General

  • Target

    RNSM00406.7z

  • Size

    14.1MB

  • Sample

    241028-y7qkjavjgs

  • MD5

    8686c6a2e40dc71fab82100398e2632d

  • SHA1

    269c34be3d1b79598ee909ddc39f390a89ff9840

  • SHA256

    6fd865129e1ac457f1202195add630cf1d877a5cd7b327eb91135922b12e9ea8

  • SHA512

    d778a962ace50370e87c1f6babfd271435384ddcb09e0c673ea1e9ee52bdb16c699de7213ea47e19a5eacc2338ffef8974cca32d0db9e2e9e4162940e1a37be4

  • SSDEEP

    393216:ryFtfJrX3l1fGXaDe9ihSs/dc5ag/RZHEJ9:ryFtRpN+9ih3iW3

Malware Config

Extracted

Family

bitrat

Version

1.32

C2

u868328.nvpn.to:5881

Attributes
  • communication_password

    827ccb0eea8a706c4c34a16891f84e7b

  • tor_process

    tor

Extracted

Family

sodinokibi

Botnet

$2a$10$zh.YlP3N2KD9/nOmyjFG2.60OLPxhCniPJkls/fffW2WMD130tmku

Campaign

6033

Decoy

pier40forall.org

judithjansen.com

vesinhnha.com.vn

sexandfessenjoon.wordpress.com

highimpactoutdoors.net

ecoledansemulhouse.fr

girlillamarketing.com

n1-headache.com

wsoil.com.sg

yassir.pro

beyondmarcomdotcom.wordpress.com

puertamatic.es

kuntokeskusrok.fi

spsshomeworkhelp.com

ccpbroadband.com

thedad.com

berlin-bamboo-bikes.org

truenyc.co

desert-trails.com

first-2-aid-u.com

Attributes
  • net

    true

  • pid

    $2a$10$zh.YlP3N2KD9/nOmyjFG2.60OLPxhCniPJkls/fffW2WMD130tmku

  • prc

    encsvc

    visio

    thebat

    ocssd

    mspub

    xfssvccon

    tbirdconfig

    sql

    msaccess

    mydesktopqos

    oracle

    dbeng50

    ocomm

    excel

    firefox

    synctime

    ocautoupds

    isqlplussvc

    powerpnt

    outlook

    steam

    winword

    thunderbird

    agntsvc

    sqbcoreservice

    dbsnmp

    onenote

    infopath

    mydesktopservice

    wordpad

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    6033

  • svc

    mepocs

    sql

    svc$

    backup

    memtas

    veeam

    vss

    sophos

Extracted

Path

C:\Users\Admin\54d3m8g-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 54d3m8g. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/780A0BCBB9929EB5 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/780A0BCBB9929EB5 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Lrl05RUIWT4Y3FOXCTGYgn1SO4egfA/oVHy5YxaqvqbjisIvkVqrr4znvcmCTmmn DVYmq/nzUdn0sf1bQn2aGOxEQ+aUb2pl4qtWpo/C+RymjCOJFfnSrL/jfWKvKvPB dp//8vyeYgh79IF5zGMKWRauFx7obUpDhzXT3PthXlhGfx5IgN3YeMgKFHBI+Bj/ XUw1EQFWCQTBrlEpdBypLREAuS9xqOLg3POBXEAVXYNFEPsvS2O9+VW3DWpGiSyL BOLRhmV/EXUG7z/ZPZ7Q81QtoOd4Mnb74M3aA1GryZLLVpBWRaQ0WIkSf9BWY0cX Eq15qi9hksUD9fLRWJ3PgR3Gh6aS2kt1gBllLNr/fuaAZyGVAlNMMgbSwHBoHu6c Wt+hQTqnJ1V7H0aexo/T5eMhR6YOpBxSsK7Ifnn1rwIC5eest+fDeVCjk+gU+lqB gIIkE3mOhUHH9iGikXhiUF0/I85Sq9SYpraRHbU687b8jqczDkctEW+cyS0ho3aC fqG5xdvmIUGTHSfOklS/1byqTgyaW8r1dmM95aH+W7bkWOfkk18GvBFLTNBcipCH BqOvdFFQOLmOcNMhtR3oPbIhNYpIAOiis2NwAwDZOnmRyHCyHKjGW/49B1nhZzpB BVlkc3gnIKsriwgvXGpNmMQjQUa9Fzbaa6cYgGOKsY+OtEUaTtS7eVXb8Pt5qhdQ THmkv2mA3k4t4U06DIHmEiV4zh2qdNcnVXdlkaeXafDkv067QIapzMScq+hnOKUc swScyuNidHakMwYC7xnh7+9MCpythc1YAkrc8lvS8rlG6EjIvozDu0z/H1D5Btbh bubwspFoqjQWQ+gIctwSOUXBxs1rmUet3lsSnckdZTlhliQ753DIMNJgp/xganZa xdIgJ4zs3EblpxlcELu5SxazHq529zYhDnPUwR8kWPn7jUeMRUFVLc1QeoWKZq6r i+nL1Isx7eOqE7n5eFRCoq6wXEbVCgtZeHaEplcG3f2j/r+RBxWL6Llzvev351L4 uoC7NhQIYSz2zERQnx9t+A5yLB/Tnzak0ETnOmfNYjLNOBdl51S9xf3BxFjYn9O+ X4/QcsYziAgW4diRuoMNh2DrOPCyC3n8KRWgZ6OrES1rVJjojG8icE5s/JJ7miVA PjP/WFoMRRVpWy1e/6vJCCufz2nzxv42zeFysDgn1Im4dJtRJgz5TgGiyWJwc8kz bmD6R2xq68KZwOssU32cmEeQf0iyhFv4wjlJcfF7djc2X47hotAT+yt3xV3iah6U l48QHXx4UguPtbm57Ahb5Gugbw2mY93xDyXHkEWwM6m5DBs2CkiGiDCrpoQIrR0c OuP66y7K//iXd9weJqNLHPwGGk02Mqyf9MtpqfsuwzC0kT5rNzVhHQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/780A0BCBB9929EB5

http://decryptor.cc/780A0BCBB9929EB5

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Bitrat family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Modifies WinLogon for persistence

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (1346) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
