General

  • Target

    e3d2f3fdbfe0554589ba961682f93faf9d250a53ffb5737c46ab8bea11d3f2af

  • Size

    116KB

  • Sample

    210412-ldgsyx98nn

  • MD5

    8e30a09eea51d285708c2e6171461155

  • SHA1

    2b8ca5b0d2feb46a6e6831366d16983682ea3424

  • SHA256

    e3d2f3fdbfe0554589ba961682f93faf9d250a53ffb5737c46ab8bea11d3f2af

  • SHA512

    32dce10e6993d18972e9ef73b8092f1ddb598f0e94d95c41cb66709c439ad06a10843831a101fcc2ef2b1101bed6065ebc3896574b1605cd0ab2ab2f2e537a8a

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$BiCjatMKV/2wb22BaUf6tO5rQbmRgf6.PSsd7l89.tXZbSpQnoLG2

Campaign

7420

C2

executiveairllc.com

hatech.io

simulatebrain.com

stingraybeach.com

stopilhan.com

baptisttabernacle.com

onlyresultsmarketing.com

corelifenutrition.com

ihr-news.jp

vanswigchemdesign.com

ogdenvision.com

fax-payday-loans.com

commercialboatbuilding.com

faroairporttransfers.net

arteservicefabbro.com

exenberger.at

ilso.net

hypozentrum.com

nijaplay.com

licor43.de

Attributes

  • net

    true

  • pid

    $2a$12$BiCjatMKV/2wb22BaUf6tO5rQbmRgf6.PSsd7l89.tXZbSpQnoLG2

  • prc

    mydesktopservice

    visio

    oracle

    synctime

    tbirdconfig

    sql

    isqlplussvc

    ocssd

    dbeng50

    steam

    thebat

    ocautoupds

    firefox

    ocomm

    xfssvccon

    dbsnmp

    sqbcoreservice

    thunderbird

    excel

    msaccess

    wordpad

    mydesktopqos

    mspub

    encsvc

    outlook

    powerpnt

    agntsvc

    onenote

    infopath

    winword

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7420

  • svc

    svc$

    sql

    veeam

    sophos

    mepocs

    backup

    memtas

    vss
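The attribute names above are the standard REvil/Sodinokibi configuration fields as this reading understands them: prc is the list of process names the sample terminates before encryption (database engines, mail clients and Office apps, so that their locked files can be overwritten), svc the services it stops (backup agents, Sophos, SQL, VSS), net whether network shares are encrypted as well, pid the affiliate ID (the bcrypt-style string also shown under Botnet) and sub the campaign number. The script below is an added example, not code from the sandbox report or from the malware; it takes the prc, svc and C2 lists verbatim from this report and runs them against a constructed process list, service list and DNS log to show which assets on a host this configuration would hit. Matching is done as case-insensitive substrings, an assumption suggested by entries such as "sql" and "svc$" that only make sense as fragments; confirm it against the sample's own comparison routine before depending on it.

```python
"""Check a host inventory against this sample's prc/svc/C2 lists (added example)."""
import re

# Lists copied from the Malware Config section of this report.
PRC = [  # prc: process names the sample terminates before encrypting
    "mydesktopservice", "visio", "oracle", "synctime", "tbirdconfig", "sql",
    "isqlplussvc", "ocssd", "dbeng50", "steam", "thebat", "ocautoupds", "firefox",
    "ocomm", "xfssvccon", "dbsnmp", "sqbcoreservice", "thunderbird", "excel",
    "msaccess", "wordpad", "mydesktopqos", "mspub", "encsvc", "outlook", "powerpnt",
    "agntsvc", "onenote", "infopath", "winword",
]
SVC = ["svc$", "sql", "veeam", "sophos", "mepocs", "backup", "memtas", "vss"]  # svc: services stopped
NET = True  # net: network shares are in scope
C2 = [  # domains listed under C2 in the report
    "executiveairllc.com", "hatech.io", "simulatebrain.com", "stingraybeach.com",
    "stopilhan.com", "baptisttabernacle.com", "onlyresultsmarketing.com",
    "corelifenutrition.com", "ihr-news.jp", "vanswigchemdesign.com", "ogdenvision.com",
    "fax-payday-loans.com", "commercialboatbuilding.com", "faroairporttransfers.net",
    "arteservicefabbro.com", "exenberger.at", "ilso.net", "hypozentrum.com",
    "nijaplay.com", "licor43.de",
]

# Constructed inventory, as a tasklist / sc query / DNS log from a test host might look.
PROCESSES = ["svchost.exe", "sqlservr.exe", "OUTLOOK.EXE", "explorer.exe", "firefox.exe", "notepad.exe"]
SERVICES = ["VeeamBackupSvc", "VSS", "MSSQLSERVER", "Spooler", "SophosMessageRouter", "wuauserv"]
DNS_LOG = [
    "2021-04-12T10:01:02Z ws01 A hatech.io",
    "2021-04-12T10:01:05Z ws01 A www.microsoft.com",
    "2021-04-12T10:01:09Z ws02 A www.licor43.de",
    "2021-04-12T10:01:11Z ws02 A nijaplayground.example",  # must not match nijaplay.com
]


def matches(name: str, needles: list) -> list:
    """Assumed REvil behaviour: a name is hit if any list entry is a case-insensitive substring."""
    low = name.lower()
    return sorted(n for n in needles if n.lower() in low)


def processes_hit(processes: list) -> dict:
    """Processes that would be terminated, keyed by name with the prc entries that matched."""
    out = {}
    for p in processes:
        m = matches(p, PRC)
        if m:
            out[p] = m
    return out


def services_hit(services: list) -> dict:
    """Services that would be stopped, keyed by name with the svc entries that matched."""
    out = {}
    for s in services:
        m = matches(s, SVC)
        if m:
            out[s] = m
    return out


def domains_hit(log_lines: list) -> list:
    """(domain, line) pairs where a listed domain or one of its subdomains was queried."""
    hits = []
    for line in log_lines:
        for dom in C2:
            # Anchor on label boundaries so nijaplay.com does not match nijaplayground.example.
            if re.search(r"(^|[\s.])" + re.escape(dom) + r"($|[\s/:])", line):
                hits.append((dom, line))
    return hits


def exposure_report(processes: list, services: list, log_lines: list) -> dict:
    """Everything on this host that the configuration would kill, stop or has talked to."""
    return {
        "processes": processes_hit(processes),
        "services": services_hit(services),
        "dns": domains_hit(log_lines),
        "encrypts_network_shares": NET,
    }


if __name__ == "__main__":
    for section, value in exposure_report(PROCESSES, SERVICES, DNS_LOG).items():
        print(section, value)
```

The svc hits are the ones to act on first: VSS and the backup agent being on the stop list is what turns a single-host infection into an unrecoverable one, so a host where those services show up here and net is true should have its shares and shadow copies checked before the sample is allowed to run anywhere near it.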

Extracted

Path

C:\u40e74707-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension u40e74707. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/686F41402118AD7B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/686F41402118AD7B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: i1qWiDQVA6iO7yLqkzjkLD3OXH1N5zdV5Wi+E9583TyO/SA9hLeqWVwzjgSRLK97 /ldH/Vlqqpi+SIEiyobekaUuMf9f5n3hPAk9AjslycDFoYiYVA8b+ccVfQagg0cM DZZ8f2GsFZkniI1ZShOqyKX1gBEhKGMIICZG4XR9kNpa+9yCSnqJ1nxCQZcXLjmI wwsW/NO0JWD6dhrl8IK7Dc2S8TlEHObPv6cQSuvfXkt6z4/F4ZjhOQS/MF8r/maw uJCMFgPfEcyq+MIK6uvSV8NzfKZ0fvanzcAGy6E50UwmvGtqwg+miTlkikYjC0/3 q16L8FMYhELaCMVXhA+xM/B6aJ2mfy7E1NCGabo7ZkbXQoxcl9ny3bKhl8891Pzb 0WnJKKvUBm6jFBtvYusfbL+o84RUwqhttTFCjzSwzseEZiX8/GnPH6kaCcxPAiX/ +fOaF16LVch4ZDfn7V0IkI6uFbjjgQacinH80ifLKPM/Igdi13Xigt7/RvA4R+xy vzNQr6zkv5hA63h6XR3w4AFpXqkrUhgRXsAj2c1rcCYIcNvvNTNPXeCuFrnS6WvI /We4jo8K9MCOlIKPKcC/2Ng/7lW0TVEJuwaovejGHrHg8buitbwWAmPAZqUp0n1h R/CObis/AoN0+fq8dGPN4zogb8aobeKerKY+9KfQou7APA4RL8vYcza7Mapms/jJ PidZB8w+E4Sa1KkqbQ6UTwJnKYIv1cS+lwIql8rt/Pu090mv0DBG6B25T62GO1m1 tN635e18svi3tHIqGFNseCeiiGQgRJ5x3xZ8GKfAKFRa/10i2j7szMXZR9Bsliqg y9G77knrCVgkGITcFbgx+cdrtKhSxpG8wU+3WNecrlNdaGxeoAazTL6xpycG5TSZ njYKGYH1i8BZNzp1lOpRfsFWpuV42OF2l/m+6SEpL/2E27NEIFQKMmaCwyqyJhVG 7PKUgmnIHyPbDNLJhtPiXFX/Tc1ENx+gZ32P7IRwTyW0nsP3+3P++9gV0asvaLsp vgHLDEv+qEtvygOd8wpDRthaaFTeU95Myn8fjvR0ssmRU2pGHaoL84zZTzQTcrTY 0AxgO0zOLfdFRH0dQJmIolifnk/e7Mnf72aOQ6nIkUcnxShDDS3/H40AICBsHWwi jp1wScXqGtCt2m71lx6zn36z9mNwvCweiJ915+rcM1p7bJRZI3cpU+2EfYtAMnQa xzQD79F3chWIG8WU4ryDdD2L/QpY8mndvSnDwuFK2jwJkEgTYG+O/fqbDbX85aqv RmyJaR1rEJvsH1dlzgotEywP8J7yyA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/686F41402118AD7B

http://decoder.re/686F41402118AD7B
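The dropped note above is the ransom_template from the Malware Config with {EXT} filled as u40e74707, {UID} as 686F41402118AD7B and {KEY} as the base64 blob, and the note path C:\u40e74707-readme.txt follows the {EXT}-readme.txt pattern stated in ransom_oneliner. The parser below is an added example, not part of the report or the malware: it renders a condensed copy of that template with the report's extension and UID but a fake key blob (constructed, so that it runs offline), then pulls the IOCs back out of note text, validates the base64, and checks that the Tor and decoder.re portals carry the same victim ID, which is how a responder tells a note the sample dropped from one that was hand-edited.

```python
"""Parse a Sodinokibi/REvil ransom note into its IOCs (added example)."""
import base64
import re

# Condensed form of the sample's ransom_template: only the sentences the parser keys on.
# {EXT}, {UID} and {KEY} are the template's own placeholders.
TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and "
    "currently unavailable. You can check it: all files on your system has extension {EXT}. "
    "1) [Recommended] Using a TOR browser! b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "2) If TOR blocked in your country, try to use VPN! b) Open our secondary website: "
    "http://decoder.re/{UID} When you open our website, put the following data in the "
    "input form: Key: {KEY} ------------------------------------------------------------ "
    "!!! DANGER !!! DONT try to change files by yourself."
)

# Constructed key material: the real blob in the report is the victim key and is not reused here.
FAKE_KEY_BYTES = b"constructed example key material, not a real REvil victim key"
FAKE_KEY_B64 = base64.b64encode(FAKE_KEY_BYTES).decode()


def render_note(ext: str, uid: str, key_b64: str) -> str:
    """Fill the template as the note on disk appears: the key blob is broken into
    64-character chunks separated by whitespace, as in the Ransom Note field above."""
    chunks = [key_b64[i:i + 64] for i in range(0, len(key_b64), 64)]
    return (TEMPLATE.replace("{EXT}", ext)
                    .replace("{UID}", uid)
                    .replace("{KEY}", " ".join(chunks)))


EXT_RE = re.compile(r"has extension ([A-Za-z0-9]+)\.")
ONION_RE = re.compile(r"(http://[a-z2-7]{56}\.onion)/([0-9A-Fa-f]+)")   # v3 onion + hex UID
CLEARNET_RE = re.compile(r"(http://decoder\.re)/([0-9A-Fa-f]+)")
KEY_RE = re.compile(r"Key:\s*(.+?)\s*-{10,}", re.DOTALL)                 # blob ends at the dash rule


def parse_note(text: str) -> dict:
    """Extract extension, expected note name, victim UID, portal URLs and key blob."""
    ext = EXT_RE.search(text)
    onion = ONION_RE.search(text)
    clear = CLEARNET_RE.search(text)
    key = KEY_RE.search(text)
    if not (ext and onion and key):
        raise ValueError("text does not match the REvil note layout")
    key_b64 = re.sub(r"\s+", "", key.group(1))          # undo the chunked layout
    key_bytes = base64.b64decode(key_b64, validate=True)  # raises on a mangled blob
    info = {
        "ext": ext.group(1),
        "note_name": f"{ext.group(1)}-readme.txt",      # ransom_oneliner: {EXT}-readme.txt
        "onion_url": f"{onion.group(1)}/{onion.group(2)}",
        "uid": onion.group(2),
        "clearnet_url": f"{clear.group(1)}/{clear.group(2)}" if clear else None,
        "key_b64": key_b64,
        "key_len": len(key_bytes),
    }
    # Both portals must carry the same victim ID; a mismatch points to a tampered or
    # hand-edited note rather than one the sample dropped.
    info["uids_consistent"] = clear is None or clear.group(2) == onion.group(2)
    return info


if __name__ == "__main__":
    note = render_note("u40e74707", "686F41402118AD7B", FAKE_KEY_B64)
    for field, value in parse_note(note).items():
        print(f"{field}: {value}")
```

Point the parser at every *-readme.txt found on a host and compare the extracted UIDs: one UID per victim is the norm, and the UID is also the path component of the two URLs listed above, so it is the value to pivot on in proxy and DNS logs.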

Targets

    • Target

      e3d2f3fdbfe0554589ba961682f93faf9d250a53ffb5737c46ab8bea11d3f2af

    • Size

      116KB

    • MD5

      8e30a09eea51d285708c2e6171461155

    • SHA1

      2b8ca5b0d2feb46a6e6831366d16983682ea3424

    • SHA256

      e3d2f3fdbfe0554589ba961682f93faf9d250a53ffb5737c46ab8bea11d3f2af

    • SHA512

      32dce10e6993d18972e9ef73b8092f1ddb598f0e94d95c41cb66709c439ad06a10843831a101fcc2ef2b1101bed6065ebc3896574b1605cd0ab2ab2f2e537a8a

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                             Count   ID
Persistence        Registry Run Keys / Startup Folder    1       T1060
Defense Evasion    Modify Registry                       2       T1112
Discovery          Query Registry                        1       T1012
Discovery          Peripheral Device Discovery           1       T1120
Discovery          System Information Discovery          1       T1082
Impact             Defacement                            1       T1491

Tasks