General

  • Target

    file

  • Size

    164KB

  • Sample

    201109-vjbebxal6a

  • MD5

    2756f86ef462729bd072ef2d05f00f54

  • SHA1

    b074e97c19bc69d39c235c763675b492e2e216f1

  • SHA256

    38beb0ea97e3c5758b4839b8874d552a6ddce7bcde77986c62bf49041e229bc6

  • SHA512

    9c6a618870ebb1a50bd647f26327d4ab25905c8d438e1f71be87f343e91d58c0e4683afeefc7f725b091cb1a47b5e7fa30d99402fb4296a88e8a5b138ef62d14

Malware Config

Extracted

  • Family

    sodinokibi

  • C2

    hm-com.com

    aidanpublishing.co.uk

    biodentify.ai

    iactechnologies.net

    greenrider.nl

    metallbau-hartmann.eu

    kroophold-sjaelland.dk

    levelseven.be

    rolleepollee.com

    galaniuklaw.com

    docarefoundation.org

    bajova.sk

    cuadc.org

    leadforensics.com

    saberconcrete.com

    harleystreetspineclinic.com

    natturestaurante.com.br

    rarefoods.ro

    interlinkone.com

    poems-for-the-soul.ch

Attributes

  • net

    false

  • pid

    28

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1819

Extracted

  • Path

    C:\1vsrcg83ym-readme.txt

  • Family

    sodinokibi

  • Ransom Note

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 1vsrcg83ym. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/15C8719F10C1D019 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/15C8719F10C1D019 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 47BcdFmbv1BdbjC1CNVsEAIX48e596ocSyWqetyfB7U7319p/iQrFs6EfINiZE6R TYOzF8YkmYwrQYITAF2yo/ikbqvPipssk/39nsBxMm+GSfJjQsT8hvgzfPlCMcju zZwNkz3MnJwoGtibivwg7as/latlgTUaKG8wVQmNSPc3B1o9fSgXXCXJxNlow6ik YMDl82D6bQlzMAVUm0NBFDlQ6QTuj0UlBwUkqXw3GrV4rFsamyfxraTIhLmf3T/J /7Of0uS1EhwzWZLwnb1p2Kiq/qi8IHR1grKaQP528VNjvWA6D/d19zWHnau1gbmU TqQJzyd1gii1ISne9+8ArvDHrFwvu94ne7Bqs9lGSDBm/DTVEJFLcQM46am76Qsj QhDtLGSfTsxUQgIxE5ZzQnuMV7MRJvZiqCqsJW7nMyqecapLHVS5jK5jshu4oJkJ 8554wW4W95OW5Ls47qTKnBOlsbCssxDdHpMiJR10BUnv78dlKIapwo6z2mZ5kFrI vjvMSLqWxRneae8ojApQOK69on3AY33SVzq41lg7XnTL9I32WtJ/HLiVtmH/tfjo pzqx/S27CW6mW54CItd+60u1Gho4N5itdsoAkIH5xlitygMr9zAkXyPKdBSHzjNf E7zr+Ch/vzgLyKLUvNwGMMiEr00jgZ3mFGH+LgCkPuoepaj8TFNvyqUz7d61obLP BtCtZT8DIpE6Jp4H9u0ms682Pkny/ySj9CcXrMdCIjVM6c/GS/zg8kQOunK/6o/X ymrXGl3uffRdApRNxCcHc/N4guDWehkgewUg6w6xaU6TScgyFOmv5wLc/d4vceVF sMiK/yYEA3gC+5uR4xN4Wj4FJNJPTMv8dPAXoebg+3jx7L/3focNX9gUplAshaA0 DCynr6rvQi0KB7G6KWqbFor042NBu4oBbXBf8kTOGffBuJf9Mcx6WEOdDwXhgNAJ yHc+xQQuLX8t1wy+iJZfy1awMYR3DDxF9HvBap2SWJfejdastKEbVpgtqSuuqE9M pS4KzpEGxxhlfcLbGxVRRSzpcOh7HnTvIbQYqeyS8/92NA/i6wUz4YE5Vbfxp5Ty bCNpQEqa3F7SXcH8XUTpAXCajcRWzOkVAu6CnbqFs3KOUSGi8UWAb4J7mBeQDnFA Rp4hYg== Extension name: 1vsrcg83ym ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/15C8719F10C1D019

    http://decryptor.top/15C8719F10C1D019

Targets

    • Target

      file

    • Size

      164KB

    • MD5

      2756f86ef462729bd072ef2d05f00f54

    • SHA1

      b074e97c19bc69d39c235c763675b492e2e216f1

    • SHA256

      38beb0ea97e3c5758b4839b8874d552a6ddce7bcde77986c62bf49041e229bc6

    • SHA512

      9c6a618870ebb1a50bd647f26327d4ab25905c8d438e1f71be87f343e91d58c0e4683afeefc7f725b091cb1a47b5e7fa30d99402fb4296a88e8a5b138ef62d14

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Blacklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                      Count  ID
  Persistence       Modify Existing Service        1      T1031
  Defense Evasion   Modify Registry                3      T1112
  Defense Evasion   Install Root Certificate       1      T1130
  Discovery         Query Registry                 1      T1012
  Discovery         Peripheral Device Discovery    1      T1120
  Discovery         System Information Discovery   1      T1082
  Impact            Defacement                     1      T1491

Tasks