General

  • Target

    486a7dd8a65128960ef6c89c4143f0edbf7fab0f8f07045328ad6675cd1d870f

  • Size

    207KB

  • Sample

    220124-cllhssabc2

  • MD5

    443a3653113457b08fa41ce46eb3b677

  • SHA1

    c6ebcf8ed468511153c741d8d58fad07beab7048

  • SHA256

    486a7dd8a65128960ef6c89c4143f0edbf7fab0f8f07045328ad6675cd1d870f

  • SHA512

    bd7ca0759441b3168d78039962f76f5fd61fb9ef985d328f58dbe56b73a949004182fe9dcd1103766198498b4349e7160e8f875d12a40dce81926484bd31bfc4

Malware Config

Extracted

Path

C:\03bl6l3-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 03bl6l3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/77ECF6736A68B9B5
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/77ECF6736A68B9B5
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
ZXjwATY/DwQkWg9s4GxXi+7M8Ti9Q4HxrnRkhC5M6wlm6NkApGdXEnWBDPP8RgsK Us2eFbLArKXTJQgGOzdPeI7LIsh76z+QnZjkFUKQywYVlH6V4WkyoxQytR1UgB3d DnqwJKv7HNYOLdmYE0vOLXVJxN3+F6Pqex0wxqmhdupzN6kKG20AV8hEVkJqXE9m N5D60oSLL0xBr5fNJE9PPAPba1p5kDHeJX/987zSILGf4I8DYVhrQIB5GltdXTT0 7cNKrpxpaGnaMr849cN2VxBxJ5dmAjtGVCFnc4k9XazcX2YglJJxXcuZ631uwaXa 2tVPc6tZ2p0xt4XbMLm1IdNAb6IC0yXt27ZliePyYWHsrs9D6toxO0yFa7zM37wF zWpS6DozaR/mNZhFc9bnSPAofDJBVsc6PD0r2QxnbNwxnXaOmWLl/zP2ddkZI8vH mVQ4Ai1wAn4w0fRRCpBGmzzXoK+ghnALfP8plRznypJsrRyiBG1Tboyik/Vii1Cd D/jRoEIXNZRTqx2sRzmxVqs0CA1DFNI4ZldV/Sgvl5/kz2FAj3BiFcc3O8Y9HEcR FSU9gQt3sVYQzg4B1Wd62Av/K/zanG/BrWIEGMmnq3QR3czzFHVR5b1/gqXtbbx0 1e9BkRoDZM6xAdRXM5g6Ro3HkyWgSc3KYQalsWrsKiZoCOpFYlMGQwCKP0+LnTgL duUSiWd0dJYkLaAsEjW8sxVGmNRz4K51psgytKHmruJgpV1dLvS2aLbc1SDePJ2i 17u5wNsSo1oMrUfmFQGJUus+SZ093BofIhvc78OIG1Dz/Z6OrLcPl2kld+CzMNaW BO+6HZ4mlhIeK2eh6FLybcU1uy59Wdo7Hyuc/y8yhhtrRWQARx9FwF2XHtqO9G8K owI1vSylmGdd+yeVssY6ctQw/Ozg1CJhzXwHbs89Y+4cYOsxKcWVBTPJLCwpKt8+ wZ1ZGUiLKUnBQGcl1aICLAtVUhSbAdhKOiI8FHHqqB77hqlsPzfPK+7J+HGFPzq8 NMiRrTYO+dvIMmVcUQ0eDk367SX/VN779k88ZFYCbPIcJ8E29IoE21IM5PspuVa9 AXbfdKk6xcUKLSsma9g03JFNbdYoz4nz1U7JemToT4taVMozByXoWyy/rPr+HOQY COD//7lx
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/77ECF6736A68B9B5

http://decryptor.cc/77ECF6736A68B9B5

Extracted

Family

sodinokibi

Botnet

19

Campaign

3134

C2

mank.de

work2live.de

triggi.de

innote.fi

iwelt.de

mdacares.com

celularity.com

wychowanieprzedszkolne.pl

bildungsunderlebnis.haus

urmasiimariiuniri.ro

devlaur.com

philippedebroca.com

kaminscy.com

boompinoy.com

webcodingstudio.com

onlybacklink.com

victoriousfestival.co.uk

levdittliv.se

rosavalamedahr.com

DupontSellsHomes.com

Attributes
  • net

    true

  • pid

    19

  • prc

    visio

    ocautoupds

    synctime

    dbeng50

    infopath

    tbirdconfig

    oracle

    winword

    firefox

    dbsnmp

    mydesktopservice

    msaccess

    xfssvccon

    sqbcoreservice

    mydesktopqos

    sql

    onenote

    outlook

    ocomm

    steam

    excel

    ocssd

    thebat

    agntsvc

    powerpnt

    thunderbird

    mspub

    isqlplussvc

    encsvc

    wordpad

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key:
    {KEY}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    3134

