General

  • Target

    2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50

  • Size

    207KB

  • Sample

    220124-cvpa2sadam

  • MD5

    8617cf6577b2020b9251a898a98308af

  • SHA1

    c4d7436ab085a6113c4d77b8765504d42a66aece

  • SHA256

    2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50

  • SHA512

    1b11cd0de765f97be892cbd8b3d244dd7fd226af2c9f8ddd523aca293c80ca22ec437204ea7f018ca35d9c2cfa2f270c928c5098db5184a8640204a610bb5426

Malware Config

Extracted

Path

C:\u4qw07161b-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension u4qw07161b. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/36728C38FD7409E1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/36728C38FD7409E1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: lO4o3glkY3NTzLhyqNQKHH0157BC8j023pze6gnKDDxk/oco9vMSz58mmhtNMnHx HyUWdjhvTLuWTIP2+h0W9Z5yJLB2vMezB0RFmjrcOcEF5inBFshlDTvoSeLyITYE sdN0fjBwZfvSi6q/cQjDlPKz3teN2/Mn/6aNTED+ab6QLCE7ekQ5/wY8rBXqZ4MN iz6vECTVn8eSgmRCHEyl8JcMkEU/mab5+1YBkk12DhkFwIj1gtbZSMlKGPlJ+w8f F0RvRgVDpIVilIHLgYKNZ4uAR/mt9xe32wOPYnOuAkNMjrLQvdH6x/SmYaWWxcMY HaYiYvX/5gCBbq5uiBPViJ5CrXIdXTOK1RPPLiSRvJnF1FIm+wUpRXKz31+vS3w7 IGfAUsFJkMKqD1OJJ+1i56Qg69EDLQlijMRMjQ4HVjIOaAQStKrWRofCoSZ7kEQ7 CvSgAPJTvVr4bDGzpEXrvoFZ/YqGQjIgRp42hmd0D3pHYCR/YFvh8mWt70NpfiUs plBy0B62PzTUZreU4+kVIjSGXpVB8hhDXEYiZ6mx8nO4POuUcuOldBnubXoOPRV6 wvR22jR05z1fHVWBi/swXoUT6+ntN4S1AB48z7JbOa+E+V7XHli0j8xQSewE6LzP +ZjyeqxMA8NZP/yxA4aWWSMwUVk2N7Q0SxYPzeXJze4CmfmkOP05HB49haJ/2iHs 4QyXGnpcvSesNT/RWLgpI8IkqUdkB4TANbR+5g1V0+ZOpIpScpmjtPjRV2HRqk4F C0rxiVbVchHWXclN05MLR57UclvYciK4Eaxvwyig1H9iXSauxJ8zP6CPgNOOrdjA fGOCZU/9X3+aeLLl8tbn3llunGaRgovJ7Dxk9o6Koognu+5tmHVmcDbm9CJzdaAi RczXbuG2ItgXfW9QRX2SL0E2qhHeasf0LA3v4m88nDf/kcK6qE/O8H68ffLpnsGs //bG9ZgqyWgdGcuvW/nvNcKleenGyqBeRb+y6mDC9ynGtqiCOoWAacg3h1b9ZjBV eHY12f4Zc1WmdC979Nc7mKTVPGaMM9Dz5naXJi+ZRDTUH9hTF+U+KvAwcsMJXIBU +fFmL8pVjUpGXw125Sh7U2CkNFXBu4zz1uoVUP/+F0n+kgrTX3+bhHvC1yyWtzpW q06ixHqanyJms9cxP4Uq4506IXZniga4lmh735yUqrDz0vPK+Fp6dToes3VvQHzc 2KtAaA9Vf/OWgA+rtwhc75i/R+l5W1H4FYOOSkkUCI7cNRbcCS4QLHE3/O6rA8NS tfuh68qmSXF0R3BL9ixhbQ5JlKZeuL7rb7xBESlcUFs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/36728C38FD7409E1

http://decryptor.cc/36728C38FD7409E1

Extracted

Family

sodinokibi

Botnet

$2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

Campaign

3385

C2


Attributes
  • net

    true

  • pid

    $2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

  • prc

    thunderbird

    thebat

    msaccess

    mydesktopqos

    ocomm

    ocautoupds

    outlook

    xfssvccon

    wordpad

    encsvc

    excel

    agntsvc

    sql

    winword

    isqlplussvc

    powerpnt

    ocssd

    dbeng50

    synctime

    visio

    sqbcoreservice

    mspub

    tbirdconfig

    steam

    dbsnmp

    onenote

    oracle

    firefox

    infopath

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3385

  • svc

    veeam

    backup

    vss

    sql

    memtas

    svc$

    mepocs

    sophos

Extracted

Path

C:\w0o9n-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension w0o9n. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E2B975C6815AB259 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/E2B975C6815AB259 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: DklhphJ2/qYNA47SGLunjGxN68XIQ80crzGxtCP+S2t273+qR/rkXfOpFiHNvcBD QnhOA0q2Lv2PPmG17uVrK6DWqY4fE50IeRnuK+52IqCK271KT5RP6StpNc5KGyHw Cb89uwlFZEhz02Doah+PEaA039m+OxUCd5P1vwXUmHM0hZF1Pu01qytj9G5i7FeO wMb3Md3ncnkkiPVM8qMCVXE8k2qQgbw/92xKiV5xCCLoq31ljVAzj8l4d29OIzBU V8o7nRvIQD243wxOqCt0lqf1GSb9ctSXXa5VDjCmJA5vRw9MeM71kTeyXn+dpKH/ XmFweHAZShwST3NU63+e6Y2rzQRYh8rfQxf30dcOOxztJTgu5vswiIIL+tvuZWTQ g0Nx5zMverN6RP9KXsXWppv4o+BNIC5qw4BGvuT5uvMeDcsebTpgMhJe3mSNuIId NoreLNgUBtA46DgfAVe8I93HaYIMHiiz2urMJArRqSL4zi3b27Sbai40rqWhemR/ 93dq/CTlLDt0ESFfD6YricGE4WY3m5VouOLy9ulP7kYEf+ejguNv0MIQyjEkbAHn /kCf1XSFQ/4JrYyjvUcE0iShdLfy/w4yAFMN3eYE4YwknByTeAukdSDJjWYoLxVI pvMNLJAMOqJdsnUoef6QTZ2y5F2WQJwP+kgdCDn8tng1OM1Id+ngv/Vb7WCONp4c c9uqKnYagziB8zK7Jx5raF20GuFsT7xvF2iREzt0DT3j0E51d0NAF0zmOTiIXLaP JlinyozvLnN1odhADUTZsIt/iOejxCXEUNSqX5FWMywM5GJrVa4cIjNafcMlxood tr0bffLrOgJMNfyRMOg9bMyvUlEgc4c5hM2IwetmC5IGmFBdLn2KCIMZgbS74cbt BX0W6gh9C2DaaccztThzuCNYGh0gxqKAq2nU/XotA/f8qjSC0eeMNjmxT5udwrcS ae9PVaoGTuaOn/lf459Vh374bYivrknOD+REwEZfQppVYyt3zuVgFoT8Uzx9cTD1 8CAnwW5E9o+byeRAEGk3on7a2gEWQMedrGej6avG98sChqUczELyz3wiFx7VcW7l W2/aQHpViqYeXOMZhDasLoXcjaRZdZJO/kpEk9VnovpeTwuteyPO9fHPBC1lg+CH g81an8jwKWrO6rWPwK7jH22GyZulhsr41ZRnBFErcJ+bp5wcw7HBvUe784qfbmSI h1EvqGXqszbDRCNUItoOZeNiY5vfX69WiGudkB9k72nH/tc9vgwy6TVN+UNnjgLr KZb1PjyEJjj1gRPMsW0= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E2B975C6815AB259

http://decryptor.cc/E2B975C6815AB259

Targets

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Tactic              Technique                            Count  ID
Persistence         Change Default File Association      1      T1042
Persistence         Registry Run Keys / Startup Folder   1      T1060
Defense Evasion     Modify Registry                      4      T1112
Defense Evasion     Install Root Certificate             1      T1130
Credential Access   Credentials in Files                 1      T1081
Discovery           Query Registry                       1      T1012
Discovery           Peripheral Device Discovery          1      T1120
Discovery           System Information Discovery         2      T1082
Collection          Data from Local System               1      T1005
Impact              Defacement                           1      T1491

Tasks