Resubmissions

12-02-2024 05:45    240212-gf6zrsdh5t    10
12-02-2024 05:39    240212-gb9vvsdf9z    10
23-11-2020 11:03    201123-a8azhvlqmn    10

General

  • Target: d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95.bin
  • Size: 118KB
  • Sample: 201123-a8azhvlqmn
  • MD5: 0e285f30f30dedd812295d2408f4b84c
  • SHA1: 24e8a7a0b9fdf929e6cc4b52b0470bf4f7b6f244
  • SHA256: d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95
  • SHA512: 0e89d41a5bd1389d74e661e8f9d3efedff589c2e64f444971e349436a9b6f191f0a0d6017a1e7c28d33be382600b08d00f9496ebdfcf839943d559d1a10a8503

Malware Config

Extracted

Path: C:\85510mi72-readme.txt
Family: sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 85510mi72.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DA7E20E22FD39CE9

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/DA7E20E22FD39CE9

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key:
BIYnuMne4/rjJvJ9sskQnqjUcfywBzLh5/oEwuX1ulV1gdcVcnRGmoEo8OAItYdv 4z9bLwHUXnBS/Awl+SzYHx5i+os286of9/deJlRq5CJ/kyZTKNzNZEnKUdX+DJOC nItU6pABxnBrpnB9G9uDPpQyIVPSdGmjVgYrGjw3lunefs97FjQvRxxIZqVQwtn3 Nn4AM6q9vtm0Nk0yVU/EKh9DI1bTR+X+sEIFj/bB0ngM543Cv9ZP1BKKtExWWr9Z ZgUSPTfBxvzarinKAeSQ7QcEmhMpCuO2UpnH1wKH9LpcjlBBIXf9P/yiJMfrGuij xLiKwmYvjPpg5yLusr41jcQSkp6XBXslAsIpv3zsfRGpJuoi/rq3Etm9vS20kXfN 3Rqt8CHT2mWAjCpRYFIRMFSA9eL9lQ+pwhu6WhmCmS7dqf6EAWzk9LK7EY7cJXOR V5u7IjWSN0fJ0DVGqq4LkPrG6T3JmGKaskcqHMP3DPsKKrQ57FROWCl4J/03oO2b R6G3PWMuumWhexjEF18Fq/zYQnIQFqZGnsBrlgFS7qI/ypONnW02BZJ91HwT5kqp caSxBtgMdC3rW05HPkiJBV6NVXg7FhzN0SILu4Vdh/r/LwtLpZv62FacYMqPa1FC x7AUjQLIIyfergnrLBfTDAvv001sxfwBlrqiHlEJi37OdFhrCp/g+ukk1t+UCrJv 7+JcDVxxV/N5gnKBpbO5/LaIddjuSVeTzWHxhyljxP3jTLvvmBlZZGYORmF2ePOk FLUKHyXdJkxNa419eR22X9Txgpdfci9U1tfvOnzb0Gh/Y2htR/pKUZ2j9ETsM251 /2Zk1l57vaF62qPlyI2nojozsgkA8l3AM/i85oFkn9X2grl8CYxGrQRCm8FXtCa3 ty+ovbnxZmjWHB3REKgRT5B2moj5ktZWdsHUx09l55QjyRYrDGccrCVkyB4Rl18U rWfmz0QB4iMhFIm8Tjnwy5dzf5TP1nriptimqGJt4pwdPWVTq4uw5+JOzEZ/or8C p7sFLnhG/6X9mHrNrLnMdc1RGN+sTCaFRYCrGUQgU93clQEcnyRfcRbv7WTWuddF +KXrld2tReaRDGyxrNd6DyaCAyQEIhX78CWfcAD68rm41w8X5v8aGVXVgTT1O6ug 4A18QLAW50eWaijrMJa7QcSDB6auR3+5MbGWCKa0xvBlRBOwhl3e/nkE2B79hsAC 4Wr6H9pjWAlWIx2KEIVtOLIX6HyiumZ1JX5FlsIkmJ6LTe13GLz4g7d1nRYSUbOx 2W3r6uAOhK2zNHsEMduuYahjl0NVtQ==

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DA7E20E22FD39CE9

http://decryptor.cc/DA7E20E22FD39CE9

Targets

    • Target: d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95.bin
    • Size: 118KB
    • MD5: 0e285f30f30dedd812295d2408f4b84c
    • SHA1: 24e8a7a0b9fdf929e6cc4b52b0470bf4f7b6f244
    • SHA256: d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95
    • SHA512: 0e89d41a5bd1389d74e661e8f9d3efedff589c2e64f444971e349436a9b6f191f0a0d6017a1e7c28d33be382600b08d00f9496ebdfcf839943d559d1a10a8503

    • Sodin, Sodinokibi, REvil
      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files
      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                      #   ID
Persistence       Modify Existing Service        1   T1031
Defense Evasion   Modify Registry                2   T1112
Discovery         Query Registry                 1   T1012
Discovery         Peripheral Device Discovery    1   T1120
Discovery         System Information Discovery   1   T1082
Impact            Defacement                     1   T1491
