General

  • Target: file
  • Size: 166KB
  • Sample: 201109-s7wtyyaa6e
  • MD5: 614a456cb642fc9d506532f43848acd7
  • SHA1: 9e521578841ec003c8b2197177b365979209fbfb
  • SHA256: daa26a415b2fce72a81bb0d76b5e7552cc4e41707bb2e8fd9cfb77da5e14a066
  • SHA512: d0a33a9a545d9ecfecbaedf8790673bc9c471c7cba3ee6047f490fc1feb5c7c694147e2895e9b5aceb81238ff45421f6fc1c915caa836a8a56980711db2b3fcc

Malware Config

Extracted

Family: sodinokibi

C2:
  • dutchbrewingcoffee.com
  • mountaintoptinyhomes.com
  • leoben.at
  • bastutunnan.se
  • radaradvies.nl
  • chavesdoareeiro.com
  • cursoporcelanatoliquido.online
  • thenewrejuveme.com
  • ralister.co.uk
  • norovirus-ratgeber.de
  • nhadatcanho247.com
  • theduke.de
  • imaginado.de
  • architecturalfiberglass.org
  • fitovitaforum.com
  • roadwarrior.app
  • tennisclubetten.nl
  • thefixhut.com
  • atozdistribution.co.uk
  • stormwall.se

Attributes

  • net: false
  • pid: $2a$10$h8FAKPY9u6qBEBsl6AJKTusBH31nEUAT0BrIhMBWOh0jYkcvppMLO
  • ransom_oneliner: All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
  • ransom_template: ---=== Welcome, Radici Products. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • sub: 3341

Extracted

Path: C:\2xft7z-readme.txt

Family: sodinokibi

Ransom Note

---=== Welcome, Radici Products. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2xft7z. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B55A0BB24A5FD926 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B55A0BB24A5FD926 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: JUX1busCur23mzwy8ZQaFRr2ROfevwT4S37SrQCZpAHbtuPSvH41H6Vh84L40lEL GIRPteduyGiQzMqB0ing7YPighSojwGvxE20TmpyCfR6K66nnjkKNKX7asrrcheR J6/mWLtovyx2iWMQtdmicKCrfF/LfLcPnaLUOQ9FGjAH8wX41h9IZwglGfla7247 9vipV80QN0fW9EInCPUkOgepBhMQ9R7H8Z4XGCFAcHHkCi7wfxbdBjam/cV80j/3 UGQlmJQb+uagTwj8m6gGeVyFgEXwET49a8+7/flKcdhHlkq4s5yRpJxQxwJJxu6w yus84OmX7FNeSIpXRye/YXH7EIjjqLD5WTx7HOZqTcWRZ6QTJNp0srA+Pf8O5ODc +7cgSWpo94oV50b4jisgT0lpbkvXPyLKvX23wXZpDBIfSdMlmgzrkuhloCOviCOz WBxorPn462tyJ4hzb8R7+Y3+urQzfQYhnZn3dqaszYY0jagq8OxSxN5/VuuugB9A 1c7EYIO1XBzoelW828IsXkaCujuiANQANA//YXo9LBB2onQzPYPy0cb6rpyjVJ6Z Ekte8hytLvMgnGyu/2U/QaUauinSHbgKIAMG0V0jGiaJyHVxO44MnN4H8tVpV6Ng PSuYdSoTzi6c6/r9bVnk+llxEfEeUgzqiUOaRQxyBo2ljRJwx/P9oikDGjGZFykr BxDRlabrJ6vMArOXO4LaC6u0rM1p0oVg2L5w4alBbqVxRvotv+9bTpej5UvZqptb vtRE+NzHFoi4GGGUlpgkhV3MQerhyjMS1gmI/ArP6JaI5r16Ttq7GrpkZW9bLG04 AEebY8SjQgstnHq7wZJb9b529hu/UXdTYI9jgxZvErtTAbdIhpSshBqfHI8jaNSf FtuEqYcBNPlWQ6sHXzNVdmpVwwKZ/aZ6HedBaTVGhzoA4GUVO9juxSkgu4D5yi3x MGXqSiW0xFAgTAW/C3kSf2P4+dIdFq7XRFk8ROVJFdaVTOMmgm0M69ssIi7Eg4Oi PwiRLE4Pv2cuvh38N6DadZmLsA/wmqg18lYU7LDzTDW6XP/J3n9jZd9dvmIGJJFA FHI1qYbHCtlJkfn9NTYtnojwVVdRwL2lDf2xDvIogWjoJ/Q07RzTJvVTNHZWXcgy yxLhLmn5FlQh9aWpfxQ9G1zSXBDDH/COlVv4d8gK7+8sCm3MUdw5E8hBr6B1Ax0H Q41w1wGvXQPXxZ9p0ohJWFYOvoaDyxlMpT4chVwPcSSLIoQmuJte2X7vnmFlSwOy ykolusrkH1cDCVo1OwdvLQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B55A0BB24A5FD926

http://decryptor.cc/B55A0BB24A5FD926

Targets

    • Target: file
    • Size: 166KB
    • MD5: 614a456cb642fc9d506532f43848acd7
    • SHA1: 9e521578841ec003c8b2197177b365979209fbfb
    • SHA256: daa26a415b2fce72a81bb0d76b5e7552cc4e41707bb2e8fd9cfb77da5e14a066
    • SHA512: d0a33a9a545d9ecfecbaedf8790673bc9c471c7cba3ee6047f490fc1feb5c7c694147e2895e9b5aceb81238ff45421f6fc1c915caa836a8a56980711db2b3fcc

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Blacklisted process makes network request

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Modify Existing Service (T1031): 1

Defense Evasion
  • Modify Registry (T1112): 3
  • Install Root Certificate (T1130): 1

Discovery
  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Impact
  • Defacement (T1491): 1
