General

  • Target

    064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2

  • Size

    199KB

  • Sample

    220124-c3gaeaaeek

  • MD5

    81da022977dec2624184697c779c0318

  • SHA1

    e6591a63f5466d721e3227e05ae7fb5e726b81f8

  • SHA256

    064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2

  • SHA512

    f63b0b04c6a5e01b92172a7ffe37b29ee537e620c67bfeba6cb270950288b80a557e5fcb9e5cd0dda78241cc75b61a66396d6b8d7d3cf163991b547990c893ab

Malware Config

Extracted

Path

C:\1mu4v19ta7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 1mu4v19ta7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8DD156D589223FF0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8DD156D589223FF0 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Q9QugZBHBPkhK/Spwj89qfAGbkKGogsJ1H6uMM5QB8qFCpva9U+OFAucH+6FdAKf GsPhfPHdWdO1k/Nncvb9/pGAQRWHQjlAAAkZzHadDOZQcxl/KWfuwBcJkn4abl0E EMo8+0u7cI4ck8kPh6ZeheNZNpBb5la6Ic77QZdxgrULez9VYmtwRSu1Hi5O5A+c iUgKmUcRLlBkFPCvxysCZNpkPl9gMxaUglPdLMG1RU6Gc1AOFoFD+LgmXUKSxgRS Ve8aSMqEQwACmM386TsP8k/FqMYtCzRGGGUF0B/jCqwSlxcRW2H8CEQ+82D5djVk MG0ys2jAJJw5TdkpJYC5UvPC8PrSj1sFyDvh8FfkvMb0kR0BiEmJp5SnvRCCg9FM iJ9dIy+sjkG7rB6DRBphirdYLI+61bb+hdYX8fGM9S2ccjakqcVCE7n1sx/z1Bmk 3kiytkCn2afeUwpC2uNR/du8SJP4aGuDF4Jd2dbJX5eSoAKPl7WQmO9EeeAiaPDF sfv3rdZLGiLpaQOfQbjbK7KwCaU7I8HwZMhxvC5AswdIiTqpiR9KdEjQDSxXawA3 pX7j8DTB5+ZuV/R8eIQ/EuNX9iA+9AzKplD0nNND01jMvsJMcqdMAUKkgfzCG9gc t40AA4P0NJn8KmNnJe0JbFRAW6PF+8jmEBmwHi9P+K9+XdWurugicsXlzg18j7Ak ShGvJ8RF7ROcujdlyeJ83DG1DGesfKe3IGTwQtpQ6ugQzdZ27RuXFaZZ1euXqtgt ipVelRPkF6EzumABZ2JJWIb+16M55TtzVrObiK6ea07jSUZyO3VMVCILYpuJC9TN ehpt+rgXCAsOmEa4joQsb37HPKknpRam/vwqbeSu1peybN1rlGzuVY9KIIdZ1tLL WPhqmgjWGWsP9PRoxkdIjnl4JnDafhXXlStGHYFd9xczy6AfonpDuHNdE3vAcIvx XM74C5TX3TlLDDA+WqTST+ntmeFkvwa6iQmBH0YL96X3WAbDTaD1hSCEoDqQWmCY 3T9HhZ2VZ7YeGj5RJGwKHYu6BG1WfCeBNlof9+9GZAVN1E0TSnfacTxqxcEKJdWT p49yTpI7MH+asMdAHNYKVNNj Extension name: 1mu4v19ta7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8DD156D589223FF0

http://decryptor.top/8DD156D589223FF0

Extracted

Family

sodinokibi

Botnet

19

Campaign

96

C2


Attributes
  • net

    true

  • pid

    19

  • prc

    firefoxconfig.exe

    mysqld_opt.exe

    thebat64.exe

    powerpnt.exe

    tbirdconfig.exe

    msftesql.exe

    mysqld.exe

    sqlwriter.exe

    infopath.exe

    winword.exe

    sqlbrowser.exe

    sqlagent.exe

    sqbcoreservice.exe

    mspub.exe

    onenote.exe

    thebat.exe

    visio.exe

    mysqld_nt.exe

    excel.exe

    thunderbird.exe

    encsvc.exe

    mydesktopservice.exe

    ocssd.exe

    steam.exe

    ocomm.exe

    isqlplussvc.exe

    dbsnmp.exe

    synctime.exe

    agntsvc.exe

    mydesktopqos.exe

    ocautoupds.exe

    wordpad.exe

    dbeng50.exe

    outlook.exe

    xfssvccon.exe

    oracle.exe

    sqlservr.exe

    msaccess.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    96

Extracted

Path

C:\7c7nm6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7c7nm6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9BF329183CAC3F1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A9BF329183CAC3F1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 7n2JIY+x8Qi9TW8QrCSxrI207yfMXQq2YCMXMPciNCLd1uafpIy+V5K9mkiSSQwd rXZ7LhLhbZCQUEZGCw7xvemlCjYCxMmPLaqOlEd26Wn1dDdb3lkubFg3FE8XMvID ysV2WJI2Lrlyxgc2AY5/2CAFs/QMmf7W5pCOvXB86c3AvJ778zYPxj3KhgOdoOrz o/4iZwNEGVqDepjdOQ9rDkqCoKcJrSLGU7KUSrmNxb8ZZnGvUB1FGGd/K3fr6qGD Jw66+PcqqllG0gtVRd9XzVwFE+SMiP63mSvdF8n/gv3d1qeHQPqX/zgO56BQxrvF s5UrUwVagiilKe2EBnsc7us0SmwuYmdVygGTCHFtkPHIGfUaVwX9y44L/iy3FEVQ RAZF46G02Cjau9NrC6udw9DuA70ziH6Zmt2PqVWAcbg4euM6u2kYsmZ++Zv4XIbe MyuOXY33k/OQnTNJU1MpWgddKdBNHUCzrm6zN2M7MgcjpWa4fgEM967pHDzIw0QJ nndKT3YTxJ7CqFfRtfp7KC4bnu9CcczqjgOL02ZhQH+FNvmRBVzxOS7Qtwsnx8V1 jZOUSdCQCef1iLqW1JqgvQ/sx54+ELhZmuPlAReezSOu9reYhCBGHjQfL1YquLuU omFK0NM+Igx/J9cNg2EuuGvMv+7yr3/D47yRl3d7f1rV3toITWyQSfZrNauH0A+W 4EBLnY2HnPn54lMAScFBeV6M8mEfzNI5FOjiQp/sUYXs2/7fDhUzi9bs1lwdNoxb dkQiSlFerglXoukS/maZufUWqASiOnO6pvcK5vyuexjjlrpR3bHvFqeBH1tvMDVA lGtEH6EfYxaTi2XboK/7e3PkpmPGk6u6tKssHLhQIHKjqHgIOjrtL1xX5hLmSdRo 7pHoXXURV02kRswnHIr/Zzk2EaxwgMmTGOqWuRn41y4UC5gGZTJyZXSG1wfHFJ7N 6Z5wflPH6lEt3DYKve56aH5Vd2m7H/ZnQSfigCUaslxgdq6+V9JdikBFr3BHy2qM l4tQt+PNpBsepehMOoL3BIzpV+oD7e0S5KPfWNUCIitYLmkUVHRzqSXnZtMdRl0L CEgQq9nHrkqL5A== Extension name: 7c7nm6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9BF329183CAC3F1

http://decryptor.top/A9BF329183CAC3F1

Targets

    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi/Revil sample

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Tactic            | Technique                        | Count | ID
------------------|----------------------------------|-------|------
Persistence       | Change Default File Association  | 1     | T1042
Defense Evasion   | Modify Registry                  | 3     | T1112
Defense Evasion   | File Deletion                    | 2     | T1107
Defense Evasion   | Install Root Certificate         | 1     | T1130
Credential Access | Credentials in Files             | 1     | T1081
Discovery         | Query Registry                   | 1     | T1012
Discovery         | Peripheral Device Discovery      | 1     | T1120
Discovery         | System Information Discovery     | 2     | T1082
Collection        | Data from Local System           | 1     | T1005
Impact            | Inhibit System Recovery          | 2     | T1490
Impact            | Defacement                       | 1     | T1491
