General

  • Target

    283f0276d05b7924ebdc0a8f9834543ffdaeea2352a7b1a471144ac5a56fbe44.bin.sample

  • Size

    2.2MB

  • Sample

    210602-ydg99dpmtj

  • MD5

    6918f465b1893633522e2e83ac76cfbe

  • SHA1

    82a23e9c4edd5d53f6a25e31c0a55c84cb3aea81

  • SHA256

    283f0276d05b7924ebdc0a8f9834543ffdaeea2352a7b1a471144ac5a56fbe44

  • SHA512

    e2b2113e38d2fb6a77f6275f249f461680d0fe32004344083061ffafe2ad29c7277cc1ebad2f2e6ce878d054baf0531ed627b47ddf14b9d3db41f06a26231a86

Malware Config

Extracted

Path

C:\9tgxy79awa-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9tgxy79awa. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A8100A829C2513C6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/A8100A829C2513C6 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Gofk25k3JAgRyYfIVis3RxzUvGj4t58yLzy27Fa87LGSN3KrAn1nslneTAm1ck3N se0UsNFeo6VRIANhfOAgUljg6uenuBneuMSGrBWwbSUFUE/slQGyXpCN8kLnz3ZK iiQKdKBVwMcBOHUr8TrWIUOpG2VUm9upsLEsa5lp0AyTj8pqfvmEQHqI+5e0dmM8 x+wrxb2ncbCRQSMeckekXs9xXrUCn8aZRuOAquSuc65O/SgkJ1EksYRes6bp63Qe AlMUZWYOtYddSjt171HYahmjzU1ce8UGt7uXIzmpHGpDun6IlS/49lWwEicySRzQ 4oab3tdBvr5nY/2WoztjA0z093bjgZbpzs0e7NBy8EnaQsVGXv/tJBlbeyJWwyDe ytRCYnLY2qgLlTk81bWuoCFMCvziZ1KzUwtkqK6OwvprcFwBPXqaTl+oIBArMzdf OWw/xMS6eZulCEb0UOBxTOBbXxSW7Hx05TYEbJtvuRhMtrr3BxD4vKMi47tO4d/s Zi7XV/QGvlAKPRrji5E4M5vD75vjtXsfSYbe0gswFGDzJZERfYy3dQSfFWM5pjYo oo6dYOwO9Marax6zDdCwfQ8bJ/x7kTrWOQCAc5qqZOC1y66OyBvy5eWvVObPOXC+ RUUy4Z9cv6nG0+R5N40fzVVs5ZYbCRyQqsuBG96lUHgTRxxSl4O4XvSg/n/RK6cQ G9MegYHryQkvObLVwu18qh4Tz6nAz0Kxd2yzkbn3cj3d5Nc3+t7cWpxN21wlFeSs CJhdNdycqkWBHnKsl6gNHwSc7JfeU9ARvdEtjmsWdRbE1f0z+fbS0qgoDeK4gcuT bZvRpRQeEZ4fXnOGPDzQEfTBIAZrINEvdOIeRJrwRFGU96yRbXG/lgOoBISO7KvY cmsuj67zTIsOZHNO6Z/P2admh+vcW1tSS7vZYHbQwjY2w1wE3ZkFmWWL4KI4v+uC 5gyESJFB8/aTNxl4xvO/b6tkbV+ColOq+rvoPMx9/yedbhHD5+gCHR1lD50vX10h PGbepCo3s3OVeMJOQjfO3J+8OGWcvoFLLLLEQNb7bp1LClPxn8GoQEwCptYwuFbo Q5RSR8BwDHM2TcIbfhg0II4TOZKZ+r7XKu+WHNQdlcdgMNuJznw4lAezJhIOsgRn L6AK25BOS+ccPQsl4S+JYe3inYTVQyxKgsDhRpbkPzrBEN4yeCIct+ZVvP5+zr3n y6NVzjDC6bQh50Xlh76R23SCxntYDmf4AJp5NXiUNYgtfBxjC+xPJklCJoziAXPr yIptXOoFyYqDStFuqFey4DX21GUpCl09ZAecyjF8 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A8100A829C2513C6

