Resubmissions

14-09-2021 08:49

210914-krgqssfdd9 10

13-09-2021 13:07

210913-qcw5tsggfk 10

General

  • Target

    21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample

  • Size

    165KB

  • Sample

    210914-krgqssfdd9

  • MD5

    fad3cd9094f43e48c8e5061aeb2d76ed

  • SHA1

    cdeb9d27b479ecd25e0ebcda4cfdcff8b969470b

  • SHA256

    21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3

  • SHA512

    9063789eab4ea880199791d5f66196b513bdb206991e22e7a991dbc47ffb0aa837e1452de7440985adb7f35e38b6ab7d15ebfce64e1ac2e2c91545876326e015

Malware Config

Extracted

Family

sodinokibi

Botnet

28

Campaign

1182

C2

Domains the sample posts its infection beacon to (only when the net attribute below is true). They are mostly compromised legitimate sites rather than attacker-owned infrastructure (note nginx.com and a wordpress.com blog in the list), so treat them as low-confidence indicators when blocking or alerting.

andrealuchesi.it

furland.ru

phukienbepthanhdat.com

randyabrown.com

foerderverein-vatterschule.de

coachpreneuracademy.com

turing.academy

otpusk.zp.ua

beauty-traveller.com

oro.ae

catalyseurdetransformation.com

spectamarketingdigital.com.br

carsten.sparen-it.de

stressreliefadvice.com

pankiss.ru

nginx.com

atelierkomon.com

augen-praxisklinik-rostock.de

lexced.com

amelielecompte.wordpress.com

Attributes
  • net (send the post-infection beacon to the C2 domains)

    true

  • pid (affiliate ID; shown above as Botnet)

    28

  • prc (processes terminated before encryption so their open files can be encrypted)

    ocomm

    steam

    ocautoupds

    onenote

    sql

    wordpa

    mspub

    mydesktopservice

    synctime

    excel

    outlook

    dbeng50

    thunderbird

    sqbcoreservice

    powerpnt

    mydesktopqos

    oracle

    tbirdconfig

    xfssvccon

    msaccess

    isqlplussvc

    firefox

    visio

    ocssd

    thebat

    dbsnmp

    winword

    infopath

    encsvc

    agntsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}_Wannadie.txt and follow instructions

  • ransom_template ({EXT}, {UID} and {KEY} are filled in per victim; the two notes extracted below are instances of it)

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub (campaign ID; shown above as Campaign)

    1182

  • svc (services stopped before encryption; note that backup and shadow-copy services are on the list)

    svc$

    veeam

    mepocs

    memtas

    sql

    sophos

    backup

    vss
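
The prc and svc lists above are the part of the config a defender can act on: they say which processes and services this build takes down before it encrypts. The following is an added example, not code from the report or from the sandbox, that copies both lists verbatim and runs them against a constructed host inventory. It assumes the sample compares each entry as a case-insensitive substring of the process image or service name (so "sql" covers sqlservr, sqlwriter and MSSQLSERVER); the inventory names are made up for the example.

```python
from typing import Dict, List

# Copied from the "prc" and "svc" attributes of the extracted config above.
PRC: List[str] = [
    "ocomm", "steam", "ocautoupds", "onenote", "sql", "wordpa", "mspub",
    "mydesktopservice", "synctime", "excel", "outlook", "dbeng50",
    "thunderbird", "sqbcoreservice", "powerpnt", "mydesktopqos", "oracle",
    "tbirdconfig", "xfssvccon", "msaccess", "isqlplussvc", "firefox", "visio",
    "ocssd", "thebat", "dbsnmp", "winword", "infopath", "encsvc", "agntsvc",
]
SVC: List[str] = ["svc$", "veeam", "mepocs", "memtas", "sql", "sophos", "backup", "vss"]

# Constructed inventory (assumption: what tasklist / sc query might return on a
# small file server). Not taken from the report.
INVENTORY_PROCESSES = [
    "sqlservr.exe", "sqlwriter.exe", "OUTLOOK.EXE", "WINWORD.EXE",
    "thunderbird.exe", "chrome.exe", "svchost.exe", "explorer.exe",
]
INVENTORY_SERVICES = [
    "VeeamBackupSvc", "MSSQLSERVER", "SQLWriter", "VSS",
    "Sophos Endpoint Defense Service", "Dnscache", "wuauserv",
]


def matching_entries(name: str, needles: List[str]) -> List[str]:
    """Config entries that hit `name`.

    Assumption: case-insensitive substring match against the process image or
    service name. Under that rule the literal "svc$" matches nothing below; it
    is kept so the list stays faithful to the config.
    """
    lowered = name.lower()
    return sorted(n for n in needles if n.lower() in lowered)


def processes_to_kill(processes: List[str], prc: List[str] = PRC) -> Dict[str, List[str]]:
    """Running processes the config would terminate, with the entries that hit them."""
    return {p: hits for p in processes if (hits := matching_entries(p, prc))}


def services_to_stop(services: List[str], svc: List[str] = SVC) -> Dict[str, List[str]]:
    """Installed services the config would stop, with the entries that hit them."""
    return {s: hits for s in services if (hits := matching_entries(s, svc))}


def exposure_report(processes: List[str], services: List[str]) -> Dict[str, List[str]]:
    """What this build would take down on the host before encrypting."""
    kills = processes_to_kill(processes)
    stops = services_to_stop(services)
    used = {e for hits in list(kills.values()) + list(stops.values()) for e in hits}
    return {
        "processes_terminated": sorted(kills),
        "services_stopped": sorted(stops),
        # The entries that matter for recovery: backups and shadow copies.
        "recovery_services_hit": sorted(
            s for s, hits in stops.items() if set(hits) & {"veeam", "backup", "vss"}
        ),
        "unused_entries": sorted(set(PRC + SVC) - used),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(exposure_report(INVENTORY_PROCESSES, INVENTORY_SERVICES), indent=2))
```

Feed it a real tasklist and service export from a host under investigation and the "recovery_services_hit" entry tells you which backup and VSS services were in scope for this build; the substring rule is the reason a short entry like "sql" or "backup" reaches far more services than its literal name suggests.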

Extracted

Path

C:\ultj009_Wannadie.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension ultj009. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F141245511FBA0A0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F141245511FBA0A0 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 9ogg/Y0PmJZ+P3zvcusVynpNBNxk8Ka1NRWOjV5PlqSBAC05be9z2h083PFiFcmo KxuSCnjvXUHxuh72saskMInj6feI2sbUnhS9U4lGJqXS+Ug9WDY271ZgBDdJlOFg FpcoNRr8KONBvwwUQ39hmyFVKFiOi6Jo+AavOv/HAZzlWAdtGYtecp9/Q5Ti4j6X ZTNGF0xk+/t/oxlVJmnz9eHwnAtZIVloguNJBMCxPA58tG3GyjGXXlnawJkvueM3 XKw6pelYdCqMnBCFydpG7jUUQB3PFN+UH3zIuxveZTE/CbbpFdkPcp33s7z/5Zhk 7WhBhYixOteeXDOGMUTCf4kx+EirAQS1/c8p9VTpmQUTC/nmT81+5mibJHs7+qOa BM++vJ345Y8LRolhKFCRDSTODfMMGiedLrHQ0NqOFhriew3/NgmLv/zQhnHbeJp7 sHlAxLG27C1HFecuqrWU2ijcYFDWqhBAMhlw5xMx+SNjFKuRO1NNZznOiTmoNxmD ml0hKapcC0/X609uJxD9JGezD3f2liC2YDR+2jdgC0BFAgJ/IOddrfrygUl0Rbjn UHXPKReKaVu+eg9nbzWheCYDf8gmTGUM95nkP0s8aA7lpRrI/LAnJw/FMzHjjHrg Ww1ABw0+DFCPU5l8Yb6vCU/uG6BbVLfWtwtuXNBP+zw7vxdEOWynXm6CDyWlxxl5 BuZs9io1FOIu9nTMbVnazdM5Qzq+IRRx4etuDfhu3tiObQRiIp3S+CWkpT8hiz/Y 90sqhiG13ZViogw1ARw11c718wE1dst3wqJP4N6B4U+oRXfiV5noA14xe11UwyIs 7zlYMmadO3hxqFw8rWDeLfx23AcUbzMmyyZ8mpWuZIX4RIluRRxJsnh04Y7/RZJv 4rcqggKhcKAEocVCZymwFaiV1wjiKCOVfnpDYKyWU7IGz7sjil1pshwjPWOyxL52 jNuBa1j7u+B+7P49iTRVJNQ+zBMKe87F2t7Z6nDYg7ITjJXeZaw5w6r4Kbylee4k ChecbbrPKESERGjFsmnmJLjGSJ1J9vNc8+bP3VS9kxa6BfSPihY+XtbGPep2I/2K 7aYJjIfgh/XG6skErtr9uNDYe3jKqzFyI35LpK6qGC9o27irilpghHwgVMW+7cFk i5jicQDoAg/6hICZVVU= Extension name: ultj009 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F141245511FBA0A0

http://decryptor.top/F141245511FBA0A0

Extracted

Path

C:\vop1j504_Wannadie.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension vop1j504. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A22888B8FBEFBD28 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A22888B8FBEFBD28 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: NDU+1O1CvzDkrNyjdqeJHJFrMS0jzAQZWWB+2OprqIcXX4V6CBgIGpfatym9f7Eh Sjy75OaW0s72gcEjiUVH+woWewArvOspiUs9VSlrgiTvkAw9gRRVrps56+A2C2Za dfEw3MCzqnPSEn8tuc7ORI/0YUIp2TIAs0o3Aov2COnNCgSzYQeEi10oWSZmDgwG 2sFlOxJwCkszmSRdlk4LapfdS/awKEehTLZuTUp9wN7+G85Y3691T+46P5VwFcMl yzkekcqPGddY1e5//CZ4K1KYfhmcAVZYWtzicWXObbCsRREZGgVM3/1AbzyK04aV fYtHCtid3UwiMQyj8olhSi3dVARD05gGLdf7fjs+T4WdILR8ciSwoaOR8vP5AiBq /J4GSC6rbREjdsmet4LbfIZMjMKxrLkmSNt2aXhTQ2JPymlsMcMyicwGsdsE5Bre bn9ywYe9EDxZl3PKCkM3QUZ7w+Y/AgOTgv+lDj35btQsf5KCTVFZITd7rq5L8CB5 yfEjac66V1FbPtPQsPLvUPAWkYO0TioZPRNC2mueuAnqzwWS9ZNpfN2G5xSSekCp tPAFUl3AWPLjGdzOr2ft1aXgW8OEbL/CNr47JFw8J0CLtN4f9PctiGnnFz/7fdyF keK5SlGeKYnBuWaeV1XGlD8B6yc7iMkaft2r+c0BMV6orKf9xN2HJsj97cyfwrHD RiODYFtwwHr2YfwXhKYK+1+sO8gw8BsGHst6qC4TP/bejcJM6/YkEHVLDfzpO8qU HefRFh3J9JhKT0elni6rwqHQPQPJ869eLp2cLRHsJ8HTiiDyeZxAlUsP27L5ugsV MQ0xH6yqfun3H2OzQzhMqiNI7gzJVoowdy6u9TeTxJNb3PtkpHUYvckujE9Qrqg8 FK+RwGdKMD2kvRQVXHTXailEPlz/Q+bedMdHsRxRKovSc4UTIxzjFz1A8P9U2wER INlOQYhVkAOQKf4rziPH3C9nhpmWmsJvWPj4CURIXY6xJPpp1jHh6NIOA9LRQVX0 DwqddwOxDQ5O5unlD5DsWzTHMIB+FyLO+jHypJ+NoOYUrQE/JxYY7dDuwqZQD7ga Leh7XECbZo/wmnk6mLUbGj7y1uenrw8X3ujSDLlQ3stqeg4isKet9y4wo1qxpKUj Extension name: vop1j504 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A22888B8FBEFBD28

http://decryptor.top/A22888B8FBEFBD28
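
The two notes extracted above carry the only per-victim data an analyst gets from a dropped note: the appended extension, the 16-hex-digit UID that is the path of both payment URLs, and a base64 blob the note calls a "Key". The following is an added example, not code from the report or from the sandbox, that parses that layout and cross-checks the fields against each other and against the dropped file name ({EXT}_Wannadie.txt). The note embedded in it is constructed: it keeps the first note's UID, extension and URLs but replaces the victim blob with a placeholder (base64 of the bytes 0x00..0x3F), wrapped into space-separated 64-character chunks the way the report flattens the note's line breaks.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample note (see lead-in). Placeholder key, real layout.
_PLACEHOLDER_KEY = base64.b64encode(bytes(range(64))).decode()
_WRAPPED_KEY = " ".join(_PLACEHOLDER_KEY[i:i + 64] for i in range(0, len(_PLACEHOLDER_KEY), 64))
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your computer has "
    "extension ultj009. [+] How to get access on website? [+] "
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F141245511FBA0A0 "
    "2) If TOR blocked in your country, try to use VPN! "
    "b) Open our secondary website: http://decryptor.top/F141245511FBA0A0 "
    "When you open our website, put the following data in the input form: "
    "Key: " + _WRAPPED_KEY + " Extension name: ultj009 "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! DONT try to change files by yourself"
)

ONION_RE = re.compile(r"https?://[a-z2-7]+\.onion/([0-9A-F]{16})")
CLEARNET_RE = re.compile(r"https?://decryptor\.top/([0-9A-F]{16})")
KEY_RE = re.compile(r"Key:\s*(.+?)\s*Extension name:\s*([A-Za-z0-9]+)", re.S)
EXT_SENTENCE_RE = re.compile(r"has extension ([A-Za-z0-9]+)\.")
NOTE_PATH_RE = re.compile(r"([A-Za-z0-9]+)_Wannadie\.txt$", re.I)


@dataclass
class RevilNote:
    extension: str
    uid: str
    onion_url: str
    clearnet_url: Optional[str]
    key_b64: str       # the victim blob as written; encrypted material, not a usable key
    key_bytes: int     # decoded length, useful to spot a truncated or edited note
    note_filename: str


def parse_note(text: str) -> RevilNote:
    """Extract the per-victim fields from a Sodinokibi/REvil note and sanity-check them."""
    m_key = KEY_RE.search(text)
    if not m_key:
        raise ValueError("no 'Key: ... Extension name: ...' block")
    key_b64 = re.sub(r"\s+", "", m_key.group(1))    # undo the 64-column wrapping
    ext = m_key.group(2)
    raw = base64.b64decode(key_b64, validate=True)   # raises if the blob was damaged
    m_onion = ONION_RE.search(text)
    if not m_onion:
        raise ValueError("no .onion/{UID} URL")
    uid = m_onion.group(1)
    m_clear = CLEARNET_RE.search(text)
    if m_clear and m_clear.group(1) != uid:
        raise ValueError(f"UID mismatch: onion {uid} vs clearnet {m_clear.group(1)}")
    m_sent = EXT_SENTENCE_RE.search(text)
    if m_sent and m_sent.group(1) != ext:
        raise ValueError(f"extension mismatch: {m_sent.group(1)} vs {ext}")
    return RevilNote(ext, uid, m_onion.group(0), m_clear.group(0) if m_clear else None,
                     key_b64, len(raw), f"{ext}_Wannadie.txt")


def extension_from_note_path(path: str) -> Optional[str]:
    """Recover the appended extension from a dropped note path such as C:\\ultj009_Wannadie.txt."""
    m = NOTE_PATH_RE.search(path)
    return m.group(1) if m else None


def note_matches_path(text: str, path: str) -> bool:
    """True when the note body and the file it was dropped as agree on the extension."""
    return extension_from_note_path(path) == parse_note(text).extension


if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
```

The UID is the value to pivot on: both notes in this report have the same template but different UIDs and extensions, which is how you tell two infections (or two detonations) apart. The decoded blob is per-victim material encrypted to the operator's key, so its size is worth recording but it cannot be used to recover files.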

Targets

    • Target

      21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