  • svc

    vss

    sophos

    mepocs

    veeam

    sql

    backup

    svc$

    memtas

Extracted

Path

C:\260ox21vwt-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 260ox21vwt. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/80638378FF8FBF18
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/80638378FF8FBF18
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
W/c2tDDJ+tnJtePR4t66bxTnP+CpOaXTQBei0h9l40rZZ6/dAvObNYj5PNy6T3mz smSxnvPHw6Oy7owvxW/YFCyuq5Ks/H5FzIrCgGnWHBCDrIXE9r8C64nnogxGDEzG K5MKx7iT8Nzma1EpU5nbp9H3oqsaXNddKwKXURPUdcGe3d0nonvbm8DpUbmWBFYb e1eBlGaE0nrICP4XuU5IauKAjXMH/pVQHJywivfzSFKocnQY5INIqQEY7XwMBLbh tEs8dRELdDMgbrSs6ResskXs1rtAxDqd//9rb1LZ3/hZKK14/xgjNf2jHwOCbBRT KNop/HgIRCx9R0tnu0SIXX+gC0bgUHbR8dUdyOyzPsp9/bPvBRPsg37/DIjIwFm1 uMvgfMdlRkd9S2QWqTYAQUGe7cmP4GSOEqTLo3L366CQBxYkne6fv8vRuOg/KfOx ra+mp212yINlKu2/WZXlkcmSsmUnhi5/8nOUm7qvSnDEPVGBJ/AP+7VdDv6hf8V3 LvsOBMfutnXczgRqYJ6XfxM4ldjITMZA7HkF7/l4hEgTVdys0BZDdTpv1zxAysJN nuN0a+Mc5VuKpT+QT8sgPyNGe5QK08lcPVg0C9k1sYwPxKiLGJdBSMd1a1eRbmCP cp+GLFh9V93zUHf2cO3WH0JI5+2N32WEfXjnZaCGvYtRA5v0a+YTsKZCfes4l0Uk ZXWvMKpd7r+BdZ9ny28coIaMEYq4J6T6wMWBTFCpX223RmKusPpSSo80pS1qUlYp IRXgGQ6plFS1l+P0X/lEGUiLeQ+A9wsnrnTq0m4ZSdkhiFs65pv6FdffwzWxR+f1 GZ900Yzq0a7qCG0oI7cUCaH6PunM4d7ksOshJIseZDDq5/WzK12Q9dZscePnllLr /a/vBUbxg7m+cWDxV8jr2KtePrG+ZDuJTpCFNQKUsa2i0644aNZQSw8LQxzCYoOe AlXIbowAOM4Q5K95Uqx77mUumpYYFzGrQ6R8dEqzWKH5wa7mfUDNonFtD1RL1nCS SgSlqPADeUNFW2kdrIPf/vio3ooK9YHrvaVBhIAeUv4WXsekV1mNFaq1BTE81dUz UwJOaFo73N8DXJpizH0MElmdE2qtlqeW8MZefbivwwI0qyk5svFEx0QyfbjHmdDx t7GsPg==
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/80638378FF8FBF18

http://decryptor.cc/80638378FF8FBF18

Targets

    • Target

      486a7dd8a65128960ef6c89c4143f0edbf7fab0f8f07045328ad6675cd1d870f

    • Size

      207KB

    • MD5

      443a3653113457b08fa41ce46eb3b677

    • SHA1

      c6ebcf8ed468511153c741d8d58fad07beab7048

    • SHA256

      486a7dd8a65128960ef6c89c4143f0edbf7fab0f8f07045328ad6675cd1d870f

    • SHA512

      bd7ca0759441b3168d78039962f76f5fd61fb9ef985d328f58dbe56b73a949004182fe9dcd1103766198498b4349e7160e8f875d12a40dce81926484bd31bfc4

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks