b53cbaf470bd1ab26c347222850dde0fd529aec544ecdf6ab881f06ea7e3a7432497083ac515fec6c07ffcad89ad79f8687fc44dc60b54e3475dfd

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks