General

  • Target

    a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30

  • Size

    158KB

  • Sample

    220124-bttnpsheg7

  • MD5

    3aef3009d06b0f41ac5ef79719de858b

  • SHA1

    a90e2f70158644795a4ed571dff27be032855a7a

  • SHA256

    a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30

  • SHA512

    08dd0e50becdb2f55270864f7591971b809f82c5f70dff3d6ef78e5d4282ef9f42df190acf476a63f94d40d1e413f607cbd474e741030462a54ea7a6e939f305

Malware Config

Extracted

Path

C:\f3zi38348-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension f3zi38348. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4F2B286CBA81C23 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B4F2B286CBA81C23 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: eWT/l9+oka1gPicSCIU0FXoiiKQQQX89jkG6GSlyTjBI43vfj+iozrBTOCwA2uNL knjKInH0JyxK1HiktXdIZTi9K2/Ovl2aUi2dH2yMe97dheG9J6hYWPvJtiHsu6j2 DGKPoyP+sV90ENQH8DbcsjHIRf0yUjepNq5MieB9Xjw/o5Jy/W+lU4by4M73Ze2n pgdonyy+ZDCh8dyczC9rRCL6Ph6i1L0l4yQLmqX1qe7vzhb9Tuqlhv8VypetTQq4 9gtFdfjHTAwT4rf9H6wCIBjiX30l5CUdFaHkvMDLBOQfiUnRIiOuwE2OSd6cjqAa jcm7/zqEeF/+FABO05lQTYLL9ZT9I4gCqcUqFkXWpMMm0bx+jEh6zK9oCkwmQIBw aVyrTbdAUFXb8TqopwImjOQCp0GESw+8V12xilcCSEjL84wZkkjM/FDwR+ibkfUP Pd0oC6/puGRH7WtY3XtXeWoYKJo3BU5N8MEG022RRDRcV7XkmpbO2rpqvn5a3Wb1 HEyQHzPAVhLrx6upwF681olmd1x7qBC1GXixOvnUkmetKyLtODs/YdYPSZ0vyNTj yk+o1mKjRm5QagPrUnfKpBSDgw7ox161/jTNDfCZ85z9vSGzToX308TzWUVif0zB LnrCRXK+j2DsVssPztqxSG5A4AGypLhplD6AjRz7yxEi3fBGNj3zNXtLuc7On3Ku UnomvlDwEygLJAMD2J2N9IGI7s/YGYMSBRcR7dXHQv+S4VhiPsecNiFJB3OlzxMh j21jaYXvBvcRBn7kVYfTQxMHznDUb0h5kx247/R2dsW/0oJ0dUtFrnkrM80dr6W8 yNT7K8OzP9KwK+HayI0BDaGRkfHwF295wS55LxgS4n1n7l/VHSXCtv2UMNATyGAT 84zio5tgtLM+b6Hysz4/YBOR+038alVFPGB7sESweumdX9w8Dugs5JQspZi3fpAs nmwesaj7jE2rRfBMpxdIa2EjVcXqWpYDe0EjkGKu3ErMSMYIUM7WD0HM+jCCNXAT ebzHLqfbQLhJAAvWReckPErXQbAHRsdpwXjkS2rSZJzL+q7e3fNmnJqc83fq8/sN rJONt2IUi2kCrhZ///XpfLDxWJyBdx5mFrEh8F2rEaVT95gI/bGhDdEHxC9u9Nz+ 6R6ySuh+oFPc5CbkmCWJpNswh2HNOctn8RRyasgFGpi+dlIyHOmHW7sTUVI6HYX6 Kp9GzTg2GP+M0FfwuFar/o7+qTb6Fa7atREZP458OKXQD7mwqnuHKldNP2ey4E2Z pHTLN8JSaJhHCe5DCFnEcw1GZXxG6LQF/M+bVHZp ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4F2B286CBA81C23

http://decryptor.cc/B4F2B286CBA81C23

Extracted

Family

sodinokibi

Botnet

$2a$10$jic4PWjsOW3XAFg6jrtWU.4s2YBeZxLBwNhXoxP2z1e6MThWCdpHu

Campaign

5223

C2

urmasiimariiuniri.ro

thedresserie.com

hotelsolbh.com.br

theletter.company

directwindowco.com

hugoversichert.de

ino-professional.ru

bogdanpeptine.ro

d2marketing.co.uk

boisehosting.net

girlillamarketing.com

romeguidedvisit.com

maineemploymentlawyerblog.com

sachnendoc.com

pomodori-pizzeria.de

vesinhnha.com.vn

restaurantesszimmer.de

toreria.es

homesdollar.com

caribdoctor.org

Attributes

  • net

    true

  • pid

    $2a$10$jic4PWjsOW3XAFg6jrtWU.4s2YBeZxLBwNhXoxP2z1e6MThWCdpHu

  • prc

    oracle

    mspub

    outlook

    sql

    tbirdconfig

    msaccess

    powerpnt

    sqbcoreservice

    mydesktopservice

    thebat

    visio

    dbeng50

    ocomm

    ocautoupds

    isqlplussvc

    encsvc

    mydesktopqos

    thunderbird

    xfssvccon

    dbsnmp

    winword

    synctime

    infopath

    wordpad

    excel

    onenote

    agntsvc

    ocssd

    steam

    firefox

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    5223

  • svc

    backup

    sophos

    memtas

    veeam

    vss

    svc$

    sql

    mepocs

Extracted

Path

C:\mtq45-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension mtq45. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F4E1A6639DB05278 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F4E1A6639DB05278 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: uuoXHCT37efSs80FfW5CKgfU4kjhwIm+80nkMOnorPMnfT/OF4U9k3+ZEBNtETSD j5xYEj3x97CCNK8ty+8UKvNGy8a94oFjj4UY3ZU/o7cTZM1zbrk0W5iJ2LmUQuvj SnIzH+SnsaU+5d1f852FDVjEGV8iHExQgpFarRJNunbYbbKZGoxDlOc4tVDmaF1r eFELE+Lhdsb7r+Dso2/OpTiMhKQRRbTDmep+54ss0xW1g1Q/jQHIM3kcRjvepirR D8/7kjar9X1aXgXH6gmsiWnKEQidQfTbtHpX36YWW0I74ArvoSNtCbkvzq0+UT4B 6Poa08etPP63Tui9nmCTFyr/1rNYi2A/nN9WYwmzZsRRw2oxso4hv25x4BaUWyg4 Gih2526qt4x/TjMeDED7tF1oU5ATV22k+G7lBiAJl7eTjCulN6P/7h9o4GLOxGmw /qbozjVb4fR7nWjGcZZLaoGPD13nO82fn21/6S/vamwSRfEiqdYIKen/vVHIdsDg xGqG1/ReQuu+pUt0VGYeDTk9RI22WhHhCqlUObBEC9ZPPva4peJEF7vPEE/rIA6n ie+5nP1JO2ztMliCY03m5+cT0aPh1XT/J+cwobqhJ9EJVFY9gd/do5ztjwx9sI+P P7NFpwGNhkXF1n/9jGxMNX1t2NL9IpY6x5sdIaHFhhIpKCLjh+Rd6D159KdKfvbC b2E6c/OQT5OGIEkC+iJQwFdXuddOlBIruNy8DYJCBgNsPpSk8QN7f8YTLeYUeJTk 7hl4PAXeBR2AY9w+WxUQMmS419RMomPG8c81fQoxpuEr+czUAReHVa9gnFBNR3SV 25Vj1363tCYTetcus+yT9UQAAqMFskxl5zPRq95x7BnKUA57QB2luoS0R2/A06qH oogshUcHyQawyz6xEnOxMSc+WSBq9wjpxJ4jgrrHeMJnNyeKeBoMsZTxTInqa+4o MmRiC/Lc807xUh0UK45iLka6Cmh/g1/SgimmLc+OmqTpb4TcleTIClr+hMfH4h58 e5IPbnbK4AYXXJgWLUHt0yWC+Oai75QIpW9bfRLldH0ucgptc8+1mylyUjqtN++A 9A9eGvllmwHyWIXcQ9ErTD/i6qWWeBXfmB+TuJZ4FUURaMiTSLCMcSjDFYwKCBGy NTtNoTMTYa7byryfZMV3jyrLIKAIncvjzgKZXxebGgHen57T2Q38sDDuZtAagsWB ZxzIO4hDMuODNi7SmnW2Wn3yFPRl3MEbdh1kXqx0ujCK7qDM6dL5FjlG2jmHRCRW 8DSmpwOvToEgw2rTnxs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F4E1A6639DB05278

http://decryptor.cc/F4E1A6639DB05278

Targets

    • Target

      a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30

    • Size

      158KB

    • MD5

      3aef3009d06b0f41ac5ef79719de858b

    • SHA1

      a90e2f70158644795a4ed571dff27be032855a7a

    • SHA256

      a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30

    • SHA512

      08dd0e50becdb2f55270864f7591971b809f82c5f70dff3d6ef78e5d4282ef9f42df190acf476a63f94d40d1e413f607cbd474e741030462a54ea7a6e939f305

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • T1042 Change Default File Association (1)

  • T1060 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (4)

  • T1130 Install Root Certificate (1)

Credential Access

  • T1081 Credentials in Files (1)

Discovery

  • T1012 Query Registry (1)

  • T1120 Peripheral Device Discovery (1)

  • T1082 System Information Discovery (2)

Collection

  • T1005 Data from Local System (1)

Impact

  • T1491 Defacement (1)

Tasks