Resubmissions

06-07-2021 11:37  210706-77ldcs8prn  (score 10/10)
05-07-2021 14:03  210705-kgqynjz7f6  (score 10/10, this report)
05-07-2021 12:34  210705-5cj5sav6qx  (score 10/10)

General

  • Target

    66060484cccedb839fb646d4e6020e079319374b2847c52dcec55c5ad60b1beb

  • Size

    120KB

  • Sample

    210705-kgqynjz7f6

  • MD5

    ee11b17a14f1b7a6b197e9f38eb5cf7c

  • SHA1

    7fd96ccbccac8731cc8157100740e850facebcc6

  • SHA256

    66060484cccedb839fb646d4e6020e079319374b2847c52dcec55c5ad60b1beb

  • SHA512

    2ae1a8adcd52cc10235d0ae1fcf018d04b6675b951c06c67d61720815c437c9c6b40663da1fab9e8c5390b92798b4dfc65821b27a86121bd4dbdf05230fdc227

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$Xz4awyPOJ8Jca4cwFS7VbONs5eKi/YmSEYzoCzty5zt6tMQswfl32

Campaign

7347

C2

lbcframingelectrical.com

ungsvenskarna.se

fotoideaymedia.es

bookspeopleplaces.com

chaotrang.com

geekwork.pl

victoriousfestival.co.uk

iphoneszervizbudapest.hu

jyzdesign.com

euro-trend.pl

villa-marrakesch.de

luxurytv.jp

international-sound-awards.com

web.ion.ag

ilive.lt

penco.ie

piajeppesen.dk

oemands.dk

boisehosting.net

quizzingbee.com

Attributes
  • net (send victim statistics to the C2 domains above: enabled)

    true

  • pid (affiliate id; the same bcrypt-format string shown as Botnet above)

    $2a$12$Xz4awyPOJ8Jca4cwFS7VbONs5eKi/YmSEYzoCzty5zt6tMQswfl32

  • prc (process names terminated before encryption so their open files can be encrypted)

    powerpnt

    agntsvc

    sqbcoreservice

    oracle

    ocssd

    dbsnmp

    excel

    mspub

    dbeng50

    onenote

    ocautoupds

    sql

    wordpad

    mydesktopqos

    steam

    synctime

    infopath

    thebat

    firefox

    msaccess

    isqlplussvc

    visio

    outlook

    ocomm

    encsvc

    mydesktopservice

    xfssvccon

    thunderbird

    tbirdconfig

    winword

  • ransom_oneliner (text rendered into the desktop wallpaper; {EXT} is filled with the per-victim extension)

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template ({EXT}, {UID} and {KEY} are filled in per victim; the two dropped notes below are the rendered result)

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub (campaign id, the same value shown as Campaign above)

    7347

  • svc (service names stopped before encryption)

    veeam

    sql

    memtas

    svc$

    backup

    vss

    mepocs

    sophos
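The prc, svc and C2 lists above are directly usable for hunting. The Python below is an added example (not sandbox output and not code from the sample) that turns those fields into checks over event records: DNS lookups of the C2 domains, and a burst of terminated processes or stopped services from the kill lists on one host, which is the pre-encryption step this family performs so that database, mail and backup files are no longer locked. The list values and the Botnet/pid string are copied from the report; the event records are constructed for the example, and treating list entries as case-insensitive substrings, the record shape and the burst threshold are the example's own assumptions. REvil domain lists are largely made up of legitimate sites, so a single DNS hit is weak evidence on its own and should be correlated with the process and service activity.

```python
"""Hunting checks derived from the extracted Sodinokibi config fields above.

Added example, not sandbox output or malware code. C2_DOMAINS, KILL_PROCESSES,
STOP_SERVICES and BOTNET_PID are copied from the report; SAMPLE_EVENTS are
constructed for the example and are not real telemetry.
"""
import re
from collections import defaultdict
from typing import Optional

C2_DOMAINS = [
    "lbcframingelectrical.com", "ungsvenskarna.se", "fotoideaymedia.es",
    "bookspeopleplaces.com", "chaotrang.com", "geekwork.pl",
    "victoriousfestival.co.uk", "iphoneszervizbudapest.hu", "jyzdesign.com",
    "euro-trend.pl", "villa-marrakesch.de", "luxurytv.jp",
    "international-sound-awards.com", "web.ion.ag", "ilive.lt", "penco.ie",
    "piajeppesen.dk", "oemands.dk", "boisehosting.net", "quizzingbee.com",
]
KILL_PROCESSES = [
    "powerpnt", "agntsvc", "sqbcoreservice", "oracle", "ocssd", "dbsnmp",
    "excel", "mspub", "dbeng50", "onenote", "ocautoupds", "sql", "wordpad",
    "mydesktopqos", "steam", "synctime", "infopath", "thebat", "firefox",
    "msaccess", "isqlplussvc", "visio", "outlook", "ocomm", "encsvc",
    "mydesktopservice", "xfssvccon", "thunderbird", "tbirdconfig", "winword",
]
STOP_SERVICES = ["veeam", "sql", "memtas", "svc$", "backup", "vss", "mepocs", "sophos"]
BOTNET_PID = "$2a$12$Xz4awyPOJ8Jca4cwFS7VbONs5eKi/YmSEYzoCzty5zt6tMQswfl32"

# bcrypt modular-crypt format: $2a$<cost>$ followed by a 22-char salt and a 31-char hash.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")


def pid_is_bcrypt(value: str) -> bool:
    """The affiliate/botnet id is a bcrypt string: an opaque per-affiliate
    token to pivot on across samples, not something to decode."""
    return BCRYPT_RE.match(value) is not None


def matching_c2(query: str) -> Optional[str]:
    """Config entry a DNS query falls under: the exact host or a subdomain of it.
    Parents of an entry (ion.ag for web.ion.ag) deliberately do not match."""
    q = query.lower().rstrip(".")
    for domain in C2_DOMAINS:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def matching_entry(name: str, entries) -> Optional[str]:
    """Case-insensitive substring match. Reading the lists this way is an
    assumption of this example, but entries such as 'sql' and 'svc$' only make
    sense as substrings (sqlservr.exe, SQLWriter, MSSQLSERVER ...)."""
    lowered = name.lower()
    return next((e for e in entries if e in lowered), None)


def hunt(events, burst: int = 3) -> dict:
    """Report DNS lookups of config domains, and hosts where at least `burst`
    processes/services from the prc/svc lists went down (constructed event
    shape: dicts with 'type', 'host' and 'query'/'image'/'service')."""
    dns_hits = []
    stops = defaultdict(list)
    for ev in events:
        if ev["type"] == "dns":
            domain = matching_c2(ev["query"])
            if domain:
                dns_hits.append((ev["host"], ev["query"], domain))
        elif ev["type"] == "process_terminate":
            image = ev["image"].rsplit("\\", 1)[-1]
            entry = matching_entry(image, KILL_PROCESSES)
            if entry:
                stops[ev["host"]].append(("process", image, entry))
        elif ev["type"] == "service_stop":
            entry = matching_entry(ev["service"], STOP_SERVICES)
            if entry:
                stops[ev["host"]].append(("service", ev["service"], entry))
    return {
        "dns_hits": dns_hits,
        "stop_bursts": {h: s for h, s in stops.items() if len(s) >= burst},
    }


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"type": "dns", "host": "WS01", "query": "www.geekwork.pl"},
    {"type": "dns", "host": "WS01", "query": "web.ion.ag."},
    {"type": "dns", "host": "WS02", "query": "notion.ag"},
    {"type": "dns", "host": "WS02", "query": "ion.ag"},
    {"type": "process_terminate", "host": "WS01",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"},
    {"type": "process_terminate", "host": "WS01",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "service_stop", "host": "WS01", "service": "VeeamBackupSvc"},
    {"type": "service_stop", "host": "WS01", "service": "VSS"},
    {"type": "process_terminate", "host": "WS02", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "service_stop", "host": "WS02", "service": "Spooler"},
]

if __name__ == "__main__":
    print("pid looks like bcrypt:", pid_is_bcrypt(BOTNET_PID))
    print(hunt(SAMPLE_EVENTS))
```

With the constructed events, WS01 produces two C2 hits and a four-entry stop burst, while WS02's lookups of notion.ag and ion.ag and its unrelated process and service stops produce nothing. Substring matching means a legitimate MySQL or Sophos restart also counts toward the burst, which is why the threshold, rather than any single match, is the signal.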

Extracted

Path

C:\754r3-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 754r3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D8D89A234CA66F16 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/D8D89A234CA66F16 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: lBheGiI0trkDw6zQ7JKcvBhp/Ydjnov2lv38JrrDFv9FMb/5cPN6/B6t657fxY32 q2ZIwOTrcnkSt+2H98xQGYeTfzhK0jmwRUOuHpKr+K7eGF3gtjbQYT0dDh/TNW3S Wa5hbd0wxSjLalchSheWqNEZXDFFxCwI/8dpfdqshwrZxauld+I3MdLTrvJC6pIL 3+mP81T1iFVVwyboIAIpF9yzIO9hM1/6h1aFT7WPOmjkudjklm6/MSwuKPefvtKF Ia25QkMR+laDcP0veDXOZ6JzvaHkVflcQiYr8xu2TxrpjoJO3ASB1Esaqlzu59DC 7/VUCaGmQJUpYhcp1gIZXYRh49g05SkuTFve5/g7kFy8bfQaFmmYTYpibv3E5jZ8 OyC2Op/xVX2wxGkJUwtEphZ9aS8S1n147rkGptvZZbQzawAvHAwfe8XCRJcXzBh5 BtYAyy+8zvUri7qEWNzqa5bV+M8DHm9JjHZPr7NKjAqKKT1JmV4mpjMW+jND/1a4 MtkOiXMk2wGMt6uS+QLt8Nsbt+pQwJffKorwjiubd+rE3QsWxtWLSo7M/sYBM5M9 sgPcQXkhYsWOXVWsK6P1ol7Wcg2Ha7tZ5dADgb8rM1xMKX22UwH3NN838gcWrUW3 P8zWnkstdFUk7/QlLs5F66//GSQhjyQyo8ctHn55POt2HLuEcd1PTu7Nbdyo6FT8 bNAa66FthicdwZD78A8mcoXsOtRyihxSP3RwAwzaSGHyxapNU7Mj28EanXpHVcRB MdVwdMc7MELoibJayqgLwgPcvMxzpup/sipWDozJ+jvYBmlFOOMkEOE67NDuRfpi Ky6r9xGgPuBMY/vk/knlzwdNVT76qUd3xrEOcYa+c0KS4EAmwiqATUDDOWPJdKcJ IV7q/bLbtKvVoNlYZPIob8QyTODF11x3Jvhyl00BYTosSbl5QZjGhgpQeMWssJws qbCXtUUDcq0LxiJ0Kl/+w8N5kPFjX5F6rXBResKvzPKzi0LO4rk0wgaCIuo5COVk q+FdQFuYlQxonAHm6/BCGx2At6M5bm7QQ9++sqxWbeZzgO1IYpI+EbDuxfXh3ujH GaRvywFye/v2XtaIzNMQhVxVGT9UhnTU5qPCudLwaLZanvg1NPmf3fVQXW88zbV5 MBCFmTDakeIzlY5Uocx9cDFLfCkB6BPryXJTF/DWzP3SS5TLgpjXJbq5GNYpR72C uXIArUkfwzNzXsoFGtK+o7HCxDzRi96QgQ7MkFqkGhRIwe0ub6PNO9ZHrZ3Svc81 oW1xKzQXZadBtHPk5tHQlRiqApc= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D8D89A234CA66F16

http://decoder.re/D8D89A234CA66F16

Extracted

Path

C:\5r8k6r25b7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5r8k6r25b7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F3A439B173385382 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/F3A439B173385382 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: fS5oLV/wxKQRFg3ENDC/Fo0GAjMoWIuTlekrG2xSP83rSoejek47QAw4U1z5L+nO Hcnw1gzOBjXNmcQtwTRtl7BXTUzCcFn4i6XoEOnpDVcXBqlXnQgRhNWlDoSHfDq0 szZMKzvFvJsIS091oWEdmNUPBiRidHAI8NTMbtfPTMbe2IP756i0bk2VNkrHESKw wGLrFiPXVdkhivZ32UOb0s3/L/hkScmJsU3fuqM6FcY9XH9PXhoWYVlOjXyrAbo+ IwSi/gHfyDHzqLB5P5qG8ijhE4682E8HuHEPBQU/ztbZAeM7b5HDeQo8uMeQEuq/ Md3YSZMDy6aD+aPZnZFMq2XUmL74y9unrPWf0aSSoin+MrU703CJJxtDmFq5ziDw 5Fq1hCSqx4Us+qzTXXqy1NTkAu+tfSX0IzzcJoz973j31gqiUgUVGYTiW1tz74bs WoXYcV2AueQMKGxJxdgl2NdGPCoIe13lBXke70xPNEuVjghECufr/lNy4l/ak2pQ iFXEeLDkkNVv5+Rmymvd8pqxhpUaOGvlnrjuPtvruDu0V7E2qs3mzSMAJWt8rGGf CxRkH3FwIPPpB4v4eD5I6Vj+ma8r073e7TJ2XVQ1p9aL+0Nh2kiEbK75RpofP6h9 HnCy5987b3Wkbkc3JjcpxK4DzucHXN9cw9x2zvYDZW3w70Kf1IDdbdANHL14dEjS O4W2N3jNkm3YUhwB/33Fw01VrM5LpEkjWc+lGJvXBRHk+9Ksw4zaM85/utcdGzn6 1iSziLFvPJvj5Ohn14eXhTLAK1NPHPe6gfTfFqpIRcJT/HOand9ZbiYm4gvJ/Ihe 94x6FZvGomxlr0I9ytvwjj9e3Ru05gf1Mpi7fKbjB9AUTa85lbbG1Kv818dLvoq7 WCief/URzU92bgrnyU2kliFJyq0D2pibVram5TAIjSkmqy8G+eh6nj0U4i9sHasU jLgPpG7p1wIcxw4UlKbT0MoFVy0J4FAOWIemSBl4nVaLc/L+dF1x5cEDMYRnkxT6 E6ZkUoLqjjDIfCtv0h17vS0ikKnw9XVH2ue6YjC3R0fFgany5GHvOTrrjLuccsV3 QI8najGBeiySJxQlSzfuMzlGeIpf18pfbN3XgsC3aLwUDKiyEbF9JAjcYwLkS3iJ e9D8jg85ezIO6a6D19YopU1KOFSwl3spukTnUwCTIgNESUBUsDCS9t6TrVoyv7bs ExoUM98R66oRp0Hx46fxiJzoSlQ5RGprrG6r7v9c+6qXtlMXkcmySjAA17nGkcfd UlNnl0leYL4dQJtgcAQ= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F3A439B173385382

http://decoder.re/F3A439B173385382
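The two extracted notes are the ransom_template rendered with per-victim values: 754r3 and 5r8k6r25b7 as {EXT}, D8D89A234CA66F16 and F3A439B173385382 as {UID}, and the key blob as {KEY}. The Python below is an added example, not report or malware code, that compiles the template into a regular expression and recovers those fields from a dropped note, then derives the per-victim readme name ({EXT}-readme.txt, as the ransom_oneliner states) and both payment URLs. The template and note embedded in it are abridged copies of the text above; the key is truncated to its first two wrapped lines and is not a usable key, and the character classes assumed for each placeholder are the example's own.

```python
"""Match a dropped REvil readme against the extracted ransom_template.

Added example, not code from the report or the malware. TEMPLATE and NOTE are
abridged copies of the text in the report (same placeholders, same onion and
decoder.re hosts, same UID and extension); the key is truncated to its first
two wrapped lines.
"""
import re
from typing import Optional

# Placeholder -> capture pattern. The character classes are assumptions drawn
# from the two notes on this page (lower-case alphanumeric extension, hex UID,
# base64 key wrapped onto several lines), so they are kept permissive.
PLACEHOLDERS = {
    "EXT": r"(?P<EXT>[a-z0-9]+)",
    "UID": r"(?P<UID>[0-9A-Fa-f]+)",
    "KEY": r"(?P<KEY>[A-Za-z0-9+/=]+(?:\s+[A-Za-z0-9+/=]+)*)",
}


def template_to_regex(template: str):
    """Escape the template token by token, turn {EXT}/{UID}/{KEY} into named
    groups (a repeated placeholder becomes a back-reference so both URLs must
    carry the same UID) and make whitespace runs flexible, because sandboxes
    and extractors re-wrap the note text."""
    seen = set()
    parts = []
    for token in template.split():
        escaped = re.escape(token)
        for name, pattern in PLACEHOLDERS.items():
            marker = re.escape("{" + name + "}")
            while marker in escaped:
                repl = f"(?P={name})" if name in seen else pattern
                escaped = escaped.replace(marker, repl, 1)
                seen.add(name)
        parts.append(escaped)
    return re.compile(r"\s+".join(parts))


def parse_note(template: str, note: str) -> Optional[dict]:
    """Fields the note was rendered with, or None when it does not follow the
    template (another family, another REvil build, or a hand-edited note)."""
    m = template_to_regex(template).search(note)
    if m is None:
        return None
    return {
        "ext": m.group("EXT"),
        "uid": m.group("UID"),
        "key": "".join(m.group("KEY").split()),  # undo the line wrapping
    }


def note_iocs(fields: dict) -> dict:
    """Per-victim indicators: the readme name from the ransom_oneliner pattern
    '{EXT}-readme.txt' and the two payment URLs from the template."""
    return {
        "readme": f"{fields['ext']}-readme.txt",
        "urls": [
            f"http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{fields['uid']}",
            f"http://decoder.re/{fields['uid']}",
        ],
    }


TEMPLATE = (  # abridged from the report's ransom_template
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension {EXT}. b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "b) Open our secondary website: http://decoder.re/{UID} When you open our "
    "website, put the following data in the input form: Key: {KEY} "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!!"
)

NOTE = (  # abridged from C:\754r3-readme.txt above; key truncated to two wrapped lines
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension 754r3. b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D8D89A234CA66F16 "
    "b) Open our secondary website: http://decoder.re/D8D89A234CA66F16 When you open our\n"
    "website, put the following data in the input form: Key: "
    "lBheGiI0trkDw6zQ7JKcvBhp/Ydjnov2lv38JrrDFv9FMb/5cPN6/B6t657fxY32\n"
    "q2ZIwOTrcnkSt+2H98xQGYeTfzhK0jmwRUOuHpKr+K7eGF3gtjbQYT0dDh/TNW3S "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!!"
)

if __name__ == "__main__":
    fields = parse_note(TEMPLATE, NOTE)
    print(fields)
    print(note_iocs(fields))
```

Run against the real note text the same function yields 754r3 and D8D89A234CA66F16 for the first note and 5r8k6r25b7 and F3A439B173385382 for the second. The extension and UID are the values worth storing per incident: the readme name and the payment URLs are the only victim-specific strings in an otherwise fixed note, while the key blob is per-victim material that should be preserved verbatim with the other evidence.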

Targets

    • Target

      66060484cccedb839fb646d4e6020e079319374b2847c52dcec55c5ad60b1beb


    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, such as saved credentials. For an encryptor this signature usually fires because the file walk touches browser profile directories; on its own it is not evidence of credential theft.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
