General

  • Target

    048.exe

  • Size

    404KB

  • Sample

    220702-r2ms5afger

  • MD5

    0404a9cae8cfa9d41af806cae65498da

  • SHA1

    8cd0d5b397e6ce5747bd37fdeb877e95601488f0

  • SHA256

    fb872a27ca16a1c14f58076a0a29fb3166d0bac9643b3ab49aad3f29f6927256

  • SHA512

    637455e998cb9964d35d05dce65cfaa06e992ad16aa8f4293b59c66d9a61bb26a0260f2afe14f746d440a7e2c19fb057117fe4c5831841e3c608f97df8ec9ff3

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

29

C2

schluesseldienste-hannover.de

alpesiberie.com

bratek-immobilien.de

bcmets.info

log-barn.co.uk

diverfiestas.com.es

nexstagefinancial.com

mundo-pieces-auto.fr

marmarabasin.com

walterman.es

juergenblaetz.de

centuryvisionglobal.com

witraz.pl

aslog.fr

qandmmusiccenter.com

awag-blog.de

domilivefurniture.com

penumbuhrambutkeiskei.com

from02pro.com

teamsegeln.ch

Attributes
  • net

    true

  • pid

    19

  • prc

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    29

Extracted

Path

C:\odt\54vch88v0w-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 54vch88v0w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B573CE234FF30A23 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B573CE234FF30A23 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: MIuWa18Wu0LEJZ/nyIon8QfRQXGn/s2HbC7lEfncxfuK9Ai0J6ngFlxozGW1rBHV yWTQhIWgsxe47LOdN1zXCc/e8uW1VWEJx1+EE073I8R7pbG7/wXAHGdBl0+beMj8 I1sWYNPimmGnQRsIqJiZSelSgVSI+QNcPce4mVGvi5/faMa7pAORLupWfGddnfiM +wXDp6YgColdh2FXNnItm560zt0jslE4X+o5SqIg50vwWy8tqwoaWTLDDl19kPZg KoaeUg4qalpQrHdUm7a25w89W0AG8zWiNGYOS3nId0fmWtwwowOkgF/LIvB7f18e h4C/E+DokrN5wUijfc2YzNnDfOZ4qdSmhfjUrp9n10IAUfXQiFar+YmnyK00k46n GHVTkHsoJ8FkSwimRoJjwgZzl/Re42+CgyL67Iyo81Etsqj0GhEzCtzMirH8uOgA xjEydvuk9Xf3rJH4WXVBKpCYktE4K8Fe6ZqtpVid04NQk6CUzLLXqQZ3D00cndm6 0tFJQKX7+0PUcyCxHWDl2O8HPakfDJnRrN2z9ZZIaT/jK/WLCXUKhOy/vtGre5pY GEey41eRN5ATsGVXsu2QoqO5N0UcVQdMKcXyUO1vUqSXVAlju/0H32bZq5NKtgyx WeTNTNTi9Co4Dzk9tsHncgUwkWwAcDczImCRAd0QD8LZbQuVd93YHav0S2Mp0tKK fF9H+Obttq8KI+kqNRF2eZXHO2SD8FJBlznWA0OYFjz1ZwPqv5hH9ZW54f9cR3e2 8IJTB8bYZIjXTdtM8w/dcVgQcXwhIlx2pFT+pT1z7DYm1HkEmSWOBuvbhEJkIMV3 qXU0d1X1Lgxfq/PthAClbWLGhjIW+SQ0nIzq3y6WkQk9AP60Yvc3ME151OaIHj99 fbjMAABUDtXaFOcE42erse4y6/Oi4eF7sgFycQjR1skR4DTUmtbwSuXWDKAOY3JS rXTXig/c8uf4EV5RjCyfuj0Tk3AMpDXxkISPcwlVw8CsiuocJTy9kVeMkQLhKSeH zEEg66WYVLu/zj8HqxwAlrS52pDLltD+jv4Sdr4xtYLmT1TgOlZNWGIiUMYo8wTW X4rlMd8g0O/sCq1cQ7dbJRwP9QxSDvQT Extension name: 54vch88v0w ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B573CE234FF30A23

http://decryptor.top/B573CE234FF30A23
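The ransom_template in the extracted config is filled with three runtime values ({EXT}, {UID}, {KEY}), and the note dropped at C:\odt\54vch88v0w-readme.txt shows the result for this run (extension 54vch88v0w, victim id B573CE234FF30A23, a base64 key blob wrapped over several lines). The Python below is an added example written for this page; it is not the sandbox's code and not the malware's. It compiles the config template into a regex (each placeholder becomes a named group, a repeated placeholder becomes a backreference so the extension and victim id must agree everywhere), parses a dropped readme back into its victim-specific IOCs, and checks that the key blob is valid base64. render_note's plain-substitution behaviour is an assumption inferred from the note on this page, and the 96-byte key it uses is constructed, not the real blob.

```python
import base64
import re

# Note template as extracted from this sample's config (the ransom_template
# attribute above). {EXT}, {UID} and {KEY} are the runtime placeholders.
TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on you computer has "
    "expansion {EXT}. By the way, everything is possible to recover (restore), but "
    "you need to follow our instructions. Otherwise, you cant return your data "
    "(NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not "
    "care about you and your deals, except getting benefits. If we do not do our "
    "work and liabilities - nobody will not cooperate with us. Its not in our "
    "interests. To check the ability of returning files, You should go to our "
    "website. There you can decrypt one file for free. That is our guarantee. If "
    "you will not cooperate with our service - for us, its does not matter. But "
    "you will lose your time and data, cause just we have the private key. In "
    "practise - time is much more valuable than money. [+] How to get access on "
    "website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) "
    "Download and install TOR browser from this site: https://torproject.org/ b) "
    "Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "2) If TOR blocked in your country, try to use VPN! But you can use our "
    "secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, "
    "IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: "
    "secondary website can be blocked, thats why first variant much better and "
    "more available. When you open our website, put the following data in the "
    "input form: Key: {KEY} Extension name: {EXT} "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! DONT try to change files by yourself, DONT use any third party "
    "software for restoring your data or antivirus solutions - its may entail damge "
    "of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE "
    "TIME: Its in your interests to get your files back. From our side, we (the "
    "best specialists) make everything for restoring, but please should not "
    "interfere. !!! !!! !!!"
)

# What each placeholder may match. The EXT and UID shapes follow the values in
# this report (lowercase alphanumerics; 16 upper-case hex digits); KEY is a
# base64 blob that the dropped note wraps across several lines.
PLACEHOLDER_RE = {
    "EXT": r"[a-z0-9]{5,12}",
    "UID": r"[0-9A-F]{16}",
    "KEY": r"[A-Za-z0-9+/=]+(?:\s+[A-Za-z0-9+/=]+)*",
}


def _literal(text):
    """Regex for a literal template fragment, tolerant of re-wrapped whitespace."""
    body = r"\s+".join(re.escape(word) for word in text.split())
    if text[:1].isspace():
        body = r"\s*" + body
    if text[-1:].isspace():
        body = body + r"\s*"
    return body


def template_to_regex(template):
    """Compile the config template into a regex with one named group per
    placeholder. A placeholder that recurs becomes a backreference, so the
    extension and victim id must be consistent throughout the note."""
    parts, seen, pos = [], set(), 0
    for m in re.finditer(r"\{(EXT|UID|KEY)\}", template):
        parts.append(_literal(template[pos:m.start()]))
        name = m.group(1)
        if name in seen:
            parts.append(r"(?P=%s)" % name)
        else:
            parts.append(r"(?P<%s>%s)" % (name, PLACEHOLDER_RE[name]))
            seen.add(name)
        pos = m.end()
    parts.append(_literal(template[pos:]))
    return re.compile("".join(parts))


NOTE_RE = template_to_regex(TEMPLATE)


def parse_note(note):
    """Pull the victim-specific IOCs out of a dropped readme. Returns None when
    the text does not follow this family's template or the key is not base64."""
    m = NOTE_RE.search(note)
    if m is None:
        return None
    key_b64 = re.sub(r"\s+", "", m.group("KEY"))  # undo the line wrapping
    try:
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    uid = m.group("UID")
    # Both payment portals end in the victim id; keep only those URLs.
    portal_urls = [u for u in re.findall(r"https?://\S+", note) if u.endswith("/" + uid)]
    return {"ext": m.group("EXT"), "uid": uid, "key": key, "portal_urls": portal_urls}


def render_note(ext, uid, key):
    """Build a note the way the sample appears to: plain substitution into the
    template, base64 key wrapped at 64 columns. Assumed behaviour, inferred
    from the dropped note on this page."""
    b64 = base64.b64encode(key).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return TEMPLATE.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", wrapped)


# Constructed example: the extension and victim id from this report with a
# made-up 96-byte key (the real blob is deliberately not reproduced).
EXAMPLE_KEY = bytes(range(96))
EXAMPLE_NOTE = render_note("54vch88v0w", "B573CE234FF30A23", EXAMPLE_KEY)

if __name__ == "__main__":
    iocs = parse_note(EXAMPLE_NOTE)
    print(iocs["ext"], iocs["uid"], len(iocs["key"]), iocs["portal_urls"])
```

The same template_to_regex approach works for any family whose config carries a note template with placeholders: the template is the signature, and the groups recover the per-victim values (extension, id, key) that a triage workflow wants to record as IOCs without hand-copying them out of the note.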

Targets

    • Target

      048.exe

    • Size

      404KB

    • MD5

      0404a9cae8cfa9d41af806cae65498da

    • SHA1

      8cd0d5b397e6ce5747bd37fdeb877e95601488f0

    • SHA256

      fb872a27ca16a1c14f58076a0a29fb3166d0bac9643b3ab49aad3f29f6927256

    • SHA512

      637455e998cb9964d35d05dce65cfaa06e992ad16aa8f4293b59c66d9a61bb26a0260f2afe14f746d440a7e2c19fb057117fe4c5831841e3c608f97df8ec9ff3

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1012 Query Registry (2)

    T1082 System Information Discovery (3)

    T1120 Peripheral Device Discovery (1)

  • Collection

    T1005 Data from Local System (1)

  • Impact

    T1491 Defacement (1)
