General
-
Target
unk.bin.zip
-
Size
119KB
-
Sample
210728-bj21jf7bl2
-
MD5
879a9ccb38a526c067f2f28fa994ab82
-
SHA1
6a8015c7d2c7c0caff3d2008242f6be8a24db541
-
SHA256
c78e6a36a44e0b430f9fb116dabef6417ffaca0d4bc54409d5aa7dbbb0a52231
-
SHA512
fc7c861912c4ec1fc58c6b7a3d6f8c7b32c29da9e4f90517b04d4fc3b4a6b8bdb0e78f2659632ba1b3ba17ee46af65fc682c815ec1c826becccf7abd28343a82
Static task
static1
Behavioral task
behavioral1
Sample
unk.bin.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
unk.bin.exe
Resource
win10v20210408
Malware Config
Extracted
C:\5jfo37-README.txt
http://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion/post/9d3b44c1d39abc86e63b30329b3ff58e68507f7c198dfcdb6074f2a939e2ba52
http://l55ysq5qjpin2vq23ul3gc3h62vp4wvenl7ov6fcn65vir7kc7gb5fyd.onion
Extracted
sodinokibi
$2b$13$902slVegoruyIDDYHPcBq.xgXEngwc1tVyIqy7M8W7ocqBslnYEtK
50
-
net
false
-
pid
$2b$13$902slVegoruyIDDYHPcBq.xgXEngwc1tVyIqy7M8W7ocqBslnYEtK
-
prc
vsnapvss
EnterpriseClient
firefox
infopath
cvd
tv_x64.exe
VeeamTransportSvc
steam
encsvc
mydesktopservice
outlook
synctime
ocssd
SAP
cvfwd
bengien
vxmon
bedbh
ocomm
ocautoupds
raw_agent_svc
oracle
disk+work
powerpnt
saposcol
sqbcoreservice
sapstartsrv
beserver
saphostexec
dbeng50
isqlplussvc
CVODS
DellSystemDetect
CVMountd
TeamViewer.exe
dbsnmp
thunderbird
mspub
wordpad
visio
benetns
QBCFMonitorService
TeamViewer_Service.exe
tv_w32.exe
QBIDPService
winword
thebat
VeeamDeploymentSvc
avagent
QBDBMgrN
mydesktopqos
xfssvccon
sql
tbirdconfig
CagService
pvlsvr
avscc
VeeamNFSSvc
onenote
excel
msaccess
agntsvc
-
ransom_oneliner
Follow {EXT}-README.txt instructions
-
ransom_template
=== Welcome to LV === [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have {EXT} extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] ATTENTION. YOUR DATA 2.5TB IS LEAKED [+] All your important documents was downloaded. Data leaked included: - Finance - Accounting - Bank Documents - Insurances - Clients Bases - Technical Documents If you do not contact us within 72 hours, the incident will appear on a public blog read by the U.S. and world lead media at this link: http://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion/post/9d3b44c1d39abc86e63b30329b3ff58e68507f7c198dfcdb6074f2a939e2ba52 [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://l55ysq5qjpin2vq23ul3gc3h62vp4wvenl7ov6fcn65vir7kc7gb5fyd.onion When you visit our website, put the following data into the input form: Key: {KEY} !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!
-
sub
50
-
svc
QBCFMonitorService
thebat
dbeng50
winword
dbsnmp
VeeamTransportSvc
disk+work
TeamViewer_Service.exe
firefox
QBIDPService
steam
onenote
CVMountd
cvd
VeeamDeploymentSvc
VeeamNFSSvc
bedbh
mydesktopqos
avscc
infopath
cvfwd
excel
beserver
powerpnt
mspub
synctime
QBDBMgrN
tv_w32.exe
EnterpriseClient
msaccess
ocssd
mydesktopservice
sqbcoreservice
CVODS
DellSystemDetect
oracle
ocautoupds
wordpad
visio
SAP
bengien
TeamViewer.exe
agntsvc
CagService
avagent
ocomm
outlook
saposcol
xfssvccon
isqlplussvc
pvlsvr
sql
tbirdconfig
vxmon
benetns
tv_x64.exe
encsvc
sapstartsrv
vsnapvss
raw_agent_svc
thunderbird
saphostexec
Extracted
C:\yy2w2761o-README.txt
http://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion/post/9d3b44c1d39abc86e63b30329b3ff58e68507f7c198dfcdb6074f2a939e2ba52
http://l55ysq5qjpin2vq23ul3gc3h62vp4wvenl7ov6fcn65vir7kc7gb5fyd.onion
Targets
-
-
Target
unk.bin
-
Size
121KB
-
MD5
adaef9ccad21c049fba9b42e700aad0c
-
SHA1
bc3a32be1cbf94d4bfa4c144ebaf14553e10c2b7
-
SHA256
d74f4ae57fdc08c54695c430dcf7df0ee5e5838ef49f5ce579c69f70eebddfd1
-
SHA512
8cd330c48e9f2bceccbb79bf01c04d5a619d7693dcc6b82c939de59d4ba0f1bd78be8c899d3ef22535d231bedbc21683cdef05f29a1f601d041e78a292e4067f
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-