General

  • Target

    eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4

  • Size

    118KB

  • Sample

    220124-a3yhksghg3

  • MD5

    08fad193fc03bad8132bd791155212d2

  • SHA1

    5c56fd5246f3680f4576a9e633fb76acfb15f994

  • SHA256

    eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4

  • SHA512

    d2e3460998d409a530f5435f9c7693d1aa684b5016b8abcbfd86530cd2ed2fd7849094bf2be865e2f75179f557567265b8ee6091c39d96d7cb8c7b89a9d2835e

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$XnCqaiHYUWpzep3X5yw80u1d5ov1CPQvPhXvCtHzNfuhdh8Ly1qvK

Campaign

6602

C2


Attributes
  • net

    true

  • pid

    $2a$10$XnCqaiHYUWpzep3X5yw80u1d5ov1CPQvPhXvCtHzNfuhdh8Ly1qvK

  • prc

    encsvc

    xfssvccon

    thunderbird

    sqbcoreservice

    isqlplussvc

    mydesktopservice

    infopath

    winword

    powerpnt

    synctime

    mspub

    oracle

    wordpad

    mydesktopqos

    outlook

    tbirdconfig

    firefox

    onenote

    thebat

    dbeng50

    ocssd

    agntsvc

    msaccess

    ocomm

    ocautoupds

    visio

    sql

    excel

    steam

    dbsnmp

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). In case if you will not contact ,your data will be posted online or sold. Also media will be informed! [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! 
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    6602

  • svc

    veeam

    sophos

    svc$

    mepocs

    backup

    sql

    memtas

    vss

Extracted

Path

C:\930gf01-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 930gf01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). In case if you will not contact ,your data will be posted online or sold. Also media will be informed! [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AED38EC1EAB0B437 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/AED38EC1EAB0B437 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: IYb3tycJlU3tI13LCe3nBWNEsMDDvgO8SyFojojyCg0ko4avLwmBumOlpCy8jzeK Kl9k6IQrKWkOQfi1rgyZuWhwEsJMugDPRR4ZoAIq06eRcfrR5QfpfiVMw/eQL1te KxcDw5BOLbCsT03ktzJWLZ+S5+fPDBukiYbbuJIcDEvtiHz5n3rwbrNxNiXd7kew UCqQpjhmceTh64F0Ae/0mVQbCWuXswGjDdi3iMitCPhmDovRr0zfwS382TIU0EPb q4VRDq9CXDHiCnrbw5pM8uFKFdQzVWQSw4JhqFWJ+BNOiUONfboq002qf0eqXdsq b29S+eVUKgsyv7uW33X6Ip/1VvV9Ld/qc0jR34LSxkiK+zw03yehlYaI6xnV6EFC VA4w0xRensGnJiQw+yXy7OyRdYqQejtDuokBPviOwg/1WE1vliFTxRaE7As7e2xu UkKC2vn8eg1iMlM2CnvCk27SfSfBEOBm7k+LnQsWIunKu56u6P04Ntv4kjDPF11H AzfPoLdks9vJAqPCKN6573EUbo+SqrQmft9S1USAMf0Wb9oOgmGFD8krMVxOnUBE yjbyy1NzOw3Od2c01Wg/xWanDIqjTkSp9hNdUmkkKWcwFOt/QlWU7aMalS7q+gEq ji9NmoZ+wYg8VwznhMFlIDSIbDZ/izR83pQ27Fs8C5hnVBIPbhZIcyETXWHJhRZj lPFAnJnCiVcUeLfcV6wJbdbnHQKRt6mWX3/yPadehfDin1Z4vji3jDA10cw3CjyB wXnjMouOp7ttKbO4XvdOQ7CYdYuzuyIt63kyJoG3+RAZjs0nEYs9IBFaXjJdzbiZ gTlXz/m/w6lxdJ5R+VafGb08dkRO3JBaffqUCYG6Pb6T/lacyJ/0IZw/zgy56HTF s11azeSyE2C0+Q368GFFoew5Y8z/FsDZxlEaChXn9EL1IRD5JVixWEdVqlImmU4f tto1jhe3uPUKwwkHPmSP1m320v8fafCzGSesgxZzcD0tfGvc4VnbF13RMAsP26kX gEBFOeUy915PfO7AtUaboKHuyJ6XAw6qtF+9GRElMTIWk5IGQaKRmv2tjiYJBCqM CZWIzHxKtLZqqo+b73DR8dqTAlQu2P/ZIqjQH9shToLZ0wJJggTU5cNbfccVbuJY ApJ8aX72uUzIP0y3q58gB6y6fjrkt/99KBViQtHAd9f3YTWCsROXwnnMXGwHctMp 4tuD2SyIxtZrAPvhHOqTrl2T5MMiD20opiLaHSY0p0dHnIG7uYYV7veNgHq6u4tn 0XZ3cG5X8BbpNRp7IhMNwFCwkUjL8cQb9gU= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AED38EC1EAB0B437

http://decoder.re/AED38EC1EAB0B437

Extracted

Path

C:\0u8txz0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 0u8txz0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). In case if you will not contact ,your data will be posted online or sold. Also media will be informed! [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/78AE43A9C61A1316 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/78AE43A9C61A1316 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: lGiIIDnUaMnCWAgbG7DpDUXtaVBFXp170npfvhL+1JykjBEZyifNNnz6hJHtqzYq KgbPQ0inw+8EugsRclm+/8tpbAM13UCh+1XRl3mdgILM9qf+zPqUYHa8IqRp0jVv s2dBK9xsI+GHuRsE6+9p+T2ag3BF/aBrHnAwr4r4PUKCEZBOPtegGyTzvwrAHf9J 1CeskZOVmCazV2+bwJm/lzIMKT4NbkYms095nxEmBq/nQ9X/3ZdU//x0YlSSKFvO zz0sZ0rZ3+Vk7MGuE05YzIC8drNoBz4TetUMO70nyVsKXz+nd5DzbKmPqPvYLvvh ChqqePwzzN5Gd54tuqJ+NThb5V/bSRA3OXQ6m/1TjlIxI7aXCOb2JQjjQujUjoao OMq4cWTz+zTQWooma/lUj0O00tX27F4mRSiLQh6f+Tq341es7wN2kCHgDYrLG/Ct s6Soek1wZoDWx4RFKUphGzu3dp+77Mb22kt/6IztbdwUfu7pMzEZT3e0iyyoBfR9 pPRQ2kj73kwj87us0l7jF+ENhPalCScgg8VaEhcxad6YXvIIC0pjt73C3WoekqYK M4IqhfyaHJ4H9V+0FA9MW9du2iXzE7XWMYdfmMKETSGc7zAjmXmh0DGwtAlFJgWH jEylXoqKTdFSKzixPMJAR33/BRsCOyfeAm4hVvv0Yeb79AN3KFgOZw3gzVLS0zg7 vwWBFpf+ATsD+aH0CkYAv+9OreKgUx7wbUNLP7BHobI5WFh/shP8UBMlSkFjAFnH Mv4RY8haLrS+LG5wUwqXnFcCFcah9FabbTqBQdznxpyFImCDUCmpxJa24fZ+Me7S X499ArKvEMXKFtlYqWLkVCexK1ioPlTr8Zt+N62lKN7Y7FiKIV7AXQI/jRvHAStE c0mgk2iB0xfn6hClAwBYYAnCjpSAg8++5JEiiLCcuYa/GQH5yqdbDpLxrMT2j1Z7 +avNCg2RkgBYpy+NZmh54PmvjbTa2c+s+w2UNp0+5J0oi66vDT4crcHU289dUL8c WBbinsPsP/Lsphgauetzzm8PnYQLzTqP9jNVNj8jICvbW1Gn5FGhTeKP2/5kb3W9 pq4w7Ty6qS3deEhssAstwEKg9qS303T83LsLG7kl3M5nClbg4dBLmnhvW7UE53Qh LeB51GSnDXCs9LR20RayllCHAkVKcgLift3Id0OcqnF+zWHTbTs6du8wj2GJsmLd 2XUhuQmhfKs4woC+XCh0n2dEKoxKboW+/0jNWEfkhvoJi9yj/U9vLyFj24ZXdeYw cmyha2XdA+1qfT/ddI2kXTC3 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/78AE43A9C61A1316

http://decoder.re/78AE43A9C61A1316

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
