General

  • Target

    f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3

  • Size

    165KB

  • Sample

    220124-a2en3sghd9

  • MD5

    d3e026324b81c755f9058d7a42e96c75

  • SHA1

    35d30a689c4b826e43d9255574fa09965c0a6ba7

  • SHA256

    f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3

  • SHA512

    e9eb060168da1db8dafac357835ffc2272dc3fdbae31c77d810c188299657c824255cc1f337ac25420c57ebe821a838f4e92e5fdf7778a4a6692e777305b3913

Malware Config

Extracted

Family

sodinokibi

Botnet

48

Campaign

2036

C2

Attributes

  • net

    false

  • pid

    48

  • prc

    onenote

    infopath

    sql

    ocssd

    visio

    ocautoupds

    mspub

    thebat

    isqlplussvc

    synctime

    outlook

    excel

    firefox

    steam

    powerpnt

    dbsnmp

    mydesktopqos

    msaccess

    encsvc

    agntsvc

    winword

    tbirdconfig

    mydesktopservice

    xfssvccon

    sqbcoreservice

    oracle

    wordpa

    dbeng50

    thunderbird

    ocomm

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2036

  • svc

    veeam

    sql

    memtas

    vss

    sophos

    svc$

    mepocs

    backup

Extracted

Path

C:\e70etl274-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension e70etl274. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C18DE0894BDBC268 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/C18DE0894BDBC268 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: laqSpS7Yzp8smtsgOGhjmEGkoyYov4NZvyGkdFGhuJ8nsVfvCKTd/FlksScr/ukv 7vPHqjCnfBDMh6UnP5gSODMHt5jBNqOKnAhitE/QP0hs0KRqEkQCAOpPtYPQLeaH C4YrFMcp8N0kaGF+yAsnpkQfsuO1ZPaZu84U+hrRYjXaCrpHb4GEPXkIDfKo62g1 VxL0tgmUIFmI+c1HgkvocC34B3zdvZpfBa1VPwJvjWawVHp+ZeBHp274VPLOtRc9 lGT4Ns78vzUVXC0bv41lKuwz5A+nT/Y48r7XZUb3qEdvxBb4TqJzSUUdnXCPHfOs eJ91hh0rkP7Jlc1OC1p6cum5WDRmgGarnidfr9t7fXyEO5sAa3Thzm7IgfySSQXn YT9S1j/yVdOhOnN/OeQmj3KbyhIvPD5df0TgOXJYqbX8BGtCYumKSzRw0SK0FuuS Zf5BG/3lJocft1CDPp0Ij8iSGW8/xPGWYdp5JG3bmSMzmtBHMqQ/QT7gu6CycB39 UGIji33FTo5PJj1Um3K7Q/czcYza4agu+PuiBLFcS2IDdit8N2ryJLdYIzHRDpJ8 kWZPUU/dfxypjsHr0TwDXJJGzXZ107bLFFml2Bt0RHwbGVmH7iY8RpKUCruCUals m1bk25VsHxnp2ANcRT5Ef2jUWa75AN7xc9DX3e6ZikGkAy8vNuqKOXZ5AlTEwKAV /dHnB3R8qbTyg6mCUAxOd8gT6tILQpZkAzzxe+iHD10i6OAJ8RJ3Foi41RyMkno3 xn086U05xZVuA2MJSGkkI9nBV+aYPntoYPsaIOmx18JJlYc2xp/YbgXp+kw6VWdW n2a6JWGLWPgZet3pSMnaPgEEcW3w0FAn+pqddKuPgawVrDgY69n25AGTvDRh+h6t Mix0QKk+upsAwiXwxnkCsIUyz2COJrk/vww3hsVgI/yv8NEM4NW25GUJbd1X80KL oxWvKb2vlTlJDDRYaRXvX8Og1mfu3mBkwlALoxiwce9Ao4QpSU9aRT3VHB1pACOB eLKA7UjxMuRKKazU9/yjyZkZEyDE5+GtCdDchOEFR14XoZ0xsZ34fXt7MUzJZazE E66O8IAInoE69XjCLgcbz7bSL41nuMr76bw55OFCx9QQy1uQ/nsxwDXkvRJtKL7d r1NZsQI7x6dlDA== Extension name: e70etl274 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C18DE0894BDBC268

http://decryptor.top/C18DE0894BDBC268

Extracted

Path

C:\sah215mz-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension sah215mz. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/177118F8C7CC3261 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/177118F8C7CC3261 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: iLBm3kDpR5/vPGeadWv78QlIiOmLOm7NWdvC83pdjj7q64VX8kwYSLfw7cwBo6/U pKaCDJ629xSzkWdgIHSBkVRSV4ZN3pGUUlkgMn2C8ppvJONkIaZCJ5Y+/OChh4vo DyPiZ+wC7jku+gpTe+Uftydfvje0dE2g97I8paEezkLeH3+H9THHFqWHs8aOQ+RG AANeyg84bwJTJ2Et6D9RRPYie+XQF1I0P0n1Mua/whvvnSaGr5CoVI4q9HFgjEyd l5HJPInnI0FXYp4p02RwOR9pkiho7i3K4JIfI7WublnjjFhX1R0Df3LYX1xEGydJ ZXy6XjgljCDH2BmAO/fGQzpubjgB3e2fdUz1h7wFPX0So7FMdk8U4A4e4fDM0cJD AyYtobGG6broLuHYPYxChm+SmHKaFYZjwuLoUimMU6ei+bY+PX8pJHUSvPnxLogM M9gin1Toz15fN62pk2oUExYtvWtYqqCXHx9bw5leAKJ8yl+jMkBExMWfX//eTyX8 08Qmap3TikzEaAWsea9AFMFJ+zVTPvXPsm5KAjl5C/oLqhZ4n1KAK+sZ9ypmZbxw ZVsNB2b14Dxgn/FwrrVtkDgLfpUw4ZJ1LcPGxi/sMeVvq0eLHdLM/ioF4LhT1aeM gwkmfLLLPHyzAPzxrtUfPeUjAXq5q1fkl120TMUAGEDiJE5dEiuzXLJmtn6AOwN4 EDrgUhn0Cf+gVQvDJxQuQpc1UYUxYhorAqU7FMGA1yQjX5pOREGQN52xGN34zJZW 5zpd7q3BsNSxvLdzQ5uNYnFrtLE0JMPEnyDsB3W6Ivl7zuUGngGauNCsDV5Y/BD3 uIt0fUSXXqDB9IxOtn9X3p2oPjsCNhOoYZSt39jweavSQaQKJsYL9CmEZxxGiN+b T4iwNJo8u/xKCYrtQWEoNgE/wDOgnjG4F15ds2C2VfEoXPgLLzt8JzaL1IypdjDt zkQTya2vef1OOKB7DWOZj7LuWTJy71wnlHbYCEkamiSENvmjsZmkvEvwljSnUEks gyPNzZaGdX5F7iIjoGhFIa4w401JTLYDNGwFKXdTXdj8Fxe/SJfvkkkL4jtOCdm6 v+AahaCNQDpUk2oam1xhogLAJbR20VOf6P9+cvBQe3lbC/AfjyexD22KPPEehgaI Extension name: sah215mz ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/177118F8C7CC3261

http://decryptor.top/177118F8C7CC3261

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
