General

  • Target: file
  • Size: 164KB
  • Sample: 201109-nj4rzll2mj
  • MD5: d468499ca5f8d8f528920635e89ab3f2
  • SHA1: ce1db497eef5371e20a8600281672ca21c662a7d
  • SHA256: b927203812bd5776ed375a59e3131046750b5050b3847bf79f61a491026f1b25
  • SHA512: 2232c6badf61f2db66a0a7e4173534eb3aa1415efc851ee9d77b2bb6aa67933c0b6bb97a17d0b155fb608b84950bf51c9f189cd072ebbb683c7cf4cf5808b3a9

Malware Config

Extracted

  • Family: sodinokibi
  • C2:
    • darrenkeslerministries.com
    • effortlesspromo.com
    • ncs-graphic-studio.com
    • nataschawessels.com
    • devok.info
    • bouldercafe-wuppertal.de
    • ahouseforlease.com
    • syndikat-asphaltfieber.de
    • easytrans.com.au
    • airconditioning-waalwijk.nl
    • fannmedias.com
    • miriamgrimm.de
    • camsadviser.com
    • berlin-bamboo-bikes.org
    • sipstroysochi.ru
    • abogadosaccidentetraficosevilla.es
    • smithmediastrategies.com
    • stallbyggen.se
    • sandd.nl
    • fiscalsort.com

Attributes

  • net: false
  • pid: $2a$10$4mXDHW/nQeJyX075xJ/yO.mK8jLVT1WzmLI40Z4JS3gob6xnHN4ye
  • ransom_oneliner: All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
  • ransom_template:

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub: 3171

Extracted

  • Path: C:\o1u52a4b49-readme.txt
  • Family: sodinokibi
  • Ransom Note:

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension o1u52a4b49. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EA2846180DAB3D0E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/EA2846180DAB3D0E Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: s0RzUh9Upmxqi5EptzAiAyniT3cMn/ZZAISJV6VZM9yKHpFNSVzWxv3INcnfasLa fR47PLCAMj3U8h6EJ/UJQnDguFXNxD+FypnCHSfPYBD6vOm6wG5AwPU3psskNWpz ftF1rc3sMbbbOXLpCaiytD8XEX1e5M4BKyaUyiOBAMHXvzPeRz/qOufefLTIezQi 1UILst0US4NOKW22jRKOTZrmaaKQ3479VhhgZJv0O6ppFWYc2vFob1p53Efm2LFy 5VckjtGU35+ZhQD1/GOYOTH1r1t0yqJBvU5ZhbqymNB32I1GrP06dceoNGdLSInR 8HFzfo4XmTpWmWo6Fgi8Hvlam6srHIHfhhalTPB6c/dlZ+4JfnMGjQNql2eJurlm jHJtu3K01HLbHCWYXp5oTuLDWHfaxZOG4tOSksEE/JWXrClUpwtQpYdq4Zbo74Gq giuAbbNMV+mKNqeY8U1rQSHVLzD5HDxx4CiAZVXJ4Ch9ovIYAHEQRZX+U29ypsqz F8VINswypdchrhGLsfgV4QKv8Q1tOu3/r7erBPP2xYfzjEVds3m5A1uIquRRsGJP prdlrl2m6GCcpsWWIKYDj1rHO0FmX5idhBg9oD2RP64VIkJSXbGUsNBCAsuYC426 vWxpdau2/RGUOPFT95PD4kRrS0/vB+1jRqUU4O1YzrsL2HI6+9DI+lDxl54lpVNL NZn2T8d16vEEyxBVPBsdOQndmecn2XsYN42N7TAguPxjV61beVmX4eFzlDw4GFqg euaeG/uj3jOjhNgNAfO+t8bMcEiiHxc/G2AU3554nLTk6+c3Vrp4gGcG/6OSjw9w oyIulfN7Q0KAp4UmPCtatzdtM4WcLDfy1qh8DAqYOWQ4Lgh47hLzidtoxz+FSPXI Up17sQ/CjOHanNPH4b+bOH8U7BDEslCNf6iirQKDcF3QZvOWTBdu0LPBMlDlIeWh +Q01iRzxE8F345dwS8TcKSn/gyfQtKQjcnbW6G4wm1rK/5K/UHRxEfU5ZhZoMz4f B+w5oRjykzz0sBYmuKGh+NV7JaaTk6i+frv8MqhVYcphLkEeEC5db1nFvzkW1awN O0qp8QYHqDxRatwCa7EQmHU0xmmv55tPhpJ8YX1Mx+zx6zEBrVmKP0PkjX45djAe UYTD7lBrH+ln3HF+ROAUuKUWaCwoagEk95tPXEdpXRSPaLUXMBDEtE7329QpbOGb ptWQF15chBl8ipnTKhcO/rNjQmLov2E3wHX8hwkxILEAQdZo6jNmvl6XPUPcWUS/ ZUHeZrdC1FMH/yAj2TPsm0W/IJNPSlGM ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • URLs:
    • http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EA2846180DAB3D0E
    • http://decryptor.cc/EA2846180DAB3D0E

Targets

    • Target: file
    • Size: 164KB
    • MD5: d468499ca5f8d8f528920635e89ab3f2
    • SHA1: ce1db497eef5371e20a8600281672ca21c662a7d
    • SHA256: b927203812bd5776ed375a59e3131046750b5050b3847bf79f61a491026f1b25
    • SHA512: 2232c6badf61f2db66a0a7e4173534eb3aa1415efc851ee9d77b2bb6aa67933c0b6bb97a17d0b155fb608b84950bf51c9f189cd072ebbb683c7cf4cf5808b3a9

    • Sodin,Sodinokibi,REvil
      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Blacklisted process makes network request

    • Modifies extensions of user files
      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Modify Existing Service (T1031): 1

Defense Evasion
  • Modify Registry (T1112): 2

Discovery
  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Impact
  • Defacement (T1491): 1

Tasks