Resubmissions

06-07-2021 11:36

210706-czh1m88q4a 10

02-07-2021 21:10

210702-71mjgfl1kx 10

General

  • Target

    martinhal.exe

  • Size

    122KB

  • Sample

    210702-71mjgfl1kx

  • MD5

    c3afcdffa4aeeee56b80cf2fd3c9758c

  • SHA1

    e405c212107696a579494a67531ca5877956fac0

  • SHA256

    9b46d03b690bda0df57c0ebb8dae0aebdd1d131beb500242fa8fe59cb260eed1

  • SHA512

    3a984d836176b14d16ac0106c11ebd37f8d7343668e8156d33d74fc721e4224efadd1cc2ae22b3630bcf181eb077a55c571d9f670dd1552905e1fc4605b51346

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$wbJ/jJsirdrxyDAHiIWYae.9jY8aqWe/s.JXkf0rAbaiM8Pd52U3G

Campaign

8309

C2


Attributes

  • net

    false

  • pid

    $2a$12$wbJ/jJsirdrxyDAHiIWYae.9jY8aqWe/s.JXkf0rAbaiM8Pd52U3G

  • prc

    winword

    xfssvccon

    outlook

    firefox

    msaccess

    ocssd

    tbirdconfig

    oracle

    thunderbird

    excel

    dbsnmp

    ocautoupds

    mydesktopqos

    sql

    onenote

    sqbcoreservice

    infopath

    isqlplussvc

    mspub

    mydesktopservice

    agntsvc

    encsvc

    dbeng50

    synctime

    visio

    steam

    powerpnt

    wordpad

    ocomm

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [-] Whats Happen? [-]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [-] What guarantees? [-]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decoder.re/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    8309

  • svc

    sophos

    backup

    vss

    svc$

    veeam

    mepocs

    sql

    memtas

Extracted

Path

C:\spk4n3021-readme.txt

Ransom Note

---=== Welcome. Again. ===---

[-] Whats Happen? [-]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension spk4n3021.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[-] What guarantees? [-]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E18E5A89CD614942

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/E18E5A89CD614942

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: oIkSMUNsLFn24z/g6O6NKTvZrs1aTDXyG3V4HloY4oSBvNGUjIy4mIS/kjb2rOTI HXQy/ykPJyGM/VPbF39bEwmv4VySevLvVPtHd3170hCdeWTUQf/LXHbbigW4b2xn EuvHgrsuS9q09mzXxy7FZKmtVyaon3O4WMECGR+0ymrYOPeH66XnKsWdyRwDKUVG hcDju70ibYU3Rz7UoJiJtaJ6pwoIICCDhO1dp63f1hgar22tzm+MfkXWg7/LKghV RWo3wz24Zs5cLSSYlJsU5brM8WlxetGrYdGCrE9xDox+Zok3QAe85NVDvSMVlXLA zzeqf0quAldfh7w21hNBh+RBI3lyh4sNdf1q1zi3f0hyDD83q6SZISVB46WhKZOJ 5LlQKPRkMEf7VOpRDFxbAU9HwG0Q0PTz4LEItoZjSLwjvWP6/R2U83XFdmCCz5RH yE+NBZqt45FRWekMXiMIWCC7bB2Y7qLLbH7b/I3nvqUx8Rpk0nwgxagpLFLQp5kv K+JsQxAf8m1mcKoNT5Yj4Jd1WA8P+OKtUoNP5WHvMMasEU0owZR6hRK+QVxnEqSg FIupJv8C8jkY6NyjMxAlE5VlBrNrAU2Dq5HZBOEI+/4KPTXNiGheEsC5L7S5Jmks iRqk4wOC2ReaQ/AOf09sKWi0zK9FLs2FGprDuYx/ErVeD112dBHbFoTPSLuQ6kwX gXujQkgBBJfAQH3Wc29+afdkWGSh+37cswSN0mr3PtUT6Om6ayhjtj6oAh+iEQ7S wHR3N1E5CmQk7UOIETQ2nvVgkFOFIVBk2/1qEv+YPgkzXcWgg4CPVJ9e/Y5SSfxX JYNg0LKsWrK/3Ur6MTEtAZatZLLiAgdFx1s0iOJJnMmG7Lrd5c9xzhwBNflxMezc WbtA49bOUKmWsZooUSFcbPEs6g4pXjP3gNbEf1ylje/zSKVQ6BAb8Ebih5O55eyW PFb5pMZUFfeUGdlNy8ykwcOl3UCOskCx3X+a7WjaE5uiBP33ArZoXx4kF7HNlwm+ B6HftZw0fqOldiVlDaZnZLNvZsk58In6F27rWeVjQwdMDvsvMxXn4mdXiaMd/i/k C8fsq5eZd+ofC8jIVrMiEn03Jesf30XwP1ueH8Cd70VoE2two0x1wyJ0sCaSsPSn qoCbTKsDKjFq/cnIPey3GaTZjndQSWULel3rY2fDcr4oNQPrSrdTodCpowgBC8mC PKMenG37L/B8n3iqnI5br0fA6Xpu86PekjYwFRZ8PRfOWJ7qt5i/M8jyLymZmNCf dwVt2F2uIzJSR2PS

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E18E5A89CD614942

http://decoder.re/E18E5A89CD614942

Targets

    • Target

      martinhal.exe

    Score
    10/10
    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
