General

  • Target

    36357944852a0ef33669acfae839c11e03604407d95abc7071ec024aff729d0e

  • Size

    391KB

  • Sample

    201021-9vv26pzq9s

  • MD5

    583aad750e9864066dc001eecd33f986

  • SHA1

    28b0a5d4f59a794f0b1a66ccbc6ecf74ed870cb4

  • SHA256

    36357944852a0ef33669acfae839c11e03604407d95abc7071ec024aff729d0e

  • SHA512

    58ad02b9dc9a3f632f1e960e3f10cd7b1e84b9d9dd72cf206fc17561bae4ffff13e950cbf733a1bb77813b772e32f335614df7899f62c175f43e47a61bd6efb6

Malware Config

Extracted

Family

sodinokibi

C2

firstpaymentservices.com

krcove-zily.eu

softsproductkey.com

naturavetal.hr

corelifenutrition.com

leda-ukraine.com.ua

beaconhealthsystem.org

acomprarseguidores.com

extraordinaryoutdoors.com

mardenherefordshire-pc.gov.uk

stopilhan.com

triggi.de

anteniti.com

aunexis.ch

boosthybrid.com.au

bee4win.com

gadgetedges.com

tandartspraktijkheesch.nl

8449nohate.org

simoneblum.de

Attributes

  • net

    false

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

Extracted

Path

C:\6219wo-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 6219wo. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D37F5CFD57D39954 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D37F5CFD57D39954 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: MAQSplFsgHCflT5Hr1A8Qni7luEW6YXND69Vyx4WZ67p0sre+tCrzdhilnSWgJ0b yIZLmeuNRUZwOHlWhMEWtLR6LNu+d5mtiaGHflx8JuIIwuM6S+xdfPBBQSj6W+bX E/RUfoEku6OMJH/2uVDMHX8HW4CA3EXPuFREhb31pqO5iIMuVQvuGT2gxXYQwnLO fFcSCLq3zms+0sqZudT7lMSoseGc6HP3wO8e/zYLQ46ZhMoM+DWJ9R158kdN2B1f GqhYYQ1OidaT8OPTI8nHHvCZKw0RM2Sj45QPfeIT3xMATdgbD6p9DEPgDFCj82oL IttmchkurcFIxdCLNofKy51+TvWjwamkf49f+WVBzIj4bBpuvQZRLWXNhO0htfYZ H3PtRmxGj2rOPqGZO86eUoL9YvNfkKyep0eYc9UyqD6GwBXu3juiTZ5cz88/oxeM ekyKHC141/YDSjG3RaywWE20vjn9vc1CMUsZ4K3hXdB0T9fptlcpvhKVBr2OOpt1 DzloT7LqDEebnB80Jy/DK7hDMn0OlOlqUMF460ERGdnT0EUq63TH3jGfT8I/z9Sb exPcCim4w00zXAy4vCYLKOhrbz89iVr5Fbi7Fn5GTDYt7iWtj1Bu1JvlHT0vBsuV tgA2jv9LbjjG/h64KkiBwAciaWWTBN6X1PeH3Jixt3ezOrOJWALapydlU7WyTwGG U7Ii8Maq1c6jH08Jioj+0gM48b7gDVdeYFxgIGFrD4T3aNvKzgVhHISGwkxBR/2T 8FDyhCsLKqm2wYbaXOLwuwniMnz485Z/rblaawauBXRJiXrL/SCx2I2f0v+1AQST wlnNeBD+MprzvBNdJnqAzCebd07NCkel2ghblK3ZmEctyFOCBNdFhg97NulD/X8N hNQBAsVqyifj05zk/wRNPoVBeu0QrsnkTDkpFf+UJw7uUrzeue1eDFk0okwi+XpC SxHxFmWYX9GySC39QNDdHEijkhkakkdOMKDXNVHqp+F+6TGjWCdbp9Hr7P1k/n7F O7DayihNxwGmucSrb9oJOLglx4eHPJ51R5dlBRQJqV9T98ub5+5gdYw2AeBaqAcZ yRmScyLAkb+GsRI1Hq1d5W8rsj23ByRlcRPmMEHHInSVEPL9413m01j8/rxK/BTC WMgsKc/EYSMtpy92TT6h8ZiXTerC8RB9j8xJD7KJ+/E8g2F0KxkBd69FBnaqVlCh rtZpV775OBBFQRCnPpDd4yfMMwdGjxqAHzSjRE98W66pyzl0C5xpshvSCjyIGHFm Mq2iVQGsH7zvq8ua9m1+1g== Extension name: 6219wo ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D37F5CFD57D39954

http://decryptor.cc/D37F5CFD57D39954

Targets

    • Target

      36357944852a0ef33669acfae839c11e03604407d95abc7071ec024aff729d0e

    • Size

      391KB

    • MD5

      583aad750e9864066dc001eecd33f986

    • SHA1

      28b0a5d4f59a794f0b1a66ccbc6ecf74ed870cb4

    • SHA256

      36357944852a0ef33669acfae839c11e03604407d95abc7071ec024aff729d0e

    • SHA512

      58ad02b9dc9a3f632f1e960e3f10cd7b1e84b9d9dd72cf206fc17561bae4ffff13e950cbf733a1bb77813b772e32f335614df7899f62c175f43e47a61bd6efb6

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6