Overview

overview

10

Static

static

10

v2.bin.exe

windows7_x64

1

v2.bin.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    779e9a1d_by_Libranalysis

  • Size

    73KB

  • Sample

    210430-dnl3yct7pn

  • MD5

    779e9a1d22e14ec6b0e95915b6cd044b

  • SHA1

    c4229d12aca7fefa8b93b1c2c63401e802a89a64

  • SHA256

    fb894aa3a2c3b11a83006c3a08d3c2fb983725b24586e3ac325f55005321be84

  • SHA512

    8154338a20fc6bcdc3736c0d03e7635ca7429215ba0bfae0777ea2af3219ea04655f8de1f87311986e9c6efd3bd48c95452b7ea00b1f7bad2b6dfd2de23dd414

Score
10/10
sodinokibi$2a$12$ltqvwf.cqvh9w5jzkak9lo0hmlnifwtufobj86ge.hlzgvclg6xhw7563ransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$lTqvWf.cQvh9W5jZkAk9LO0hMLnifWtUFoBJ86Ge.hLZGVClg6xhW

Campaign

7563

C2

commercialboatbuilding.com

parkstreetauto.net

longislandelderlaw.com

lbcframingelectrical.com

assurancesalextrespaille.fr

smale-opticiens.nl

naturavetal.hr

global-kids.info

kaotikkustomz.com

klusbeter.nl

socstrp.org

stefanpasch.me

jandaonline.com

beyondmarcomdotcom.wordpress.com

nmiec.com

sabel-bf.com

edv-live.de

zewatchers.com

controldekk.com

berlin-bamboo-bikes.org
Attributes
  • net

    true

  • pid

    $2a$12$lTqvWf.cQvh9W5jZkAk9LO0hMLnifWtUFoBJ86Ge.hLZGVClg6xhW

  • prc

    oracle

    excel

    ocomm

    onenote

    mspub

    powerpnt

    synctime

    agntsvc

    dbeng50

    isqlplussvc

    firefox

    mydesktopservice

    steam

    winword

    dbsnmp

    ocautoupds

    thunderbird

    sqbcoreservice

    ocssd

    encsvc

    xfssvccon

    tbirdconfig

    wordpad

    infopath

    visio

    outlook

    msaccess

    sql

    mydesktopqos

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- We will use the data gathered from your systems in future campaigns in 14 days !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7563

  • svc

    veeam

    svc$

    memtas

    sophos

    sql

    vss

    backup

    mepocs

Extracted

Path

C:\7720qc-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7720qc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B2F1E4F27970263 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/5B2F1E4F27970263 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: I6TLKlWbLUr/BqPgLZo7YNIOfUnp7J3ANmXB6SVgHBo29Uxal51V+MeSUTm9B5x8 rJm7PEAb+ZgsxoYqcpNlfSwRFFKIuvFm7u++r48a+ClsoBV1ZsNfEIvusf1m4PiU /s8xXNd71VtjebmcC110ZLjCW77jYCc6QovXQcnaFrQGdgEphakxIcd3Tu821WZY uryzX4+X8jj1HdRrYbsAX5OoEBazOSKDXx7t5EqmHQm1hfYbX+jfUL6ivFSECkxR au/a+EpHZxbkSq7tOOYw93QCRp8niT39yIy8nO5XAnnDTuHhPkAUMzK7o8nBltf7 nX03M4r1tu9J6A8ZTa0Qpj/L8m3tN1y5Lly4f9SG4qsktg4bNR9X0T6cYKLmF6Sl c+Ec5Ukv+q1+go3Nx75/ZyzT5H1mJi3wwWDR7AQDG8wRMDiRjy2xrMh9mRVQQ5AY 4sXAx4ahcJygr81Qjh08gdSsvz/zdO5ETrPhzZXyDmReYvp+fUcQZoOFPr8S209L h2S9HSg3GB/fSUsapQY+TMc5GB1cz/YmR+apFCpbQbqstZsfy2vjWzXxIjtkVj1g vtq4Z9ZxoTzAmz8V9d0PQfx14lhlhIOlp5T6D16x11DqgY19hO1b/hIH5RrzSYmu QwBV8MSGF+jaQpVIFmojdSQ8Yqq6vqfZYwTIsP4M2lLGa/2mAJ/NsKGDcQ+7Mgmg SJ0fF/slCbFp7Fu0xBbsedHuA+wgzCroy+xMS6FghrqPgpBILhs8Yq0eYt40kYCQ 0mfKDOdjz+MZRnOSOFlg1L6p5MiK9VZQiQeRjWiFx9lMWM5EDVdQaf5cvpQtkd6w tILaxKvHt38QKlQG7tI7pdhba1/TnSG+2Uif9SyiPtb9/1wvxyanTqyTniqfgTNX HeK2N6imqXwGE6Q/7kPAj/nqM5NjfiMQ7rWWtCMlO+WgGs9XH/EwWRxyP4VbyM2H DXjEcNs/hNwollDfOXHtU1Q526TYdFs/7DlP+APcUHAA14b/E/gyGmQlRmY6vJw3 F1N5F4SScav5VvsnkxU108TZJHFEG6l1mRlrkgxdwhR4+zKq+0kzWzV95PhzyqKy 88CYItnD4jyZ4dfh5g0rRA/DXfy5zsM4nb5vF1R5oTJ9rP6uu1/cgtponC+So2s4 AxEGV2Q5EEcnHf9xWuqFv2qWjCAuRdvRlLc1N1oLlettXTd/GUGB+/O6tor4Q98k Hru7djnodnw16BEi87zvfn0+aQBAhmudejZEuWXz3hLiLhJO6y5bg144pGE1VuJm BPk8y9Qc ----------------------------------------------------------------------------------------- We will use the data gathered from your systems in future campaigns in 14 days !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B2F1E4F27970263

http://decoder.re/5B2F1E4F27970263

Targets

    • Target

      v2.bin

    • Size

      121KB

    • MD5

      944ed18066724dc6ca3fb3d72e4b9bdf

    • SHA1

      1a19c8793cd783a5bb89777f5bc09e580f97ce29

    • SHA256

      74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f

    • SHA512

      a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3

    Score
    10/10
    sodinokibiransomwarespywarestealer

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Tasks