General

  • Target

    file

  • Size

    166KB

  • Sample

    201109-mcfjpaw9zj

  • MD5

    8d50eacadd7b377722828227a3d30350

  • SHA1

    cbe1881838871f1fa3672b97cec29955b786aba3

  • SHA256

    353ddd0a20aa154923d91052d8ef6c94a32fe9cb1293cde6b8d05b032a79237d

  • SHA512

    8ae9aa227b92c18d8dbb8882d6ee097537f69e8e5700ca25506ca9d3a1d7559b20b27a53ab6aff0812e20201256f5cea8aa008a82861f27d334df638695d9ef8

Malware Config

Extracted

Family

sodinokibi

C2

Attributes

  • net

    false

  • pid

    $2a$10$ng1ayVWEBuIbegblmZ4XYO6olyzUDDpSXTeKaogNyZv9nMOrleGWC

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    3292

Extracted

Path

C:\emb4eipc46-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension emb4eipc46.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B51EC1B88DF0027E

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/B51EC1B88DF0027E

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: kTq6ZTDYZ+Nx9z8lEY3bQQ9UDf2wE9LIlGSTFUm5COe72MZ4YIUr3gEX5leJaHNf ScVxgF8n/OoxtwdN0Y9oreZzRkQR1fOIm/iwec1qJtByh008E0QDKHPotl1diFY8 JI06y68lvwTvc+gBneseohMHIRRbDFEOShjb1q/yIuwIbHHn+Z+KC3SDr4XqOpRC 6VBJKf/B2Msbi/msHM6yTyAMu9yLxXQqG9LuW5fWQTod4esmB3yHlumshbMoMv2e 49n1wStmK0RLZsQDYrd4ef8Hmo/zq10uno0FrseziaJaAefa3aekoUNzNVItRGs8 7AYqMckwUc2noJwfX67ylw0+m1PnmAJ6GWwvJJhLNmTuO1N0/GqPeqvxJD9aP9WT 89bIwXCUiJkW/t5Ue7iORa6Jf0dylNkVQMgFV+7+aaOjvk3RX0EFfGduLmtWAEid N1u4OgCSVJcW6ol/Y6LseZXb6C8UGdm2JXWx4WcW4GMQZWexTr6unJhgbVY2UD+z E9Cy2+jzljBEASdxIGehYEuech5MPbWiK/MVPJk03beoIaTV86dwrnDnW7vDcu3l ZtWBfMZDJ2IuNJAknD0TnYCFtj/5KENm9mgnjofhkYrVLCct/TIU8rNK2VYJcBU9 ta4zgKlSFukjovjnLRd6R0Lo34fioDvu7V3TaJkNo5+0QE2mfr5ZMNMcbfI4+V3e Rsgcrl7MyXDj70QUfNf0lxfnhq+Sn6t6+snNPz/M3ahAhnuKEAkDNjYP8gfLXpb4 Qlw/e7ndP41VKlv89NUWDJX5rscRW+LtBEMyLVkWDX2f9JBjD8lPZ7jAj72aDOwi Dsct7CwofnLWVl0K4ScQdIJxU6gKUvC7eoJZ2RKeqvtIp6SEywoqHsMC4NAesO94 HZLM1I0Lc1cQqc/P0u+EfO5aIH/eRlkcVpeAw5kdrojPG09r9AH8LJpxQLlKxKGO Fid7ab20b/mr0ihpzmxZrYAFRsWsDl99yZBvbls9CjDa1SQlEMzWoZR0skpRwzH5 kAQMxlye+c92mTAo22ngCQBaiOSQJUhf/+ur6rySWInkgNmZoiHDy3pvYapVtMJH LtJRgSuJnuo5PjBMSV+qH4SBz+gO6aysHr5jb1aaS6BIc8RxzRBH358YYZaRlNiB Ma4GaVtgKIMZgle8QbnPLtimodYo3ZMlHSdDozHUYoNaL8juhnEQSEdO1MXyVMw8 fuW5ISXNU8ZYSFf4JBMs7n2SvH4e5BWT8iMUwbg8EWAKef/P7yzIKGo+gyck5Te/ ZT6IIN78jqXUxsVjcbnH9DJkhCxFUOWD

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B51EC1B88DF0027E

http://decryptor.cc/B51EC1B88DF0027E

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Blacklisted process makes network request

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks