Overview

overview

10

Static

static

10

17ffd90d20...e1.dll

windows7-x64

1

1caf510598...e1.exe

windows7-x64

10

1d88c47417...67.exe

windows7-x64

1

1ecb597741...af.exe

windows7-x64

2a5fe7d49f...b5.exe

windows7-x64

1

2c1aa4fa14...dc.exe

windows7-x64

8

34d62f47e1...6e.exe

windows7-x64

3

38f1b8c868...05.exe

windows7-x64

10

40d8e3dae5...04.exe

windows7-x64

10

410ee08c8a...59.exe

windows7-x64

6

423b7b37b1...42.exe

windows7-x64

1

4315b6e87c...0b.exe

windows7-x64

7

453c6fe9e1...91.exe

windows7-x64

1

4a841216cb...37.exe

windows7-x64

1

4e180437ef...a9.exe

windows7-x64

1

4fb989bc0f...00.exe

windows7-x64

10

55bdc39b0b...70.exe

windows7-x64

10

5a1b6ba55f...c3.exe

windows7-x64

1

5f056a4a7a...4c.exe

windows7-x64

7

6709db0a92...53.exe

windows7-x64

9

69add888bc...df.exe

windows7-x64

7

6af766a07c...20.exe

windows7-x64

10

719a339594...44.exe

windows7-x64

7

71a20e2700...db.exe

windows7-x64

1

7acc03a357...fd.exe

windows7-x64

7

7bd3e8a108...5f.exe

windows7-x64

1

8034ef305b...74.exe

windows7-x64

1

88be20529e...cb.exe

windows7-x64

8e6c6b616e...19.exe

windows7-x64

7

907c21dd04...b0.exe

windows7-x64

7

9b1d7a498b...21.exe

windows7-x64

7

9b7e5d2fdc...8b.exe

windows7-x64

7

Resubmissions

07-09-2023 14:45

230907-r45fysaf5s 10

07-09-2023 14:12

230907-rjbyxaad5s 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    gm.rar

  • Size

    22.6MB

  • Sample

    230907-rjbyxaad5s

  • MD5

    d9aa719336b223b19cc30d1066a6955e

  • SHA1

    a5ba381e11b859554431ecd3b1d89c1d6524421c

  • SHA256

    78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8

  • SHA512

    26de419b91c188182616195ce3c0c2adcc0e9cfb1b77a7bb504deb9327a968251d86aa35c356c4b23c0e87831fd7935d03b05b81403ec82aebcbc7c71579a7fd

  • SSDEEP

    393216:1WCDBR5/qcMb6ezNjpONekKdZKE1R2GjCEyvuCE3EZuzJy3Dzc1Ktp:1WCtDgb1ztpO4OE1IGmEWuhXzJIDzc1e

Score
10/10
crimsonratgandcrabsodinokibitroldesh1519203311862963546backdoordiscoveryevasionpersistenceransomwarespywarestealerthemidatrojanupx

Malware Config

Extracted

Family

sodinokibi

Botnet

33

Campaign

296

Decoy

craftron.com

piestar.com

tages-geldvergleich.de

pxsrl.it

framemyballs.com

photographycreativity.co.uk

cincinnatiphotocompany.org

billyoart.com

midwestschool.org

supercarhire.co.uk

encounter-p.net

ncn.nl

fanuli.com.au

gosouldeep.com

greenrider.nl

renehartman.nl

entdoctor-durban.com

astrographic.com

advesa.com

skyscanner.ro
Attributes
  • net

    true

  • pid

    33

  • prc

    sqlbrowser.exe

    sqlwriter.exe

    firefoxconfig.exe

    thunderbird.exe

    agntsvc.exe

    thebat.exe

    infopath.exe

    mysqld_nt.exe

    winword.exe

    tbirdconfig.exe

    sqlagent.exe

    onenote.exe

    ocautoupds.exe

    msaccess.exe

    sqlservr.exe

    mydesktopservice.exe

    outlook.exe

    wordpad.exe

    dbeng50.exe

    thebat64.exe

    msftesql.exe

    dbsnmp.exe

    mydesktopqos.exe

    oracle.exe

    ocssd.exe

    excel.exe

    visio.exe

    isqlplussvc.exe

    mysqld_opt.exe

    sqbcoreservice.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    296

Extracted

Family

sodinokibi

Botnet

19

Campaign

35

Decoy

eshop.design

harleystreetspineclinic.com

qrs-international.com

stabilisateur.fr

imaginekithomes.co.nz

watchsale.biz

levencovka.ru

acornishstudio.co.uk

kroophold-sjaelland.dk

frameshift.it

aberdeenartwalk.org

leadforensics.com

craftron.com

diverfiestas.com.es

kenmccallum.com

billscars.net

ncn.nl

towelroot.co

sochi-okna23.ru

oro.ae
Attributes
  • net

    true

  • pid

    19

  • prc

    mysqld_nt

    mysqld

    firefoxconfig

    encsvc

    mydesktopqos

    visio

    infopath

    agntsvc

    wordpad

    mysqld_opt

    outlook

    ocautoupds

    mydesktopservice

    mspub

    msaccess

    powerpnt

    ocomm

    sqlbrowser

    winword

    sqbcoreservice

    sqlagent

    synctime

    thunderbird

    thebat64

    sqlwriter

    onenote

    xfssvccon

    ocssd

    tbirdconfig

    dbeng50

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    35

  • svc

    vss

    mepocs

    sql

    svc$

    backup

    sophos

    memtas

    veeam

Extracted

Family

crimsonrat

C2

81.17.56.2260

111.115.6.118

Extracted

Family

sodinokibi

Botnet

15

Campaign

1186

Decoy

oexebusiness.com

mondolandscapes.com

thiagoperez.com

hawaiisteelbuilding.com

cleanroomequipment.ie

dinedrinkdetroit.com

craftingalegacy.com

sambaglow.com

thegrinningmanmusical.com

chinowarehousespace.com

jlwilsonbooks.com

rentsportsequip.com

advesa.com

nauticmarine.dk

fi-institutionalfunds.com

agriturismocastagneto.it

c-sprop.com

fysiotherapierijnmond.nl

masecologicos.com

otpusk.zp.ua
Attributes
  • net

    true

  • pid

    15

  • prc

    mysqld

    thebat64

    sqlbrowser

    dbeng50

    dbsnmp

    sqlservr

    infopath

    thebat

    winword

    steam

    tbirdconfig

    mysqld_opt

    ocautoupds

    mysqld_nt

    msftesql

    sqlagent

    ocomm

    synctime

    outlook

    xfssvccon

    sqlwriter

    powerpnt

    isqlplussvc

    excel

    ocssd

    thunderbird

    visio

    mydesktopservice

    agntsvc

    oracle

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1186

  • svc

    mepocs

    sophos

    vss

    memtas

    backup

    sql

    svc$

    veeam

Extracted

Family

sodinokibi

Botnet

20

Campaign

46

Decoy

marcandy.com

tzn.nu

alcye.com

barbaramcfadyenjewelry.com

parentsandkids.com

nieuwsindeklas.be

the-cupboard.co.uk

molinum.pt

alabamaroofingllc.com

hensleymarketing.com

hnkns.com

comoserescritor.com

charlesfrancis.photos

michaelfiegel.com

sveneulberg.de

modamarfil.com

mollymccarthydesign.com

evsynthacademy.org

precisetemp.com

domaine-des-pothiers.com
Attributes
  • net

    true

  • pid

    20

  • prc

    mysql

    sqlservr

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    46

  • svc

    sophos

    backup

    sql

    mepocs

    memtas

    veeam

    vss

    svc$

Extracted

Path

C:\MSOCache\OUBFQI-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .OUBFQI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/cc0c4e2b858daf20 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAAp2s2ar3ePG/KIzNVKjYlJ8qeNMPEWJgFvblaGFZFXMqVnXR+Ul/Yuw+EenOuqOhl5fTULHb5h4zPW7k0V9TECzfX4D1owuZWsi8RbafpGbjMCf9mjSmGhnA4yZ2yaglZWn9VDQttZ42zULrzOrz0fkTCDi+r/1tPOkWFnK/JLpLM64WXG7Ul5Z8H6vt1G1XNBNmWHjtjTT93AGNs3PKkiIGkviiJLKie5FPUqLgMUyIATYHzwSMFYtQ4Lmrye0cON333DFDRnXUIhh1nSDftics1rljXxgmdb00oHmTtrh3V6H8pbMxKfXLnq9dREglHvrFnStlf8M8iSDrtLSJU/aMUWUwvjv6AfHkTfmaJXXV+Za+6KymsJ8tCKSVGiR1kWN0MIiZOg+PaPcYAquAgB5hyd5NIXRY/bq0wmGuU1JQmB+rsV7JTWSdcZXF53aY3I3vs/6dmLDUfI1gmokXlCv7Wyp1by+X6ZhQpLz4n7ryZF6xQ+OEJTGl6ikwfq83dCVpxGFiB8SV+3UGMjyXq/B7LReriKuh0awMmunncm3ZpDnW3GuLYS2GNcMH2sO8u2kgce3jP3TgGE7IqiTlqPfyh0VtVWvDb4mIEHBexh48ZiwiLAAS/19gQZPe7OF0Ge6++qhzKZ3lvefk056HMwaXbMN27aIPHpPqsO+WbqPF5hTgAE7thBM1QuKARPEwOctJYAwOmenYcKvyG/slk4aDzUyeIG3lbPYiS+0mysMzOhL6kx5Mvt8shqu7rIWcqQT6e4UNHouBJK1mpZFiI9H3/Ys5xhZ1mHzpkvZoXcT21wVz6Ob56PL2fjnjbFsVYDQXgja9EYQnEDYbEovU7WrgRFHoLr4xiRen0Qw724r6jMSlLBZKDoowZkCh+W4kxw+UxZrmqHbtB1PWH6Ss92qtBnSH0Xgf51jQxk607lu0DwSSbNSHLkdAgcqGfWblpLVuw1aM8RxIw+ilz9/DinPtfA9XZSpU7wQmuXCm8zQOt2Jm46Zd3Z6tKZgrvMjvIa1LzkVMBbbC9L+nZ88lr+XeARtK5mJpTJ3nsHrcPsBxT3kj9pkhPxrgBLTU6cdZx52D92vaEV3zS39NISiyf65k+CHelRqL27e0QXkxrZ/yiIDmPfbJwJoIf1CQyt/MpY8v2xyvZwLJCZO/xhdvMmJYpV/2fRoIVBXO2Wg20dU55l9rT5MRHRl9zUnkTdrAIdz3bpAzBeMlVgd/S4o5mzmBHjegKU3bj8V1C0RvHzdw/+PLbEVv0GEta1I0eiFCm38EZCm0d/waQvAWW/xm0LEUnUVk5p6MMdhS2zJxG3808fNXjEDUQJ1jYLmPPNmm9Fdtu+Dg98anoEZYjKi+5qtCiWXz4CRLQy4d3n7+Dn60Z3M+NCSw+i4jte/ROxrpaAOJwLheNYawp4n/jRpUo3I2sRHaKm52R9o3VAAVU/smH584Puter14NP2F04bG8iBm6m/+/ImbjvMAi1D+AvkSkkJwcxajT6bfVYN7Kr2sFe1yV8p0enKPnFFRTHUmm3v7I0G4aH71oM6oVt/4vPkPjaLAoGEHaY85TFQ0WAHCY993l2bJpQWjlCCzR5vxPvxCfg39gJB47IS/OGirZXeNzntqrfwvstpYy41f/oIQM1YHRJeEy1B84zFB3NbzkglPDHP9cEOOnpD9LsA+KhJkzl0F5Zmd/LIp8/XtMgiRwqkzAci0bkAQV7/ODI4PmuEGmHzptnTwJr8SUAOyac+XZy2wcJ3i8wg43IKshNUTYsnQxtKUOiwyx3/za+UGjv3xXCH1vwbWUS9q+0yPb8HVbwc7PU9+V27qDs/2ih8r2Aid+vnPwPPgQXRciEwgJ4/KU4hS7xruGg+bc3RmsijxvsnjWfz7PLXMpZuoljPXg8N11Ci5dfgQsgPTDSHAVO+sFL/EGgoXkMX7syvShr4sAWgDCLD89HBaFGie69h51cP24nJ2qQVv555aOUfVleZBEWKIYFcsyNkVZxaC5Ge/Y8mivlXxJsB9QhVl11S/fCIVom82Bcbp3jAEQzlPXAY8dZjKRsLb+xqIs5Kr0d8pWUC+fQRjSry3tF81t0zeXStKmsLQ5wHare1ALCYynrDB7cwgN+d3VwJv6mhmqJTOJcco7WtY7cKTBdK3PQWBzSqNRsgUYcPVaam2Gq688HVMuzGSpW9Bx94HLSTjRkpsQqZzgWKIEN+xcw9BWEjyZc5/OuYsy86EgX5CJfsRltLSQv4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZQTodRuHYZ7m9WqbfFTGiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BisLEhkUjBs+Kg/zM2E+t0GtNYaVqLBnPt/BGAEdsboScE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg73ZibpCRFE3vHLMOat1wIZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJH8Hp4Oar+NRZwP9okRV/rusrPFzMH9OHYBh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhOVLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/cc0c4e2b858daf20

Extracted

Path

C:\Recovery\07e255630-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 07e255630. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4F974E09500AD20B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4F974E09500AD20B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: jX8QnoidfK8c3h58xcGP14uJEV9ExeDW2VRFYstcQTLrzrcXaHzD8/4udLv2X00D cjArzRj+zqP0Pc1dDUKYtc1+/O/GhBlz3FhgvZUHvN0OET31FvkYJ7pJm+cgWEta tOk7Ovmw/mBaPPDJEWp9+A35jrcBtX0gtpPOmiZEVugEUsWQ85CNGNZCv5Ef/FuH xu4ek7hUek+7lMZL/pY8ny4luZ/BA9dTD6duFDC1yLjG5EJ+E0qIpgFJvReaNAmv m2nYi1fKbLuAb1hUQU2VKIP53jP1DVmSxto+bytMT/zKRDntmjHy9ldoruYVuPmq UNPZycJv3Sph1Tn91d8tdPWurcwAHPh3LXiWFqPJNA1WIhTfrgZFQm0j0Ib4jg/l 7B9WeesCR1eDOHxTgYh4UgxlqpIPRhmH/4Ttvue0bBYqxKuAHNBXQqAGELGENrSO GRpyoluoOkKrxOD3n2kSMQWYAanOmCgkcOnVPvkxRKOoNq2Z56+/stQC3SHctTTo VtqIXDEHLj3tpRSUa3C8A4ENQ7mo+VD9YDVcQblMZ+QdeNJFJZme/XxZ9M//635W 7Cwpl2hTzQ8TRkXitB6p6A7lVbKmBFFyi7IGvBLHSTdi7bvoUcy0ZpJwN0IcIxGs KnGHo6jTBD2EJfiEdH7rDvYW5Rq+6s+JSdrP4FHeuhkUKq/LCEiP7tqCmAWcyk+B wiOHDPJdN8/Yf8bqB9h58mUvfd4ssXSvk5KOqEMWij02SFz4o1KI1xXVo00S4QV4 02SG+m3NI0LdMZdStv2BE7aGMAWtlwJSxFJrVMVjmTKLEmxMDNViZeJlqiECT6W/ EY2rDRlHoJkijLJHmezrgBEYW4nj773ZP/v6+gekEGILC2t99Uc4szW1w6ernN+u uKa/2pGHl56M9mE7SA8XoP6mpwWCUTHO/0rO0Oc4CtCs9I1Lu4z5+XNeUWMQm4LB WCHS0U6zgTEJc9ugBU7v6hcjrYwatLgSwmmvy96nQLS6rYqTRLKpRAXdES8PLKjr dgMt9Bz33V5xAQylydvGvlQ2CAFlIguKPx1+AqMImY/fRXnhuu7XBy+0TztXPNNL 6o+Qc8IzP5Cvh8E+iY/93fSkdkjeWrmJv6r74dqIDmc7RGKtmetXA49hP+GgM1Gp U0DS+uotIYEiMezIaxD0T/uzRvz1mUj0NOdIbQ8NdA0W6wleCjpdfn1o32JCJh/e LMptchfooN0Z2kiFX1jpydK1 Extension name: 07e255630 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4F974E09500AD20B

http://decryptor.top/4F974E09500AD20B

Extracted

Path

C:\Users\46nq28a1y-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 46nq28a1y. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/92E721391799B020 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/92E721391799B020 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 2odI4YXUoImYYq//TjI7VlsGNOX5QrZ+NFxJMkRvqVZSogt5kN1thqNyKx1vvBpb vqwofNQUjS3gjrnSH0Qbb8mc6SlOtXpiLnBdAVly+li6SWNClQoXdiZLpvAiD0q5 W37QlMbMV/KHcFHUbEtyfSIo764O09+FIhhTeJqx+JJbu6wmDOprUR2VNBJOKA9h TQP5MaFWYEa6khC2RwmSRPQvJLoft9xEF4/cXvbuuP0IOgUMHKlRMAIzyMH/jmur dU3pj1zvIhTrJFEu6fJXcWYYufstXYEFS3vw5FLbGHFn3o/qkqqhMFQUcEFddnR0 5BY9l4Ei001vZtaoohluwxqz+gqH31Yb5trsXWfxBmkSaQotLeRyJyk7J8rOJdOI puHQIc50QFKNEF/zzNUxXrlUBzfUNszDyBsgtuZAxGV9YyjLz4GG3weDdC6ZAT0h ZJ7hXQngngvpSiGFn03EiXAGWqWP58bwd37z817Nf5sawXQdPTQM9QMDYsIhuoKq 4dqgCzZi8NadIWX9N+rm19mVdovKB46yLWwAvFCf7w1kF3XQq/3FIcg8LNEIC1v7 sOvYbqFI24M4A6xJ8w0fQP/LywEEoN27g/ZWVuTIsU69iV51jWQPDGpm1489LibF 9IPS+Q7cPCGg0Xs1M5ZowCBEUlvqVcGhJhdbCUkH3itL8JxzEHGGQ42U2izNQKLA xeFcpctadx4vRB0wuyZC/4iOe70WUWKtkyhjyc54KT+0YIZjuQkgB+D2DXE1f5wt zbbDv/AZ15M5aOifR6GbsGqodtRpGxjiupxZwhLnrNLFgMuwXoX1EazWxK4p4ATr C0zZCSSaj9s8/YoldZ+aOvzDxMevjgO5AJpRJNd4ODvGe2NdcOIEng91DwLY8Erg tQl+XPTsTrWzyoRamNfhCBHa/3LGLlvVC6mHMvzmUVKRsBS7ub/VYyurOmdmlzsH /u+I7WzKfDfFvytqx2AmAeHLWCSJ0muU6PxH6N7rfy8N2VqhBb/ja0woAuZjybU0 uKpGS52JwUejgUo3qyHi/9khr+ejZcNhjQokmkIUsLmga4t5MWdJAVhDI1Q4Otod S1TAaOl03Xn9H2z0mz4YBUGlaqucUZxkwkyN8IdYkOLtu4MFp9LvRJPEddi2d3SF 1EQxZw00RWuDNT8Oh+NOp9CQadiXlRonIyT5zOIcC0kxXcVqJ+TsIhRvL4JHRXd2 zTIPmGaRolXocv1kGWI= Extension name: 46nq28a1y ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/92E721391799B020

http://decryptor.top/92E721391799B020

Extracted

Path

C:\Users\q4324-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion q4324. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F532935A60F544FF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F532935A60F544FF Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: DfWcgB8lsqBiqlISVsG+RlWIsnFf70qJseANqqX8d8GM9uvPoEE4WLTGiG1wwJ4g szAp6q8K5upTLwTXHmpS1+rRyh+xl4wX5jW8w0NWgTbaQp/HX//KBAH79fJ9LDzF Tsu5lS1PmY7+f3f8Bv3c2LXb5Nwi4EM/tD/acqmkRMZyPGs5bRjeStmWe26WYMea cik+eqSESiBlfWeoiwNVS94woTixXnVPNp0m78B541EC1NCZ15BCdyp73HD3DJcY Eaq3UylFwe4qgGqfylqNyL1Vcy/XPMrMI8Sm8r37ipg6hXil7st/kSx67M0eXM6u gkhhVaZ6Ozn1DzCzyzCWpeExSWTDQ/jXpElBpxWudqDQxYoLm5v9EG2nXc09k1bt f7zIl0d9cbNn0soUFwj8y+lZFGUdwyaPK8Kqs5W7kENOdVtLL5N8NaBzbldHoQV9 3LxIljSAZ3GySV6TEFpQ0o/7jgp9HMGx3hgQOky6k7tSsaypLdZCdrIgsPFA3a8E TBaPvhKVnqrmi3EpA6qo7Feuv3bOBLAc408E8YzQOCV+CmDr05wK2hLMvRqg4zqv 7N6NDUlLeNV6MvknX3aVpREWB21fT2PmgOUSauJUbkoHgHSYgmyUvk36EascMh4I gnyCVAhYHxEe1IY8c5L49jaT4xwVwcAtHq+0L8bbN32CRhgYqNl067vD92HMoyPA 40hR3U4NHtKhwOST6B6INIng1ROOTejIBlakeFkKsZGg9NSYpyxONdlNdJaDSVbQ hZYl92gIRtxHCM/mCLHbUk3T0bX1GT3owBbGZMkhLCiFQP+iSc2mWphKUiaNcBPV tshFnIcp/fgpU9IFiTRdZSMxtDqgKnALBJTdwyw9kAbjiaeHiwwRPUL2F3SM5+Zl FepiwTtzd+qDHn8bJI35fn9uu5m8gFaFKLLTwv/mbyejJ+p1+vMo35yndPrASG6Q umHUajal2k/xZ6YZhOsFCp6pBDztXuzoJBb/A4kKRAPcpCPsQrDgJG102AQHLMQR tQgxbSQ9NSDwDDnPcOBHV48+rMNczCGy/NoLtKHwZrdYSxXNk913fbGJl7hAYsHy CO+3UJe5Itwxu8FHtpozpr0mNdgxILuU9tfsQ6dwNAd/9OHI+OXcnqYaPkWl9fRj 1vvCN1wFPveqWlY+UROzcEKobACgcNLi2ht+QiPmjtQzDi68v2B6RwwVVm2PMb2Y wb+Nm/L9 Extension name: q4324 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F532935A60F544FF

http://decryptor.top/F532935A60F544FF

Targets

    • Target

      17ffd90d20cbd49c4e0d65a484eeae65a107d5bad9582afc51c4ead8bbc147e1

    • Size

      160KB

    • MD5

      b49aedab270215f327ab95ea98cb7e33

    • SHA1

      10b4aafcdeaba91e0140b581fd397e5db94c106d

    • SHA256

      17ffd90d20cbd49c4e0d65a484eeae65a107d5bad9582afc51c4ead8bbc147e1

    • SHA512

      eebc06bc7c6f79be5c1fe0020e17b808e17c259fe99ac4d8455849c6ae383258ed637fa067ae5e203152d271494f1b2ff735973f4d2e09797ec787426418327a

    • SSDEEP

      1536:Gls0QszjGz02ZPO9nEpXiMpi28p7Pbi4eTMluxtXDCntTnICS4Ay4bbaTIL5CMdS:8RwOWpXiIgLbi4eTMlwDCnuo47pd+

    Score
    1/10
    behavioral1

    • Target

      1caf5105988781e29d93e58abcbf3bf4c973eca1a207803629bd5cf901ef5be1

    • Size

      1.1MB

    • MD5

      40b111fdffe33c4c776d87ce7ff02431

    • SHA1

      dd6eee81a397d0b94c3532d62c613070501d0048

    • SHA256

      1caf5105988781e29d93e58abcbf3bf4c973eca1a207803629bd5cf901ef5be1

    • SHA512

      07ef4139a40d8f08acb489c4c1ced0ffe787f536d59d185ef43aaa0f17e391ca000b8c1c10813feb573241314000b7a91d52fcfcaaa4311f73432cdaaa0f921b

    • SSDEEP

      24576:LzWuYg/8kz9ncHy/B5uwMp1p4pGj3m91dscI/P:LCuYA8kZnpB5uw+1p44S91gP

    Score
    10/10
    troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

      ransomwaretrojantroldesh

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral2

    • Target

      1d88c47417c082378c735c9e8180ea63627d5efff35852f1bb06fe6705581267

    • Size

      97KB

    • MD5

      e24c6b66b4e5ad59853678feed836f8d

    • SHA1

      db8a87d1c47004aadb871b0f1a03dc59ec0dffe7

    • SHA256

      1d88c47417c082378c735c9e8180ea63627d5efff35852f1bb06fe6705581267

    • SHA512

      c10a18e6252c05380c49f9c5c96470d091d6ebf3d51841c566f5700d10fd569f45200af0681909547eebcbd4503a71856fc8b7c87d1ae21f76cd782065104ab3

    • SSDEEP

      1536:JYd7Q+s7EIEne/UO6Ki1wO33sGINt/PogTXF5MJeVG7MpmPy4MPlT1SISS:JYdsihneniS+3akgTXYigMAy5PN1f

    Score
    1/10
    behavioral3

    • Target

      1ecb59774182d0d0a04b418249428b621159838bd2bcdc1a3a7b871a65dd90af

    • Size

      611KB

    • MD5

      93c5f1cb9b83533edf1dee9cc40628e2

    • SHA1

      788731b2715d1d1f2405bd6169cede470445fdbc

    • SHA256

      1ecb59774182d0d0a04b418249428b621159838bd2bcdc1a3a7b871a65dd90af

    • SHA512

      f6fafb62d752083f97b54cfd72937e4d5483df812fe2d3425b90b98776356ab7bd049ea735db0ba93d1f424a8d7d8bc627b23a5244080917ef2c9b2400c9c526

    • SSDEEP

      12288:ffHVNgJDiUk6UICjj5Lx/q3RqmRNnw8ZnCeMN0pGoMLTcI1dJH8MSsn3dMVziVH:X1yJDdhlyxCIm3nwQCeMNqGjLYcteAdf

    Score
    10/10
    persistenceupx

    • Modifies WinLogon for persistence

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral4

    • Target

      2a5fe7d49fcf65525cfbefaca92a12a0d2917d15f348a48fc7a4de7ae50776b5

    • Size

      24KB

    • MD5

      ce0e55a50737e81695b675cc13692322

    • SHA1

      6936cf5411534d80e2765bac129bda7472b5713f

    • SHA256

      2a5fe7d49fcf65525cfbefaca92a12a0d2917d15f348a48fc7a4de7ae50776b5

    • SHA512

      5d43b82290b91042343958d1f6485e602a29935e2bcc720d4698060941129a294cb89a81d6dc34ab60722dbff2c34f8b31591f4c60b4cc4a930535814dcb6e1e

    • SSDEEP

      384:SIa8CfT5HO7Jbh1BcNsiLv2in+HigbmIAjy/xsNXKW:ZaXfTJ4Jbh1Asib2inCuAsxKW

    Score
    1/10
    behavioral5

    • Target

      2c1aa4fa14d7055f2239dbb29ab15089cb2752e9f94ec7a360d275dd607314dc

    • Size

      620KB

    • MD5

      5376a226b33db36b51bf85b910071031

    • SHA1

      ee89a2daf45bda00154a181b0713d351a19b6e00

    • SHA256

      2c1aa4fa14d7055f2239dbb29ab15089cb2752e9f94ec7a360d275dd607314dc

    • SHA512

      38fae7a2ef4ba9d8633dd6898f525a6d4ef91813700eb5b95a4e13dfe6caea8d291eedfd092916a50b401cb9bef24adb2a2878b327a4f00c0590d09948483083

    • SSDEEP

      12288:wUA9qXSileJnwNoFp1ayIfKIemXyYL1LyV/G/0HCO3ZaqEmhENt:wVoXcw2FpZ+9egiU0iofEmG/

    Score
    8/10

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral6

    • Target

      34d62f47e1fe45dd6309326ef696012f2473b0157e1278eea3826a95829da36e

    • Size

      432KB

    • MD5

      95d298e38d0ffa1d4bed5bcd98739195

    • SHA1

      f17fbf42b73628a694079801b0680559ee01328b

    • SHA256

      34d62f47e1fe45dd6309326ef696012f2473b0157e1278eea3826a95829da36e

    • SHA512

      f5e96cb68a1ed9f7b66b7bdecc1abe0f4cb1c80b196ef85445a150acbb9fe4fc649e6cf557c6f84d19d2da8de06f19d3fe6e686802684f9b23043e37d5d48578

    • SSDEEP

      6144:+CPCz2/aWNJ+bpHE7u5ZBFCn7Qf7oqQ1I+4M5GmOBVkc4PksaX2XA87cegDj8+j:Xaz2ivtk7q0i7oDhnGHimw7cHDj8+

    Score
    3/10
    behavioral7

    • Target

      38f1b8c86870354a31878d55c6897d7eb9e83f9418aafbfe9f6ff897dd3c2f05

    • Size

      1.1MB

    • MD5

      38d1e069b9e9b3e0c255e49115295b7e

    • SHA1

      151b38a5fc8271cfdd03c72367b55242f7891f78

    • SHA256

      38f1b8c86870354a31878d55c6897d7eb9e83f9418aafbfe9f6ff897dd3c2f05

    • SHA512

      a8334a202415641ca9706de45df45dc9304643b141ba4651bbe80c1c524b72ad56ab4cda01f45f08c3727991ed7789f9bf238d9304a5b8d8a41140fbd7c53610

    • SSDEEP

      24576:PtO+RduDZwmzMo5sD5AgT4CoCTisqywkPOsxwZms3Qhg:PtOAuWmIOe2ZCoC+sWzZms3Qa

    Score
    10/10
    troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

      ransomwaretrojantroldesh

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral8

    • Target

      40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04

    • Size

      164KB

    • MD5

      5117dc6337d71e68262ddc6124ff1b33

    • SHA1

      41890b9a7043d3d6300ed2a128425f321c69ea0c

    • SHA256

      40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04

    • SHA512

      71534faf779387a35e28f64d26a8d032c93f4273a30d0102ac8265399f198c9dbd119ae1e186d902ebd5b19e0c57094ec171bc101d5c073a75346f62d17fbc8c

    • SSDEEP

      3072:9fg0NBlu9CNTed7/kBazzFbULRU0pNa+eGfiN82R:9Y0NvuUN6F/M4qtXpNHE82R

    Score
    10/10
    sodinokibiransomwarespywarestealer

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral9

    • Target

      410ee08c8a84fbb947d5f4635c95c6c8d244a51855afd4f6aa0e82dba1c38a59

    • Size

      370KB

    • MD5

      d607888bc583a5712928c7c02555930a

    • SHA1

      76963321489e6ac40ed10b54cc233e6e3a031235

    • SHA256

      410ee08c8a84fbb947d5f4635c95c6c8d244a51855afd4f6aa0e82dba1c38a59

    • SHA512

      3ff95cbaa21d56b51946a88f7034a812b6941f0f18c67694d7c2a53605a7475a04c2641c524c6dabc529a00b8b46e7e091b600b902973aa68410f1132b3f7f6d

    • SSDEEP

      6144:Us/n1Xe/+6AZbw0aeBQMZb+zpnBvkgr4YXNgyt5lcFT7GeLhLZYl:z/n1O/+6AZFaem8O4YRliTqe9Zu

    Score
    6/10
    persistence
    behavioral10

    • Target

      423b7b37b1925762c4417d81bd0f434f9760c1ed844b4b47ee7f25c8d0740242

    • Size

      20KB

    • MD5

      e480106d096f6a5ed69ecbf74f0a1007

    • SHA1

      48c612190f9aca3dc4b5af70a760b17597edc402

    • SHA256

      423b7b37b1925762c4417d81bd0f434f9760c1ed844b4b47ee7f25c8d0740242

    • SHA512

      6962a66118fd13335bbeddad901c3db91e43f6549d576b69e50e2e00816862517003d50965ad22bc87bcb59eb2e435d0b449d33cadacc989a4a6691ee7cbffef

