General

  • Target

    3c4063956b797106cc43a49a634bb530aecd6e9a898124bb8fed6978f4556ee0

  • Size

    119KB

  • Sample

    210412-rqkkgc6a9s

  • MD5

    91e06d83a0ea2e73f8143f9d70c2b8b1

  • SHA1

    7ff7ce00ddb41170fe4b86858ae7bf4b9957ff0c

  • SHA256

    3c4063956b797106cc43a49a634bb530aecd6e9a898124bb8fed6978f4556ee0

  • SHA512

    48e60e0da5a730837c1845552db012578c91655ae5234a27093408a83c25b2b4aee9b7c710a4484d591bdaaae838634aad02b8f35f656cdfb8ada5721cbada47

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$1kwCeqBwH9VPgJTx96oN5emBXogxcNgxDgorD/DgjSeigFgk55VmW

Campaign

7353

C2

zzyjtsgls.com

ussmontanacommittee.us

bayoga.co.uk

instatron.net

pridoxmaterieel.nl

tux-espacios.com

parks-nuernberg.de

epwritescom.wordpress.com

outcomeisincome.com

vorotauu.ru

xoabigail.com

lenreactiv-shop.ru

pubweb.carnet.hr

villa-marrakesch.de

cirugiauretra.es

mirjamholleman.nl

ki-lowroermond.nl

architecturalfiberglass.org

global-kids.info

mymoneyforex.com
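The C2 list above is only useful once it is matched against DNS or proxy telemetry, and the matching has an edge case worth getting right: two entries (epwritescom.wordpress.com, pubweb.carnet.hr) sit under shared parent domains, so matching must be done on label boundaries against the listed host and never collapsed to the registrable domain. The following is an added example written for this report, not code from the sandbox or from the malware. The domain list is copied from the C2 section; the DNS records are constructed, and their shape (host, image, qname, roughly Sysmon Event ID 22) is an assumption about the log source.

```python
"""Match DNS query telemetry against the domains extracted from this sample."""
from typing import Iterable, Optional

# Copied from the report's C2 section.
C2_DOMAINS = [
    "zzyjtsgls.com", "ussmontanacommittee.us", "bayoga.co.uk", "instatron.net",
    "pridoxmaterieel.nl", "tux-espacios.com", "parks-nuernberg.de",
    "epwritescom.wordpress.com", "outcomeisincome.com", "vorotauu.ru",
    "xoabigail.com", "lenreactiv-shop.ru", "pubweb.carnet.hr",
    "villa-marrakesch.de", "cirugiauretra.es", "mirjamholleman.nl",
    "ki-lowroermond.nl", "architecturalfiberglass.org", "global-kids.info",
    "mymoneyforex.com",
]


def normalize(host: str) -> str:
    """Lower-case and drop the trailing dot some resolvers log (FQDN form)."""
    return host.strip().rstrip(".").lower()


def matches_c2(qname: str, c2_hosts: Iterable[str] = C2_DOMAINS) -> Optional[str]:
    """Return the list entry a query matches, or None.

    A query matches when it equals a listed host or is a subdomain of it
    (suffix on a label boundary). The list is deliberately NOT reduced to
    registrable domains first: 'epwritescom.wordpress.com' must not turn
    every wordpress.com lookup into a hit, and 'pubweb.carnet.hr' must not
    flag all of carnet.hr.
    """
    q = normalize(qname)
    for entry in c2_hosts:
        e = normalize(entry)
        if q == e or q.endswith("." + e):
            return e
    return None


# Constructed records (assumed fields: host, image, qname).
SAMPLE_DNS_LOG = [
    {"host": "WS-017", "image": r"C:\Users\a\AppData\Local\Temp\inv.exe", "qname": "zzyjtsgls.com"},
    {"host": "WS-017", "image": r"C:\Users\a\AppData\Local\Temp\inv.exe", "qname": "www.pubweb.carnet.hr."},
    {"host": "WS-042", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "qname": "wordpress.com"},
    {"host": "WS-042", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "qname": "carnet.hr"},
    {"host": "WS-042", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "qname": "notzzyjtsgls.com"},
]


def hunt(records):
    """Return (host, image, qname, matched_entry) for every record that hits."""
    hits = []
    for r in records:
        entry = matches_c2(r["qname"])
        if entry:
            hits.append((r["host"], r["image"], r["qname"], entry))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(hit)
```

Treat a hit as a lead rather than a verdict. Domain lists in this family are built largely from compromised legitimate websites, so a single lookup of one of these hosts from a browser is weak evidence; a lookup from an unexpected process image (an unsigned binary in a user's temp directory, as in the constructed records), or several of these hosts queried from one machine in a short window, is what should page someone. For the same reason, prefer time-boxed alerting over a permanent blocklist for these hosts.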

Attributes
  • net

    true

  • pid

    $2a$12$1kwCeqBwH9VPgJTx96oN5emBXogxcNgxDgorD/DgjSeigFgk55VmW

    (Not a process ID: this is a bcrypt-format string, $2a$ with cost factor 12. The report lists the same value under Botnet above, so it is the identifier to pivot on when tying samples together.)

  • prc

    ocssd

    winword

    isqlplussvc

    outlook

    mydesktopservice

    thebat

    ocomm

    sqbcoreservice

    mydesktopqos

    synctime

    encsvc

    visio

    mspub

    steam

    tbirdconfig

    onenote

    sql

    oracle

    excel

    xfssvccon

    dbsnmp

    thunderbird

    infopath

    dbeng50

    msaccess

    agntsvc

    ocautoupds

    powerpnt

    wordpad

    firefox

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    We downloaded more then 515 GB sensitive data from your file servers, including internal company data and clients files and documents. We are ready to publish all data if you do not contact us!

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decoder.re/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key:

    {KEY}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    7353

  • svc

    vss

    veeam

    sql

    mepocs

    memtas

    sophos

    svc$

    backup
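The prc and svc lists above are the sample's kill lists: processes that hold open handles on documents and databases, and services (shadow copies, backup agents, SQL, endpoint protection) that would block encryption or allow recovery. Entries such as sql, oracle and backup are stems rather than exact names (there is no service literally called "sql"), so anything that matches against them has to use substring matching. The following is an added example for this report, not the sandbox's or the malware's code: it correlates service-stop and process-termination telemetry against both lists with a per-host sliding window. The lists are copied from the report; the event records are constructed, and their field names (ts, host, eid, name) are an assumption about how a SIEM would normalize System log Event ID 7036 (service entered the stopped state) and Sysmon Event ID 5 (process terminated).

```python
"""Correlate service stops and process terminations against the svc/prc lists."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Copied from the report's Attributes section.
SVC_KILL_LIST = ["vss", "veeam", "sql", "mepocs", "memtas", "sophos", "svc$", "backup"]
PRC_KILL_LIST = [
    "ocssd", "winword", "isqlplussvc", "outlook", "mydesktopservice", "thebat",
    "ocomm", "sqbcoreservice", "mydesktopqos", "synctime", "encsvc", "visio",
    "mspub", "steam", "tbirdconfig", "onenote", "sql", "oracle", "excel",
    "xfssvccon", "dbsnmp", "thunderbird", "infopath", "dbeng50", "msaccess",
    "agntsvc", "ocautoupds", "powerpnt", "wordpad", "firefox",
]


def matched_stem(name: str, stems: Iterable[str]) -> Optional[str]:
    """Case-insensitive substring match; returns the first stem that matches."""
    n = name.lower()
    for s in stems:
        if s.lower() in n:
            return s
    return None


def correlate(events, window=timedelta(seconds=60), min_services=3, min_processes=3):
    """One alert per host when, within `window`, at least `min_services` distinct
    listed services stopped or `min_processes` distinct listed processes died.
    Thresholds are tuning assumptions, not values from the report."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["eid"] == 7036:
            kind, stem = "svc", matched_stem(e["name"], SVC_KILL_LIST)
        elif e["eid"] == 5:
            kind, stem = "prc", matched_stem(e["name"], PRC_KILL_LIST)
        else:
            continue
        if stem:
            per_host[e["host"]].append((e["ts"], kind, stem))

    alerts = []
    for host, hits in per_host.items():
        for i, (t0, _, _) in enumerate(hits):
            in_win = [h for h in hits[i:] if h[0] - t0 <= window]
            svcs = {s for _, k, s in in_win if k == "svc"}
            prcs = {s for _, k, s in in_win if k == "prc"}
            if len(svcs) >= min_services or len(prcs) >= min_processes:
                alerts.append({"host": host, "start": t0,
                               "services": sorted(svcs), "processes": sorted(prcs)})
                break  # one alert per host per burst is enough for triage
    return alerts


# Constructed telemetry: a kill burst on FS-01, background noise on WS-042.
T = datetime(2021, 4, 12, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T, "host": "FS-01", "eid": 7036, "name": "VSS"},
    {"ts": T + timedelta(seconds=2), "host": "FS-01", "eid": 7036, "name": "VeeamBackupSvc"},
    {"ts": T + timedelta(seconds=3), "host": "FS-01", "eid": 7036, "name": "MSSQLSERVER"},
    {"ts": T + timedelta(seconds=5), "host": "FS-01", "eid": 5, "name": "sqlservr.exe"},
    {"ts": T + timedelta(seconds=5), "host": "FS-01", "eid": 5, "name": "outlook.exe"},
    {"ts": T + timedelta(seconds=6), "host": "FS-01", "eid": 5, "name": "excel.exe"},
    {"ts": T + timedelta(seconds=7), "host": "FS-01", "eid": 5, "name": "chrome.exe"},   # not listed
    {"ts": T, "host": "WS-042", "eid": 7036, "name": "wuauserv"},                        # not listed
    {"ts": T + timedelta(hours=1), "host": "WS-042", "eid": 5, "name": "firefox.exe"},   # a single exit
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Two things to keep in mind when deploying this: the family stops services and terminates processes through the service-control and process APIs rather than by spawning net.exe or taskkill, so command-line detections for "net stop veeam" will not see this step, and the only traces are the 7036 and process-exit events used here; and the stems are broad enough (sql, backup, vss) that a patch window or a planned reboot also stops several of them, so the burst threshold, not the individual match, is what carries the signal.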

Extracted

Path

C:\oxlz5ld9-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension oxlz5ld9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We downloaded more then 515 GB sensitive data from your file servers, including internal company data and clients files and documents. We are ready to publish all data if you do not contact us! [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6338861BA5A96AF1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/6338861BA5A96AF1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: k2rZYiJt+4PbBi+jlWE08fZ27y54tEaWtGCMPiCaA2rKq6mHDUGU7y1kPU06FShn KDHiFzddz9DCJpo26pRMMqxLSttzi5NL7n+3iykwRzuN2XbpzXORXaZjEghliSP7 eLRSQwd+c7RdOg9jntHKhraApfc47FJXIQ/pDoFLHN1aQMWEtsU+dzhe0UtFgH3j b02LA/vbpuYd7jqoObHDWqqQdbeZdZjlQSgMJDi362Ao1CDTrzahO6eJcUiczaEo c0g+J1ZPitNZgALg3+XRMonOuqvHK3j7MX1Vm6UJ3ChyArTGW3uY0Md6SRjeYNdJ oXpCHYZ4HMbQnlqRKNCarIonzINJJf9VNCUVlky/mWbOMCQ5zAgzt6G37pKAKkEE Rkt9YVh9tamPyp92NyW8x1lTTmEBlZTVuyjhJGfD26ijYfzsAGNmLQ6xF6xfV+Mv I06uNWh2ygP7Nft3JHUWwVTr2sBsj9FTe0JBLpUJVbv1FnXgeMvyz9J6SUkAEVv+ lYhbey0/3CEKo2miuMqtVRkaru2VooinySPVsN6ADgxtg/l544Dqns61mMtr/pib 81yoGUGzjvU28TlYfe2oF0XZ6lvoqPqCPBr168zcbhya74JQKzqTj/9TcAmfuYGy P0cwSj+WFk6lBin12ykOcN6hSLsLxr8LC0FPlS+fUpUuGBeaBv61N7LoBeIzkpth wNEqB6DGTvFTwXpg5RI8yyrKK/6Z+a3/Pyr8X/kfjmWh9x7KJiI72iWFdzMXzznt 2Rc+EF1l8s75ggFtgzs3/CLjLh8b6a5DG9U/bTjgNktgxcnPsajJiLMybsSPrhOX pqRSu2lW+tgTKKlobLqRzX8i31NNB6V3Esk0EuBX/C/jnOL912tioKieaR9dN9v5 8taSNhMrrEUmtg/nE3anizO3hL+Pm+G7XT5PtT/6OkFaXvLeAMtV5144pI2vp6Ro Hut7Fnanu/8ni0387ZcN8VH14K3B7IxTr2hlAiwubkNIkx2BNvrMVogywjk6tQRK +DUjZIYJ52IZVSbeCc079NiEfVRnx337SRR65hBYuuSurUOlFIoBOHM1hO01JLmT snSh+cUlVD4VhBkXa80x0uC9m9eAmhmaz1PEtXJrr74fWhuvI05fEGVZlTbKDoP8 B9ja+kjy3uZ4umCC+gDk0GToLp/U1/SxXII2zYX40tdbgOP2hwMSHACXtYZtgJ1m X1CxPlmC/6CJBF//SNdB/tB10ihuThOhRrSDJERzuVAMBeanWH3jYZfuRyD7Sw3B WLRfiBx4xSobhsPvoX1XmaMrivvkAZ0cQWw= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6338861BA5A96AF1

http://decoder.re/6338861BA5A96AF1

Extracted

Path

C:\m2yk86k98-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension m2yk86k98. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We downloaded more then 515 GB sensitive data from your file servers, including internal company data and clients files and documents. We are ready to publish all data if you do not contact us! [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C915E1DB9A5DA187 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/C915E1DB9A5DA187 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: xfuWA0pe1DhMkVKT3xdGxv/9FzuvKYDctuFI4AexBHBXLChUalQuzm/RbVxHS4HY D4Wj6oPEFHJdUhwqSKFtuPmKJpWOnmznPr+xAIMrv066whnQrgqWRhR3pB+xVfkY dyd8l68SlyO3BdEhn4wU23ufGdULjs89IE0T2N46685x6GXFyH512IscNtWGp7+u Y2KyBs9so1Md3XosCw6dgFcSVBEgL7ZNevi9y38UnmEsKjHx3vHIpa/BaKbjuiyY hGI/GRW4sbsBi3/afC0m+UqlsQIMwm6SSfA9o8PiziBjjN1QU6Cw0cCO23HxtjmZ yHfQEHg6JCgMwEeQZ+VMOW/NEdgt0SAzFAvRMHoxhPRKRwANFH0BtD7nADdIDOZ9 p0YKo+We1+8a2SxRRh5fNB4t/EJ4KB783v/tStR+54UDchHhV0FQrAgF1sSBS94U gD8PzR6S5PYBrUlZGYanAx0L//FuPsqb4AY5OYOXPceeVlgiB698YSHXDOBPus+P drdPXrQ9nNRh8aVpddFi5O3tRDStY8xGD2nsNqtrpscvxu7wYI0tV2h1UEHlq91U CiiJTPNoHJ90A+N22qeP61gTS+7U6pYYRCYXTLb02S4cmFf0JLKMHlhUwZhk5wfC KZzSlm68jZoN1b8gfT70o3wVpR90d00jxLXSl9VauRvdwQVdf7w7BdFhZ+8ewi0G MXB4t6Vb2IrlaG453iu5zTn5xrTj7YbszvjQPlNlRPS4UE4feUOuRyjGGuZSyvqH PwMlgEVvbC/PG+tR6e2Fl+NGzoIgnXXzv3tBEs7+TBss6M485ln9GIfDxOxooxJ5 UYpZbphPySPFAC34qB/DM3fst68h30NOEbsglOsLT40mnxNltJqPIHiWH/dUXyAj fYGWAO2RIMk6ezL4sXpT9pDecLUQi7bs4wbphfLP4GENzrfDMyfuwXDc468mz/od /T51C6SJ6XOByY3MY29I0KXYsQtr/bHzVdDlN2+jpXlcM6gASie+m9NaBZOhHHz7 Cy8bWgHuNqVZKfq5bYXiNbbsTXmeb3aodwoNLEcACHJ4aMByYRN65mvEQXTZOiCX ysj8loZYFuBnnWpJfHBpQkoDykasmqVP5YYCIUhYr4vpWiuKa3lrOKnPwlngQrCf 9N9lpFT1V9HB1g8FyPS+6d9Y/AplzR5qzgTyxG+3pFzy2/Z8q12qhffQsYZtII6T YfGqaYpI4io+FJWke+NRDvRr0Ehv9QFHdKzpyUmmIdRD29lTl/cKKpJsbgc0hc52 BtA7sCNM9dBQx9ti ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C915E1DB9A5DA187

http://decoder.re/C915E1DB9A5DA187
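The ransom_oneliner and ransom_template above are the generic form, and the two Extracted blocks are that template instantiated for two runs: {EXT} became oxlz5ld9 and m2yk86k98, {UID} became 6338861BA5A96AF1 and C915E1DB9A5DA187, and the note landed at C:\<ext>-readme.txt each time. The following is an added example for this report, not code from the sandbox or from the malware. It renders the template the way the notes show it was rendered, derives the note filename from the extension, uses the observed naming to hunt note drops in file-creation telemetry, and pulls the victim UID back out of a note recovered from disk. The template is abbreviated to the lines that carry placeholders; the file events are constructed; the extension length range used in the regex is an assumption based on the two observed values (8 and 9 characters).

```python
"""Render, name and hunt the REvil ransom note using the values this report extracted."""
import re

RANSOM_ONELINER = "All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions"

# Abbreviated from the report's ransom_template; only placeholder-bearing lines kept.
TEMPLATE_HEAD = (
    "---=== Welcome. Again. ===---\n"
    "[+] Whats Happen? [+]\n"
    "Your files are encrypted, and currently unavailable. You can check it: "
    "all files on your system has extension {EXT}.\n"
    "...\n"
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}\n"
    "...\n"
    "b) Open our secondary website: http://decoder.re/{UID}\n"
    "...\n"
    "Key: {KEY}\n"
)

# (extension, victim UID) pairs from the two Extracted blocks in the report.
OBSERVED_RUNS = [("oxlz5ld9", "6338861BA5A96AF1"), ("m2yk86k98", "C915E1DB9A5DA187")]


def render(template: str, ext: str, uid: str, key: str) -> str:
    """Literal placeholder substitution. str.format is avoided on purpose: the
    placeholders are plain braces, and any other '{' in a note body would break it."""
    return template.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", key)


def note_name(ext: str) -> str:
    """ransom_oneliner names the note '{EXT}-readme.txt'; the extracted paths
    C:\\oxlz5ld9-readme.txt and C:\\m2yk86k98-readme.txt agree with that."""
    return f"{ext}-readme.txt"


# Assumption: extension is 5-10 lowercase alphanumerics (observed: 8 and 9 chars).
NOTE_RE = re.compile(r"^(?P<ext>[a-z0-9]{5,10})-readme\.txt$")


def hunt_note_creations(file_events):
    """file_events: iterable of (host, path) for created files.
    Returns (host, ext, path) for basenames that look like this note.
    Group hits per host and ext downstream: the note is written to many
    directories during a run (assumption for this example; the report only
    shows the drive root), so alerting per file is noise."""
    hits = []
    for host, path in file_events:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1]
        m = NOTE_RE.match(base.lower())
        if m:
            hits.append((host, m.group("ext"), path))
    return hits


def extract_uids(note_text: str):
    """Pull the 16-hex-digit victim UID(s) out of a rendered note, so a note
    recovered from disk can be tied back to the URLs in this report."""
    return sorted(set(re.findall(r"(?:\.onion|decoder\.re)/([0-9A-F]{16})", note_text)))


# Constructed file-creation records.
SAMPLE_FILE_EVENTS = [
    ("FS-01", r"C:\oxlz5ld9-readme.txt"),
    ("FS-01", r"C:\Users\a\Documents\oxlz5ld9-readme.txt"),
    ("FS-01", r"C:\Users\a\Documents\report.docx.oxlz5ld9"),   # an encrypted file, not a note
    ("WS-042", r"C:\Program Files\App\readme.txt"),            # benign readme
]


if __name__ == "__main__":
    for ext, uid in OBSERVED_RUNS:
        print(note_name(ext), "->", extract_uids(render(TEMPLATE_HEAD, ext, uid, "<key>")))
    for hit in hunt_note_creations(SAMPLE_FILE_EVENTS):
        print(hit)
```

The extension is doing double duty: the note says "all files on your system has extension {EXT}", and the report's "Modifies extensions of user files" signature is the same behaviour, so the ext recovered from a note name also gives you the glob for encrypted files on that host (*.oxlz5ld9 here). The UID is what distinguishes two infections that share a sample and an affiliate: both runs above have the same pid and sub but different UIDs and different portal URLs.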

Targets

    • Target

      3c4063956b797106cc43a49a634bb530aecd6e9a898124bb8fed6978f4556ee0

    • Size

      119KB

    • MD5

      91e06d83a0ea2e73f8143f9d70c2b8b1

    • SHA1

      7ff7ce00ddb41170fe4b86858ae7bf4b9957ff0c

    • SHA256

      3c4063956b797106cc43a49a634bb530aecd6e9a898124bb8fed6978f4556ee0

    • SHA512

      48e60e0da5a730837c1845552db012578c91655ae5234a27093408a83c25b2b4aee9b7c710a4484d591bdaaae838634aad02b8f35f656cdfb8ada5721cbada47

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                      ID      Count
Defense Evasion   Modify Registry                T1112   1
Discovery         Query Registry                 T1012   1
                  Peripheral Device Discovery    T1120   1
                  System Information Discovery   T1082   1
Impact            Defacement                     T1491   1
