General
-
Target
7621976121.zip
-
Size
53KB
-
Sample
220617-qps9psefb9
-
MD5
33cb287db7a8b7c25612fd8fe0bca428
-
SHA1
d6457a2b93c0755aeef8dfb5ddeb94f80f4c3e00
-
SHA256
93d45790a1edd20a625a5f91709527c8047d0edf2db428f85f00c2fb971f2af7
-
SHA512
956b04f1902ac1241b1aa65cd23fcf577cdd7c628376bdfbbe45b4323f1fc6762740587666474860aeb9d5795d62162e3950f0ac3b3a80f267a9be423433ab08
Static task
static1
Behavioral task
behavioral1
Sample
ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
sodinokibi
$2a$12$QKlALWFyUOkhUAlOVB5LeuiilRPMgdL4kq9Ex9LPdBEioQWEgg09C
8506
-
net
false
-
pid
$2a$12$QKlALWFyUOkhUAlOVB5LeuiilRPMgdL4kq9Ex9LPdBEioQWEgg09C
-
prc
ocssd
mydesktopqos
msaccess
thunderbird
mspub
firefox
sqbcoreservice
visio
winword
excel
synctime
thebat
onenote
tbirdconfig
oracle
infopath
powerpnt
isqlplussvc
dbsnmp
ocomm
mydesktopservice
dbeng50
agntsvc
encsvc
xfssvccon
steam
ocautoupds
wordpad
sql
outlook
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [-] Whats Happen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [-] What guarantees? [-] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
8506
-
svc
memtas
sophos
svc$
vss
backup
mepocs
veeam
sql
Extracted
C:\7sc8022n-readme.txt
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C9400D6B3ACAF42
Targets
-
-
Target
ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83
-
Size
137KB
-
MD5
21d01fa87dfcaf971ff7b63a1a6fda94
-
SHA1
f3caa9831fc715af4f47cd98803549902dffe30a
-
SHA256
ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83
-
SHA512
f89997f8c31d77029f1087257a5b24337f9989bebfbe4169067acae72a5dd50ce118d273fae00690ef2e2bf345901d723034992f53dd3e5b9df5cbe9be2e67fa
Score10/10-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-