General

  • Target

    7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464

  • Size

    175KB

  • Sample

    210504-sa5st8c1zx

  • MD5

    5a9e750f4d1d2514c496f43b1e20a94f

  • SHA1

    c02a6413d43da9e8299c0eaab2252a20792da5c4

  • SHA256

    7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464

  • SHA512

    8159e927281c9320422132030847fcbd94c2e322bd6cfac2d0c222e27fb11e7eea956df22785a2b19b43dac5e2474ca06c98e0e416162b75d82392cb730fab23

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$.f7IpgYtYZGmT5sKVxP4DeexwfYEU6ILqgG3IL3orW0F9eevOA7L6

Campaign

4769

C2


Attributes
  • net

    false

  • pid

    $2a$10$.f7IpgYtYZGmT5sKVxP4DeexwfYEU6ILqgG3IL3orW0F9eevOA7L6

  • prc

    xfssvccon

    wordpad

    outlook

    ocssd

    dbeng50

    tbirdconfig

    firefox

    winword

    thunderbird

    excel

    synctime

    thebat

    isqlplussvc

    sqbcoreservice

    steam

    mydesktopservice

    agntsvc

    mspub

    encsvc

    msaccess

    onenote

    dbsnmp

    powerpnt

    infopath

    mydesktopqos

    ocomm

    oracle

    visio

    ocautoupds

    sql

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome Riedel Company ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4769

  • svc

    mepocs

    memtas

    sophos

    vss

    veeam

    backup

    sql

    svc$

Extracted

Path

C:\c1dgmoftdh-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Riedel Company ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension c1dgmoftdh. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/52C2EDA248F29EED 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/52C2EDA248F29EED Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: lFGgFMjiYYC9zUY9BRoTrUs/GlIdhAC4JkcCkOToQgqiQ1rfglnbDFygGSbBFsVp QfRR06R2rglqm69bjuXlOQzsK/7yOgEI0495zvQf31ZsaBOs7qUHcBU1BJLQb+LX eWqUoHFxuNawoRSkL+aRkjdsDLHfQN9sxL2zrOKW9dZHwD8ms5i1wPBJPAjbznj+ kBCxXJzFnsD49Dz6OXd9kuIkcdGRnUuKb6UmfzlX0XEia7v06w0n0YRHvNHJ+5ts T0nMTOm9YEKSJjq4XOrQmwZ38JadE/02IFuHzaUDF40lmLlhfuzPdu2omCmq3D51 N3mzUR33etRYbKL77z+0+VY7KJGtC+P3NWXFnhDwb1+w/691NLF0M8zA1uIZR1E1 9k1GtrE2ZWg+mrJgdJJgHa6PGU3hwh9VWbpmw6mhW3MwAy9O0gtg/QXfcxdjVv7R vAax12E5K+m/Yj50+DFvuaygsV7R+nBMfJYt35mtsnto+2wceDQ7OyF5fz/IoiVK cH2h/8oNvDle8B50b+zi2SRCGxCfaCJ5pq6bP/1gpcphinVtQ4Os8CQqk3dDxn4m MW9qn5I8IfUtr1hATtngFr9ZH6JKg9F3bQl/r41NufNo7iH6m0/u65NH3gia+os5 SGLV3x5KvyUGcyysxlVKCOpRF1EZVYKFSnXsBNvTSeGa7H1Ro0Z0wuMHLTUVJjTn W3GuBANL/5l7rjkFFWobRAmHmVDc6etteI1Hwx18kGFjci5uFjRhVNRM2HSucZf7 2pP463giov79ifUDBo4/z2K5hGbQdxSHondBKlEn2CpMfdlrkHSHqTHzVsv5iOTi 0BHm2X49GpjkXzEagSf+OdcWfoCd5zr8S1HgP6V1LpdJlmjXHRsdGqcAiYTCVXk9 40Fy6juMJkmCVqVAhZWuq+6ROeehSyVS3FIEMVTox7FaWSZYMrqznJZKD9tQDU7S h/Z/KoBHWN3Vp9TOnylu8Oiy3h4Dwu7C9xf3ifGQHbU+W7P8exFXlwhv0HguTxdn bkMGsQ3f0eEZpovFeKEa9VD0QsJQrm4tUVObMuUy/OsAf5ar8KW4J2h3fkQmmrYR +Br8sJfSZBe61sfnn2sFVLVHEcOivUYFcJ/SQSx/St3x4QOjEj5Maj2oF7t85K2P jjEmVGnYf7expZXmxtUSgIH5VSIe063aWaM/DrTCntJaa79Tcu1qCzngY+BMro+G 5N4Ijh7wpMhSgJV0KbbVqUKIepW6n9rL1gUpirSPqvQrMkLpi2NiyHIUsW26e8ya ilMPAi8nrbhxA7qTJHmyIjdY06pV+vLg ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/52C2EDA248F29EED

http://decryptor.cc/52C2EDA248F29EED

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 2

  • Impact

    Defacement (T1491): 1

Tasks