General

  • Target

    e68838849a831a51c49737ec096e2bae80699b75f6b33080a211d53ea6cbe11e

  • Size

    166KB

  • Sample

    220124-a5wf1ahab3

  • MD5

    0b0e9f1e80edf08d61cf3a7684f90294

  • SHA1

    578af8333b3bb982a46d2b5d829e1d3da4aa0f89

  • SHA256

    e68838849a831a51c49737ec096e2bae80699b75f6b33080a211d53ea6cbe11e

  • SHA512

    52edc319fe82abb216eac1d143e4ffec26d2d8a66290c3a33e35dedd8ca7ddb365017b700c9dee120fd61178b2917bc98a3a1d456c3a3153116480801842d47a

Malware Config

Extracted

Family

sodinokibi

Botnet (affiliate/public-key identifier, the same value as the pid attribute below; not a botnet name)

$2a$10$pdY064jSnIFasY3UEgMHhu9aHtm21BdbCdxxsxrdiUA1z9SgQxDYa

Campaign (the sub attribute below)

4097

C2 (dmn list: compromised legitimate websites to which the sample would post encrypted infection statistics; with net set to false in this configuration no such traffic is generated, so treat these as low-confidence, context-only indicators rather than attacker-owned infrastructure)

eaglemeetstiger.de

grupocarvalhoerodrigues.com.br

naswrrg.org

evangelische-pfarrgemeinde-tuniberg.de

geoffreymeuli.com

vesinhnha.com.vn

bargningharnosand.se

promesapuertorico.com

nestor-swiss.ch

zieglerbrothers.de

baptisttabernacle.com

minipara.com

ulyssemarketing.com

paulisdogshop.de

entopic.com

ai-spt.jp

modamilyon.com

licor43.de

sipstroysochi.ru

xn--logopdie-leverkusen-kwb.de

Attributes
  • net (send infection statistics to the C2 domain list; false here, so this configuration does not beacon)

    false

  • pid (affiliate/public-key identifier; reported above as Botnet)

    $2a$10$pdY064jSnIFasY3UEgMHhu9aHtm21BdbCdxxsxrdiUA1z9SgQxDYa

  • prc (substrings of process names terminated before encryption so that open documents, mail stores and databases can be encrypted; entries such as sql or steam only make sense as substrings)

    xfssvccon

    ocautoupds

    infopath

    visio

    msaccess

    tbirdconfig

    synctime

    excel

    oracle

    sql

    winword

    thunderbird

    isqlplussvc

    sqbcoreservice

    thebat

    mspub

    firefox

    dbsnmp

    mydesktopqos

    ocomm

    dbeng50

    mydesktopservice

    ocssd

    wordpad

    agntsvc

    steam

    onenote

    powerpnt

    encsvc

    outlook

  • ransom_oneliner (text set as the desktop wallpaper; {EXT} is replaced by the per-infection extension)

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template (body of the {EXT}-readme.txt note; {EXT}, {UID} and {KEY} are filled in per infection, as in the two extracted notes below)

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub (campaign identifier; reported above as Campaign)

    4097

  • svc (substrings of service names stopped before encryption: backup, shadow-copy, database and endpoint-protection services; svc$ and backup only make sense as substrings)

    memtas

    sophos

    svc$

    mepocs

    sql

    vss

    backup

    veeam
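The svc list above is what the sample stops before it encrypts, and a burst of exactly these services stopping on one host is a usable detection on its own. The following is an added example, not part of the sandbox report: a mass-stop detector over Windows System log Event 7036 ("service entered the stopped state") records. The log lines, the 120-second window, the threshold of three distinct services and the display-name-to-service-name map are all constructed for the example; Event 7036 carries the display name, while the kill list matches the short service name, which is why Volume Shadow Copy has to be mapped to VSS.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service keywords from the sample's svc list. They are substrings: "sql", "backup" and
# "svc$" are not names of any real service, so the match is case-insensitive containment.
SVC_KEYWORDS = ["memtas", "sophos", "svc$", "mepocs", "sql", "vss", "backup", "veeam"]

# Event 7036 reports the display name; the kill list matches the short service name.
# Assumed mapping for the one display name in the constructed log whose short name
# differs (Volume Shadow Copy -> VSS). In production, build this from a service inventory.
DISPLAY_TO_NAME = {"Volume Shadow Copy": "VSS"}

WINDOW = timedelta(seconds=120)   # assumed correlation window
MIN_DISTINCT = 3                  # assumed threshold: distinct kill-list services stopping

# Constructed System-log lines in a flattened "timestamp host eventid message" form.
SAMPLE_LOG = """\
2022-01-24 10:02:11 WS02 7036 The Volume Shadow Copy service entered the stopped state.
2022-01-24 10:15:40 WS01 7036 The Windows Update service entered the stopped state.
2022-01-24 10:31:02 WS01 7036 The Volume Shadow Copy service entered the stopped state.
2022-01-24 10:31:03 WS01 7036 The Veeam Backup Service service entered the stopped state.
2022-01-24 10:31:03 WS01 7036 The Sophos Endpoint Defense Service service entered the stopped state.
2022-01-24 10:31:05 WS01 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2022-01-24 10:31:06 WS01 7036 The Volume Shadow Copy service entered the running state.
2022-01-24 11:00:00 WS02 7036 The Windows Search service entered the stopped state.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) 7036 "
    r"The (?P<display>.+) service entered the (?P<state>\w+) state\.$"
)


def matches_kill_list(display_name):
    """True if the display name or its mapped short name contains a svc keyword."""
    names = [display_name, DISPLAY_TO_NAME.get(display_name, display_name)]
    return any(kw in n.lower() for kw in SVC_KEYWORDS for n in names)


def parse_log(text):
    """Return (timestamp, host, display_name) for every 7036 'stopped' record."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("state") == "stopped":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("host"), m.group("display")))
    return events


def detect_mass_service_stop(text):
    """Return {host: sorted service display names} for every host where at least
    MIN_DISTINCT kill-list services stopped within WINDOW of each other."""
    by_host = defaultdict(list)
    for ts, host, display in parse_log(text):
        if matches_kill_list(display):
            by_host[host].append((ts, display))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            window = {d for ts, d in evs[i:] if ts - start <= WINDOW}
            if len(window) >= MIN_DISTINCT:
                alerts[host] = sorted(window)
                break
    return alerts


if __name__ == "__main__":
    for host, services in detect_mass_service_stop(SAMPLE_LOG).items():
        print(f"{host}: kill-list services stopped together: {services}")
```

WS02 stops one matching service (a single VSS stop after a backup job is normal) and is not flagged; WS01 stops four within four seconds and is. Tune MIN_DISTINCT and WINDOW against your own backup schedules before deploying, since a maintenance window that stops SQL and a backup agent together will look the same.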

Extracted

Path

C:\e5ns3rt7d-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension e5ns3rt7d. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D4444BEEED12627B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D4444BEEED12627B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 4wEVOoVE+pJJIpa/KaTL/LpjWZzyit7hkIMbiycUuJxe4Vx3yj8ed+vtQ5L70HK0 h5FUGAEzUrAWayJWpkHkmeXNhuesoQOGC06xnMG3RyXqLxh4zyJXXfNRiBG00W0S kLFXYNgYi2d1BilOh5sk2jpN/J2CgXKdO5XT2fghlFQujyjM424kqA3AkAQXnnnw UqQ2G3JWVO9AN3RKi3aLysDq6cXBwdm22b1yu9Hd7pHYFrkSb1uOG7SN7nwSstRW GYfYIKAxc9lnHqwcZnnWlEDBnFniV87ChCgX3Mf4LNRg9ktlSxIaCfdbEsZEpJl+ 1Ubo/Bqxs0YjmE4M1upbcdYYLeKZFGRns07Qqt/LKHyDPq2ixpzsv/wZ2kJiI0fM j4gU12CCd8Yj8dUzPX0fCl6VCCpDAEC6WEKOZKZ6GDpOZGALSCgjAk+A0oNtJlQ+ 6vn/kogsqkRQ80ZycOE6WvNIwWomHx8AvFVFWJ5H7j1Q/sSlvtrXpcqGTrPVvMkc 1XFIPIFLOuHGSN0WI7ECKvL7cjGzfyfwsv5UlwYCHjijcp7UkeRFCNwrIMeddw+L LIDOtYFtyQqycPXFbEUllOgt6bZF1YRbJb+azeoZfkhbnDkznILi2shnlkFGcA9r WLb9SXRTZEfVq5Xj3gCOdfHuleYANgXt54LA1iXxT21YaX0Bc0UubUh7ds74Fxsd nmDaIhcghasYoEeYLku8HOZ0GCOc7woGNk/oKJlLxMSm4ceznwRJ4twGtXne8xIS AAQfP+JHGJ9j9quQshNSRLb08UwTp/n1Gl366ayd/Jj+DbDpfhLVKBAGnuEnnjsN wHs/UUYQX3C3mNXzw40aGr0CwwcUbi/vd+6rVaQIISMdVwVEhg4o9VuSwmVPIdI8 yvQH7m+MVC6m65erR/7WTtvHGY3Z+wp6E8zg5pChHroNoGIl51RLc0Jm7+VLTsAa 6s+0XPqOYAC2PM4KE9/biR/ZQ5GRUKzn7GHPyXVbpHpMAtkPv9x13fjc0PpmOmUe Yysih2XE4I8JY6RJHJaw7Ejq+Dwbe+/Xw0Kth2YjE2xNa6Pzu16l7tlyOBH+Wp+W csV/UehjuOCeQ4O0PY7ZWSPGTFh6oj6G8vWMAgyy06ium8TzzQyoVS8c/8K2eBUU tNimEL0w+BG+MNmHLokrC96Elz3gTCuqij1m610U6E2j4tdIMGtjBEiwqYbrTLNI pRESeOPY1w9RPCrZV2eOz8rZ+WGK0fVH4iE7yReX/tRRhAdVzkWCO8tbO6eWZ0TV IXYgkfjvIfsXLQr2jLmUFxsEGMj9Q63Wn/WExMhM ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D4444BEEED12627B

http://decryptor.cc/D4444BEEED12627B

Extracted

Path

C:\r72hn8i-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension r72hn8i. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C5B65160FF185F18 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C5B65160FF185F18 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: FVoGwBHoyH8rKgV29djDKGOuo7D2QuA+GAvV46ecpvTl6Fmz7QhX2aQ0n3NGwN1J HYd8VG/SgAH77jCQW4qOypc52rhusUS0vVVdGA5DXpRqzn4GhYSd2d+xXYMJEUOv BhH/1UuZ6CpRF2i6eRdjyX479+/HplYzhs2rw+FjQqJft7sz0uz3yAf4oxT8BEm2 2FmcvuBhea/zCYEDweQZ5nf3vE8Yt1clMaqoyndUOMRysJpeZ6ewkjzZhD2OaZ5u 6sTGbM6GettYlzdEVnMnsQtA27cYAEQBSS93QGq7YB/OJQqNPRjoHgMOEC60Jn+a pa57Z/wW6etUG+vUhXpIyHU+xrAJE1pUee5YEbi8/fv8bQZ6AqhS0StjZ437BhXJ 9YCEW3IuhdolkO3m1B+bA7uP74C1kTw4yDIX8p7AXF6JDLAmEL35CLIkhEZ1deXV +ZqJ72MrZdU7zDfabFD7Pv5NQBvWtUm9i+A4anPqt0/JjVeHz/y03e3XLxOZdwuG BA5tAFVyV7IcNKz9uHqeecOOrV6EKYfbo1ZTkhimZUfrDZUk3GWQ9B44hdDWc+8u AR79Nee0gb5uLlKB/QoFdBSrIqoxuesIGgJv9ESYNt2Y+QCdy/esMhnZRGpLmuys UDLVjt5JVhOiEo0uJkh6os0dXg1FSKEv4aR8O1ee8xB7cL+UTRbFWBO0IIEVt+lK WMJIMw7+cYWfw3qdO9BGYCsR8uKFpRChXMimMMBBpTsNQcprZTddv6uSohxugbl6 mbH7zjX+nbZt7BMu1vux9Qw6jRQEtMT17TxrHOMAopCbBFnGdBh4siW0byej2mY1 SlPG6U0yiQ0O/YFGCkiXt12lMETdKfiUKfJOHqcLlgLWGq7XjCadjtVWcN7CJyk9 tR1Mtqa7RVAWGOGfS06Ewudmwmqy14FPWLcyPUt/xXb75IGas7I9gSWga/Uiz9cI FDDeRoD2erax5Xw8jcOaHXcw+AXkmxWFgglYxruxd/OKla+5o2ccqRSGCEt86Awp ovURY3jHyNavUFz3hhbyTMpWv59LZacexGFB9RpQtN8ILEdazBW3YomWz/vccPfr 86HpSFtp52VlZ0hYGaZ85fL2bgBChdZoq6quVFawXEf7cBzqcIcuCPFX1gebyJEK 8c3BEIy6dhuFv+GaWr8m1wTtzrjY7i+kdh6zTA7JQ6VgbEslmxKHbnfM/yDW3ihS u3irxGSajLDofc4t45TaDJJFZF1+wvXUsz/5X+HxKVc0iY5cx9Lbob0m9U78aTnE newaH3T9VaHF90kqvn4U34lZ ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C5B65160FF185F18

http://decryptor.cc/C5B65160FF185F18

Targets

    • Target

      e68838849a831a51c49737ec096e2bae80699b75f6b33080a211d53ea6cbe11e

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