http://decoder.re/A8100A829C2513C6

Extracted

Family

sodinokibi

Botnet

$2a$12$3TgsBmOAiqivVV/2Ou7jleqgmwSU0bOG38ZZm.npkdxknQ4HeoSZq

Campaign

7847

C2

dirittosanitario.biz

slupetzky.at

colorofhorses.com

shiftinspiration.com

foryourhealth.live

ziegler-praezisionsteile.de

dutchcoder.nl

oemands.dk

sevenadvertising.com

deprobatehelp.com

cleliaekiko.online

geekwork.pl

philippedebroca.com

blood-sports.net

paradicepacks.com

hokagestore.com

ora-it.de

rieed.de

coffreo.biz

digivod.de

Attributes

  • net

    false

  • pid

    $2a$12$3TgsBmOAiqivVV/2Ou7jleqgmwSU0bOG38ZZm.npkdxknQ4HeoSZq

  • prc

    tbirdconfig

    isqlplussvc

    mspub

    mydesktopservice

    xfssvccon

    outlook

    sql

    visio

    excel

    msaccess

    onenote

    thunderbird

    infopath

    ocomm

    oracle

    sqbcoreservice

    encsvc

    thebat

    steam

    ocssd

    wordpad

    dbeng50

    ocautoupds

    powerpnt

    winword

    dbsnmp

    agntsvc

    synctime

    mydesktopqos

    firefox

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7847

  • svc

    sophos

    backup

    svc$

    veeam

    vss

    memtas

    sql

    mepocs

Extracted

Path

C:\x0zff4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension x0zff4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E0C3F14358F23DFB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/E0C3F14358F23DFB Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: HLIDRjleg8PPduLwdkkEI64ZIbKSw0q5qP3erFvzL175LR6cgPNWKHJ1pkS9mPLy th66FA/pMv38bhsguHZdJUPCd4Ffad0hb3ZtNtW8T0IwPYnHRKIXYkb+mCZIPMus rGMiyBa3CasPdRfM8BWOqJHIgbu7v1W0xVAPiC6RmC/XAGnQoZN/8s+lT1Mg3Rcp fYRU0aURd9YAkRLOWTMUsMwlWqKnhAEFWuPFK0d28pSk4BsoAUbEYGZcwiXrJqp9 VfE3d9DQ69I5vsMgyviRrNaHaVTQKYa1kwrIKILX1KUnJ2l8v6vmxrZiluX/x8o6 Yd/xnKF4ehg4HgHEqWBZPWL8YEpIG4REoXG/vE+ZjCFj2XastzRja8cNI5QJJB1s 2ZbbM8g4S2NUjBL5JuEebZpkhV0dkaPtgjY601sgp/3PDK43et6vBj+PrPZYUhim /kBsUlUO6BMgpTInnoL04ZerAu+VCpevnS5Z3qB59AjEXL/NRybUTGlNY/zticH/ M5PVK6djUDzT8+AAgocJGbXwHqJ+XuvCxMnhnmwceUYvgfbyTUUxtOoWTxbFaEpi /eME5aHphQKg3baD6Iss0zQsF599kII/UyA/WKG4TRnIMW9ojL6v561U1+USjwSw REmyWq7/j7hQa/YWMDYNBxcDdpWhsRNBLJqWrJYmNtZ+OZ/W36kK3gb2dpaqWFjC Q/vpkxfumn9u5OyuklToOoAtB2tw4S9qEhSvxjGCchXPZqddltT6AyKslp5ezAra Zed5PqRDsOq8PFCUhtq9Y0vmZZePv5ZtsmeUUUQvF6KSutkWFouZyI/OVkV0Vwet 4sdU8+3guQvffDWO68bt36RebNuxoTQnYSwwYHT98P2ltZwT4V+vlGkMoJbzSymu tT/DfcyQI3UqvPv8UirZN8fcO158rf6bOGifrzNBrhC9Hk6wSuKwC53BIbEzPCEO VqpMNkMwDjV173dSoj7BGsH7v1cc1awQzR4GRWLtQ4SpAiEimip/rIwrJz7/QKuZ CrXHo4R5RoKiN2RkK+bORB7HdYrJl4bIaUBREu+N8YfQC05uyaNh1PsCi68dZL21 FTAv+ZI6xa0I4E8lcl6qHu7JYiYls9cxdl5YRUqrlvr7YBtpuLJds18h4ppuuKhh YpPWgITp2/P09BRbMgzBrYmF2sKpQKitAN7ujjV88o7mqeFNnwfyndXXSr/E7noL 4TpmaAKWDhEe8Qv20e3dapiubEICMirscr9mYAh3jwVGZZXAYw59/u4o/M/V879w oOEjSdW4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E0C3F14358F23DFB

http://decoder.re/E0C3F14358F23DFB

Targets

    • Target

      283f0276d05b7924ebdc0a8f9834543ffdaeea2352a7b1a471144ac5a56fbe44.bin.sample

    • Size

      2.2MB

    • MD5

      6918f465b1893633522e2e83ac76cfbe

    • SHA1

      82a23e9c4edd5d53f6a25e31c0a55c84cb3aea81

    • SHA256

      283f0276d05b7924ebdc0a8f9834543ffdaeea2352a7b1a471144ac5a56fbe44

    • SHA512

      e2b2113e38d2fb6a77f6275f249f461680d0fe32004344083061ffafe2ad29c7277cc1ebad2f2e6ce878d054baf0531ed627b47ddf14b9d3db41f06a26231a86

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6