General

  • Target

    c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251

  • Size

    247KB

  • Sample

    220124-bfannshbfm

  • MD5

    04d97184729b092f1d795778caec8927

  • SHA1

    ee0a24536a64ed0803502501d6d6a1e336213063

  • SHA256

    c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251

  • SHA512

    c7cc2ec811f73c8b844281d689bfad03c89df321478e2cf2b4c3f0b46371bebf430349f1bfd8572d2588681189344b5b90e8a8b168ac3ac7c0d84521db1b23ec

Malware Config

Extracted

Path

C:\96u871fz-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 96u871fz. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/349C731D2845E903 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/349C731D2845E903 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ASf1Q1dh94sz0k+kW0fy6v5KZV8UUPtagk4znL1yBbfhn4AmI17CxF6XAuL/cB0l PBDmsx0nDwND5gvlBh+qvDVR3MoIz4ps+1EGnbZrH+NkBpM6IfnBTutxrJ43nMD2 3amIyPydHu5Z7WVr69sn7lg3O1scKNnco7uOujnv9etlHL89XR52cJfZV4Iv+g7T y0oT2MOdrTgndoG7EluhsnTGbtVlx4itXoCmbIBby4R/B00HU7cUOe8IB68y/xIV iuGAf+E1UKKLApXDWyQ0nNdUz1MtQo/Jf1yq3sYYyvMBRnPLKZKuUKzcO6DQjKjA x3929jbp3CdaXZStNxT5JXP93HlbhJlyODbtEevYQ+s9wuQBRqf+ktEQGHcJI1TB EooFICZO5YXaqMl96e8mn+O3oVgk141lSA+dq43VbiDZW3krxmP8eE/W3MLPY70H LbtWiYSyzNdtPpSn2jc2awVAYqZsgfdNLdcyS4rIiaBkfp9q2g7fmXtfxZLOG1dP AZwf8rXCArWeBIhpxptiRdA9v1AQVIVA7Dx4e5qMtSESdthPEp9ciJLQSSPm0uei 2iFD3M2EGw3LrPwb50hynGNBPB9InJPTcUzi9IY3+moWZBSJxOwCSkFr6TggSEI2 +lXMI6G17c3HQRC0s5kV2WSxbuuV8J7FeITz6kDPpclIULh0OwahII8FQzjLNKQq /XE6QyLicozf10j9sqCo/b1qEua/AONk/LS88iP/rcIRZlWAyagwe9EH5lDenOgx 7vyv0lPNpZhoTpZJnGPIpxoKOIJSkj8EIpYpDf/eeKFUXr9QY2FRH91+qc7Nf5bv anvs5Hulhnvm/U1m0KLaDbe3nsvTJZ0SjuC1t2rJqOwF1+yfoJVbFyhYSAOvRGwe O3KYwByXtgesV5XGKP9t6JsUaUyFmpoMaAICU+77PsoejOjUPQGY+BcIyMaMdgLO q68kdPq1ufeIs7Ma2gPmLNu/P2slzOwol1iOy80uUsQKJL78iHObqZQmOy/Rwvza jQO40Wpq/ex5KahFJiEJWt+HoIkbhEbNU7yXDjvGDKmrsKxdNweA65Nup0KdYxI4 zsUh58h6xWE84Yr9ix80g8CeHJb5vukoZflcQmERjKMzdMdSWZE2J6e/ARZUSCcY iSJThRSQ2vqoqHV0H+R53LSc322d6QXC1qDhYoZCNNdY5aF7qySdfCb6iZ95YMO7 W3TXEi7AdQxUdP2gMvK2J4CV8LIvoW6fbBQPf33AkpOM9k5hn8Kd/azzoIMBDUqr Di2vT/eYg3VCHov8nVfzLXAZA474G2O8deeVCw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/349C731D2845E903

http://decryptor.cc/349C731D2845E903

Extracted

Family

sodinokibi

Botnet

$2a$10$ZGqIY89Jar0DY9/9Hnp6Ku0nKqXP6FZH6TuF1uc0S2.QEFDPiJ9LS

Campaign

2866

C2


Attributes

  • net

    true

  • pid

    $2a$10$ZGqIY89Jar0DY9/9Hnp6Ku0nKqXP6FZH6TuF1uc0S2.QEFDPiJ9LS

  • prc

    isqlplussvc

    mydesktopqos

    ocautoupds

    thebat

    dbeng50

    firefox

    tbirdconfig

    thunderbird

    synctime

    powerpnt

    winword

    mspub

    steam

    sqbcoreservice

    encsvc

    onenote

    oracle

    visio

    dbsnmp

    agntsvc

    sql

    infopath

    xfssvccon

    msaccess

    ocssd

    wordpad

    excel

    mydesktopservice

    outlook

    ocomm

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2866

  • svc

    memtas

    mepocs

    svc$

    vss

    backup

    sql

    veeam

    sophos

Extracted

Path

C:\t0qrpg42-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension t0qrpg42. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1020560E2095C69E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/1020560E2095C69E Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: vapYXqEwOSZa0z6oHPUwDpUuwVatYAvu4JA/ueYOuHX2RusVEBwQpiVeixFR1RzE CWRb19paBHCxNjZ2tYIryn0nmKd9zYq5wT/dpQR6Jjl373fgeXWGnTzlNmVSlBaO uir3bFUR+QK+EWCmCSCrq0PKyabz5O0oBtkqyA+yz4qc7dWrsK6ODaloLL3rBxEE lDcPuicx5Jm/cbyFWye2bFEyc1pGtX58FIaOfbkZRlZQV+JOELZ0PMi3yNBHVWBd op4zHXjOqb/jjalbBhDQrTdxWG9sDaVfDbo6o5KxQBT0+WZ4jLX509THPFNx23Nb g4ZIagVpjIb0efQ3E5KRGA1YZjftamUJ5+Jmoj2bUugwb1IFcDyFX4WJgXpMMa6C McZHI3u2kov+VwJg1mIMV6Ji7TyAI90MAWxgf3oN/hox+8ZzwOkUJKvmZbIgSPN7 Fhv06R+EaYuP2T6NEcMJEMiuMXct8oqKVBqUub3y8fKl5ITW+avicZE+JgVORC1v 08LfRMpIhtDg+ytqT8KCF1l+3oMN09o5KIUCWJ2QZ/KSDW2i5unnHpHUprja9ZJL WyPPrAPQHdARg2aOxroOSY+JazIT4HSQnN1prBTjhD6GLWX29CRvdct8dZLbK1zu cK+3+ffKhzVVHt/rJAqIOOIK0pth5XRFb8MB90/NcMcGxklUh//NZIXJ7kOl+VGn 5Ee6KC6R8P1pwGpP5TC7NUfJLvHnC17dgl1ddVgtsXD5t8LfjpssuQ8amrYw0zx4 6EnATpp8Gx+XGIU84mFOyzMzo8WRiRLJHE2Ho43Z/e3akGvc2kLHBup8hGhHFA6q OlUbxjaFhYdMkWP4QVHiDT1JtScS1UEdnR24HnAfm2dAZMd8w0OHLBNtEs+J5o08 7D5YNAgIuqRDTd0nEHiHG9yePcc8ZGmQuGNmGKOBNcbDAsoTLtPzAC4mNKFU2tpu NIjE2Msum1EqYz1d+qF0XYa3OCiKlS3kfuQZI92nPQ9+gMuLRU/yPbr5HZuGIDRf 8BhAjvuJEtABxiWzplbMRw2hSbpK4E7tlGep2TWJnDrnTPU7C//68w3PR7nJkiKU i/1uXagYxefQtb5WBgPdnCWyTNhpSHBljDlbXNEq780Goa/rWReGR5EkBuD1XorG nbXmUbLIG/JBms6OxdKxcug+i0HcQnG/HjjyzNTJyTVWNQJUdP8W7SYYGOYAOEIk 3b/0Co9UFpfUlRUeS+LDhyjJA5LmLSGWi2A6uVGwIZ6QoKTBuGH4BwvF1gqZTi1D 6QiQILFinhe+cusKNjH6cuPPbfs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1020560E2095C69E

http://decryptor.cc/1020560E2095C69E

Targets

    • Target

      c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251

    • Size

      247KB

    • MD5

      04d97184729b092f1d795778caec8927

    • SHA1

      ee0a24536a64ed0803502501d6d6a1e336213063

    • SHA256

      c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251

    • SHA512

      c7cc2ec811f73c8b844281d689bfad03c89df321478e2cf2b4c3f0b46371bebf430349f1bfd8572d2588681189344b5b90e8a8b168ac3ac7c0d84521db1b23ec

    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Tactic            | Technique                          | Count | ID
------------------|------------------------------------|-------|------
Persistence       | Change Default File Association    | 1     | T1042
Persistence       | Registry Run Keys / Startup Folder | 1     | T1060
Defense Evasion   | Modify Registry                    | 3     | T1112
Credential Access | Credentials in Files               | 1     | T1081
Discovery         | Query Registry                     | 1     | T1012
Discovery         | Peripheral Device Discovery        | 1     | T1120
Discovery         | System Information Discovery       | 2     | T1082
Collection        | Data from Local System             | 1     | T1005
Impact            | Defacement                         | 1     | T1491

Tasks