General

  • Target

    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9

  • Size

    219KB

  • Sample

    220124-a3333aghcn

  • MD5

    3d57a5f5b5cf01b8ff1867d8a004090f

  • SHA1

    5cc7fc1da338ec10ae1d59b0296697d57cbc21b6

  • SHA256

    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9

  • SHA512

    8a71c0d733738a6e2e3ea1fcb939cff18619a5733866b1ada145af4a14a597f494352a459d2212e2fcd8873da4d68bcdd972fe4de7339625ce8ebb29ebef6253

Malware Config

Extracted

Path

C:\ol215ll-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ol215ll. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A3362DC28EB2F3A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8A3362DC28EB2F3A Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Md00XppC313bRFkPTNxrwcwDuLNuLaM0N/mTGJtBAJVxUdjMaO6kiXP6Sirn19Zy N242YKf90MlCujkjg3mGSkC4jj6pCo7gKjZfN+v4v3hLoL3FtY6TW1fKFbwy3QYB gTIMbxrNNV+9hwfOXI7NnzWRJDIZRYHI4fE1l1/T9978dpkq/sTU5b5wpAzp/9TI Eb7RM0c9U+tf5eP9OE9iAo5l+/1Zr0FUSeYuTnPEqswBc5mVFG49m1VH9GrpdT0n ll5wU3HR/mSWZbndTuPoXMrHHfl9nbsOB0iui4SNMMzrET8tGUF3bsJIbIgv3hrj mZPIRbvsiLnaZVjAa6kfDwdE7CCSVD8dJmOGIv8GsqAjpfxCq/eiSRSYoG1NwcQy zBIETxWWwP0e2vZyy3Gmr5jBGTRiWqAbNZwC2GOi2TcOiQkjwHiJ6y1rbRjfhAm4 DAi+vVj8uT2+AsZNKx/9dWwDkkXiKLPxGpeaqCQ1jVSai9GfgbVH4h61y/3BRLCr wofgWxRKJJc44P30+k7BWzNRCpjEvLBcLd0CmJxrVFysBbfgBVRMYfjcEyzLxppI y0QqrjJcrRrSPWFeopgVWMyYfr4HIHxlpQ0IIPc+SbWQ6WJ0KzusjXaEUHIAg7UP C9tcEmza8fHsfBWE2dhr1adBl7BIsvUHnd/1StLd2puRv9eeY4xDZalU4MlLt6pb xSl0ou1rQlTgrUcLRCjCfQr9wkqLk34Zr9Dq/D/Aacj1o1NWR2I6E57Q3WAP56NU Qk9p9GIRPhyCoWl24OxV2/lGvREIdly83ZVbMGQS8MoedTselbUGlbC0C1GkjH3G OxuOiK31qC7L4bS1wIr1sLG1bI4jz5y1Jeb+M8UQH8WPnYUi/QKddEf2XurRkqXv Z01sdSNmW5bfQqOlXOVFTyRlZJqy/TcQDI7q9Jy2HtEHQHRPt3Z23xTTSW1ctwmT 0ILg58Y33byoXFrMVl3fdElS1vyqHrELR5dC5WJM3ZlK5g9txH2CMMDgBiu5utnO gg6+nUKQhxy3Z8NkysIKQKIpuTY3GnhBYZNmQGRigJ1Z9fW266BdoCQZg27XXVNz dC8vAeljZKnHlIgbRR9AfFYsyuRLmToyemNO+qhfXdOkHrAPxq0HOGkXq/Y+teCZ 5Kw= Extension name: ol215ll ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A3362DC28EB2F3A

http://decryptor.top/8A3362DC28EB2F3A

Extracted

Family

sodinokibi

Botnet

19

Campaign

96

C2

Attributes
  • net

    true

  • pid

    19

  • prc

    tbirdconfig

    onenote

    sqlbrowser

    firefoxconfig

    ocautoupds

    ocssd

    thebat

    winword

    mspub

    dbeng50

    steam

    sqlwriter

    sqlservr

    msftesql

    encsvc

    infopath

    mysqld_nt

    sqlagent

    mydesktopqos

    synctime

    wordpad

    powerpnt

    outlook

    dbsnmp

    isqlplussvc

    ocomm

    sqbcoreservice

    oracle

    thunderbird

    xfssvccon

    excel

    mydesktopservice

    msaccess

    mysqld_opt

    mysqld

    agntsvc

    thebat64

    visio

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    96

  • svc

    veeam

    backup

    sql

    mepocs

    sophos

    svc$

    vss

    memtas

Extracted

Path

C:\9xnclf6w84-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 9xnclf6w84. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E655CC87A1E5C655 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/E655CC87A1E5C655 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 6CLit9AOj7mOMAF4u17qk4DAaffM1jwr/ddCQ3BvK6MPVf//EFu0NGfErxPLPVUE ZrdyxFWP6tJX2ku1ISJQql6zV9qAmLTYGffsVbugsw6lmZ8IKlA982Mu3PSg5zXH /SGp/7hZjwiYNn81L6KRbGaRVcITNWimavfSoVFLRdgl7cwWWdCEKoNZkrJIuFZi +hMda9Q5A2+srH0BoIUUxONawVTVIGlH1xuO9Dw74h3Z8TT8MZR+NthEoPJZyvzY iUOyagdIpRueaOw7PE7+quFrgSyBeGNWGxc6U7alNkx6G2oBafoPZsDgifySJf5O i0ynAbMHyqFZkBN7Qsfm+4FvDpcia56B41I0WHLyCyxAnoiGZmEIB8IIH6TGcmQl Vwx8kd+k0QKyhHtcGq9Tls1LE6/MV6qrfFBmLxR0wOCYZcZ29BTGel5B9WOLchwN c6V2cKzKHFxTwmvG5beK8cwYcWz83Hcw/j71amu6yyEhp68Yo0MZs5VUkSF16LWH e7hSNx+jmmMGqbZF1euE9IEhFax6qEPA1RYuR0HEJioi0clm9B7MBOS7chwD5QZg 9iINdZvnUrUkEiDwDZfsnPTpnwgAS89HQwojtLC7GROUTgSfjeS9biDxB13lQ4wm VBApMl5iF5eQH5CMmPvUYgP2dySF4GIsuQ4mXzLWd3Eqd4w6cNGAB1w2Sm48N4YH ad9M6ZiDBaHAlh0MewLztwfWoxbX2Vuu74udqkKWoLIX8BmwMnsBjWh/amuhjbGN qdEcSSuzxwN2aNQHaSSJxh0bNyeS7rgoQ2ON6d/XXVX2+vCh2ULhvV1vn9RHcTGV F1IcJuy6hLdRGd18kg6kK1XVioMtrq+JyHd8znTL6rp955msRQQVtmWs+2SSdX1i Z103ZDWZQF0OiZLYNW4FqvqInzVwg9FzhPUF+DaR1Az4pmcu2F0h8P20GO6EtTF7 YV+jFNvCRk7WMLKHmQ3vfDhPl1MX9/l3N8XSYmsAJER1Jd7FIUc6NxFDE+YpqdXy XMCeH0mSvoWGglsPCIRU5D+XN1aRLn+x/VF7U3axnfIcyKcrslfmenxKJHpng6pp 4deS8TgX6r9WcvdgpBm39X1Hw/UJDH3XqlONaBR2H8dJPJeJqmaO3/DcYAUYemV1 Extension name: 9xnclf6w84 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E655CC87A1E5C655

http://decryptor.top/E655CC87A1E5C655

Targets

    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread and cause damage.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi/Revil sample

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique                        Count  ID
  Persistence        Change Default File Association  1      T1042
  Defense Evasion    Modify Registry                  3      T1112
  Defense Evasion    File Deletion                    2      T1107
  Defense Evasion    Install Root Certificate         1      T1130
  Credential Access  Credentials in Files             1      T1081
  Discovery          Query Registry                   1      T1012
  Discovery          Peripheral Device Discovery      1      T1120
  Discovery          System Information Discovery     2      T1082
  Collection         Data from Local System           1      T1005
  Impact             Inhibit System Recovery          2      T1490
  Impact             Defacement                       1      T1491
