General

  • Target

    seu.exe

  • Size

    6.4MB

  • Sample

    210506-hyr8xpbnks

  • MD5

    bd3c693ecd17dcd9e60b08ab963121de

  • SHA1

    3480a1dbc4bcc1bb06a7fbdc82e892ec5ba3d6ab

  • SHA256

    8bd2067d088dad4df24e11244f5b72ce1fd22b686e2ce9ba6ee8711f8f6a836d

  • SHA512

    88a6cdd1435c85b288cc37bd6f15b82fe8619e00f439a0bf5f3411fd171a4c84a0e1e7c34261f7510dc2f92af3c14323b97e2efc47fc78e61b6db4d3865eed46

Malware Config

Extracted

Path

C:\8342kw-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8342kw. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C4EE920676CFAC51 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/C4EE920676CFAC51 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 6np6+IWq/QdQlzdRCUpKVtiUxUEb5iPvumsTRFvanTGiRaZGOKGJRpuROu5lGL8F WKl87bo/FgNf76UqhXpTH/APuY6exSDJ1fKOr//uJvoAsAGkwdzc6umI208dje3s /dKz7KrDy4t0MIMjVT43ADcGBHWYQ/yHogQAqdzKQfkCo/nQY1g5F9ies+wXcvFH u9iCK/75ZHelz/MfLT7TzTnIMYQuKpyBpjxyzCb6OXFu+6E1djBpWLGfaaRLLfCh XxeNB8hd1o+Bfx7wfYji6t/X/zMdEnaoVvI8yxfR6e0Giy9sgZywfibktM6ID4nj cyc+Y5woqO1NzxqydRJGM2sArb5fhRY8rat0iHPHKTmxtWjQpdZD/6hh7JknwVbn JXiKgPSP/trC99Y76wyHy/tfs+u9V1T4eCQIDeZFeG+yQ28redDQeMbzQfIRUNLj L9Gx+q2JOAYoMupcPCO9BZAGTOPwvinuxj1RBiZQ38D1e2/D5xiADzDwsV5XNx6b uZtohhFqyH+NToC+VgvWlxhLNlc33tkkd7NTaNfwvnyFFC8OrA7DC3XrVeIkvEvS /bnizrBw37YiLapt4zJfqYsq4KxNDdedRDwVZe/AMazX8b0uFHauKU7KjqtodwPj 0VvEWEApO5rbfbVGkp2avfwv+zjwPvA0W6t0W/qfQqRijPv3d8C7LwL56IwEoZLC f9aX8mpe6AwAhuMzwE4S6RxXQGZ7iQtfjIsEO+urNw45UlgyiNTyFRPYXrukgqLO mPwPJm52OGpOYoUqQLKRL4ASJC7NZmwzeQNczOWUj2HRZCfYLpqrSgLCl8OZIrz2 C5vf55sAWl3kj0IkkQ/fYWqzR060cI3CRubFVMVOGwmynovSmReSD4ep2vln4j0R 4EYNm+vgZnxUCHwjoQiVx7rilGh10iIu24t2yovu6Qz9KNkL3HL+kmrPKkVikUll QELw5rqRbvIvBgpcfZxIPZhFk9Ssr7nMIqehLdBq9adanyh+g2B51GJnl6JQzw5d HdNW5aRk+mY6jTiLLC/M3V8s+FEuCBaaqivXT1H+WKJDeKPXz4Ijop9TeiXTfjHC iiGUpFkbaH1cJAth/qGLHDXlFQZBQPvlsI1se2X7EjguusU0fqJ6vahnbjiQpGKf rq+GfwAtfq+HkoEqJqZ3pqUE41kcy82UUxFz0hmGKUe5HF4rID3j+vSvbXBt+ND2 aTX+XNV6CB0gYgQ7kp26OFiDa4AatAU6QNy+9vVJIYpsBU79ISSgRjVC2JD0NTs2 EaaRR5+0 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C4EE920676CFAC51

http://decoder.re/C4EE920676CFAC51

Targets

    • Target

      seu.exe

    • Size

      6.4MB

    • MD5

      bd3c693ecd17dcd9e60b08ab963121de

    • SHA1

      3480a1dbc4bcc1bb06a7fbdc82e892ec5ba3d6ab

    • SHA256

      8bd2067d088dad4df24e11244f5b72ce1fd22b686e2ce9ba6ee8711f8f6a836d

    • SHA512

      88a6cdd1435c85b288cc37bd6f15b82fe8619e00f439a0bf5f3411fd171a4c84a0e1e7c34261f7510dc2f92af3c14323b97e2efc47fc78e61b6db4d3865eed46

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Impact

Defacement

1
T1491

Tasks