General
-
Target
9f256973ee6ddcd3d781761480c00220a140fad833dc9a6a085f45c419d1714e
-
Size
137KB
-
Sample
210929-jqzdsaebd9
-
MD5
cefffae5b88b714dd237424055c2ebce
-
SHA1
cf0f8bfc14e862a1c0206939263821ae58a706a7
-
SHA256
9f256973ee6ddcd3d781761480c00220a140fad833dc9a6a085f45c419d1714e
-
SHA512
ce19b93c44ea81ecee3231cbe84a7d8ed7025d57c937e5741908fae492dbe307f486bfe44898084619fb09851ef1871687e0c2a245ee0b1340ba91d8be2937bb
Static task
static1
Behavioral task
behavioral1
Sample
9f256973ee6ddcd3d781761480c00220a140fad833dc9a6a085f45c419d1714e.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
9f256973ee6ddcd3d781761480c00220a140fad833dc9a6a085f45c419d1714e.exe
Resource
win10-en-20210920
Malware Config
Extracted
sodinokibi
$2a$12$IPsxj5UBx9fK2WbMDbQNDuSnpzgGG3tBnGPAlCUD4FGvD57Cl3LP.
5781
-
net
true
-
pid
$2a$12$IPsxj5UBx9fK2WbMDbQNDuSnpzgGG3tBnGPAlCUD4FGvD57Cl3LP.
-
prc
xfssvccon
msaccess
agntsvc
powerpnt
outlook
encsvc
visio
ocautoupds
tbirdconfig
firefox
isqlplussvc
dbsnmp
mydesktopservice
ocomm
thunderbird
winword
wordpad
dbeng50
steam
sql
thebat
onenote
infopath
mydesktopqos
oracle
sqbcoreservice
synctime
excel
mspub
ocssd
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
5781
-
svc
veeam
svc$
mepocs
backup
memtas
sophos
vss
sql
Extracted
C:\zw49tq0jk-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/459E374F1DB639C9
http://decoder.re/459E374F1DB639C9
Extracted
C:\5m239w-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C0B2EE0969419DC6
http://decoder.re/C0B2EE0969419DC6
Targets
-
-
Target
9f256973ee6ddcd3d781761480c00220a140fad833dc9a6a085f45c419d1714e
-
Size
137KB
-
MD5
cefffae5b88b714dd237424055c2ebce
-
SHA1
cf0f8bfc14e862a1c0206939263821ae58a706a7
-
SHA256
9f256973ee6ddcd3d781761480c00220a140fad833dc9a6a085f45c419d1714e
-
SHA512
ce19b93c44ea81ecee3231cbe84a7d8ed7025d57c937e5741908fae492dbe307f486bfe44898084619fb09851ef1871687e0c2a245ee0b1340ba91d8be2937bb
Score10/10-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies Installed Components in the registry
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops startup file
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-