General

  • Target

    2e0dee8db16b91e218251579203691694ac3e42dcd90cc3c29754cac5b080439

  • Size

    391KB

  • Sample

    201021-xvjfp327q6

  • MD5

    6bb51124ae89a973f8b90fa71b75c0f1

  • SHA1

    9f4ef48ff4798b7819a936880241e8590953761f

  • SHA256

    2e0dee8db16b91e218251579203691694ac3e42dcd90cc3c29754cac5b080439

  • SHA512

    782fa5982da13cb94aef56803d941892c1a62b3c65bee971d613cbc1839078e7ad7f5e238c0854eb397959172183010d2e517203742bfe2f7d136ed00f7c6a3a

Malware Config

Extracted

Family

sodinokibi

C2
Attributes

  • net

    false

  • pid

    $2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

Extracted

Path

C:\o94q7v0h-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion o94q7v0h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8D6BABDE155F6E83
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/8D6BABDE155F6E83
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: 3eYE0g/hsbRiCJHBADtbYfKoB8j50XdEyTW4YPk+Of6Q8YIk+CgYbS/WDsg+I17+ pyIYoASatfQRuwJQNFpEPYFLb51t4GTff8AGDo6/xofJPUpyRg0fsqXgtT91eUt6 BlmebMO83fEmSeyLnwzY7XaSrPzl1YR5yusFmFmtPkcHpctfyC7B1LAxnVjobMrN sQADQQ1dUqE9pj2FwETC1ADjN7Jbes/fqbKODzJHD1xsStc5zHtI+450OArkrSoC ZYYw0bQGlAMmIs2gSy7vAIXts+ZzhKC7jjw3zCLKFLaEonYlGhXiYRIiyh4jsC9A HlnE5X8CpZeyxBIiamzYL2ek6bdWGOyhNzeFrQ1i3Z95y98X6e/kK0CndFgXTFDH bVuTjNkSAiBaH1LkwravYzrSmV3pQbEp31ZLzXyAXVj/NEYfkGdZ4wyfkeMgjiMM +emU4q9Xuwp0LAqaiwg+9mt+vMVxVGAC3SqJmwdLcPVsm8hsTfVpMWWSADD0OwnR MAt1LJJMXS8kh0nUP4qAGm14J84bKvgpeUdk3f7VTKMTvgtk/EYPH87XaV03sTPT uqHdFP6AvjroW0Su9hsRJAZcOEmBwLeit45DWOvkt9Yoz7yrFpW6TNyw+v7/l5XF kJMm7CZdqGuwpcQN52KlMvqdJyo9nEN993APaK1rYsMwGyKJnM+tHmBnI42gLaf4 iTXxiTEv8lD5064E6YdzDBHT2pWX0CuKh8qgopAyt2dxgbN64gj7w0WgMupKT2+1 iWrkirolOL2rXQttxfneetqzAav1Xi1O7ZGsRXru6LrkpXN7H+/CTCFHHV70A+xg OvOcxRKBcmdnArLt1yaYBhJi5PbQZ7uwsNHF++Y8o8epNef6UtsoaL55dJU5tIYl hz0E7n4XeD4jqGsCOZb231duoI5JqV/RFgiiZ42cUywWYBE5ihNdldkCoBdGVSng 9KQHmpUnX6YKKPz7N07TgTMjOHLcd5+MawKCEryR1on97y3re2YwoizRbvOIqAo8 5GikrnQMgjEjje5qDsJPqOvA056xTgPM6CdyfBYOz1s92E7W5etS7kqyxbVEhqSO M4YCye9lC+vx+OZAQ+ybhcU9axIK+6CpA0709mn28ZQY82Ft1tcpYhCbZzz2rMN0 lby1z/U7eooWNaspsOBdiNUVx3i1xSp5OuTYFBwxJ8pv4CGtkbs7tGIwd5QYpQiE 7p9xNb6xj5mKxWluujtlxNaV9eQJ65SKwDQSHuLxkzpj1SKxfpBfz3SEWhuKY5Jy 1Kqj7H5R5fcYDvMlSUT7AjvQ3tA=
Extension name: o94q7v0h
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8D6BABDE155F6E83

http://decryptor.cc/8D6BABDE155F6E83

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Modifies service

    • Sets desktop wallpaper using registry
