General

  • Target

    f45cb3e589349f987092a654178e84520ffb34e1cd4a879b5f57ca4c570ab3e5

  • Size

    116KB

  • Sample

    220124-a22tlsghan

  • MD5

    fa3516c08b30932538bb589f27530b26

  • SHA1

    017f0cc7ba64fd5add231f47aea15f3fb331e31d

  • SHA256

    f45cb3e589349f987092a654178e84520ffb34e1cd4a879b5f57ca4c570ab3e5

  • SHA512

    6f2d70f312e3593ed942f340fe052212a66dec53f2ff4f626738a1ad8e9530846fefab473be11ae4af37fcefa8d0abfb78d587164aecd2249071f43aad6b1960

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$F6P7XeAqGGFCLm/hUFL9xeUgMDw5FVv2oUOlfbY.TVb7qMcFoHlCy

Campaign

7710

C2


Attributes

  • net

    true

  • pid

    $2a$12$F6P7XeAqGGFCLm/hUFL9xeUgMDw5FVv2oUOlfbY.TVb7qMcFoHlCy

  • prc

    infopath

    mydesktopqos

    isqlplussvc

    ocautoupds

    onenote

    msaccess

    tbirdconfig

    thunderbird

    winword

    powerpnt

    excel

    visio

    encsvc

    sqbcoreservice

    mspub

    steam

    outlook

    ocomm

    firefox

    thebat

    mydesktopservice

    oracle

    dbsnmp

    synctime

    sql

    agntsvc

    dbeng50

    xfssvccon

    ocssd

    wordpad

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. If you are ready to buy decrypt key for unlock all your files, please write to [email protected] We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} http://decoder.re/{UID}

  • sub

    7710

  • svc

    vss

    sql

    mepocs

    veeam

    memtas

    sophos

    backup

    svc$

Extracted

Path

C:\i61lc66267-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension i61lc66267. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. If you are ready to buy decrypt key for unlock all your files, please write to [email protected] We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBA683BF12564B97 http://decoder.re/BBA683BF12564B97

Extracted

Path

C:\164eki8-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 164eki8. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. If you are ready to buy decrypt key for unlock all your files, please write to [email protected] We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0DC9440A2C4A9C1B http://decoder.re/0DC9440A2C4A9C1B

Targets

    Score

    10/10

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks