General

  • Target: 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
  • Size: 290KB
  • Sample: 191216-8bfljdyw2s
  • MD5: fb68a02333431394a9a0cdbff3717b24
  • SHA1: 1399bf98a509adb07663476dee7f9fee571e09f3
  • SHA256: 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
  • SHA512: e03b076d36374b263dbc63fc93e793210dc5fd809f783cda6524390590ec56b4fb5c0aa80a52650de60c31f2f6d451fee17c72256100ac7f2c15347c05ab6470

Malware Config

Extracted

Path: C:\Recovery\8jwr0e-readme.txt
Family: sodinokibi

Ransom Note:

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 8jwr0e extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FCB7FDC24C90BB8D

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/FCB7FDC24C90BB8D

Page will ask you for the key, here it is:
[base64-encoded per-victim key blob omitted]

URLs:

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FCB7FDC24C90BB8D
http://decryptor.top/FCB7FDC24C90BB8D

Extracted

Path: C:\odt\05z6g30p91-readme.txt
Family: sodinokibi

Ransom Note:

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 05z6g30p91 extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCFA73F317FB2A2B

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/BCFA73F317FB2A2B

Page will ask you for the key, here it is:
[base64-encoded per-victim key blob omitted]

URLs:

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCFA73F317FB2A2B
http://decryptor.top/BCFA73F317FB2A2B

Targets

    • Target: 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
    • Size: 290KB
    • MD5: fb68a02333431394a9a0cdbff3717b24
    • SHA1: 1399bf98a509adb07663476dee7f9fee571e09f3
    • SHA256: 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
    • SHA512: e03b076d36374b263dbc63fc93e793210dc5fd809f783cda6524390590ec56b4fb5c0aa80a52650de60c31f2f6d451fee17c72256100ac7f2c15347c05ab6470

    Signatures:

    • Sodin, Sodinokibi, REvil
      Ransomware with advanced anti-analysis and privilege escalation functionality.
    • Deletes shadow copies
    • Windows security modification
    • Discovering connected drives
    • Checks system information in the registry
      System information is often read in order to detect sandboxing environments.
    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                     Count  ID
  ---------------  ----------------------------  -----  -----
  Defense Evasion  File Deletion                 1      T1107
  Defense Evasion  Disabling Security Tools      1      T1089
  Defense Evasion  Modify Registry               2      T1112
  Discovery        Query Registry                2      T1012
  Discovery        Peripheral Device Discovery   1      T1120
  Discovery        System Information Discovery  2      T1082
  Impact           Inhibit System Recovery       1      T1490
  Impact           Defacement                    1      T1491

Tasks