General

  • Target

    b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb

  • Size

    212KB

  • Sample

    210504-yq9a8rc8c6

  • MD5

    c283e5ec517605b6226c29f96f6d1d28

  • SHA1

    43caef6a20ab9e045d76f8bf3e4e96d622f2a6eb

  • SHA256

    b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb

  • SHA512

    8a72a611925f7e504ebde23dba0f23f1cb30613bc1c3f6e36dfa3c8e954e152054a154ad3cc5eaeb4861e776135daa77ce19ebc0b00813d83298fd01ca579955

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$r6eraUDkjk.UEhABW3m2ge5gwEH9GA6JwMzL5IbHbgkJemUkbIur.

Campaign

4722

C2

castillobalduz.es

nokesvilledentistry.com

plastidip.com.ar

waynela.com

senson.fi

teczowadolina.bytom.pl

www1.proresult.no

almosthomedogrescue.dog

instatron.net

devlaur.com

colorofhorses.com

ncid.bc.ca

carriagehousesalonvt.com

denifl-consulting.at

kalkulator-oszczednosci.pl

girlillamarketing.com

polychromelabs.com

campusoutreach.org

pmc-services.de

jameskibbie.com

Attributes
  • net

    false

  • pid

    $2a$10$r6eraUDkjk.UEhABW3m2ge5gwEH9GA6JwMzL5IbHbgkJemUkbIur.

  • prc

    ocautoupds

    ocomm

    sql

    synctime

    firefox

    excel

    dbeng50

    msaccess

    dbsnmp

    sqbcoreservice

    mspub

    onenote

    powerpnt

    oracle

    agntsvc

    isqlplussvc

    thebat

    thunderbird

    mydesktopservice

    wordpad

    steam

    visio

    winword

    infopath

    encsvc

    ocssd

    mydesktopqos

    tbirdconfig

    xfssvccon

    outlook

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4722

  • svc

    backup

    vss

    sql

    memtas

    svc$

    sophos

    veeam

    mepocs
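The `prc` and `svc` lists above are what the sample kills and stops before it starts encrypting: services whose internal name contains one of the `svc` strings (entries such as `sql` and `svc$` only make sense as substrings, not as full names) and processes whose image name contains one of the `prc` strings (matched here as case-insensitive substrings as well, which is the only reading under which `sql` hits `sqlservr.exe`). On a Windows host that leaves System log event 7036 (a service entered the stopped state) and, with process-termination auditing enabled, Security event 4689, and a burst of such events touching backup, database, AV and Office components on one host inside a couple of minutes is a signal that does not depend on this sample's hash. The Python below is an added example, not from the report or the sandbox vendor: it applies the page's two lists to a constructed set of events and raises one alert per host and window when at least three distinct config entries are hit. It assumes the events were already normalised to the internal service name; 7036 records the display name, so a display-to-service-name lookup is needed in practice. The window and threshold are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime

# Kill/stop lists taken from the extracted config above.
SVC = ["backup", "vss", "sql", "memtas", "svc$", "sophos", "veeam", "mepocs"]
PRC = [
    "ocautoupds", "ocomm", "sql", "synctime", "firefox", "excel", "dbeng50",
    "msaccess", "dbsnmp", "sqbcoreservice", "mspub", "onenote", "powerpnt",
    "oracle", "agntsvc", "isqlplussvc", "thebat", "thunderbird",
    "mydesktopservice", "wordpad", "steam", "visio", "winword", "infopath",
    "encsvc", "ocssd", "mydesktopqos", "tbirdconfig", "xfssvccon", "outlook",
]


def svc_matches(service_name):
    """Config entries contained in the internal service name, case-insensitively."""
    name = service_name.lower()
    return [s for s in SVC if s in name]


def prc_matches(image_path):
    """Config entries contained in the image base name (path and .exe stripped)."""
    base = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return [p for p in PRC if p in base]


# Constructed events (not from the report), already normalised from the
# Windows event log: 7036 = service state change (System), 4689 = process
# exit (Security, needs process-termination auditing). Times are ISO 8601.
SAMPLE_EVENTS = [
    {"ts": "2021-05-04T10:01:07", "host": "FS01", "id": 7036, "service": "Spooler", "state": "stopped"},
    {"ts": "2021-05-04T09:30:00", "host": "WS07", "id": 7036, "service": "MSSQLSERVER", "state": "stopped"},
    {"ts": "2021-05-04T10:12:40", "host": "FS01", "id": 7036, "service": "VeeamBackupSvc", "state": "stopped"},
    {"ts": "2021-05-04T10:12:41", "host": "FS01", "id": 7036, "service": "VSS", "state": "stopped"},
    {"ts": "2021-05-04T10:12:41", "host": "FS01", "id": 7036, "service": "MSSQLSERVER", "state": "stopped"},
    {"ts": "2021-05-04T10:12:42", "host": "FS01", "id": 7036, "service": "Sophos MCS Agent", "state": "stopped"},
    {"ts": "2021-05-04T10:12:43", "host": "FS01", "id": 4689, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"ts": "2021-05-04T10:12:43", "host": "FS01", "id": 4689, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"},
    {"ts": "2021-05-04T10:40:00", "host": "FS01", "id": 7036, "service": "VeeamBackupSvc", "state": "running"},
]


def correlate(events, window_seconds=120, min_distinct=3):
    """One alert per host and window in which >= min_distinct distinct config entries were hit.

    A single service stop is routine (patching, maintenance); the sample hits
    many families at once, so the threshold is on distinct entries, not events.
    """
    hits = defaultdict(list)  # host -> [(timestamp, entry, evidence)]
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 7036 and ev.get("state") == "stopped":
            for s in svc_matches(ev["service"]):
                hits[ev["host"]].append((ts, "svc:" + s, ev["service"]))
        elif ev["id"] == 4689:
            for p in prc_matches(ev["image"]):
                hits[ev["host"]].append((ts, "prc:" + p, ev["image"]))

    alerts = []
    for host, items in hits.items():
        items.sort()
        i = 0
        while i < len(items):
            seen = {}
            j = i
            while j < len(items) and (items[j][0] - items[i][0]).total_seconds() <= window_seconds:
                seen.setdefault(items[j][1], items[j][2])
                j += 1
            if len(seen) >= min_distinct:
                alerts.append({
                    "host": host,
                    "start": items[i][0].isoformat(),
                    "end": items[j - 1][0].isoformat(),
                    "entries": sorted(seen),
                    "evidence": seen,
                })
                i = j  # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], alert["end"], alert["entries"])
```

The isolated MSSQLSERVER stop on WS07 stays below the threshold, while the FS01 burst trips it on seven distinct entries. Whitelisting known maintenance windows and the `svc$`/`sql` substrings (which also match legitimate admin activity) is where most of the tuning effort goes.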

Extracted

Path

C:\3n6f40w-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3n6f40w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/85833F0D52BC4D68 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/85833F0D52BC4D68 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: BZaVuHJVf726bMd62XivNbgmpTUbVO1iIVU9C6qgzNMp6v89fUTI2g0u1AfPttY5 GRTvnz4E9601AbBywC22EZgLkbcxzdhrpEVgmYViT8qQjHE0KaMtaocGMU0OJMWY kuYQunEGvX6uY9syIVY51wvaFmJDh68EuepsmqgPB4IR86ssPfMHRRnhBDBZvcsP dFc8J8ldVyqK5s49JRI/4W9+9e1gIh/pm2CV5mc2JmfTPRFXCXSPV2Jd5bn8fNt8 92nZTUpQ42GaCyI/ZqBG301/OaFQWW02ZX4AXzWiKVpu1It8Ok3YgygXvs1Vgib7 XMy0SjH5UM3f3qe+0RZ0Gpf712ittcqr3GEEqcmTHFkafh3qA0Uw5bnBYwuAZCHR q6mA81qE84P+rZQEljmTnH+5nmbt0EAp62xR7dMM3yxrzmDMPHcEscLBybKl/N8B xyjY/olWdvIC1x6OqkDiHC0cVbQ5M4pKRcdRKyHEzmK2H98bGYiBkZ3nCEBdC8ij oUbLvvq/ZQp6jAR8DWk784RMTxbK3N/ymau7Qtuib9e5R4xRDzpD4kucOZ1tU1zj c3Y3W4ZsdS3c6oP/JSUmtzyWwAt1GZhDGFat3mY8uOiJocIz4Nl2fniOkZQ+r8C+ wFL3pIB7eue+yu8E7MdSks/RL/u+tBdCBSjtltLJT14P8yTF5vmY+PRjaADK3wKl bsO7d+tFxvBUVN/hr7m6UuiWyFpa13oveO29R7iqhoHDyMklsj8uJ5MZxmEZFHQ5 3IWQgL9jSJuwZr/+PN7fUyx1rNC45omli5JR8rnJ7ma6mW1z2tgTWQo9M3ta8VzH EaPjimvlttKZLIXh/rvJzPvrE1dPtRuVkqOh3dF5vPE46xr3laMAhH7rq0jGOZkm aprjDnD8uAR//QqCyel6HOCqetyF5XfbanfXi8UvrrAcdFPqHC9Tyl4pUurJ19lg Y4BWbZD9mYzHqjpTFaweLBBW9VV0yZuuTORcyFjMenTc5qwwSD8apluDr0q44v3o MefB3YOmNgMtPqm8ZjSIwkVjRXd4+FPHKFn69YrEdLIfvBqKrxU/cKvyAA0J0Tba OKgnR9gDtaRA4nWNgdKmh81jshFblYZFjzZIIBtmEYCCJ3axwboKBFukNUMDteim r0XIpL1UdqmgJD/VfhGNK8lT8oBOP9Nf3eWiKtXuFSBEtjFQ+Qyjb8dbjvUBs/OG rooVVEpChYvHm+Rlncq9YYcdEjQLdqRm/TdtsGmZ1v4TClpxT27CA7dtvivYZOWM 8G9RxuTIKsCsoKXdUVrm+JHC ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/85833F0D52BC4D68

http://decryptor.cc/85833F0D52BC4D68
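The extracted `ransom_template` above and the note dropped at `C:\3n6f40w-readme.txt` are the same text with three placeholders filled at run time: `{EXT}` is the per-victim file extension (`3n6f40w`), `{UID}` the victim ID appended to both payment URLs (`85833F0D52BC4D68`) and `{KEY}` the base64 blob the victim is told to paste into the portal. The Python below is an added example, not part of the sandbox report: it renders the template with those values and parses the per-victim fields back out of a note, which is a quick way to tie a note recovered from a victim host to an extracted config. The template is abbreviated to the placeholder-bearing sentences and the regular expressions are this example's own. One caveat on the config itself: `net` is `false`, which in Sodinokibi disables the stats beacon, so the domains listed under C2 are configured rather than contacts observed in this run.

```python
import re

# Abbreviated copy of the ransom_template extracted above: the sentences that
# carry placeholders are kept verbatim, the static filler is elided as [...].
RANSOM_TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension {EXT}. [...] b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "[...] b) Open our secondary website: http://decryptor.cc/{UID} [...] "
    "put the following data in the input form: Key: {KEY} "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! [...]"
)
# The one-line message from the config; the typo is the sample's own.
RANSOM_ONELINER = "All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions"

# Per-victim values observed in the dropped note on this page. Only the first
# base64 chunk of the key is repeated here; the full blob is in the report.
OBSERVED_EXT = "3n6f40w"
OBSERVED_UID = "85833F0D52BC4D68"
OBSERVED_KEY_PREFIX = "BZaVuHJVf726bMd62XivNbgmpTUbVO1iIVU9C6qgzNMp6v89fUTI2g0u1AfPttY5"

PLACEHOLDERS = ("{EXT}", "{UID}", "{KEY}")


def render_note(template, ext, uid, key):
    """Fill the three Sodinokibi placeholders by plain substitution."""
    out = template
    for placeholder, value in zip(PLACEHOLDERS, (ext, uid, key)):
        out = out.replace(placeholder, value)
    return out


def note_path(ext, root="C:\\"):
    """The note is dropped as <EXT>-readme.txt; the report shows it under C:\\."""
    return f"{root}{ext}-readme.txt"


# Regular expressions are this example's own, written against the template.
URL_RE = re.compile(r"https?://[\w.-]+/[0-9A-F]{16}")
EXT_RE = re.compile(r"has extension ([0-9a-z]+)\.")
UID_RE = re.compile(r"\.onion/([0-9A-F]{16})")
KEY_RE = re.compile(r"Key: (.+?) -{5,}")


def parse_note(note):
    """Recover ext, uid, key and the payment URLs from a rendered or dropped note."""
    ext = EXT_RE.search(note)
    uid = UID_RE.search(note)
    key = KEY_RE.search(note)
    return {
        "ext": ext.group(1) if ext else None,
        "uid": uid.group(1) if uid else None,
        "key": key.group(1).strip() if key else None,
        "urls": URL_RE.findall(note),
    }


def matches_template(note, template):
    """True when the note is exactly this template with its placeholders filled.

    A note that parses but does not round-trip came from a different template
    build (or was edited), which is worth knowing before linking a victim host
    to this particular config.
    """
    fields = parse_note(note)
    if not all(fields[k] for k in ("ext", "uid", "key")):
        return False
    return render_note(template, fields["ext"], fields["uid"], fields["key"]) == note


if __name__ == "__main__":
    rendered = render_note(RANSOM_TEMPLATE, OBSERVED_EXT, OBSERVED_UID, OBSERVED_KEY_PREFIX)
    print(note_path(OBSERVED_EXT))
    print(parse_note(rendered))
    print("round-trips:", matches_template(rendered, RANSOM_TEMPLATE))
```

The `{UID}` and the `{KEY}` are what the portal uses to identify the victim and the per-host key material, so both, together with the extension, are the fields worth recording from every note recovered during an incident; the URLs themselves are identical across victims of this build.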

Targets

    • Target

      b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb

    • Size

      212KB

    • MD5

      c283e5ec517605b6226c29f96f6d1d28

    • SHA1

      43caef6a20ab9e045d76f8bf3e4e96d622f2a6eb

    • SHA256

      b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb

    • SHA512

      8a72a611925f7e504ebde23dba0f23f1cb30613bc1c3f6e36dfa3c8e954e152054a154ad3cc5eaeb4861e776135daa77ce19ebc0b00813d83298fd01ca579955

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks