General

  • Target

    DAG-S-DC01_2021-07-21_03_42_15.zip

  • Size

    214KB

  • Sample

    210721-zr46z5mc66

  • MD5

    5b48600bd3f374bb2cfa9042a6d081fe

  • SHA1

    8f44396f6f0ccaa3b040494bf4ffd3ba51d70414

  • SHA256

    a109b6fddeff883d36555f3f32fe47103eb24d6f5c2c6a026a43ddd270d23566

  • SHA512

    cb3194aa980230a23e327dd41882d92f45e1f81f30aeff1d66da73076006413ae94d290b548e800ed68af18407f93f8a959c5bde1eb243cb25bf3b0677df6998

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$zvCaHrcgOsssnXucoJXYJuoAPynYmqwEN1ZMWc0pxExPCnGaUXX8C

Campaign

4953

C2

lucidinvestbank.com

villa-marrakesch.de

pomodori-pizzeria.de

seevilla-dr-sturm.at

naturavetal.hr

rumahminangberdaya.com

kaliber.co.jp

campus2day.de

newstap.com.ng

liikelataamo.fi

easytrans.com.au

baylegacy.com

blgr.be

denovofoodsgroup.com

jobcenterkenya.com

lachofikschiet.nl

tinkoff-mobayl.ru

nandistribution.nl

bildungsunderlebnis.haus

better.town

Attributes

  • net

    false

  • pid

    $2a$10$zvCaHrcgOsssnXucoJXYJuoAPynYmqwEN1ZMWc0pxExPCnGaUXX8C

  • prc

    cvfwd

    visio

    ocssd

    sapstartsrv

    vxmon

    avscc

    bengien

    infopath

    thebat

    disk+work

    CagService

    excel

    ocautoupds

    mydesktopqos

    TeamViewer.exe

    xfssvccon

    DellSystemDetect

    powerpnt

    isqlplussvc

    cvd

    tv_w32.exe

    sql

    TeamViewer_Service.exe

    tv_x64.exe

    mspub

    pvlsvr

    winword

    thunderbird

    EnterpriseClient

    saphostexec

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). The faster you contact us, the easier it will be for us to agree. Your backups were also encrypted and removed. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! 
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! ----------------------------------------------------------------------------------------- You can read about us on Google: Revil/Sodinokibi - Travelex, CyrusOne, Synoptek, etc.

  • sub

    4953

  • svc

    VSNAPVSS

    WSBExchange

    BackupExecManagementService

    SAPD$

    GxVssHWProv

    memtas

    GxClMgrS

    SAPService

    CAARCUpdateSvc

    MSExchange$

    MSExchange

    MSSQL$

    MSSQL

    MVArmor

    bedbg

    CASAD2DWebSvc

    BackupExecAgentBrowser

    VeeamNFSSvc

    SAPHostExec

    AcrSch2Svc

    QBIDPService

    GXMMM

    QBDBMgrN

    GxFWD

    AcronisAgent

    QBCFMonitorService

    BackupExecRPCService

    avbackup

    mepocs

    backup
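The prc and svc lists above are the processes and services the sample tries to terminate before encrypting: Office applications, database engines, mail clients and SAP processes that would hold files open, and backup and VSS-related services that could interfere with encryption or preserve restore points. The following Python is an added example, not part of this report and not the malware's own code. It takes the two lists as extracted above and reports which entries of a constructed host inventory they would hit, so a responder can see at a glance which of their own workloads are in scope. It assumes a case-insensitive substring comparison, which bare entries such as sql and backup and the instance prefixes MSSQL$ and SAPD$ suggest but which this page does not state.

```python
from typing import Dict, Iterable, List

# Process ("prc") and service ("svc") kill lists copied verbatim from the config
# extracted from this sample (see the Attributes above).
REVIL_PRC: List[str] = [
    "cvfwd", "visio", "ocssd", "sapstartsrv", "vxmon", "avscc", "bengien", "infopath",
    "thebat", "disk+work", "CagService", "excel", "ocautoupds", "mydesktopqos",
    "TeamViewer.exe", "xfssvccon", "DellSystemDetect", "powerpnt", "isqlplussvc", "cvd",
    "tv_w32.exe", "sql", "TeamViewer_Service.exe", "tv_x64.exe", "mspub", "pvlsvr",
    "winword", "thunderbird", "EnterpriseClient", "saphostexec",
]
REVIL_SVC: List[str] = [
    "VSNAPVSS", "WSBExchange", "BackupExecManagementService", "SAPD$", "GxVssHWProv",
    "memtas", "GxClMgrS", "SAPService", "CAARCUpdateSvc", "MSExchange$", "MSExchange",
    "MSSQL$", "MSSQL", "MVArmor", "bedbg", "CASAD2DWebSvc", "BackupExecAgentBrowser",
    "VeeamNFSSvc", "SAPHostExec", "AcrSch2Svc", "QBIDPService", "GXMMM", "QBDBMgrN",
    "GxFWD", "AcronisAgent", "QBCFMonitorService", "BackupExecRPCService", "avbackup",
    "mepocs", "backup",
]


def kill_matches(names: Iterable[str], patterns: Iterable[str]) -> Dict[str, str]:
    """Map each name to the first config entry it matches.

    Assumption (not stated on this page): the comparison is a case-insensitive
    substring test. Short entries such as "sql" or "backup" and instance-name
    prefixes such as "MSSQL$" only make sense under substring matching.
    Each name is reported once, against the first entry in config order.
    """
    hits: Dict[str, str] = {}
    for name in names:
        folded = name.casefold()
        for pat in patterns:
            if pat.casefold() in folded:
                hits[name] = pat
                break
    return hits


# Constructed inventory of a hypothetical host; not taken from the report.
SAMPLE_PROCESSES = [
    "sqlservr.exe", "EXCEL.EXE", "notepad.exe", "TeamViewer_Service.exe",
    "mysqld.exe", "svchost.exe", "isqlplussvc.exe", "lsass.exe",
]
SAMPLE_SERVICES = [
    "MSSQL$SQLEXPRESS", "VeeamNFSSvc", "Spooler", "SAPD$PRD",
    "wuauserv", "BackupExecRPCService", "Dhcp",
]


def triage(processes: Iterable[str] = SAMPLE_PROCESSES,
           services: Iterable[str] = SAMPLE_SERVICES) -> Dict[str, Dict[str, str]]:
    """Return the processes and services this config would target on the host."""
    return {
        "processes": kill_matches(processes, REVIL_PRC),
        "services": kill_matches(services, REVIL_SVC),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(f"{kind} in scope:")
        for name, pat in hits.items():
            print(f"  {name:28s} matched config entry {pat!r}")
```

Feed it the output of a real inventory (for example the process and service names from a Sysmon or `tasklist`/`sc query` export) to get the same answer for a production host; entries such as mysqld.exe being caught by the bare sql entry show why the substring semantics matter for impact assessment.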

Extracted

Path

C:\6oe2u3mw6-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 6oe2u3mw6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). The faster you contact us, the easier it will be for us to agree. Your backups were also encrypted and removed. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/80111FF3C49D734C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/80111FF3C49D734C Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: CZuLX5yLpAipf9uu0eazaTRj7BWawVpJldKJ81HnkJbVfnnH5dKg5+em/LNfYo1R ead9ugR2Dk26ACRBuX+yVPXp6uca8JZEB2vmkg11F6YvSs+2CaWPtYaz8xFMVlrU z92BlJW7PrPOSo62hOo7VKalbHhI3qSVW2ZnBliT8do1QFNjUBZvNInzqYxQEipM Vvr1iT1YYE+oNgDuN9xmSBZs8TfJ065ciOlHAXQrBIU6aFVJuCjboO4uxnCUgjIV zSnmzHcodleTU+EKBb6hVv5rHFXvtlJVE9H6mEFUly9aojY1ej7QQaEGV6XDTpCp 8U2/xAS/1ayOY+gSRB8MFya2c637yP8BfdJjgLKTlnad+wmsQevkvzrfBIRebNHy iSfT6qFPQODV3dkCg9NehDwTTLHVB0SqAMYruK30Yo5jEk1ecKErYCbQ6CLeOUsx 80HGITD7Q0w2yNgtZMpDZR3jXjTcA3yLONK4kmc8Sd3GbYrqTQu/l5jVLJYf1reI gDmlaNzhYdLgxwSzfJvR8jMsOf+EkSKkHgKBrFWWuwt7+pPwdNnvVLHimJ8E+5Or xID5cMIefXbkjPQ6ZfxBv8Qu8+o2c/J1pHmT9JV9S+8TwQkjNKGgqJ1QkuAM3FNx 6iDIIz/36jUS2JQg5cv1EYX0ALi8LayFnYuE38SynZ5GqGBGm3Sf7lwyzZom+byB oTczBr1nEsEOYsn2bFeIyonNDGMJ2wt3tw5JgQUs97EkAuvsNzLhxqUyHeRkvo2K LnZ34YKNBUNCyW5uk2WaI9XMbifdcAa5OGJcDdPWGgXPP+SKi8XCsqJBCR2Z4qfK uKypTPTH05RDs0DRKRnQcq1QM3P7shlNdjibstdrC0AQXqyMhwZmpuBm0c9TscG5 2vxnLU6Y6//u2NtkoCqphrHOkQOyU0XSPewiFaQGKHwcz3GRji/QEUaD/zK/6O+N w6iR2AQ4qI+pgJm01+JUT/Utp7B3SGPSMri9Zt8dwgr0CEcXOjHPTp84MwTRFLG+ NMFk7vPlL65vVoXTozyx0cJbQS/+nao5p57A65V/poKFLtB9vKfFaPVmxgKcLwyo 9KODOOCTFljdJ4f/2JcNd+rIkDeSmt8eBPrMd8JV1fIFxcSeNj3ZRYk3z0pNMInM j/16E2cUZb1d12lMqNBg8GRMNaQLwf8kKxtIWFNreuC3d0TMr3swNG1WTIuFaQqX AcxQ5UzIwPCXIupYGcDniIvgu9BxlThPYqj8OOKxoUuB+OxCOC3QolMgWLENpdhj AXlMVP62mnNq8A1kcn5v7rqLeAgeow== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! 
----------------------------------------------------------------------------------------- You can read about us on Google: Revil/Sodinokibi - Travelex, CyrusOne, Synoptek, etc.

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/80111FF3C49D734C

http://decryptor.cc/80111FF3C49D734C
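A dropped note such as the one extracted above is often the first artifact a responder has. The following Python is an added example, not code from this report: it parses a note's file name and body to recover the per-victim extension, the victim UID shared by the .onion and decryptor.cc URLs, and the wrapped key blob, and it cross-checks that the file name, the body and both URLs agree, which is what you want before pasting any of it into a case record. The sample note is a constructed, trimmed copy of the one above with the real extension, URLs and UID; the key is cut to its first and last wrapped lines. The expected shape of the extension (lowercase alphanumeric, as in 6oe2u3mw6) and of the UID (16 upper-case hex characters) are assumptions drawn from this single sample, not documented format rules.

```python
import re
from typing import Dict, Optional

# Constructed sample: a trimmed copy of the note on this page. Extension, URLs and
# UID are the real ones from the extracted note; the key is cut to its first and
# last wrapped lines, and the line breaks imitate how the note wraps the base64.
SAMPLE_NOTE = """---=== Welcome ===--- [+] Whats Happen? [+] Your files are encrypted, and currently
unavailable. You can check it: all files on your system has extension 6oe2u3mw6.
[+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser!
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/80111FF3C49D734C
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website.
b) Open our secondary website: http://decryptor.cc/80111FF3C49D734C
When you open our website, put the following data in the input form: Key: CZuLX5yLpAipf9uu0eazaTRj7BWawVpJldKJ81HnkJbVfnnH5dKg5+em/LNfYo1R
AXlMVP62mnNq8A1kcn5v7rqLeAgeow==
-----------------------------------------------------------------------------------------
!!! DANGER !!! DONT try to change files by yourself."""

# Assumed shapes, generalised from this one sample ({EXT}-readme.txt, 16 hex UID).
NOTE_NAME_RE = re.compile(r"^(?P<ext>[a-z0-9]+)-readme\.txt$", re.I)
EXT_RE = re.compile(r"has extension\s+(?P<ext>[a-z0-9]+)", re.I)
ONION_RE = re.compile(r"http://(?P<host>[a-z2-7]{56})\.onion/(?P<uid>[0-9A-F]{16})")
CLEAR_RE = re.compile(r"http://decryptor\.cc/(?P<uid>[0-9A-F]{16})")
# The key runs from "Key:" up to the dashed separator; it is wrapped across lines.
KEY_RE = re.compile(r"Key:\s*(?P<key>.+?)\s*-{20,}", re.S)


def parse_revil_note(filename: str, text: str) -> Dict[str, Optional[object]]:
    """Extract extension, UID, URLs and key from a note, with consistency flags."""
    name_m = NOTE_NAME_RE.match(filename)
    ext_in_name = name_m.group("ext") if name_m else None
    ext_m = EXT_RE.search(text)
    ext_in_text = ext_m.group("ext") if ext_m else None
    onion = ONION_RE.search(text)
    clear = CLEAR_RE.search(text)
    key_m = KEY_RE.search(text)
    uid = onion.group("uid") if onion else None
    return {
        "ext": ext_in_name or ext_in_text,
        # The extension in the file name must match the one the body claims.
        "ext_consistent": ext_in_name is not None and ext_in_name == ext_in_text,
        "uid": uid,
        "onion_url": onion.group(0) if onion else None,
        "clearnet_url": clear.group(0) if clear else None,
        # Both portals must carry the same victim UID.
        "uids_consistent": uid is not None and clear is not None
        and clear.group("uid") == uid,
        # Re-join the wrapped base64 so it can be stored as one blob.
        "key": "".join(key_m.group("key").split()) if key_m else None,
    }


if __name__ == "__main__":
    result = parse_revil_note("6oe2u3mw6-readme.txt", SAMPLE_NOTE)
    for field, value in result.items():
        print(f"{field:16s} {value}")
```

Run it against every `*-readme.txt` found on an affected host: the UID and extension are constant across one victim, so a second UID turning up means a second infection or a second affiliate, not a variant of the same note.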

Targets

    • Target

      Device/HarddiskVolume2/Windows/Temp/ScreenConnect/20.1.27036.7360/updater.exe

    • Size

      304KB

    • MD5

      a8c4e617b6844adac7cf660206eb2b04

    • SHA1

      18dd1abc064d994ac14f7ffccdb56f0df627e82b

    • SHA256

      6671809c7cf4981d0ef027241b33ba9620ca52422a944129891366fc46758d46

    • SHA512

      18c7d222b446588d31ca5d38779895691c33a9fc16acb4d8b8ba108098fec9cbe1808e0526256ae73e31c68aff44e52695d73d6e14975b6e7f8812b175011800

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext
