Overview

overview

10

Static

static

10

60bf2bb354...66.exe

windows7_x64

10

60bf2bb354...66.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    60bf2bb354cde8463e912acf65db4d39f44469fd587a0764183db4c3bbb07f66

  • Size

    206KB

  • Sample

    220625-gzvqvabch3

  • MD5

    46c50d9690c2ea3fcc28eabba5c62379

  • SHA1

    25b90b6fe4154cc912fb6ad3435837ef276abd5e

  • SHA256

    60bf2bb354cde8463e912acf65db4d39f44469fd587a0764183db4c3bbb07f66

  • SHA512

    5c1dbe2dac1a51cd895dbe2aace8c5f24abe3d50bfa69ba255f154e2ae39892b1e7aaf5acc810af4a5d2a2a2abc03e79e7cf1b0b5dcc0dd226d878499255467a

Score
10/10
neshtasodinokibi192909persistenceransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

2909

C2

hoteltantra.com

randyabrown.com

noda.com.ua

vdolg24.online

zumrutkuyutemel.com

ufovidmag.com

bruut.online

kausette.com

paradigmlandscape.com

achetrabalhos.com

mariamalmahdi.com

glende-pflanzenparadies.de

der-stempelking.de

georgemuncey.com

sbit.ag

advanced-removals.co.uk

lattalvor.com

fotoslubna.com

michaelfiegel.com

sololibrerie.it
Attributes
  • net

    true

  • pid

    19

  • prc

    visio

    firefox

    dbsnmp

    xfssvccon

    oracle

    dbeng50

    excel

    sqbcoreservice

    ocomm

    encsvc

    tbirdconfig

    ocautoupds

    thebat

    synctime

    mydesktopqos

    onenote

    mspub

    msaccess

    isqlplussvc

    ocssd

    steam

    wordpad

    thunderbird

    powerpnt

    agntsvc

    infopath

    outlook

    winword

    mydesktopservice

    sql

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2909

  • svc

    svc$

    sophos

    sql

    veeam

    vss

    memtas

    backup

    mepocs

Extracted

Path

C:\aeo9e3-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension aeo9e3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BEB49F4BC5DA85D2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/BEB49F4BC5DA85D2 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: somZ7XVZ/MGAfsM/xawfaIaEtyInqUoyiZ63YBEwLdTzejjGYQa69vx9rkJKL4CX FO4Uc/TuQ88SI3R9nVGEVUeg6kJbAa/RutyX3VntLg2HnacUw6aa7fVEXuZQQmKw Gg/24bEbGYKwqwL9SyGiY66KemmFS1/uSjBRa4AO1A9eq8dWP7GLadDHqIg4Jpty PpRHwvxGf0HfUyWzQX18v/blPFBcpA/pulduCF5+O8fFMJCjTwMpOLKlogJxN+9I oSdi/Rsia5mw9zadGwFmD9oRBQjLOltX4dwnOOOsSEZNm+Og3VSoMQZhu2NT+ixJ up/HGyYOWtuI4AMUiCrKJclz8nW25v2QY0KXGfIGURrgVOrWJjXjkS4EOscelvqf Kuoxm40mjAq05W61YS3itGR7Xzv/mmtPIVxjBICGfrN100aXwXbjCwKp6Rg0T+Uc 4t4jcwLIzPmIxh3kmW+5+TjVmPZVkzyKWqOtadzAxRDIfISrdTIJQ6oOUeLX3rFG PGUVsfA1NI+8LAKUqqwkokQFKPaq1Oif5qbdbkj8np1ZskPvAFljiGoEYc+rMAiK nKTRZ/fYn39IryKQVWkQ/JVC0IcnpuW+7k/YCVBalHhsKYBRXm/BuXdTHjAnfoEq kwAz2v1k2p9wXnThchvMVENSRI/aNAVDC0qIXZOn0pG0fx2HtlDPQ6B6Hr5uCD8w bEW3D4UzzTQPPyu4b86pvi4wwsU48ZlIMmEMIFdtk5a7Sb2YwF7xUW+/vKSGVyqO 4alJlhM98vUgFhgwBywzJC7jRjzMQzcXySNoiQJ2sL5hkY2psEjSoM9DSnzEkH0L joFJU6O0TMLiH2aoB9P0frtfkS65yMgHtw5bJiot8X3Xrb8h/POKlTFTzVPfv5pF UrL30crOHfU+D8qzBjc5fzhSVnQnTz57sEVQMAHp0xcRE2yv/R8MydVmIoVboYDs 4cIYnlFgzI05qoAp53daj+dXOUyu8rJeL1bptJE7px42fPyAn9CE0AUT30icpa9D yGFEAbuSB4jqk958eJFJjmxqDwk1Gj/yf7kaTCCojixWxX1f7cr5LVy+ywVw8jRx tmAFbOAlNlur62qIpAqfr1/UJdEH3mZGEIqAjzCFT0Yz23Q7/xqXHmQKUvZlHZYO fFLqyX3qEKoeuA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BEB49F4BC5DA85D2

http://decryptor.cc/BEB49F4BC5DA85D2

Targets

    • Target

      60bf2bb354cde8463e912acf65db4d39f44469fd587a0764183db4c3bbb07f66

    • Size

      206KB

    • MD5

      46c50d9690c2ea3fcc28eabba5c62379

    • SHA1

      25b90b6fe4154cc912fb6ad3435837ef276abd5e

    • SHA256

      60bf2bb354cde8463e912acf65db4d39f44469fd587a0764183db4c3bbb07f66

    • SHA512

      5c1dbe2dac1a51cd895dbe2aace8c5f24abe3d50bfa69ba255f154e2ae39892b1e7aaf5acc810af4a5d2a2a2abc03e79e7cf1b0b5dcc0dd226d878499255467a

    Score
    10/10
    neshtasodinokibi192909persistenceransomwarespywarestealer

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks