General

  • Target

    e4e37b0aeed1c936b5deff847927f6ac1de71e17588baaf7f193e1ab1ff88e20

  • Size

    164KB

  • Sample

    220124-a6d84sghgl

  • MD5

    75d6a77eaef1bfdf9477aabe6bbc11e2

  • SHA1

    63a87faa4dfa557dbaa72bfc5222a04328259fa5

  • SHA256

    e4e37b0aeed1c936b5deff847927f6ac1de71e17588baaf7f193e1ab1ff88e20

  • SHA512

    73c866bef10f8bcf1d03ee4c8c898dc251217e35e3f1d1cb1b4aad4c9aabf3e93757fb0428b5da61359d6a73a3595aef2891ae88955a6c2be0a70044141a92c1

Malware Config

Extracted

Family

sodinokibi

Botnet

28

Campaign

1467

C2

Attributes

  • net

    true

  • pid

    28

  • prc

    msaccess

    isqlplussvc

    dbsnmp

    mydesktopqos

    excel

    mydesktopservice

    onenote

    encsvc

    infopath

    oracle

    sql

    winword

    ocomm

    tbirdconfig

    ocautoupds

    ocssd

    visio

    thebat

    wordpa

    agntsvc

    firefox

    mspub

    outlook

    steam

    dbeng50

    synctime

    thunderbird

    sqbcoreservice

    xfssvccon

    powerpnt

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}_Wannadie.txt and follow instructions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1467

  • svc

    memtas

    veeam

    svc$

    sql

    vss

    mepocs

    backup

    sophos

Extracted

Path

C:\thimaoc_Wannadie.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension thimaoc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D1059C3934B3F559 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D1059C3934B3F559 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 17gHElxf1L7F1G45jAyp8jieG04RSndn9nT2LN4HkZstIPwipQcm0I/0CX88rqFg SsXFgKhLypgWYnCXVaTsujI/qxIALuTrS0kTjlEbkdTy6hSmqS2Vc/O7ttLmApGd Y1yBB1RX6LGOEoH59kD1FZZhMzmBnDLDecoHkgOF6u69n+hSwMF8IYmRNPmLngK/ plmCLQRzLJK8zd/2vYNd5RJakgcvwJEVMC2t0ADUxuyskMzet0HCSjrPZLQlRa28 6oUG1ZGM7NpuUZcCeiVH/VqaVEcxf235Y2rf3onZeP3ga6d5jb9vu6PrWaHOpm4T CHyVqPt/XO5lvA9gw1XIErxa+CVzi7TOWQl3Vycfo/z3udaR6fjF39p44/1xOVxD NJlzFPIBm524bGyZ48Mu3YIfVo0FHvZM3DXGUSY9WPymEbuKUzvkQdVj+JnFwYMR jf7dGlEvmBVrOdU6DNIKXaxXWMfYsawQVYjfl3AF4RdKx1ZMxWVTw+cZ30V+ZuwK O2ikNWiECrcg3qjmwldaQVFzjvWwdURZdIqZO6m++D0aTIA4HWyOaKta/1hvGXBv q3OCenf7CLyTtY4RkcaGKGTgrZGB0LU0c39hRH/6A4DYg9e6OpZTBF35+/HheATK Af0M3C21eTOeRqoD3If+irWgxs9QytRdSg4LkJXf+ch61AvtqBJNg4lJuUXdDK0s miroONk8hVggNBN2+2ts0+4uRHCxfaUC5yFnyhqFgbTF7iYF3+t37pqEp088OcWs u6kPP1K0TiLUQ6+u91CO7OIAWGttk+iMdE2jheuj0Rn7QEksnbBLLadZiQ5S0ZJJ 3eMYeFqHCypK3c6+B2dB3BSRar04HIqArCyydanzx30WnBVwcctQDp61yTBosRRk R6xcn0eZgp1QU+dVPkkUK08QGOHFbKkVq4j3zX0WIgSNGVaX2eiwfvnhYrMOMgVb +FtWxBhiT1sFE/1CG+7SCDDflUa7p22Wq6LJT1xfJciK/4CxyxkzFDepMRVd3dW5 MAATP7j8A5BgGhJRe7RSt0Mu0/ggYI4trZNA78KiwPMnOF/y4o/w0gqvUfOW8e3v 6C7gsjCJ3ZM2fWIk8UQDsDB0l6vBBf+7AFPW9lJ7nF61B5sTf53cRNVdDlHNORng KHRSaVaS Extension name: thimaoc ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D1059C3934B3F559

http://decryptor.top/D1059C3934B3F559

Extracted

Path

C:\2srre87_Wannadie.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 2srre87. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8B5B166F6975878C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8B5B166F6975878C Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: sojWtOra6kwcS3oTZFY/r1UDLKsMOF4Y3MimsXzCnEW/gCdZrl3e2C/rseDLO6Nl LRUQLehdhZEX60HBN5NjrYQRwbwXhkvxkDwvlLaVnWQ7eiMEAESPKxA3cCHo6Dg1 rj/9BgCjbg1ZBHIY5fFPOLQJ1uc6MgG1nzazXYV0IWogbfXUD9KMN91xKGwaSxsQ ZsFbVQusGgDDpVy8fZzwfjfDzgAF+2OoH4WT7rK53+7saXK4PMo97I/2ZvYzLS/6 aCu/BKo93ARNKvacSJtbxxGu7du86a4TAOPNAqArlYWZG9LtgZhvZrWLJSeH8DZj 1I2T3ImssBfgx3RyxaT78RrJJTK02XEeb5KMwDbCLeTliEy82d3cJZPxtTeGno4J urwT/AM4SFEw4weLnZrvjNap+DHFRLy80D44UE49cSUEbHTelDNgwSBwbgXgy8qX k0QEJGlARVmHeX+IkNEQl9tXKTqHTlpTe8ykykD4Qsr3WV5EdOFs+j3MAtZTkeGG MfPe28nm3TBnizUYFPgtv0kBMJ8o9qMkDD4bFcnTyiTBI3P7twI4PchDDiyUrmg7 F6l69UBKSH3wRRE1/8Dj3BHUi8rsX2VgjysS5CSd9RRhYt+lnT2gN5RE6aFsQ9Dj shWKHX2dleAVakQeuA183VxM2oL+pq0DCswfftMSYXhIcRkQrRwyAShFH+TWcA9B C1xuB9Qcvc/mRwdpjNmUbh1FpzMmz4MfPX2DpComiU4Q37odCEFhJrv2uJq0Z7Ct tiU9zVa8N9jh4QLmUdJv+ENl+N/Kzusc4q8qkuN5r/wLFr9kF9ay1UCJ8Dgqg2VN PlkV1LxEx5+VymQj5Gsyi7z+ImNrYXGQpLTIKj/cv153raogD0Z8OCRGn4jlNySP hg2IZutjuwn1d/gCWurDeUe5yYzg7t4XHviXrWwwyftINA1CEMy0gVCvCa3wRPar ujO61jYeFTsEDoRaTiqyG7SBWeyp+tqvLi4Kl31yAg+IDlOvVyJuqF/IXTcnPdUh hLYFNcz6KxAkxIftiwfr+3xumf5qCHtCX0juia6g2nXIWxbCazkQt9Exjfdp+RmG nYPb2WMt0LMe6q8EkJO2NNFduvO7/A/FDghZwcW9GYKi2lH516vYCRmudCpEOw== Extension name: 2srre87 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8B5B166F6975878C

http://decryptor.top/8B5B166F6975878C

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks