General

  • Target

    NEAS.42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe

  • Size

    166KB

  • Sample

    231117-tvr6daah68

  • MD5

    43e9093ffc8dd69985a9ae65b26f5551

  • SHA1

    7b268ff84e824ddcd8b7df3cf9993be012489d01

  • SHA256

    42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d

  • SHA512

    118d879750d0456f5b2e31818815ef9465fb40eac24f4784236c626d2a2e753b5a85ec5b2c66a755b10855c9caaf77bd85b6b3d1fc7003fb029cb703ead9037c

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QG9BEJfMt0H:ZJ0BXScFy2RsQJ8zgG9jt0

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

3134

Decoy

Attributes

  • net

    true

  • pid

    19

  • prc

    visio

    ocautoupds

    synctime

    dbeng50

    infopath

    tbirdconfig

    oracle

    winword

    firefox

    dbsnmp

    mydesktopservice

    msaccess

    xfssvccon

    sqbcoreservice

    mydesktopqos

    sql

    onenote

    outlook

    ocomm

    steam

    excel

    ocssd

    thebat

    agntsvc

    powerpnt

    thunderbird

    mspub

    isqlplussvc

    encsvc

    wordpad

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key:

    {KEY}

    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    3134

  • svc

    vss

    sophos

    mepocs

    veeam

    sql

    backup

    svc$

    memtas

Extracted

Path

C:\Users\n2gxyt5-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension n2gxyt5.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6528D0C1E772CCF1

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/6528D0C1E772CCF1

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: zYN59fZ7ED3Y4lvOQvGehmBmxIg1mpgGeRz3IIjx9cnp7qkdEUr/31OKks+smlJq WHtf8v5tT2fU8wL2wJ2vWHJhtvr6fbrqumxD88AlPQTBkvTVHJthOfN1SFdrRQWj N8rSpgzpFtAIz5HIZLEjA1EoWMJacFhn04aBuuG4J0YUvU2kfwPDFOewiPDDOBWm 6tHpLX/QbVgYt2aWalJBZ1n6sDnfQvD88K5og2Vnr6/rfkZbdXxcGrvC3aDYXo65 5J0wKDax8rMhDBV7k9ZzitHQ+uFLsCYfCGHJVefGYhmWVHRDnw/a4vD/vcpCUV+6 9Cj5cOs34pvgjyAnMCJnIePLRkt9AfWldmhrv+SbTjW58KTXgM9ClAW0H3y1dMyO GjvU+a0rrUh/mFH3N3+4IQ8SSKOLXvwONUmkhzbX/e85J4V6C8KpBSYjHPNo33EL BYIS++XrqNxev+8uP/lAisnn6KU0lUpOAxIwl4tYIaMIJ3jZ8rEywt+jypOKiJkd OnS6ZpcNVyclVfi+zODGyp+CAaFwBrn6tzlOqhnItMvUlzUZEh2ayQe0OrvVI6bD 3uBZeovmrJDEXDma2go3TCF+4EH4nCVB4koqwwf6tfWe1LlqWOo7RiUcEdWgjpx6 Y0AeuGmlZu83Bd53KS3gkRp4TXEVjHHBn3YK4HB0s4ghr98mE52BeSPWzlQP6oDv VYG2vT2i5XiUxPu02wYPJESseQR8VzsZQI1Hh/uLtowiggss+PuhZY4CgTx1BsZu YY5AL1ks/YIpwIdYVEsM8mSqUb6qn+P4ybyqlGtrjgEmquUxlHRy5NmDsOyHKgcX 03AHdVXRpsb8zW7rJwHecwczZ9ogBZWPyFcJUn0nHFpK1vPQwRfTo301daz02aLJ dwxzgSdp7maB2nbmAEQWuY6efQATneZhJNy0+9CCK/EHTGkZ0AP+uA9hTb16DPmL qC/tgG7zIPdNSqOXYIMeQQk7i0nR3TU3tUUYfSkvuedShUugYftZpy3DjMZf7Y5H fbv6GZWr6cbvWvbo7dpaStXEV35txzC1PvGbw7wL3ZUDQb1I6fXegc/JAsGXTtBz tbiNJGzjUYn5o83f4zzpEsB+8Xqq5NE6TWt4v7XPdJh6NRSSEtFDr8PRmAHhi/jS 1R3V5+LWt9mQXMejYvm3hrV2U9VpewP29kEfRJtDEwySVlQlYl1Bve9vsk5qJNXY bMA+VaLdf7BXDXbGEqQ= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6528D0C1E772CCF1

http://decryptor.cc/6528D0C1E772CCF1

Extracted

Path

C:\Recovery\0v23z7s65-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 0v23z7s65.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6CE3C64B425DB91B

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/6CE3C64B425DB91B

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: I1XReEzJEhuj5tvlXk6BZArh6tHf/iEO5X1K1sagKdU3EnEFxEwYFSMcmVYF8HtU ynGaIlP3UEyKlg5rTPyiDzZ66v8QRueMKaGW4ANYAy80T87QqQ8r3uSfbQuTopcT PF7XTWDZduMVjiAdt8UFMaHWN+Mb93VhpTWG7e5z07GK7uR961PZZ3mZM2DE3dFR /zbwVon/k8Bk0EAfKvR05QqhxWDpHu/5NPTcvppvLDRCpemmqkZxdC+TfnI9y4vh Y7+gGllx6rCHwjGoQpteH/YAeLHQ/htSsJXiEViOrIfxG04Px3NUkRih3wJJmHsl MaDP0bzOBIeWx6xrBfdDPkEW0VWKsoLoJTYbNHMXBVWQfSEhGl4cZ+Z0nEqAYYBq l29vBbdgoDPfN5Db7aWs2Y1wEFbsSGvX4f/475BuhJlfgp4HWTUafkKW+DQbJcdj 7CDUJHfj9WjppRyE0/xMKQPvTO3u1pvp++zSKc7qzrz12RnppV5XJTwdsLTQIQXn nmUnwWVDmn2hTcEnmndDvQG+g9MWwBklr4KQpAnmMs9tfQPdmGwmzzLBXaz4G9rc hJqvlzrVUg8WUZQH1NXSkdsKTzpgBFrozXJvT+l0UNkLA54XoLx6CDPjXa4BveSS 1JGiYxIEsTjGDOIYnBU9A+18tNvZVy//mbLL80iQfqkQFhTHijY7ESaeXEph4RUF wGSfGf3uzkHoEfQFKcpLhcJFTro4Ipx60kT21VRIbxp2dcuNKu6lqdUknBPm/pOl KGszGMOXYuo+fUJgKurBo6m5YHN2/833VN2uTMvqgL8SP6OaPfF0LuNzYuGsO22e v1FeJzhE11UaO+9ljN8KQWFI9B1TGmOP216I4kFY6yHLGte+7k7lxnY3SEzj0cuR spKyyDki7myWEZ2+plwQkpcYSRmrXgZblpFjZXV+pw/7nYYE8zZzK8U01EunWZ+q KiszT9CV+VB9rG8+z/4t8KyoZF0M+lH7dkji7KAVX5JXHturJ90sNhXKf4lGoGaM I6WwOuAh8Fm/K9jpCxeUQTaTsFMXhG5F5KyBDHMRb5gB/C4SxF5S0Vdekc5QrGoD gZyWFFhM1tr+aw2Ay7NxX8zRp6W4ceU9Ahs9QMLllarwRRQSIqLuKPT1Koe4qHKL R/dZAbhU0T3ziWhW3yY0blEOJBQq2JjP5ohFjSPYZIB8Kivxgx21PiKhVPAs9C65 JGZ+E8UG9fXNON0gAGOnmTIJWy50sfwW ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6CE3C64B425DB91B

http://decryptor.cc/6CE3C64B425DB91B

Targets

    • Target

      NEAS.42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks