General

  • Target

    ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d

  • Size

    120KB

  • Sample

    210412-p6syk39xe2

  • MD5

    a9d0f7e5c8f73806660711e59026e433

  • SHA1

    e435b0fb78497445aa8b677aa170cf2c3c66d509

  • SHA256

    ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d

  • SHA512

    8ab3f03a83d8e785e9989de01073c3f3e3d6659b6086822284bb276da03b8b434295902508ecb1be21b04dbf17f4ac7677658837bd21af911a44a0b784b947b4

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$SK8Y4SarRWiXOao9CJ1UYOE/I7i3BTh9vVtq0Se6X8YXQ8qoKzAdq

Campaign

7254

C2

ruralarcoiris.com

hiddencitysecrets.com.au

diversiapsicologia.es

jsfg.com

modamilyon.com

restaurantesszimmer.de

naswrrg.org

effortlesspromo.com

seproc.hn

personalenhancementcenter.com

dezatec.es

lange.host

schlafsack-test.net

croftprecision.co.uk

jenniferandersonwriter.com

xn--logopdie-leverkusen-kwb.de

rocketccw.com

maureenbreezedancetheater.org

helenekowalsky.com

puertamatic.es

Attributes
  • net

    false

  • pid

    $2a$10$SK8Y4SarRWiXOao9CJ1UYOE/I7i3BTh9vVtq0Se6X8YXQ8qoKzAdq

  • prc

    agntsvc

    outlook

    excel

    visio

    ocautoupds

    sqbcoreservice

    mspub

    ocomm

    steam

    onenote

    sql

    encsvc

    dbsnmp

    powerpnt

    firefox

    isqlplussvc

    mydesktopservice

    tbirdconfig

    xfssvccon

    dbeng50

    msaccess

    ocssd

    infopath

    winword

    oracle

    thunderbird

    thebat

    mydesktopqos

    wordpad

    synctime

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7254

  • svc

    sql

    memtas

    veeam

    svc$

    sophos

    backup

    mepocs

    vss
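The prc and svc lists above are the part of this config that a defender can act on before encryption starts: in this family they name the processes to terminate and the services to stop (database, mail, Office and backup software) so that open handles and backup agents do not block the encryptor. The block below is an added example, not the sandbox's or the page's own code. It copies both lists from the config, matches them against constructed process and service names, and runs a simple burst detector over constructed service-stop records. Two matching rules are assumptions: process entries are compared against the image base name with its .exe stripped, and service entries are case-insensitive substrings of the SCM service name (the list holds fragments such as "sql" and "backup", not full names). The log format is a constructed simplification of System-log event 7036 records.

```python
import re
from datetime import datetime, timedelta

# Process and service lists copied from the extracted config above ("prc" and
# "svc"): processes to terminate and services to stop before encryption.
PRC = [
    "agntsvc", "outlook", "excel", "visio", "ocautoupds", "sqbcoreservice",
    "mspub", "ocomm", "steam", "onenote", "sql", "encsvc", "dbsnmp", "powerpnt",
    "firefox", "isqlplussvc", "mydesktopservice", "tbirdconfig", "xfssvccon",
    "dbeng50", "msaccess", "ocssd", "infopath", "winword", "oracle",
    "thunderbird", "thebat", "mydesktopqos", "wordpad", "synctime",
]
SVC = ["sql", "memtas", "veeam", "svc$", "sophos", "backup", "mepocs", "vss"]


def prc_matches(image_path, names=PRC):
    """True if a process image is on the kill list.
    Assumption: entries are compared case-insensitively against the image base
    name with its .exe extension stripped (the list holds bare names)."""
    base = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return base in {n.lower() for n in names}


def svc_matches(service_name, fragments=SVC):
    """Return the config fragment that hits a service name, or None.
    Assumption: fragments such as "sql" or "backup" are case-insensitive
    substrings of the SCM service name, not exact names."""
    name = service_name.lower()
    for frag in fragments:
        if frag.lower() in name:
            return frag
    return None


# Constructed service-stop records in a simplified "<ISO time> <event id>
# <service name> <state>" form. Real System-log 7036 events carry the display
# name in free text; normalise to the SCM service name before matching.
# "wbengine" (Windows Backup) is here to show a service the fragment list
# does not catch, since its name does not contain "backup".
LOG = """\
2021-04-12T09:41:02 7036 VeeamBackupSvc stopped
2021-04-12T09:41:02 7036 MSSQLSERVER stopped
2021-04-12T09:41:03 7036 VSS stopped
2021-04-12T09:41:03 7036 SophosAgent stopped
2021-04-12T09:41:05 7036 wbengine stopped
2021-04-12T11:15:30 7036 Spooler stopped
2021-04-12T11:16:00 7036 wuauserv stopped
"""
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\w+)$")


def parse_events(log):
    """Return (timestamp, service) for every 7036 'stopped' record."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "7036" and m.group(4) == "stopped":
            events.append((datetime.fromisoformat(m.group(1)), m.group(3)))
    return events


def detect_stop_burst(events, window=timedelta(seconds=60), threshold=3):
    """Alert when at least `threshold` distinct services that match the config
    list stop within `window` of each other; one alert per burst."""
    hits = [(ts, svc, svc_matches(svc)) for ts, svc in sorted(events)]
    hits = [h for h in hits if h[2] is not None]
    alerts, i = [], 0
    while i < len(hits):
        t0 = hits[i][0]
        in_window = [h for h in hits[i:] if h[0] - t0 <= window]
        services = {h[1] for h in in_window}
        if len(services) >= threshold:
            alerts.append({
                "start": t0.isoformat(),
                "services": sorted(services),
                "fragments": sorted({h[2] for h in in_window}),
            })
            i += len(in_window)
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_stop_burst(parse_events(LOG)):
        print(alert)
```

The burst rule fires on four config-matched services stopping within two seconds and stays quiet on the unrelated stops two hours later. A real deployment would key on the SCM service name (from the event's data fields or a display-name to service-name map) rather than the display text of the 7036 message, and would treat the Volume Shadow Copy ("vss") stop as a strong signal on its own.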

Extracted

Path

C:\346geh1b-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 346geh1b. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C49220B27BA53756 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/C49220B27BA53756 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Blg7E2MiHEAT0ocbbbZ8wT36FEeihnxZe28K7K3UQ0ewEQkF73bhs7r0wwueb74E fqDnx+9gjB5WWdGlzMjAmsoRWxxaPu2XVJoRA5oahJy0OAh/x2aVz8UGYZtgMQR1 pZJUvA8vOfZEGXg6541OiI5q7JHnlAAwtiDhMSDZ/Vt1vdkifvj9osSNKEAQiKav FSjSjxRw7WOw+40Lj26NGagHQuqAT1Bj0cYw6vB3cGcauUwk6EMcApaZpbwYxmox AUpaVkVTWdvTw/WeZf1Dd9V0CMjpjMcSHW/8xAjR/I4jMUbU8kaZa5HuA/QswA5x dUAWA1Vws4ZbLPsiyhQiGl/gzkOf8bUweJiArspTpcvA3l0iJVC4OTZQVSen9TyY S0AOhIHlmIFsNaki7wuZKIGWD3KNl8hjXC/5/jXeQsq5DDZHA+p+Zj3fCw2Xvw2H rfHskyDRoVLw1np9s5e/S7nuOqtDdoAKbhRxuJzrCUTKR9GpGlM4+8PyfuL3kSrd JiBjPhax4FSNdkC4YKIXehhwUsXeSdsww7ksT6DHD+q+xTvrFrXjL+M8RFb/1lIB +yUfJcVUQgISHrtXyPR371lCFruwVXEo1XY2ud5847jlOmHxCzlAOV+lukQ5Uepe YJ1NL2xQXbo00VozZRSNSTgq8LPj8FzhTeCl8BOpoPe9ewsTTsjOafA2PDbHSQrR u5WaqIQtufxODGL5+OlWtGZeXPLBYRiTLKY+8BOLQetI7Y9+qxhHGP5Yopt8SfQW 3D2Y1lUWJY5dzJhiivSFt9omGwZiwWSDLGQWNHt2RSiOHtamA0200fgbe0/HGT5J ruB6h8nAFhxRIj0wvR0etPfJj42k0Jb81+BeGz4hKd6J2uBMRhXMk0mAgM1YzIIU 9aNwONhmQFXKzYeiukrTSn/noVYxxmIdlPM26G4iaMFaMT/2JOAX5GKpQn9b4Ccw 9c0xvV6eFBr+XrbQ4Sa6mIFYzByw/1Z7Omdm7kz4ZgNkrmxHQXreZk3t8Abf9Qxy AbL2lkbL0LRdOfxH8oq8uFTXG5mz2bhMcWpIgalQeB3nRFZL9mvYc2he+8CekJ59 UE+0BYRTyLtzdy1/6zN7VErGJyN/RM+2qF/x1m1WGDa6AzDt6NyLFLyf6SKZlVgl djfy5lfQJQi0RM1rT0U2wUUR9VsEmBDECAiD33X5a00QsRnIkJUmRW9lhCaE9PqL vmBHAUPd95R39ZYV8e5hIMBES0c3zW6MEkHt04aXusjLe+GXRVie991XYp3f4kKO XUDVEMM/WBk2HFRBDr0pWYYUfNMJG7zpabw= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C49220B27BA53756

http://decoder.re/C49220B27BA53756

Extracted

Path

C:\1c5u4r54-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1c5u4r54. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8784CB0A76B35867 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/8784CB0A76B35867 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Bk2UdhfJEHY6OqK6m3l2M2GO3I+Kv9jZmMjRmyg7gGC9xAaUqMoCK1c/6xCDyCs6 h2uCRRm5ttr86JH2+5rEW5IfhHsRM+PX8D0DO8IJ90esjHHV9AdOOfDlfh5cOTfU y7ewgzpjHqRURKuupxqt1UnOwH5HNd/bVAzNhYAJ/KQsqCt0MxwO6HLOnX2gJUOu lGWgjxtQmu8UP2mdkeXEZpU+Z/vP2WrK99dk42+o4Wp9h7j0u8l4oByr2/KfR9Le nAbiWvCVXsSuK5Z3T78PFETxoxJK6UJsWI5d/v21nvYTkZqK/B9ZsLuaIHVSiIe4 VFOwADqUd3GqE0r5PkSncvr0XIv6iB8eBSQX26lhFdZ89QHqzgShjQVah4QFDcxh 24qnKv4bZ3WV5KdkIkTWejRcjb3eWK0nxuc9au+ADvj+EUtCctsWtThdE2ZQ9BBm fp4HaIOLzaCr8myDM9/HqeJjVbsQdwlBLy2bAs1iASizZQgXMb/ZKQs8YDr49zKb /QDTVVXOxHkf6DpyC8pdCUoadufIGYZQnkuLO+yzVsNDttOQun/0BW2Q6lMfM+kL lPygcQnmYd95zptu8UFcTq0g3RAuXTMh6D9nMiUz0U9ttiFTzexZ4csylu1FRVVn N+RJ+rOC6Zl6Us6ijfmDY/QKTwrofNCGdfWvB+GsvbsQxdemNvQoIfM17UPKRTIK sQnrAVQln21uevUP9K7pa0dTpN0TV/7eQNllY6/m+Rt1tGSlXjk4QaW8qz7KcoiY AR7jzhvxc+UB+e+0e/3hL/bShxZMZMfCXHeJO/QxSpsydNHL49VDkOG/JzNxI5qH IiU3wuffL0CjpL2aH3x0YEsLfJcjplVZ3q3hpdjYJWdKmyFTBBYblY4D/jqkijQ2 R3eBgUYXdvsW3vusSTGil+dBJ0BEGIjEgHKmeGYFoLKBwfToXG7BSyqgrQITHrfO u4wqLD4mBh1jY8la/JEX1QdEUdN943gVsR/1orXFoMPqDnAPM0bOKHDq2X7pIMwZ N6/g4JNvmVC16HEBjVmZp6wWd6ICtxjXKY3RxOBVzJcB14E1bvnurtht3PEKVLwK kL0qeY11K6glwVhmm/IYKFdd7I8yDAFZXvCAUj6TQA2OhV8WRqHn0DCSRm9vQtu4 DUJuxm9/yaRag8Uy/CBUMXEVb3DvaLod46EWXwuPpFoPCL8zeAbVI2nZW0snkUsu yvlPJMIiKoNiOFqElbNe/kYEtBCu/hwUEB9c8aCk2cyER9of8mKHzPGWl/TEqa2I gyWIsCiNGj1b6Q== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8784CB0A76B35867

http://decoder.re/8784CB0A76B35867
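The two dropped notes above are instances of the ransom_template from the config with its placeholders filled in: {EXT} becomes the per-run file extension (346geh1b in one run, 1c5u4r54 in the other, so the same binary produces a different extension and note filename on every execution), {UID} the victim ID that is the path component of both the .onion and the decoder.re URL, and {KEY} the base64 blob the victim is told to paste into the portal. The block below is an added example, not the sandbox's or the page's own code. It pulls those three fields out of a note with patterns derived from the template, checks that the two URLs carry the same victim ID, recovers the extension from the note's filename, and folds the C2 domain list into a hunt set. The two note texts are constructed excerpts of the notes shown above (the key blob is cut after its first two lines). One caveat from the config: in this family the net flag gates the callback to the domain list, and it is false here, so treat the 20 domains as low-confidence network indicators for this sample.

```python
import re

# Domain list copied from the extracted config above.
C2_DOMAINS = [
    "ruralarcoiris.com", "hiddencitysecrets.com.au", "diversiapsicologia.es",
    "jsfg.com", "modamilyon.com", "restaurantesszimmer.de", "naswrrg.org",
    "effortlesspromo.com", "seproc.hn", "personalenhancementcenter.com",
    "dezatec.es", "lange.host", "schlafsack-test.net", "croftprecision.co.uk",
    "jenniferandersonwriter.com", "xn--logopdie-leverkusen-kwb.de",
    "rocketccw.com", "maureenbreezedancetheater.org", "helenekowalsky.com",
    "puertamatic.es",
]
ONION = "aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion"
# ransom_oneliner from the config, typo included (it is an indicator as-is).
ONELINER = "All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions"

# Patterns derived from the ransom_template: the extension follows "has
# extension ", the victim ID is the path of both portal URLs, and the key is
# the base64 blob (line-wrapped with spaces) between "Key: " and the dashed rule.
EXT_RE = re.compile(r"has extension (\w+)\.")
ONION_RE = re.compile(r"\.onion/([0-9A-F]+)")
MIRROR_RE = re.compile(r"decoder\.re/([0-9A-F]+)")
KEY_RE = re.compile(r"Key: ([A-Za-z0-9+/= ]+?) -{5,}")
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\)?(?:.*\\)?([a-z0-9]+)-readme\.txt$", re.I)

# Constructed excerpts of the two notes dropped by this sample (see above).
NOTE_A = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension 346geh1b. ... b) Open our website: http://" + ONION + "/C49220B27BA53756 "
    "... b) Open our secondary website: http://decoder.re/C49220B27BA53756 ... "
    "Key: Blg7E2MiHEAT0ocbbbZ8wT36FEeihnxZe28K7K3UQ0ewEQkF73bhs7r0wwueb74E "
    "fqDnx+9gjB5WWdGlzMjAmsoRWxxaPu2XVJoRA5oahJy0OAh/x2aVz8UGYZtgMQR1 "
    "----------------------------------------------------------------- !!! DANGER !!!"
)
NOTE_B = (
    "---=== Welcome. Again. ===--- ... all files on your system has extension 1c5u4r54. "
    "... b) Open our website: http://" + ONION + "/8784CB0A76B35867 "
    "... b) Open our secondary website: http://decoder.re/8784CB0A76B35867 ... "
    "Key: Bk2UdhfJEHY6OqK6m3l2M2GO3I+Kv9jZmMjRmyg7gGC9xAaUqMoCK1c/6xCDyCs6 "
    "h2uCRRm5ttr86JH2+5rEW5IfhHsRM+PX8D0DO8IJ90esjHHV9AdOOfDlfh5cOTfU "
    "----------------------------------------------------------------- !!! DANGER !!!"
)


def parse_note(text):
    """Extract the per-run extension, victim ID and key blob from a note and
    verify that the .onion and decoder.re URLs carry the same victim ID."""
    ext, onion, mirror, key = (r.search(text) for r in (EXT_RE, ONION_RE, MIRROR_RE, KEY_RE))
    if not (ext and onion and mirror and key):
        raise ValueError("text does not match the sodinokibi note template")
    if onion.group(1) != mirror.group(1):
        raise ValueError("onion and clearnet mirror carry different victim IDs")
    return {"ext": ext.group(1), "uid": onion.group(1),
            "key": key.group(1).replace(" ", "")}


def ext_from_note_path(path):
    """Recover the run's extension from a dropped note path like C:\\<ext>-readme.txt."""
    m = PATH_RE.match(path)
    return m.group(1) if m else None


def render_oneliner(ext):
    """Fill the config's one-line notice the way the sample does for a given run."""
    return ONELINER.replace("{EXT}", ext)


def build_iocs(notes):
    """Hunt set from the config and the dropped notes. The note filename is a
    regex because the extension is random per run."""
    parsed = [parse_note(n) for n in notes]
    uids = sorted(p["uid"] for p in parsed)
    return {
        "domains": sorted(C2_DOMAINS),
        "urls": [f"http://{ONION}/{u}" for u in uids] + [f"http://decoder.re/{u}" for u in uids],
        "extensions": sorted(p["ext"] for p in parsed),
        "note_filename_regex": r"^[a-z0-9]+-readme\.txt$",
    }


if __name__ == "__main__":
    for note in (NOTE_A, NOTE_B):
        print(parse_note(note)["ext"], parse_note(note)["uid"])
    print(build_iocs([NOTE_A, NOTE_B])["note_filename_regex"])
```

The victim ID, not the extension, is the value to correlate across hosts: every run of the same build on the same victim network gets its own extension and note name, while the portal path is what the operator uses to look the victim up. Blocking the two portal URLs is harmless but does nothing for prevention; the filename regex and the svc/prc behaviour are the earlier signals.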

Targets

    • Target

      ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d

    • Size

      120KB

    • MD5

      a9d0f7e5c8f73806660711e59026e433

    • SHA1

      e435b0fb78497445aa8b677aa170cf2c3c66d509

    • SHA256

      ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d

    • SHA512

      8ab3f03a83d8e785e9989de01073c3f3e3d6659b6086822284bb276da03b8b434295902508ecb1be21b04dbf17f4ac7677658837bd21af911a44a0b784b947b4

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                      Signatures  ID
  Defense Evasion     Modify Registry                1           T1112
  Credential Access   Credentials in Files           1           T1081
  Discovery           Query Registry                 1           T1012
  Discovery           Peripheral Device Discovery    1           T1120
  Discovery           System Information Discovery   2           T1082
  Collection          Data from Local System         1           T1005
  Impact              Defacement                     1           T1491
