General

  • Target

    d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.sample

  • Size

    890KB

  • Sample

    210922-jew5aaeehl

  • MD5

    561cffbaba71a6e8cc1cdceda990ead4

  • SHA1

    5162f14d75e96edb914d1756349d6e11583db0b0

  • SHA256

    d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

  • SHA512

    09149b9825db2c9e6d2ec6665abc64b0b7aaafaa47c921c5bf0062cd7bedd1fc64cf54646a098f45fc4b930f5fbecee586fe839950c9135f64ea722b00baa50e

Malware Config

Extracted

Path

C:\75wwcj8-readme.txt

Ransom Note
---=== Welcome. Again. ===---

[-] Whats HapPen? [-]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 75wwcj8.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CE3EB7AF9D937AD7
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/CE3EB7AF9D937AD7
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: [base64 key blob omitted]

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CE3EB7AF9D937AD7

http://decoder.re/CE3EB7AF9D937AD7

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

C2

Attributes
  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

---=== Welcome. Again. ===---

    [-] Whats HapPen? [-]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:
    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decoder.re/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}

    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Extracted

Path

C:\5i392o-readme.txt

Ransom Note
---=== Welcome. Again. ===---

[-] Whats HapPen? [-]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5i392o.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA797E9D09E3B75E
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/FA797E9D09E3B75E
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: [base64 key blob omitted]

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA797E9D09E3B75E

http://decoder.re/FA797E9D09E3B75E

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
