General

  • Target

    da2aa8adfa412f7d0a6a31f9bb67efb4baf7c0d9c1164418272771e3189cd326

  • Size

    207KB

  • Sample

    220124-a9rzdahaej

  • MD5

    92282d13690015ddf3c1f9bc969e7f0b

  • SHA1

    87cbe493d820aaa6dc8e2310d94d54efd419c594

  • SHA256

    da2aa8adfa412f7d0a6a31f9bb67efb4baf7c0d9c1164418272771e3189cd326

  • SHA512

    e59330abec4ed3d9b838f58629731aaf8645285fc51b354b205616eda49fa302c69596262e2abde77d592abb7c1867774d72d27122f3225b039bdbd5920ff015

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

Campaign

3385

C2


Attributes
  • net

    true

  • pid

    $2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

  • prc

    thunderbird

    thebat

    msaccess

    mydesktopqos

    ocomm

    ocautoupds

    outlook

    xfssvccon

    wordpad

    encsvc

    excel

    agntsvc

    sql

    winword

    isqlplussvc

    powerpnt

    ocssd

    dbeng50

    synctime

    visio

    sqbcoreservice

    mspub

    tbirdconfig

    steam

    dbsnmp

    onenote

    oracle

    firefox

    infopath

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3385

  • svc

    veeam

    backup

    vss

    sql

    memtas

    svc$

    mepocs

    sophos

Extracted

Path

C:\8h1800-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8h1800. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/420D1A24C0647F3E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/420D1A24C0647F3E Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: [base64 key omitted] ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/420D1A24C0647F3E

http://decryptor.cc/420D1A24C0647F3E

Extracted

Path

C:\gi87x69el-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension gi87x69el. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1F946550DA1BF7FC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/1F946550DA1BF7FC Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: [base64 key omitted] ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1F946550DA1BF7FC

http://decryptor.cc/1F946550DA1BF7FC

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 3

  • Install Root Certificate (T1130): 1

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Impact

  • Defacement (T1491): 1

Tasks