General

  • Target: 66060484cccedb839fb646d4e6020e079319374b2847c52dcec55c5ad60b1beb
  • Size: 120KB
  • Sample: 210412-44cqb8k8px
  • MD5: ee11b17a14f1b7a6b197e9f38eb5cf7c
  • SHA1: 7fd96ccbccac8731cc8157100740e850facebcc6
  • SHA256: 66060484cccedb839fb646d4e6020e079319374b2847c52dcec55c5ad60b1beb
  • SHA512: 2ae1a8adcd52cc10235d0ae1fcf018d04b6675b951c06c67d61720815c437c9c6b40663da1fab9e8c5390b92798b4dfc65821b27a86121bd4dbdf05230fdc227

Malware Config

Extracted

Family: sodinokibi
Botnet: $2a$12$Xz4awyPOJ8Jca4cwFS7VbONs5eKi/YmSEYzoCzty5zt6tMQswfl32
Campaign: 7347

C2

Attributes
  • net: true

  • pid: $2a$12$Xz4awyPOJ8Jca4cwFS7VbONs5eKi/YmSEYzoCzty5zt6tMQswfl32

  • prc: powerpnt, agntsvc, sqbcoreservice, oracle, ocssd, dbsnmp, excel, mspub, dbeng50, onenote, ocautoupds, sql, wordpad, mydesktopqos, steam, synctime, infopath, thebat, firefox, msaccess, isqlplussvc, visio, outlook, ocomm, encsvc, mydesktopservice, xfssvccon, thunderbird, tbirdconfig, winword

  • ransom_oneliner: All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template:

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decoder.re/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub: 7347

  • svc: veeam, sql, memtas, svc$, backup, vss, mepocs, sophos

Extracted

Path: C:\gk053-readme.txt
Family: sodinokibi

Ransom Note

---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension gk053. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ED2FB28C03804D8D
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decoder.re/ED2FB28C03804D8D
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ED2FB28C03804D8D

http://decoder.re/ED2FB28C03804D8D

Extracted

Path: C:\9fq7cs685-readme.txt
Family: sodinokibi

Ransom Note

---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9fq7cs685. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2A6F89CAECC9B2C7
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decoder.re/2A6F89CAECC9B2C7
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2A6F89CAECC9B2C7

http://decoder.re/2A6F89CAECC9B2C7

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                            ID     Count
Persistence        Registry Run Keys / Startup Folder   T1060  1
Defense Evasion    Modify Registry                      T1112  2
Credential Access  Credentials in Files                 T1081  1
Discovery          Query Registry                       T1012  1
Discovery          Peripheral Device Discovery          T1120  1
Discovery          System Information Discovery         T1082  2
Collection         Data from Local System               T1005  1
Impact             Defacement                           T1491  1

Tasks