General

  • Target

    ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1

  • Size

    165KB

  • Sample

    220124-a4h5aaghh3

  • MD5

    6edc8e537c6cf38e56fcf2af79980344

  • SHA1

    024bf6e1cd3084bb453b1826f350e853b1951727

  • SHA256

    ec9950b2114f7c13c3395c6d5f0ecaa520a0dfe62b1e33c56c746ceec97881e1

  • SHA512

    5e3cead37cd53c3003f68dd5c4fe87b30d7edefba3ab48a86e2efb2704060b74008011ff0157df26fd161ad411ddae0296f83cfb5a6affc10e7856285121f518

Malware Config

Extracted

Family

sodinokibi

Botnet

20

Campaign

808

C2


Attributes

  • net

    true

  • pid

    20

  • prc

    excel

    msaccess

    xfssvccon

    mydesktopqos

    ocautoupds

    ocomm

    winword

    powerpnt

    dbsnmp

    onenote

    steam

    wordpad

    isqlplussvc

    mydesktopservice

    infopath

    sqbcoreservice

    tbirdconfig

    sql

    firefox

    ocssd

    synctime

    oracle

    visio

    encsvc

    mspub

    agntsvc

    dbeng50

    outlook

    thunderbird

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    808

  • svc

    memtas

    backup

    sql

    sophos

    mepocs

    veeam

    vss

    svc$

Extracted

Path

C:\vp3bu-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion vp3bu. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BD8DF666A5CED4FA

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/BD8DF666A5CED4FA

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: M9hTd4xcCeSQf4paGjxcMTtSADuzQIgJ6kHptrssukb9NMN99DTqA6In/lX4FQs4 PUl0LaW+gvnaR0jyyiBFe3kY8CaG8Au9Kdo5DxYX7TAfdsjkfZDIIzYrRctv9M/J ESBVzsBxnOOKfoO4rZTJjTwsb/rmlZT9cw3P7YjmL+fM63yNrZMl6DALwrA2wX2F pV3A2AO9Xda9DcmNwaIDEYRBGLtTZTyjE3tKY4rr52UtjqAI0fyT9KXxlHJhEdtp eSde/MdapEyyj4dtZM49D+OqbFxdwErnyyAFOzHqEOiDwFvpXsZsToGqnir09OXS +2F03220ZfBu+cpVcdpoah0vH2av7E25uQ0LJDkRT0jSbDxVHuyxLFbd63TcD3LW 9p+5eVcUvqVq+D3sjDINfy3+nBhIMBtpRCN/ptTxHk5Zg17idQrz/6FBdHFvh384 6NOKaAGjpfBsK5SOMDXDV/tlI+vRYPYAaXF4bNWW477liRX10NLY2xlCBU+qOREw JPh9WkLbtGliPBaJ3ky+9UNxMD076I+CxNV3/mVczyCAxsDx3bSlsQKUnMTAreFs TqK+OFtvAwJDW5NkjSO4zliS/xiN8FfqXwlGO4MBy8DWEMMgxb2t/csKIm8khX1s /5g6wbxPwu6/A25B0sCMZPPgh0p/LXJMKkCP19pvxgVmuxH6jYDtcydr9XJPBDll EPKH1JOUyseJ2WC63OV6HR95GFeIE0cqBN1ykl5FqR9rbT5wC5/rSTPM7Lc71YJE 97x6zluF0JX3YoMuR+BIPrTyESRdWMuiwocK8CVVOAIvUdvT0Gt9mSryGMRtLN13 u//S0okS7AGyt3HgmJ7KgtMgwa4uYI7cB8JCajcWLBZFN7SjF4Ua29OaUnOBE/zX QDJ+kRBOn8XgXrYI2bGGlQ2cdfQ+xoO/EaKnOP0IPxex2XuzGuTJL9NnzXuh0F/R y64RdwV5J85oq25Dnv9b92oOfXfHf2iPaE8UqP6+HHaBrX4dLGGEX4lNccMMKd61 VKIvTb4WlB/rqf/1a1IIYJ+IG/PxevnzJNUec3ZJiaNN4TaaGWUdR9X8co8smzFq lcbtZIQCga/YlknlN/k3bkPyn3Irxm8/p85QYcux/c9gJTwTpsh4VOj01al9bm8F
Extension name: vp3bu

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BD8DF666A5CED4FA

http://decryptor.cc/BD8DF666A5CED4FA

Extracted

Path

C:\fkr31h99x-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion fkr31h99x. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A124055E5D1D8F65

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/A124055E5D1D8F65

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: loObyBSqgfhDwGhJxtXX/XjsQMBIyRhNzDVDN7DtJNRwYu6K2x5McueO8DMBLHHK GNwP/3gGUQ8SNC5dtjfHXA5InzUFxXJimuIq08J2R8SNQxbbnD9DEEFuiPbMMk8k zfe6HdXkIOrDWtNIEwrv8NZU4q+giUa/BBxEjsMyOQj/fZ4D36PIdcaM1fEJosJx j+XAvJayMllWmNESsCsHkmTFCemiNS+E2OHjpvY8KwL873Br0/Hsuw95yXQRTYXm /E0DHAccIWCC9ZU8Y03ghVBAwhcskGti4uox0AnE/HSo9psOjL1BDiBqaKit/21l jxeyGTBLYl0xwzz3JnwE73k7vcNz+ZohgEmEmwt+CrlvA3vABOiEESSXtPfxctBf JO9YfoEiMWJ6onrj377iXnVnPjokwjJwToQPehQtO65RudXZFvddoerdI6QpBV7c ACXmdyMrc25exl0vl5lYuAur4WwqIkePGEolVyVZj9lhPNiAX61FJ6P+dRS1jk7k pxMm8/tVRmothOwXXpZOlWw3Io7HBnq9bx8yBBILsgH3T/i7Nm5nYnhtASMKI1v+ GBJ0lRZuDykfCTkX1QzqdZhoBz8+gkiwIaEIa9QRt04AKrOdH+5vAb/Mp1o1CIB1 HfzSFQsRZGglmN5NE2nO6VFrVrWaGUwBPx6PZqPPtn68OUTPh9iUkRmpy822BR5n WojeTE4QdzZagh0BOQpwc5cBHmCykRoCU29AT8BDTSYkGnYlcGe1qRr42Hdy2KLw TjDJG2uq5mt8PYcUEeMXVxu4rr1yb3pXmtywz9Etwciypw0Zx4R0BAUpat8ZkIVt o2aCrYNGW+Vz06VIBomfW59PqmsjUFvOyN5OkNQtVVgJ5Xat9zsQfg4RGbGA0/va FFi4DzKOT/8uGnJOQmaDFoXMji9+7fEowoKnhD2KSo4ZpV1q1Qa5+1/aUK60oaUN mlJomUCdANAT5qSdlc2LExAcTiQ9MOEMELlxXPK7V9nZWkyxmBOzkHFQgtUCS7t3 yh1S2aE/Bt2M3fv+7+VF36lSSYanaZBm5H8P8wR+uwo8a/2bFcmIKNhQlOfKhkxe Wor6F40ImIOtTKqYNy5+5qtP0Iy2ExVpS3PeOp7qJztCqvQElVg8wsMbF2OpdzHS
Extension name: fkr31h99x

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A124055E5D1D8F65

http://decryptor.cc/A124055E5D1D8F65

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6