General

  • Target

    f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5

  • Size

    165KB

  • Sample

    220124-a2qrcaghe5

  • MD5

    08402b4bc7e5527315b690e6ee0c1565

  • SHA1

    76062deff96a613ea455abc3014b531e5fd13aee

  • SHA256

    f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5

  • SHA512

    12638ca4ff87b239ccc519376c7043681ac70f26b8dda16c6b308c11415facd1da00f3e3338d9a258373c2497bfc0b1a900a787340cad35691ffa4cdcd9af623

Malware Config

Extracted

Family

sodinokibi

Botnet

30

Campaign

128

C2


Attributes
  • net

    true

  • pid

    30

  • prc

    thunderbird

    dbsnmp

    winword

    encsvc

    sqlservr

    mysqld

    onenote

    steam

    powerpnt

    oracle

    ocautoupds

    mysqld_nt

    tbirdconfig

    isqlplussvc

    agntsvc

    msaccess

    sqlagent

    firefoxconfig

    xfssvccon

    visio

    ocomm

    mydesktopqos

    wordpad

    msftesql

    thebat64

    thebat

    sqbcoreservice

    dbeng50

    mydesktopservice

    ocssd

    outlook

    mysqld_opt

    sqlbrowser

    mspub

    sqlwriter

    infopath

    synctime

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    128

  • svc

    veeam

    mepocs

    vss

    svc$

    sophos

    memtas

    backup

    sql

Extracted

Path

C:\2r320827-readme.txt

Family

sodinokibi

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9D4D2742EEA64D18

http://decryptor.top/9D4D2742EEA64D18

Extracted

Path

C:\98ip629-readme.txt

Family

sodinokibi

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B7130F6F3EEDF344

http://decryptor.top/B7130F6F3EEDF344

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry: 1 (T1112)

  • Discovery

    Query Registry: 1 (T1012)

    Peripheral Device Discovery: 1 (T1120)

    System Information Discovery: 1 (T1082)

  • Impact

    Defacement: 1 (T1491)

Tasks