ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9

General
Target

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9

Size

219KB

Sample

220124-a3333aghcn

Score
10/10
MD5

3d57a5f5b5cf01b8ff1867d8a004090f

SHA1

5cc7fc1da338ec10ae1d59b0296697d57cbc21b6

SHA256

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9

SHA512

8a71c0d733738a6e2e3ea1fcb939cff18619a5733866b1ada145af4a14a597f494352a459d2212e2fcd8873da4d68bcdd972fe4de7339625ce8ebb29ebef6253

Malware Config

Extracted

Path C:\ol215ll-readme.txt
Family sodinokibi
Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ol215ll. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A3362DC28EB2F3A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8A3362DC28EB2F3A Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Md00XppC313bRFkPTNxrwcwDuLNuLaM0N/mTGJtBAJVxUdjMaO6kiXP6Sirn19Zy N242YKf90MlCujkjg3mGSkC4jj6pCo7gKjZfN+v4v3hLoL3FtY6TW1fKFbwy3QYB gTIMbxrNNV+9hwfOXI7NnzWRJDIZRYHI4fE1l1/T9978dpkq/sTU5b5wpAzp/9TI Eb7RM0c9U+tf5eP9OE9iAo5l+/1Zr0FUSeYuTnPEqswBc5mVFG49m1VH9GrpdT0n ll5wU3HR/mSWZbndTuPoXMrHHfl9nbsOB0iui4SNMMzrET8tGUF3bsJIbIgv3hrj mZPIRbvsiLnaZVjAa6kfDwdE7CCSVD8dJmOGIv8GsqAjpfxCq/eiSRSYoG1NwcQy zBIETxWWwP0e2vZyy3Gmr5jBGTRiWqAbNZwC2GOi2TcOiQkjwHiJ6y1rbRjfhAm4 DAi+vVj8uT2+AsZNKx/9dWwDkkXiKLPxGpeaqCQ1jVSai9GfgbVH4h61y/3BRLCr wofgWxRKJJc44P30+k7BWzNRCpjEvLBcLd0CmJxrVFysBbfgBVRMYfjcEyzLxppI y0QqrjJcrRrSPWFeopgVWMyYfr4HIHxlpQ0IIPc+SbWQ6WJ0KzusjXaEUHIAg7UP C9tcEmza8fHsfBWE2dhr1adBl7BIsvUHnd/1StLd2puRv9eeY4xDZalU4MlLt6pb xSl0ou1rQlTgrUcLRCjCfQr9wkqLk34Zr9Dq/D/Aacj1o1NWR2I6E57Q3WAP56NU Qk9p9GIRPhyCoWl24OxV2/lGvREIdly83ZVbMGQS8MoedTselbUGlbC0C1GkjH3G OxuOiK31qC7L4bS1wIr1sLG1bI4jz5y1Jeb+M8UQH8WPnYUi/QKddEf2XurRkqXv Z01sdSNmW5bfQqOlXOVFTyRlZJqy/TcQDI7q9Jy2HtEHQHRPt3Z23xTTSW1ctwmT 0ILg58Y33byoXFrMVl3fdElS1vyqHrELR5dC5WJM3ZlK5g9txH2CMMDgBiu5utnO gg6+nUKQhxy3Z8NkysIKQKIpuTY3GnhBYZNmQGRigJ1Z9fW266BdoCQZg27XXVNz dC8vAeljZKnHlIgbRR9AfFYsyuRLmToyemNO+qhfXdOkHrAPxq0HOGkXq/Y+teCZ 5Kw= Extension name: ol215ll ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A3362DC28EB2F3A

http://decryptor.top/8A3362DC28EB2F3A

Extracted

Family sodinokibi
Botnet 19
Campaign 96
C2

Attributes
net
true
pid
19
prc
tbirdconfig
onenote
sqlbrowser
firefoxconfig
ocautoupds
ocssd
thebat
winword
mspub
dbeng50
steam
sqlwriter
sqlservr
msftesql
encsvc
infopath
mysqld_nt
sqlagent
mydesktopqos
synctime
wordpad
powerpnt
outlook
dbsnmp
isqlplussvc
ocomm
sqbcoreservice
oracle
thunderbird
xfssvccon
excel
mydesktopservice
msaccess
mysqld_opt
mysqld
agntsvc
thebat64
visio
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/{UID}

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

{KEY}

Extension name: {EXT}

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
sub
96
svc
veeam
backup
sql
mepocs
sophos
svc$
vss
memtas

Extracted

Path C:\9xnclf6w84-readme.txt
Family sodinokibi
Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 9xnclf6w84. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E655CC87A1E5C655 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/E655CC87A1E5C655 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 6CLit9AOj7mOMAF4u17qk4DAaffM1jwr/ddCQ3BvK6MPVf//EFu0NGfErxPLPVUE ZrdyxFWP6tJX2ku1ISJQql6zV9qAmLTYGffsVbugsw6lmZ8IKlA982Mu3PSg5zXH /SGp/7hZjwiYNn81L6KRbGaRVcITNWimavfSoVFLRdgl7cwWWdCEKoNZkrJIuFZi +hMda9Q5A2+srH0BoIUUxONawVTVIGlH1xuO9Dw74h3Z8TT8MZR+NthEoPJZyvzY iUOyagdIpRueaOw7PE7+quFrgSyBeGNWGxc6U7alNkx6G2oBafoPZsDgifySJf5O i0ynAbMHyqFZkBN7Qsfm+4FvDpcia56B41I0WHLyCyxAnoiGZmEIB8IIH6TGcmQl Vwx8kd+k0QKyhHtcGq9Tls1LE6/MV6qrfFBmLxR0wOCYZcZ29BTGel5B9WOLchwN c6V2cKzKHFxTwmvG5beK8cwYcWz83Hcw/j71amu6yyEhp68Yo0MZs5VUkSF16LWH e7hSNx+jmmMGqbZF1euE9IEhFax6qEPA1RYuR0HEJioi0clm9B7MBOS7chwD5QZg 9iINdZvnUrUkEiDwDZfsnPTpnwgAS89HQwojtLC7GROUTgSfjeS9biDxB13lQ4wm VBApMl5iF5eQH5CMmPvUYgP2dySF4GIsuQ4mXzLWd3Eqd4w6cNGAB1w2Sm48N4YH ad9M6ZiDBaHAlh0MewLztwfWoxbX2Vuu74udqkKWoLIX8BmwMnsBjWh/amuhjbGN qdEcSSuzxwN2aNQHaSSJxh0bNyeS7rgoQ2ON6d/XXVX2+vCh2ULhvV1vn9RHcTGV F1IcJuy6hLdRGd18kg6kK1XVioMtrq+JyHd8znTL6rp955msRQQVtmWs+2SSdX1i Z103ZDWZQF0OiZLYNW4FqvqInzVwg9FzhPUF+DaR1Az4pmcu2F0h8P20GO6EtTF7 YV+jFNvCRk7WMLKHmQ3vfDhPl1MX9/l3N8XSYmsAJER1Jd7FIUc6NxFDE+YpqdXy XMCeH0mSvoWGglsPCIRU5D+XN1aRLn+x/VF7U3axnfIcyKcrslfmenxKJHpng6pp 4deS8TgX6r9WcvdgpBm39X1Hw/UJDH3XqlONaBR2H8dJPJeJqmaO3/DcYAUYemV1 Extension name: 9xnclf6w84 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E655CC87A1E5C655

http://decryptor.top/E655CC87A1E5C655

Targets
Signatures

  • Detect Neshta Payload

  • Modifies system executable filetype association

    TTPs

    Modify Registry, Change Default File Association

  • Neshta

    Description

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin, Sodinokibi, REvil

    Description

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi/Revil sample

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    TTPs

    Defacement, Modify Registry