    • SSDEEP

      384:2fkfodG6s/04vMLk24jXPl8a3XEW5/5YiEB8:rfyQ/vg2XPrY

    Score
    1/10
    behavioral11

    • Target

      4315b6e87c88972648fac6610116046b7af4aca6bd445839ecc8f21515591a0b

    • Size

      3.9MB

    • MD5

      05e136c5e18d962fc7cc490a48bf43c5

    • SHA1

      db3a52fb85741df954508410d864a3b8d8a7bb36

    • SHA256

      4315b6e87c88972648fac6610116046b7af4aca6bd445839ecc8f21515591a0b

    • SHA512

      e5770d49869f22761d6984298dfb34292719e743a018d48ebcef1c0430067eab83436b846a98b7e7439ead01d80ad0078d132e1333f404b0d0a14edc92f7c487

    • SSDEEP

      98304:wuv7TVLSNplylkdcHc6H5aE1LQx84rK5aKYea:XLSNpl2hya0x84rKcKYea

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral12

    • Target

      453c6fe9e176af08b176430630a4eec6f1de09f7f147248dc905dc9823af1b91

    • Size

      9.2MB

    • MD5

      b9a3cc40fd0e73538c2500455572fc44

    • SHA1

      dfd804af79f2438bcbb01f6560b51cc6f9efed9f

    • SHA256

      453c6fe9e176af08b176430630a4eec6f1de09f7f147248dc905dc9823af1b91

    • SHA512

      b2591fcfd97c156cf056319373516c87f76fe865cf92805fe823fe2580edb29e51fb1fc91329a5bc906dd335791087777b9b425eef5b5de807f8afbece038695

    • SSDEEP

      384:uNqsjDr0sG2Sah6EzHCkbvllAoQS1qcL2QxrNbSyskR+f6scNTFmfOu:HsjDy2Sahjv31Vt++NTgOu

    Score
    1/10
    behavioral13

    • Target

      4a841216cbbd4a587cc579434a043c17f54e3eb0e7ff615b3985411587dfa837

    • Size

      14KB

    • MD5

      898b24cd1105ff108bbe18d9b2b39b22

    • SHA1

      2cc018123c389c5c8c741cb4ed4085674f417fc3

    • SHA256

      4a841216cbbd4a587cc579434a043c17f54e3eb0e7ff615b3985411587dfa837

    • SHA512

      ae2bc3e82bc4e36d4d756151d223b12a54f4097733b7cf4eabb9561bb3bf074ba40f40fcbc43aac4c6cb0267961ca4aa57ac3a6f8abba4bc0c0368b40f3d866c

    • SSDEEP

      192:OJLd5quhzqEQVRMI+cM3xbeaV19ZKcxBRkWM2X48xQI+9y5n0kfz7:OJJ5quqTRNuXvgW48x09y50kf

    Score
    1/10
    behavioral14

    • Target

      4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9

    • Size

      71KB

    • MD5

      7d09bbc0aee91d29b3e62aa7889d75ac

    • SHA1

      dcc48feec76915615fca1db6e2e726543fba9566

    • SHA256

      4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9

    • SHA512

      3f476f40f9a17919946df05bca46d0169531fd32982cc7c62ec685aef680c2fe064361da928fb174274c88f25b64db75f9c996e271e5b3a0836aa4101649a275

    • SSDEEP

      192:YKA9x8uHsLXl0Hjo7WLom8YHwOrDU0U4cbHaF55n3nN7a:YKA9WuwXl0YZm8eDr40/cuF73Za

    Score
    1/10
    behavioral15

    • Target

      4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00

    • Size

      349KB

    • MD5

      eb7138741adc746f8953a3db50d9e235

    • SHA1

      c0adbd63648052edacdf65f74ce1ce9701125570

    • SHA256

      4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00

    • SHA512

      41d4a0aadbe055f6b22ead1bcc407a53e02075218e48aae18d2df5bf23f87fad0c8609725fa60e89de6fc67041acd41303c0505d1b88ddc06b7ed916a5981f8a

    • SSDEEP

      6144:YPNS/+PNS/t7VggtOXOICLcF8t+JKrllVtqfLJC:YPPPiHcXOIFyqwjtqfLQ

    Score
    10/10
    gandcrabbackdoorransomwarespywarestealer

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (343) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral16

    • Target

      55bdc39b0b7686a57916d2fee2c0f9559e5b947d115bfcb6b5b255706a412670

    • Size

      164KB

    • MD5

      5e2627aa0eda8c0f55f2b8f075c91e42

    • SHA1

      5628a78e002734c6885a0ab6ec97aa6425bcc882

    • SHA256

      55bdc39b0b7686a57916d2fee2c0f9559e5b947d115bfcb6b5b255706a412670

    • SHA512

      af01edf7497f19212f855f1717353227a2f35435c9adc4ca82fd4e2d31081a2d1ac1270c2330ceb20afc6c5be6f97782d8a3388f834bd9a3ecc2f7c78b6c087f

    • SSDEEP

      3072:xdHwJK3BMoFiWjmfb+HP+rnRfUMfm0Sl0/1:xNwE3q4jmfCHWtUWI6

    Score
    10/10
    sodinokibiransomware

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral17

    • Target

      5a1b6ba55fde56e57509d2efea734d91e38a64cadaf9cda4aa31a85a592763c3

    • Size

      15KB

    • MD5

      5656ddfcd3d5c5ce7ea71b4243471215

    • SHA1

      a17d320ef685892af10d492b490e3706878800f2

    • SHA256

      5a1b6ba55fde56e57509d2efea734d91e38a64cadaf9cda4aa31a85a592763c3

    • SHA512

      e6d00d00b7fc80dac0dc451720612684297fd45fdfb7e108b2605d252e03a6864a406777f4f064cd874299aac3a47ffb9cac41302c31e68431da66a83cb4d6b9

    • SSDEEP

      192:ftWsDwsLwZxQVtEbR+Usmaw1Q2M3nBRG2Lbcx90uHb18FtQIDT+DC9sVVA:fYsMEwZiVtE+q19kvFGW88FttTtsVO

    Score
    1/10
    behavioral18

    • Target

      5f056a4a7aff1927cad99e70eae7fa7ed149b5b7f51c6ddd3cdc61993836be4c

    • Size

      376KB

    • MD5

      30450a05140f74e375532c40fba88a12

    • SHA1

      ff8290ece209901e37749f988958a1e4a1aa492d

    • SHA256

      5f056a4a7aff1927cad99e70eae7fa7ed149b5b7f51c6ddd3cdc61993836be4c

    • SHA512

      386ee0646b8c37a4eae67a017b668a60fac263350469f08934dcbf5c828079940aa8fdc36b99b43026e35b3383e103d8b1c043f9351700759ffe7754e3f3a990

    • SSDEEP

      6144:WhGEyczjmpEI4izRHjmtGlMksGiT3/YnPef20YNw8fxLtIC68o7IpRZ1sXetj4+j:WhIcepEI4izRHjmtGlBsn7APef2P+8f3

    Score
    7/10

    • Loads dropped DLL

    behavioral19

    • Target

      6709db0a92e59e6662708358c0197d6b72b86ff9edb798aca32e34cad1623e53

    • Size

      899KB

    • MD5

      196c58f6fb541bce1082b908d77d19c4

    • SHA1

      6c004c1d4a70ec9c0655a6288f5d97297583d8aa

    • SHA256

      6709db0a92e59e6662708358c0197d6b72b86ff9edb798aca32e34cad1623e53

    • SHA512

      e6bc0efa08a28737b2f8acca641a69276cafdf77bcc36d600c46f28a822c7fc021f0a19df6e958f5626caa848a309c29554bb98dbd4df1d2b26efc819b13b65c

    • SSDEEP

      24576:RlQKriZKMRb54kwQppldcLrLmF0RhwF4T1sS:JEKMR94vQvlMrC21xs

    Score
    9/10
    evasionupx

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Enumerates VirtualBox registry keys

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Suspicious use of SetThreadContext

    behavioral20

    • Target

      69add888bcdeed2c14f525f23fa52a141f1afbd420b0fdd38202e5031b3635df

    • Size

      186KB

    • MD5

      f37378f81c6f7271531f91ed5c198056

    • SHA1

      9d00fda560b1cc4c40c398ffc5b688127248114a

    • SHA256

      69add888bcdeed2c14f525f23fa52a141f1afbd420b0fdd38202e5031b3635df

    • SHA512

      43c9777149db017ad063120167dcee73c81e8cad82ad4579ff9451153d47adff796d7f298fe9999584db66610916caba00b553a65a94c5d7b344cb412f2a919c

    • SSDEEP

      3072:JntBFPxJUNKYU1Ga/BU2Emo8BBMdjsEJwuY1MdOKgEjyniUrUMQaUe7hGlY1cS:htHLUNyar845sEJwjMdOK3yi345

    Score
    7/10
    persistencespywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence
    behavioral21

    • Target

      6af766a07ccc641da303ab30936ed32ad32bb4d7c983f3df45c4c52c036e9d20

    • Size

      165KB

    • MD5

      1701c19d9610ee4be543815bff908281

    • SHA1

      44821ddb87e0260ee8ba368e08c75b0ad3232923

    • SHA256

      6af766a07ccc641da303ab30936ed32ad32bb4d7c983f3df45c4c52c036e9d20

    • SHA512

      6794cb5b710b5165dfb59a6dcecff7776dce69b452b82e51dd9d35ec951e15febe9d71ceedc7ea91845b0d6e8c4214e7c07935dd2c8dd6f5c372e35971eed5ae

    • SSDEEP

      3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NabPos:lw02sJPi7O93N9s

    Score
    10/10
    sodinokibipersistenceransomware

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral22

    • Target

      719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244

    • Size

      192KB

    • MD5

      06dfde68d9e07bc1191626855a321801

    • SHA1

      a17859092783b09986512203119bbfaf4f5e13b0

    • SHA256

      719a339594bae94aad390edd6afd0f784af416eb53b6bc64de024a55567d4244

    • SHA512

      9d4f64e297e694d49ff4eee734afaf48945cf1b0d991dff707253266a10603994edaa6a68ad614118d50925e25a9f9f405ca60b15c4c0d4464175e80c0cfc2df

    • SSDEEP

      6144:fB+pgUn26IdSI1dwCi6PgHGcUHTaF+MW1D:fgPCdp1dJkHFUHT7M

    Score
    7/10

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral23

    • Target

      71a20e270052665d18bc0fe4d1f9608e51f4fd427442e7abc3e5d43c4e987bdb

    • Size

      2.7MB

    • MD5

      83cb5b87a786fb135a11bc133fb4d4d6

    • SHA1

      f0fced87788092368e1360dfaf830e6ea1f1ef1f

    • SHA256

      71a20e270052665d18bc0fe4d1f9608e51f4fd427442e7abc3e5d43c4e987bdb

    • SHA512

      dac2ae2129d2dd477cbd84e2464055cb298407a06fd7fd24c54cb38f692914e9f9cdb8320e23861f25642316b05de411d840021bb7b0a15ab21a035f0d68fe12

    • SSDEEP

      3072:BttFWSfQySeFOHcjyPHkxrahs1nP2omHDj7X2SrhL4:BLXfQySDHcwkEhs0jjKWhL

    Score
    1/10
    behavioral24

    • Target

      7acc03a3573061f3856c27ce5b90dc7f5cc684840862a619edd78ad849b742fd

    • Size

      888KB

    • MD5

      9f96c1e23e596f31eb221bce90071b3e

    • SHA1

      05fda21953f6f369bbe0400e5cf1234e379f9cdf

    • SHA256

      7acc03a3573061f3856c27ce5b90dc7f5cc684840862a619edd78ad849b742fd

    • SHA512

      5239a9a8a94d6836ed19f501918d132cfb28f0465dc7e53ccdeacda0f68e5e6e0e1e115fab39766e02e85bc1e17ecea678131c151ff4499b2ab1321d66761b3e

    • SSDEEP

      24576:pxA70a8L6o/NETvW6howTKkt6+1zbOFWy7/DbnLMy:z+l8GoVP6VdmWy7/DMy

    Score
    7/10

    • Loads dropped DLL

    behavioral25

    • Target

      7bd3e8a10838e95fcb3ab06457404f03e09bd8d3881c2521be3b71fad533445f

    • Size

      1.5MB

    • MD5

      3666648ac448bfb0bdd37032f60600dc

    • SHA1

      e591ae742dd3f597f8bcac9455d184913051daf1

    • SHA256

      7bd3e8a10838e95fcb3ab06457404f03e09bd8d3881c2521be3b71fad533445f

    • SHA512

      3fe4427da3bb01e7e004e2c29b899d36b462155aa59aca130913281f16c2d3743e6f1dac16cd5f0920d707cb5e33240f45b868e84377a88ebeb51617dab681b5

    • SSDEEP

      24576:aFlxmF2j7Xd49AX96bvkPHL+T702v71P9T5Cjpz63g3XeB8Zps9:aFlxMm7Xd4uX9quSv02elcOX9ps9

    Score
    1/10
    behavioral26

    • Target

      8034ef305be188bce8cdd98336f7cd2795c5dc74b19fdebf7cf5161f9000fb74

    • Size

      2.3MB

    • MD5

      012e2a46b9d4d49fbc3263d8b14ebeda

    • SHA1

      a6dfb1c0cf42e266df9c3e3234e32fdc6f49fb37

    • SHA256

      8034ef305be188bce8cdd98336f7cd2795c5dc74b19fdebf7cf5161f9000fb74

    • SHA512

      be2f9d22f95d5b5672cfd4d4b634ceff7638abf62de006a61cb1422b8201bafac936eb7d2821da01001b34de8364b997b583d6ca4304dc01dcb09a9156e59b76

    • SSDEEP

      49152:v0eT6L7AZHRxSY6VC2kBKn7x6JkNi46uyI2+aTOGE/QM:P+LRrkBKn71YuyI2LRbM

    Score
    1/10
    behavioral27

    • Target

      88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb

    • Size

      614KB

    • MD5

      c7d23cb33b0db8303d7cc43fb4d7fdcd

    • SHA1

      b456525f89a5fc70d3022fc41dec753a8a84ab16

    • SHA256

      88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb

    • SHA512

      688b6efb0e2af25b6d8695171ce2bf9ccadc147beab555bcf836b38de884e8c854ea4b7cf4e951b1451caefa741c5c6a03cca1e824a1549ef374e8092f7b3da9

    • SSDEEP

      12288:aiXf2YxXtNvqOt093nvo8eb+s5KaadA6r7/Z77u5V4nutiXhb+:xvtxdNvq98+CjadAY7E5VRtkZ+

    Score
    10/10
    persistenceupx

    • Modifies WinLogon for persistence

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence
    behavioral28

    • Target

      8e6c6b616e846b280572edd2beb96b4c22426963b565553609b4e2fc4b19b019

    • Size

      477KB

    • MD5

      097a4830290984d9c36081b4b8d1f615

    • SHA1

      13794fd6134b4f934fffcbaf2adefbbcc1f01c76

    • SHA256

      8e6c6b616e846b280572edd2beb96b4c22426963b565553609b4e2fc4b19b019

    • SHA512

      1d58ab5dae755ccdf6ede4181524752d151d0d3e84f625132b5e7e9731803911e88b0c76e95cf8918ef7085c2953c6b22a9d70c3422a3cc147e99a6757d59acb

    • SSDEEP

      12288:WYDunOLRQ3sBPBLfeZQ5NO1sPOLfez8olmviTh5J:WxnjsFZi1uHDmKjJ

    Score
    7/10
    upx

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral29

    • Target

      907c21dd04dae2f48b048778f36b402c06096220b8c4462d54bd1246f0aec8b0

    • Size

      2.3MB

    • MD5

      026c5d37e261bf90f56293046ec26af8

    • SHA1

      38f6b87904c9192bd3f4073815c4db3c12dba7b0

    • SHA256

      907c21dd04dae2f48b048778f36b402c06096220b8c4462d54bd1246f0aec8b0

    • SHA512

      53a3e02eae2068b16bbd50add46981237842c5428752695db91a7ecf9e93146bccd1b609b0d96e19e20eca030eef94ac8832ae2b15668e59d5f254439b5b3c77

    • SSDEEP

      49152:Q8atUUeTExFEUWf7UrhjUI/IeFHR8c7iSAgx4nNBzG5KeIKvOnr:SUEhiUhUIwSx8c7iSAakzcKepg

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral30

    • Target

      9b1d7a498b1050d27f515245add3690ee79d41f64fa9a95242525c964fdd9221

    • Size

      5.6MB

    • MD5

      d070b8fbecec7498f26708eaa6bd212e

    • SHA1

      b23891129d167fa34a95f23bdd79e258624f6898

    • SHA256

      9b1d7a498b1050d27f515245add3690ee79d41f64fa9a95242525c964fdd9221

    • SHA512

      822c0d7490e038af0ae150dec85521397965c4fbcd2d8e7e2d9978ff4dcef01aedc6edf4b13157276a43f200e7baf5b0a10c08b9fb374087f89a32e37ccef332

    • SSDEEP

      98304:3+e8BYplED9piatxNa4DrdR9B0//Dw7NfY4srGYToe/wnWO3HpcMkbvNoCKD76WM:3+e8BYpqD9pF1a4D56zw7NfcVwW6HKMO

    Score
    7/10

    • Loads dropped DLL

    behavioral31

    • Target

      9b7e5d2fdc7192256d81ce9e4d339dcdbfd453ad1059d3efd4a7d829f5d2608b

    • Size

      696KB

    • MD5

      6c4afbb266c4c09ca6ec58a0d7716bf1

    • SHA1

      9309c83062a2cd154776f1a2d4720be008404760

    • SHA256

      9b7e5d2fdc7192256d81ce9e4d339dcdbfd453ad1059d3efd4a7d829f5d2608b

    • SHA512

      5117bcca2a9b98bb9863d98b0a037cb58c97a7614682735f794b7db2b0c30a122777cef5e1d577b8eaada094ba31b6c2edca0bdbf31597b4fd8704ff0be74bec

    • SSDEEP

      12288:/Br2++HzRcCUNsvdtZhfMF6pI12KM2K/nrRlZmv9BSc:/Bz+NrU6vbE6nK+/+9BS

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

Software Discovery

1
T1518

System Information Discovery

4
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Tasks

static1

33296upx19351511862046themidasodinokibicrimsonrat
Score
10/10

behavioral1

Score
1/10

behavioral2

troldeshdiscoverypersistenceransomwarespywarestealertrojanupx
Score
10/10

behavioral3

Score
1/10

behavioral4

persistenceupx
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
8/10

behavioral7

Score
3/10

behavioral8

troldeshdiscoverypersistenceransomwarespywarestealertrojanupx
Score
10/10

behavioral9

sodinokibiransomwarespywarestealer
Score
10/10

behavioral10

persistence
Score
6/10

behavioral11

Score
1/10

behavioral12

Score
7/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

gandcrabbackdoorransomwarespywarestealer
Score
10/10

behavioral17

sodinokibiransomware
Score
10/10

behavioral18

Score
1/10

behavioral19

Score
7/10

behavioral20

evasionupx
Score
9/10

behavioral21

persistencespywarestealer
Score
7/10

behavioral22

sodinokibipersistenceransomware
Score
10/10

behavioral23

Score
7/10

behavioral24

Score
1/10

behavioral25

Score
7/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

persistenceupx
Score
10/10

behavioral29

upx
Score
7/10

behavioral30

Score
7/10

behavioral31

Score
7/10

behavioral32

Score
7/10