General

  • Target

    b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988

  • Size

    192KB

  • Sample

    210504-4apxzsqmbj

  • MD5

    beed14bc183ad523b94ef6ac2b270b08

  • SHA1

    4ea45e0d8a4d50182063cc97c8a86d579f3adf05

  • SHA256

    b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988

  • SHA512

    da74c44e21e120af26074fb6493a35067f037cc633e630b415d9b6947c9dc58e354fbb33afc87f733da8cd4d1f8ca66081df0e96d249ffb1c2ba8142c9317196

Malware Config

Extracted

Path

C:\0m3vzk-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 0m3vzk.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9AAE2FE053FEC315
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/9AAE2FE053FEC315

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: /5FxY+B8pANAJm7dYBiQaWYsWvjj6oeEoQJJbqP9tfB4tGkH5Q3nQS7Y9WLu2N5Y uKMiU1xePBjTGsSm5epa5dp/djggGemrO7JjZkitkJ04Tqd5MvS8ykp/qPQ+M5QA Leil7XquOOweTadg3QzE92eZEfL+d9SIKPIVDNKTEFXZT3xqRS7ygtc/0kCupyb0 Cl4ZtV7rxkyzALC9w90MPHtPRhFYu2a7z1YSWdhpTa7RLSTt0cg/K4y1uRYfvLDG O7RuIU67GqopaK1oKRy7yLAFkbXsAmzTpJD281kFVDCFTFcPnwVKIIspOXXVXmBK E5P732Wx/ie2yOJW1t8f6I/WlgHUQFh0aaygvhpiYt38gIl6GpvNF7YiC0V9oLoD kvwukPfaZ4cc53IqhkZh5g6pWtvUBCA4L6azsBCUisMfUov3fs0e9QOUnPPd8FKx uwVfeq9Y6iSKdiPWFslZAJcwCSKfHFwtpenKmsEeejKQGYsZ4PAMJfKpZUgTzI0n dAaBuJmyaiHIofmeB87j+q2a+w9duy090fHRV4uhgOpSo29IDTjnqptMGGplH0QG +1V93H12OOYVCvv92D/NZj0ZSdfe+7EC7OehytAXT2EYO6XZG67VVYQQiIIsKhBe n9zdVleDmkBaJvEyoWFZHfm/mRqhwwwzAa9hCrWN8xfo8ALjNkAsddd0XqiMJTcG mSGL8qrULuRDSBhWvgIwA6tnLmfKmLQaK1zcUI8QFkHz7I6QFe7OnZclaMcE91ms J9MsEEDjylhdTaxHJlKPyYSfVzI+SfCxOpGz46CKES1epFybIjjKN127iqJnlJYN xJorOpN5AhAU/nJdl4mklDt+D0rN9efuppF8hG99nfVkkp3YUTeQ1TwlF70twlzZ ESVYWNG+ykTWLnuLGlK6urC5kXUoT5FkLAEZBXb1A06ZSeIHqCNjltzwkrblqx0J 1i60OlX+BvU+Mbnm5YVWynRx4htrN9V1Zq2eVOZuRC8P/hv6NXan4HRzmJZ9ccl9 su1wACogzOG/g5V//c6wdVSu2N6aWMjULcag+TuB7hZtpnxb2Z/WowiGWup7JccV qMgvCPkSMdegWRcWMzqDid1JDMQGwlmblEHJlWfCUuZQXr/fI6aiaT4uj0ETHTAq X/bTtHZed8Aobrg+8nKZeuILQYyyO42uGz8ASze5abbiod6+g64vAiTOFiGGP7Vi 5ngEROnnCPq00rGv1AGShkJu3DTyA9WwuPW6qVK6KTUqWCuXqhVMPazkvJ3+8G20 e30GiEmxzkjV1h8o2alhkNlOVJlenoA8z/bo1T1D7P8= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9AAE2FE053FEC315

http://decryptor.cc/9AAE2FE053FEC315

Extracted

Family

sodinokibi

Botnet

$2a$10$bpqdMNEbHMlZbaU2UMcBOO748r6juMHa1.GdqTlbvAXAC48OcJY8e

Campaign

5340

C2


Attributes
  • net

    false

  • pid

    $2a$10$bpqdMNEbHMlZbaU2UMcBOO748r6juMHa1.GdqTlbvAXAC48OcJY8e

  • prc

    firefox

    xfssvccon

    ocautoupds

    steam

    ocssd

    msaccess

    DellSystemDetect

    CagService

    VeeamDeploymentSvc

    pvlsvr

    raw_agent_svc

    powerpnt

    isqlplussvc

    tbirdconfig

    dbsnmp

    VeeamTransportSvc

    EnterpriseClient

    agntsvc

    onenote

    sql

    bedbh

    beserver

    outlook

    sqbcoreservice

    infopath

    oracle

    winword

    thunderbird

    wordpad

    vxmon

    visio

    bengien

    mspub

    ocomm

    encsvc

    mydesktopservice

    synctime

    dbeng50

    excel

    mydesktopqos

    benetns

    vsnapvss

    VeeamNFSSvc

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:
    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key:
    {KEY}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    5340

  • svc

    svc$

    MSExchange

    WSBExchange

    vss

    backup

    VeeamNFSSvc

    MSExchange$

    BackupExecAgentAccelerator

    MVArmor

    AcrSch2Svc

    BackupExecVSSProvider

    BackupExecJobEngine

    BackupExecAgentBrowser

    ARSM

    sophos

    BackupExecRPCService

    VeeamDeploymentService

    CASAD2DWebSvc

    PDVFSService

    bedbg

    stc_raw_agent

    CAARCUpdateSvc

    BackupExecManagementService

    BackupExecDiveciMediaService

    mepocs

    AcronisAgent

    veeam

    VeeamTransportSvc

    VSNAPVSS

    memtas

    MSSQL$

    MSSQL

    sql

    MVarmor64

Extracted

Path

C:\b13gd23qbj-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension b13gd23qbj.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/64F9D9A943E5E574
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/64F9D9A943E5E574

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: nAOnBeRVb6wZfE+UfzMMEoXY6Vbcw8azoipfQ02zmGLkSkJrH8eokWUuU5jWXRtX EqZ4xxFR+SYsS0CRMDUCQlch+AP1sklMGktwDeAeE/VM4J9hgxEOwjqMaYsULG67 6/EbHirjPxjSlMlwdFSWYgJFt0ClvZx/cjIZXvBeAMMUSocvPR+ikJXrTHqrbFLQ 43HgCg9HP8ygBmyH49d+oexdMLpuil0KMtuhh6xVASjdOOd8/76t5Xhm2dArhqda S/T/hwOjbW3/OUqK/j2tOPZf/nR9kOjMiu1Tg8JDdaGbpfne9GN8eObXnluyQZSG kBdCB57XyRtZZ7kJw9AeVJ/DC84nHSdrSIcXxXa/rybWl4LJQnnJbaJYRZl0ExTk R/uh+tJryTllZWxW2n/spkU3hcpIvzwAWYEeEavoZJ4OclPqcSHPrRm7sjAdmpjn +RsJYhGkcvq8PsppYLPedcCrLGc0HE8AXw43wcg8dwpdljg6+4zk6qZHsodrJ+Dt AiMMsD5j0xblkDC4rx7Uc0Maih1N2ukrk1RW/Eo8BmHE/uFoQzJHZEyRb+zkJljR cd6Tl2HpNs7q2zWwSq52au9cEE8hinAL7mxq1AgsFR9m6zv7+3g8JjrYNKIXMbOk F7OCh29Xjy9Fk1JdQRZ47HDsJoQwx6Y6Z70zlaQTZywZpy8Ab07e6Rw2z9WUhQbk Kdd98tw6LwKsh44hD9fiAjAVefQ0zLQEBo8ZpwPWN+/yzR899e14tYrB2ys+8p6F ZIt1Pfjq/+C8K4zOH2fckYt4Tt3+Efln89r74jnlnhk1jjAK6xGBzzLWRvnSn/nx /GFMzSsE2mtyb8wFOjEO7vsjCQw28i/njO1iEMRQUp8/Wde7VUYxn13TpkQJoFGU jFXLYUrpI4BjayejQEIo9n6MJBJanI/uI4UnpZV0Lh/SX1BFBfWOkpjqi2wMsnoX qGmLmRfJ0h+1UCMVcxvtcXobP90LagaQIHKkBhLOx7BDwD+6ER7XFKzW1gMbYtI4 VUO+k1j02XEpiESEJkvRoL/O/fKeb7TFRv6w06l1HfPhKsrHUppDCjlDDOc5mKwv aPXbVtDqjrIcPMNhLZI1GZjBmPzXS5i3FJU0gh7Xb4ogiBFw3OOw8YwGNycmE+xX qE40WcOdFDD4Vg/Ey/IRFMuLRrl8ztBhevWHkNaafTAsrRjtdm0OeGX9HknP1UGO zaw5y372C1w66EOKSuyQdaKLw5gfGgydNNzproTuu4UczeSyd9Sy5kRuC5N97Njd wZnkORegH9T+a7UuvnFmqubGd4D24hzV ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/64F9D9A943E5E574

http://decryptor.cc/64F9D9A943E5E574

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
      Modify Registry (T1112): 1

  • Discovery
      Query Registry (T1012): 1
      Peripheral Device Discovery (T1120): 1
      System Information Discovery (T1082): 1

  • Impact
      Defacement (T1491): 1

Tasks