Overview

overview

10

Static

static

10

b4015b2abf...05.exe

windows7_x64

1

b4015b2abf...05.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.zip

  • Size

    74KB

  • Sample

    211208-rdegvadee5

  • MD5

    08c456f9210b5ac3fda0c5f30969cc59

  • SHA1

    f4ddaacf312d6a7278b73099569f489e2da2e37c

  • SHA256

    b18bbd27b10bf27d6c626a1d721dbb83f8901c9083092adda80b2628ecff2e32

  • SHA512

    7380ad9598419f18bf5effe7880975648e2a495af9e9347cf91da2de120d8158cb97e044274e8532325f6d69e5c003dd2c1f19a235c4d5414b74ea51da3eef7f

Score
10/10
sodinokibi$2a$12$wsdkyj/flqr3lz6h4k2qmenp6qlhkwtltahlc0fur6s4afxkjrehy7029evasionpersistenceransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$wsDKYj/FlqR3lZ6H4K2Qmenp6QLHkWTltAhlc0fUr6S4AfxkJrEhy

Campaign

7029

C2

cuspdental.com

humanityplus.org

sportsmassoren.com

adoptioperheet.fi

kafu.ch

innote.fi

polychromelabs.com

milanonotai.it

logopaedie-blomberg.de

theletter.company

conexa4papers.trade

tampaallen.com

patrickfoundation.net

visiativ-industry.fr

idemblogs.com

copystar.co.uk

paulisdogshop.de

atozdistribution.co.uk

sinal.org

purposeadvisorsolutions.com
Attributes
  • net

    true

  • pid

    $2a$12$wsDKYj/FlqR3lZ6H4K2Qmenp6QLHkWTltAhlc0fUr6S4AfxkJrEhy

  • prc

    oracle

    synctime

    mspub

    sql

    outlook

    sqbcoreservice

    thebat

    agntsvc

    isqlplussvc

    mydesktopservice

    tbirdconfig

    ocomm

    visio

    powerpnt

    dbsnmp

    encsvc

    onenote

    firefox

    excel

    ocautoupds

    mydesktopqos

    wordpad

    steam

    ocssd

    winword

    xfssvccon

    dbeng50

    thunderbird

    msaccess

    infopath

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7029

  • svc

    mepocs

    vss

    sql

    sophos

    svc$

    veeam

    backup

    memtas

Extracted

Path

C:\j1lpd6spa-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension j1lpd6spa. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E30D3F99E2B36012 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/E30D3F99E2B36012 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: H0bY9v6ihlTplFVIMrWSNfKjYrIu1KVD9Qsg95pp62nTGIzW2X5DYgXNs86e/NI6 p/t+Xbh6BjTke0I+8dPyXofycCAwZUWL6rac/Tqf/8k3MAVNg6phuPLEV0jKjo3p YfUxXpmryXrq4N6FYg+5iPU1FOinutD4frMI3TLaZ1a2YzrR3zmnWgrNEVfOzaDe 1T7zRSvBg2KDVsUtnKwjHBULDDgCzCfLfunCGE2QlpVzCoZC8X/oHPOH0nGGS+4b jMj2GTbdTpaYbLDTtZgoP0igHa0hdJsigZpWP8X2hdmXp3JnWZCrjUifu4c2KI2E b3tHfoHdtrOOZyotKnTyE5xEfige1ofd3S64KcN9Sh6NLwG6sCXupUZ4uADMOfST E0u/dxMyVNsTluTdt+83TE1KoeGOZ0yvKHzW6O7kFk2xV/EvKo1CyFUmeLjy4W3u 9SRqg3HWQCppMlx2e94ARhr0HvzSk73MDRJXKZ8Ms0hMHKZDwLZcCHQt54rLjyT+ Bph4KkjMeP6Cs/3wNw32butqwPvd0k3IFbtba6CPKICs1Cf47WjE5S0dQGVkuoMG eiGm/KXF3/urSru0ejOsPuz0LKAzcEhWpZF9YYgrLWIKJqgdFZ2RWl6+SN0JlIDm ZdieAOuJF8yKB38WtUTfxsrH77Iz66whu65zm9rIkCPANknmutVMK+4rlW70W0K3 6mO8dPbCdqfwAisy0nT8E4Mm8wymHrh36TBaq03mC+RfNoR8tPHDfJaKiqPgtfdl F0naQdwRdZNJ+bh/vbiFjftyCjKOO2xrvMI2GbeOM1LjN/dlVG06ALKTzVkQo05W x3voxOn835Qb5dTZySy8EJ0OWX9uF6lNSEj3b6PkvyhRkNqqNqaIBWqVbndQqwvd QqxNKJBIAj8caWZt0owO7zoTkl3SYmii9zQz0unD9e9rUdPnKOqoBYiXM0iHWGHx xwmTMoKGXqoEiMbLNrgDmu7ZL16ViXIqTDrnFb6taxeMQ6ryUVSS6jDfjS0Je3Bx AeK/Gqf1oyTOdk5DFNZkuD9JFGa/FynSmUei7BK+TT2ynXWiIfKmPN0B/2Ey3sjt UrZ3AXc86W7zlq9hcbmqMjbpoGS6UrqzC1elUc4UsOffLYUGg5OPbKhO5EK6uC/E aoRORs00nHEHn+kqtxPXJ1ulVPtE6JU1pkb067ZhZ6vz/aWj35TaS9hSGe/HP8lB t0y0XKdikovJXG4Kcuqgt4neHt9YHTliZ9u87Bu2WovXwbJi4X2LC2VBPEbCz0NI AVf+p+n9gCw8E/o5 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E30D3F99E2B36012

http://decoder.re/E30D3F99E2B36012

Targets

    • Target

      b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205

    • Size

      122KB

    • MD5

      f2ad75f1f945cf18e2f903fa645d62b0

    • SHA1

      c99f6b459e4bfe77a0c37def0d6bc933fc4a1447

    • SHA256

      b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205

    • SHA512

      0416aed927e99600059548d5e7b9b2f02cb1ec69cf692833da8851f8f03e4ef6fa06772b0798d483461ea8c05a5adeae355fc624b17cf74041b9e700a88eb6be

    Score
    10/10
    sodinokibievasionpersistenceransomware

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks