General

  • Target

    e12e9ff0a4cf29714bed618d69ff121b8a8d269d741cc1dbc8d92b9a405716a0.bin

  • Size

    116KB

  • Sample

    201120-zdcnzgsa1s

  • MD5

    eba2b670e171d2efc8e72f023c47150a

  • SHA1

    427aeaa865a38cf66e798b2f10c2c68a8cb5322a

  • SHA256

    e12e9ff0a4cf29714bed618d69ff121b8a8d269d741cc1dbc8d92b9a405716a0

  • SHA512

    67adf5763a6fcf7212b823e3f6e8f5b5461e9c3b3c38f580c13e438cda66f64d66759b090034bcd512f8bab78bc1d164a1e05334b07de0c618531a43ba448ebc

Malware Config

Extracted

Path

C:\t3b8vw-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension t3b8vw. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4FA6721AC13E9BE8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/4FA6721AC13E9BE8 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: jgDT/i68oofxFU47Q4TQqzsYe28qm/bTYU+zdyWkfSiDllOduHD3UdJoY56TbzvZ PwuKQ9/V1vCaB8uO6eB+qRp/tbMcF12mReyKdAqRrQiYS/be57BSx0BU071XjVAX 8jO4qJcRH8W3ajpMvLTTSbiUmuhkX1dI+bZRQeIRS0OlBlBc+lRVc2gWnUxDpO1z TezP3VUChNId7/7LbO64iPTus0h/K+e5e6ZB4FwH2PKbFIOqNybyx3S8i2BGUkX/ oeDT/Qqq7Vo4JbD00a0GI8qol/NW3tvXCFduhrnawPBAnavGeoCrgoFomDwKMgyv 36dEqGnSVv2V8js3hs0ttM52niDCZE+uSM6FsiS9V6N7fjQt7PPQdCwa8jr8P34E af33S7V+BBtfUb2Ac6OwiKyyuhN0Z8PVR6Su5q/yN8VhwKvIr4pgJIOMmURglb1t eWG+rVhqSUHFbSpChwAKdQrFv5pcyeNHtngWGcYKKoJ3GLrpUknpR1PdlhuW0NCP hECfzDS4zMzuYxGOe5AnX+oLt3uTGho8YGn6IVx0hUuH4cHJBU2MMZSFqDQytkKU Uzxh6qgqeQULsY4HJcphuh41evyS9vfFcGef9LwQ3HQ4uTWZekBrNFmS2ITvahSC bAzBzGw7NWWm0gx17tW1UTFmgzhtZoU5x4RHU2sFD+y0T1uUL6Y3OBfE5wNtqXJw MY419z7OGVGJJce5O0gfSncwovkyaP2DCUxOQvjq9btHDvfdxeBJNzMSXaGCHLR8 E7S1PWTy02EFB057jCMEj2Hw6FlAKwErwNArCT+hTwerU6mJgoG94Mt8dXVKa/oU xtRWGsin8MtxblRnXjISWChAlryuQ/XrfocLSxmg9JyrTuC5PhA6gqY8quDlB/4X ft1bFEWDNyB4vKt+9uCp765VVp3zDLLpn/pkNgJMlMEIVpxLYqQxfODGtLCojpgF 3PVZuJZxQp8MY0BPiR56HiSAOqUkyoirc4nFfwgDkmIES5gB+pmMGs6PaDBrX1/u W4CwocHfLIBlo7t8N7qK4Zlh2f48MPeIwo6RZi0aNBDaLKEa0e/cgdsAUH3EDiVg GclbGhxdWQsdFcNMnlkE2I8fLw+0/X1hOClvzA35IF9Qh5CFtU3nNed/oOmEsydn jud3bFxZoJ1SWoFHxFEjJR37z3DQ37P6KyV3E9nGRVsaU3uiEl5rs+XfBHAP1w8Z dboBf4eriZlQBbWGr4gX+JPCC9GWBU8eig6cMQTTZKtk+stKeT8wNat4YgFfAsUr XYXnJuQrdd71Zr/OljfdkA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4FA6721AC13E9BE8

http://decryptor.cc/4FA6721AC13E9BE8

Targets

    • Target

      e12e9ff0a4cf29714bed618d69ff121b8a8d269d741cc1dbc8d92b9a405716a0.bin

    • Size

      116KB

    • MD5

      eba2b670e171d2efc8e72f023c47150a

    • SHA1

      427aeaa865a38cf66e798b2f10c2c68a8cb5322a

    • SHA256

      e12e9ff0a4cf29714bed618d69ff121b8a8d269d741cc1dbc8d92b9a405716a0

    • SHA512

      67adf5763a6fcf7212b823e3f6e8f5b5461e9c3b3c38f580c13e438cda66f64d66759b090034bcd512f8bab78bc1d164a1e05334b07de0c618531a43ba448ebc

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Blacklisted process makes network request

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Defense Evasion

Modify Registry

3
T1112

Install Root Certificate

1
T1130

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Impact

Defacement

1
T1491

Tasks