Analysis

  • max time kernel
    91s
  • max time network
    98s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    01-02-2021 09:58

General

  • Target

    7d5677cb8a7bccdf0f89fdeec77d10f72bb652e1e612576c7b439e6408a12a68.exe

  • Size

    561KB

  • MD5

    23c745730da3466dc1e899d4420fc22d

  • SHA1

    ce0c8814d7630f8636ffd73f8408a36dc0e1ca4d

  • SHA256

    7d5677cb8a7bccdf0f89fdeec77d10f72bb652e1e612576c7b439e6408a12a68

  • SHA512

    1d72b6f6299b56de01f4cc02becbfd38b27dda086583e54a9d9917f4ed2f6ec17d15a73554eff55ae5df83a1b3ce9839ed5f484109535eec2e5c550dd2f2409e

Score
10/10

Malware Config

Extracted

Family

sodinokibi

C2

aarvorg.com

dramagickcom.wordpress.com

modamilyon.com

devlaur.com

psc.de

americafirstcommittee.org

ostheimer.at

patrickfoundation.net

deoudedorpskernnoordwijk.nl

greenpark.ch

merzi.info

hypozentrum.com

iwr.nl

triggi.de

insidegarage.pl

nativeformulas.com

retroearthstudio.com

layrshift.eu

stingraybeach.com

ausbeverage.com.au

Attributes
  • pid

    $2a$10$HkGWU19jchMZucMO1CskOeQ3CMFGC/XK9ad91ZajdP/aBULE62o02

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome PRIME MOTOR GROUP ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Downloaded your data! Public information! [+] We downloaded 100Gb of your information. If you don't pay, we publish full archive here: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/115?s=ec1ef249d454fc83514a22ac85fdf72b [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4973
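
The extracted configuration above is only useful once it is turned into something a network sensor or an endpoint scan can act on. The following is an added example (not part of the sandbox report and not code from the Sodinokibi/REvil sample) that takes the C2 list, the ransom one-liner and a few static fragments of the ransom template exactly as they appear above and derives a DNS-query rule set, a file-name regex for the dropped note, and a YARA rule. The `{EXT}` placeholder pattern (`[a-z0-9]{3,12}`), the Suricata 5+ keyword syntax, the SID range and the fragment choice are assumptions made for the example, not facts taken from the report.

```python
import re

# Values copied from the "Malware Config" section of this report.
FAMILY = "sodinokibi"
C2_DOMAINS = [
    "aarvorg.com", "dramagickcom.wordpress.com", "modamilyon.com", "devlaur.com",
    "psc.de", "americafirstcommittee.org", "ostheimer.at", "patrickfoundation.net",
    "deoudedorpskernnoordwijk.nl", "greenpark.ch", "merzi.info", "hypozentrum.com",
    "iwr.nl", "triggi.de", "insidegarage.pl", "nativeformulas.com",
    "retroearthstudio.com", "layrshift.eu", "stingraybeach.com", "ausbeverage.com.au",
]
RANSOM_ONELINER = ("All of your files are encrypted! Find {EXT}-readme.txt "
                   "and follow instuctions")
# Static fragments of ransom_template that survive placeholder substitution
# (chosen for this example; any stable substrings of the note would do).
TEMPLATE_FRAGMENTS = [
    "Your files are encrypted, and currently unavailable.",
    "There you can decrypt one file for free. That is our guarantee.",
    "DONT try to change files by yourself",
]

# Assumption (not stated in the report): {EXT} is filled with a short
# lower-case alphanumeric string; the pattern is deliberately loose.
EXT_PATTERN = r"[a-z0-9]{3,12}"


def note_filename_regex(oneliner: str) -> re.Pattern:
    """Turn 'Find {EXT}-readme.txt' into a regex matching dropped note names."""
    token = next(t for t in oneliner.split() if "{EXT}" in t)
    parts = [re.escape(p) for p in token.split("{EXT}")]
    return re.compile("^" + EXT_PATTERN.join(parts) + "$", re.IGNORECASE)


def is_ransom_note(text: str, min_hits: int = 2) -> bool:
    """Content check for files found on disk: require several fragments so a
    single quoted sentence in an e-mail or ticket does not trigger it."""
    hits = sum(1 for frag in TEMPLATE_FRAGMENTS if frag in text)
    return hits >= min_hits


def suricata_dns_rules(domains, sid_base: int = 9_000_000):
    """One DNS-query alert per config domain. Suricata 5+ syntax is assumed
    ('dns.query' sticky buffer with 'endswith'); sid_base is arbitrary."""
    rules = []
    for i, d in enumerate(sorted(set(domains))):
        rules.append(
            f'alert dns any any -> any any (msg:"{FAMILY} config domain {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


def yara_rule(name: str = "revil_ransom_note") -> str:
    """YARA rule text over the static template fragments (ascii and wide,
    because the note may be written as ANSI or UTF-16 depending on the drop)."""
    strs = "\n".join(f'        $s{i} = "{f}" ascii wide'
                     for i, f in enumerate(TEMPLATE_FRAGMENTS))
    return (f"rule {name}\n{{\n    strings:\n{strs}\n"
            f"    condition:\n        2 of ($s*)\n}}\n")


if __name__ == "__main__":
    print("\n".join(suricata_dns_rules(C2_DOMAINS)))
    print(yara_rule())
    print(note_filename_regex(RANSOM_ONELINER).pattern)
```

The DNS rules are written as alerts rather than drops on purpose: a domain list extracted from a single sample ages quickly and may include sites that are not themselves malicious, so it is better used as a watchlist that is tuned against real traffic than as a blocklist. The file-name regex and the YARA rule are independent of each other so either can be run on its own during a disk sweep.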

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d5677cb8a7bccdf0f89fdeec77d10f72bb652e1e612576c7b439e6408a12a68.exe
    "C:\Users\Admin\AppData\Local\Temp\7d5677cb8a7bccdf0f89fdeec77d10f72bb652e1e612576c7b439e6408a12a68.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\7d5677cb8a7bccdf0f89fdeec77d10f72bb652e1e612576c7b439e6408a12a68.exe
      "C:\Users\Admin\AppData\Local\Temp\7d5677cb8a7bccdf0f89fdeec77d10f72bb652e1e612576c7b439e6408a12a68.exe"
      2⤵
        PID:1624

    Network

    MITRE ATT&CK Matrix

    Downloads

    • memory/1188-2-0x0000000000220000-0x0000000000221000-memory.dmp
      Filesize

      4KB

    • memory/1188-7-0x0000000001F00000-0x0000000001F7B000-memory.dmp
      Filesize

      492KB

    • memory/1188-8-0x00000000029D0000-0x0000000002B50000-memory.dmp
      Filesize

      1.5MB

    • memory/1624-3-0x0000000000000000-mapping.dmp
    • memory/1624-4-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

    • memory/1624-6-0x00000000759F1000-0x00000000759F3000-memory.dmp
      Filesize

      8KB

    • memory/1624-9-0x00000000001B0000-0x00000000001B1000-memory.dmp
      Filesize

      4KB

    • memory/1624-10-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB
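
The process tree and the memory dumps above are worth reading together: the sample runs a second copy of its own image as a child (PID 1188 spawns PID 1624), the parent carries the WriteProcessMemory signature, and the sandbox dumped the child's 0x400000-0x421000 range twice (seq 4 and 10). 0x400000 is the default ImageBase of a 32-bit PE, so those two dumps are the child's image before and after the parent wrote into it and are the pair to diff when looking for the injected code. The following added example (written for this page, not tria.ge's or the sample's code) parses the dump file names as listed above, reproduces the report's size labels, and applies a simple self-spawn-plus-WriteProcessMemory heuristic to the process list. The process records, the `signatures` sets and the heuristic itself are constructed for the example from what the report shows; the image path is the one in the report.

```python
import re
from collections import defaultdict

# Process tree as listed in this report; 'signatures' holds the per-process
# signature names shown under each process entry.
IMAGE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
         "7d5677cb8a7bccdf0f89fdeec77d10f72bb652e1e612576c7b439e6408a12a68.exe")
PROCESSES = [
    {"pid": 1188, "ppid": None, "image": IMAGE,
     "signatures": {"EnumeratesProcesses", "WriteProcessMemory"}},
    {"pid": 1624, "ppid": 1188, "image": IMAGE, "signatures": set()},
]

# Memory dump names copied from the "Downloads" list of this report.
DUMPS = [
    "memory/1188-2-0x0000000000220000-0x0000000000221000-memory.dmp",
    "memory/1188-7-0x0000000001F00000-0x0000000001F7B000-memory.dmp",
    "memory/1188-8-0x00000000029D0000-0x0000000002B50000-memory.dmp",
    "memory/1624-3-0x0000000000000000-mapping.dmp",
    "memory/1624-4-0x0000000000400000-0x0000000000421000-memory.dmp",
    "memory/1624-6-0x00000000759F1000-0x00000000759F3000-memory.dmp",
    "memory/1624-9-0x00000000001B0000-0x00000000001B1000-memory.dmp",
    "memory/1624-10-0x0000000000400000-0x0000000000421000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)"
    r"-memory\.dmp$", re.IGNORECASE)

# Default ImageBase of a 32-bit PE; a region starting here in the child is
# its own image, not a heap or stack allocation.
DEFAULT_IMAGE_BASE_32 = 0x400000


def parse_dumps(names):
    """Return {pid: [(seq, start, end, size), ...]} in listing order.
    '*-mapping.dmp' entries carry no address range and are skipped."""
    out = defaultdict(list)
    for n in names:
        m = DUMP_RE.match(n)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        out[int(m["pid"])].append((int(m["seq"]), start, end, end - start))
    return dict(out)


def human(size: int) -> str:
    """Reproduce the report's size labels: whole KB below 1 MB, else MB
    with one decimal (e.g. 0x180000 -> '1.5MB')."""
    if size < 1024 * 1024:
        return f"{size // 1024}KB"
    return f"{size / (1024 * 1024):.1f}MB"


def self_spawn_injection_candidates(procs, dumps):
    """Flag a child that runs the same image as its parent while the parent
    used WriteProcessMemory, and report how many dumps cover the child's
    image range (two or more means there is a before/after pair to diff)."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent is None or parent["image"].lower() != p["image"].lower():
            continue
        if "WriteProcessMemory" not in parent["signatures"]:
            continue
        regions = dumps.get(p["pid"], [])
        image_dumps = [r for r in regions if r[1] == DEFAULT_IMAGE_BASE_32]
        findings.append({
            "parent": parent["pid"],
            "child": p["pid"],
            "image_region_dumps": len(image_dumps),
            "image_region_size": image_dumps[0][3] if image_dumps else 0,
        })
    return findings


if __name__ == "__main__":
    parsed = parse_dumps(DUMPS)
    for pid, regions in parsed.items():
        for seq, start, end, size in regions:
            print(f"pid {pid} seq {seq}: {start:#010x}-{end:#010x} {human(size)}")
    print(self_spawn_injection_candidates(PROCESSES, parsed))
```

The heuristic is intentionally narrow (same image, parent wrote into another process): it is a triage filter for sandbox output, not a general injection detector, and on a host it would need the actual target PID of the WriteProcessMemory calls rather than the signature name.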