General

  • Target

    Counter Fuck.exe

  • Size

    166KB

  • Sample

    220123-d28tpsefdk

  • MD5

    9ecca170d0515fb14c8b78302b8053e7

  • SHA1

    2b498759c83f05beda20adc991be476934ea0fa8

  • SHA256

    ec0c653d5e10fec936dae340bf97c88f153cc0cdf7079632a38a19c876f3c4fe

  • SHA512

    fa433c9712a8a247825d85c950f9754ec83dbf82fa5f86a2b637727362f22fcdc68cd59bb3845e1d6020d7ce5133a1916b5af0b1ed716bd6d3a696353d2df8bb

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$MUwxRViZCSwLY6HvwvjpGeXWfnZJt9BLxkoeaBHnqp0pYli.hwBXm

Campaign

2655

C2

teresianmedia.org

solinegraphic.com

executiveairllc.com

devlaur.com

abitur-undwieweiter.de

transportesycementoshidalgo.es

triggi.de

mymoneyforex.com

jameskibbie.com

mousepad-direkt.de

finde-deine-marke.de

garage-lecompte-rouen.fr

jakekozmor.com

littlebird.salon

cuppacap.com

bricotienda.com

kingfamily.construction

4youbeautysalon.com

artige.com

kevinjodea.com

Attributes

  • net

    true

  • pid

    $2a$10$MUwxRViZCSwLY6HvwvjpGeXWfnZJt9BLxkoeaBHnqp0pYli.hwBXm

  • prc

    mspub

    synctime

    sql

    vss

    winword

    ocomm

    wordpa

    xfssvccon

    powerpnt

    msaccess

    outlook

    dbsnmp

    sqbcoreservice

    thebat

    steam

    visio

    onenote

    mydesktopqos

    infopath

    oracle

    encsvc

    dbeng50

    thunderbird

    ocssd

    excel

    mydesktopservice

    tbirdconfig

    isqlplussvc

    agntsvc

    firefox

  • ransom_oneliner

    All of your files are encrypted! Find how to decrypt {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2655

  • svc

    mepocs

    backup

    svc$

    vss

    sql

    sophos

    veeam

    memtas

Extracted

Path

C:\How to decrypt e7p080fz-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension e7p080fz. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ADF03A5D1C57C605 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/ADF03A5D1C57C605 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Dhl0mOckPCWsBAI6U760n/1XFenFM/oFyUqDz0QMGHRr2JiUmICEEAME7fGr6Y2D kUCM5plJwSLtApuolAPobIY9x1xACvsO08ZBqztUOgFBBJFT/m0TQ6DxkxLD4zN0 EJIZaoP1UytvEQPzPTkM/XHSNNfe7sVRkJDEYYBjE9vyVNUJpH9Z5nLpTj9JBNdz zxs5AjAow7L0LBctlSJnsPej7M5yFoew40Z3Mv6mHOZdV/kgWBg65zgW/CYbGJrg 5O3ffdLUSWu5KLWkAJojiC7U9EpvO8Hvg4/UNM9hM2kNqwiFX82KZ/KWwpdlJ2Sc UqUmPcthHZJD/VYa9dBmEekEcLOePXBVVm6X8CFl+2ygskA9LAcA/WFA5dArYDE2 D6+C7Y7mLAhXlXTTWBWx20RaH/tGj7LBA2LKHUtevNKoH3gGOm+s+fAdEbfcJUWi 4IrtifL6JzpjoBEiYeVBxAQL3U2cmZM07IJ+RCKqqu1CA4YzEGRGcp9mLKmAjsD9 RmeDfJDNJ8o9SHfuWtzyyPJGoQ/cAl8F9Lx2MbTBw+OmrhQ+sRWJLz8NBKysm4qV 9P5UxHP8U+RDdlRqnF6qnL8Xi3sdV/jXvBJCWvGrGIQ0hVkaS+4dJZlfHZkLoTtt P1xywwFrFyrkUkhImbOQwfxNhv9kIUgKZP2JS0QATxk9Kv+IVnREXFI+jCNLkPNu F5eILW+5ish82B4H6dpl1tNyiGcFuqvXGHJ4CjQrZOEKGVdwg8IwVi/R1kQlKy8X gBavsIjG7orlVy7H47tF75H20tGFjyX457glK+zgX9CwLcur+uZYxEdUvw/k6yND 20QXcKlIcWrf6nRK4fQDOaKPIfL4fGDdQobEUcs7YBIQ3Z/2T30O8xZORS1WVXpR dJs+WPfeWcRtAyLii/cFwgL3da+AmP4V8/ow6pQegZ6D/2neJ0f/M5JPhPdf4fHx bMP49ZamBILAVVLK4fc0ILTG515OGpITLDQCkirXkqDYjQxRMcVEFB7NA93Dwhcu OQ2ihkBYtFAXqVsurEvWNxZshgUpuQwzjpT8ieX/1uyFLGuPyZD27BxXxeCz4V8e 2IGJzsdc+WfSs3o6N12CjeIip5sI5NNwXOqt3nmD9bSI4u4lFhiXsYfOxYrHASwf 6+EvayaYuG94ume0ot9Hi/47v7D76c02pJ9eWRbUfX+m8Uuu749T/awoklV4OGnJ k1xq6Tuhn9EE+YHNk3fao5DDeIOiwGcFmwpBJbv8H6qo6CbZOmOiQ5BCtlY/F3Jq 3vfEUiB7CEkL0m9FfsEZu4z6fuHsWbVFlk5gnA== Extension name: e7p080fz ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ADF03A5D1C57C605

http://decryptor.cc/ADF03A5D1C57C605

Extracted

Path

C:\How to decrypt 431d5a88ao-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 431d5a88ao. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5409A1A0DDD4308D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5409A1A0DDD4308D Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: TjhQ1NjhiIVtpsYKAwMPXrLIHg/THnPbqRutRF5L5/fMjA+J2/4pR1pEMsjO6cVl bKq+P4oBMBTuqTiQUmRktF7A4/7oUHhH6kPy1WH1Ax1AH76Yt60yMjNpwHso2F6x 43uSD91t/G/hqq3wIEy8hDkP7Nb6C6gBk0OcdZpMLGyWmzhlQUW8561s33kQiyj6 m/c0EsIu8aVcUaLIzQ4uuVb5gMSWWd6ZB0xRsSjVaq3mWsHDbkaqQs7IaWUadQjL 1XkuHNVTrQ6dT2uKWmlhZUiFV/wtRHdCLfItM07tu6tflThl1EzV9tZDcPcfI9zi N0+/v/P+Lwodv8G4ZX8REKCnkp8L69qMCR7wOMLxKXj++OoK/IXKHzlLk6g7Rv5G qUQL4m2KxZZO7ZYEkVT57nWeYWDfjrHlQPdoIAwdySS2bloAB2dWp2puK6CNxXZW 7v0wai1P4QnQDBclNeAbp+klpsLvDjgCcvusoy7SLadw8QIsrglUXzMRCCbbxzvC aMCRj/qp9IQRqP+8NwmsYE0uTuguYbuYuM1kDEHktXYbqKBG85V61v81PnUI0faW l7Fqq6suNXYK0VYybpNYEz9iVbvwz65kmZ/tk1uM0Py7aTGpGd+xBuxsKXQ/Ilj/ IZeArO1K70lgxRt9/Fo2CGfAvs5CKN+tUXygKm6PIfdeoKrnkAeR+NUyLZeCfEyz w/yvJ2lDzpsge2eQWqNXzZqp3QAFlGAcSSLC34z87ApdQ/xxE5FAUVTc38Tw4RqA pIqNSued2oUANkbISbFaPqg0ppxcEjm4nAADRkKFnFukIKmoNhCe6rqNf2SLUYiM uoMfF2Rl03pE2i3dV4e7VCO5pL/jsZpo4XUv0wX01Uba9aBGrypDequ2++a4Tq56 T3ggqRapwE6nO7eEplrnigR18GsFehzyXNtrUiG/tfPAWuDWlBJcSH1Eyrw6DyVV 2XAvR9SdNJ8sKLeGozN5ZKX4k/YclCMz3hIC67DdQ1Z8N/VQWwJ1gq8xXomEfsWr 5kV+ORmcVdSTT7SEEb5CozDuNCtGILZ/GLJw92Ap/6GohAq9Uz26cU6f9Svjv1HY EAmJtE0aEu30SnV8zJ9brg4OYuK4GdK3FFEpWFOxJl2GEJgvlDMksslZFSs1BJl0 EN0PZfKIqloecU2kwE5RMvZI8GtGAZWltIrT+eaoPm9Hf6eqD14uSG1TROyF0zQf 6S/vTeclOjJxOOGANTSVfpaWRuEpa5akQC9ByXUl0DAKmjr+g/Upjne1nNDVBLWy j4wwTVgt/Buk2AsOsiRFovS3B6wEeD4a Extension name: 431d5a88ao ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5409A1A0DDD4308D

http://decryptor.cc/5409A1A0DDD4308D

Targets

    • Target

      Counter Fuck.exe

    • Size

      166KB

    • MD5

      9ecca170d0515fb14c8b78302b8053e7

    • SHA1

      2b498759c83f05beda20adc991be476934ea0fa8

    • SHA256

      ec0c653d5e10fec936dae340bf97c88f153cc0cdf7079632a38a19c876f3c4fe

    • SHA512

      fa433c9712a8a247825d85c950f9754ec83dbf82fa5f86a2b637727362f22fcdc68cd59bb3845e1d6020d7ce5133a1916b5af0b1ed716bd6d3a696353d2df8bb

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks