General

  • Target

    fc5b75fdaced81d3c86db1859c5dd1cbd0bfffa569e7e9fd1c48c63d1f962c02

  • Size

    164KB

  • Sample

    220124-az85xagggj

  • MD5

    04371539d80e8a08372d3d02ad1a8350

  • SHA1

    eaac845a1f144a191a7c58ca55d85cbfd6dc50b9

  • SHA256

    fc5b75fdaced81d3c86db1859c5dd1cbd0bfffa569e7e9fd1c48c63d1f962c02

  • SHA512

    8cd569d70d953ba1aeea36c7fc9391e78e86b1d6a8eab4a01de3a8d3922c741329e15338eb989f33e3bb9e118f7cc1fa31a473d820a4444ea6b1a5f0c8cd9ec4

Malware Config

Extracted

Family

sodinokibi

Botnet

13

Campaign

963

C2

sweetz.fr

rarefoods.ro

docarefoundation.org

cssp-mediation.org

julielusktherapy.com

queertube.net

wribrazil.com

ownidentity.com

charlottelhanna.com

molade.nl

phukienbepthanhdat.com

coachpreneuracademy.com

ikadomus.com

hinotruckwreckers.com.au

wademurray.com

test-teleachat.fr

breathebettertolivebetter.com

perfectgrin.com

tages-geldvergleich.de

apiarista.de

Attributes
  • net (whether the sample reports to the C2 domain list)

    true

  • pid (affiliate id; the same value as Botnet above)

    13

  • prc (process names to terminate before encryption)

    sql

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub (campaign id; the same value as Campaign above)

    963

  • svc (service names to stop before encryption)

    sql

Extracted

Path

C:\116bp-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 116bp. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DBD4F15EBDFD2133 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/DBD4F15EBDFD2133 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: crf9meK3qhz7+h/HITAFtZzKInB+nqE7B0ywrTkVb24HmGyP5K5Go3McnE9RSwYG eDP7eaqcJgznIzcXrq7N4YZ+J0pd5Tp5Zw22geiRSzIaR7t+26MuGlZSViqw0/9s tK3/BwIXSxebRH+EGX0nvv6aBp7N2aoEfqEy9z227KPVQgPkZehi3+KU/GOaecF5 VuK+HyYM6YqPqJBB4x2ejGfbf1WFcBONwI0hiouiLmA2SpolWNmaqtqNJ1SbMyyM 2IVRhVdzTN7rzBxHD84BGvbh7rItChoMIjl3BYiQtjhBQdeuABK0IcDcHwSpqEut ar6RDFO59VGJPPCh1kuSCe/DS7e3J8kcGypI50yzXLwN8/JPga6P0qsXvIWLJFo5 TN1cjVQ3fbmEp5DHGRZohbJ2nhwZHC1WRG1S5vgqPwHwkryf/OKr0yQYU+ROoYTS PxkXyw4CShkSal6gUGP+/27AI0jqoZzhu8ecFdCkCgBFhGYhdNX9vmCLsSHkSODH NzGIx1wt995oMnKn+6g3KpSbKQkq2KBiMiJ/sj1dKwf3uwcn7+/qakThsW9JHT1I +LBzXCyObkaXZapK3LL14eAGyXDjw3AfSu5lYOvXjgTv5XyCKcFUWtcvmlT1Modc rakIgzS352CrRkD8jn/P32yx55XPe7ECV0DuA3jrhcfNVVJacgwLBvjoKdaj0rS/ DTsi2s23ThTqvThausaynWlZFFwx++YIVR8ABeetRkiplWs+ycahMPj8+5goSIov sA1/CvYmkMFHl6vCxf01bm/miqEzTCWVDxCq05bmqY+TI4T47GXlYQOCwkDROSEI lJOKKyCMk0mO1vZITx4t7IPLRPoffnBgic3lcQehLEW3RYzEQ3Qv00/OMVgte+Fm v53KZvaRfCpJMPOuUwnBrEyH3Hqcpgjh6gQqDY98ieMfE4GzdA9nvS+yjI2STB8E 1YOaQ4jazenPFYMFZ33WGAS1CgihkE3LGAJ6Yd+Avllom2fL4DRgEHxhQ58ISoOu TBf56WZ3E/7wFYevmlx1Rpm+TJAPTthJ6hKNWVC8j9bjXZvRIumDMtsSjGaT5XGM XMj1jExf+ZDpvYsz+ts2CJgJmETYaDTM1lpHVG+rPES3CassRRBBgxqlf0RucetE Extension name: 116bp ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DBD4F15EBDFD2133

http://decryptor.top/DBD4F15EBDFD2133

Extracted

Path

C:\3s4w67-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 3s4w67. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A6CDC5FA0FEE79C4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A6CDC5FA0FEE79C4 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: DaksKOYZMvXvfsFKfNJBqdPbJ5KxsihHnpJ3dtNDhQq0MS0gY2h7IgtOTTs/9dCV yQ49l6j2wXNemrw9KCnlxAXF1D+u1As+x4uebt/kEU2M5ymlAt4VKPa/cN/N0pvA SIcw/zcgRgXfpAKgEIKVjstT1SfFIhiVAkVfwgij/ENKa6vZCTkJfZVqPdK4NWuV L/WpgTl4qrDVuqDIxtdlU/9xI2mEjGk1jrjcjMecFJ6iNKG8Jtl/1PNeeHy+HnAn EfgF4VnnZQnij8JZb5R508ShEBPIwXlsBIX2rztThPx/tOjpnwtyp8qzq3u/FNk4 Nh/4/EUllb6NXnYasm1PXTtSD7+uq922pI/xFRztlmSxHPmAmbiLuDc+sizLcBI/ WAtdEUeuqnhaetqZK6pqFpkKWdBNkdwk3bovP9bzjnsAsHZXHa8RKnuX4Sz0MpB0 muKzz96f720dm6rracS/5oBrqbYh+ukzCkFNeYrBSZB20zkJb+xJv894tCcALGtv hC+uPqDRh17NSZYXu9zPnWukeGqapZkhEiQXa1PBJL3/r1cH1m/TVdP8oiZceupX fMlplqnY5I1r+ffFdqXIrQeePaG5rW+OdOK1nKkGfNPeYuj46tXN6ST7zhP1StNj Xg6q3pSioYvSAaQzVhyILfVn5FbitTHqUUtOKPZXnVDkjVWMZ7syEHMiEFE3caAY XZHhi6w4claT0nKSDZHc/x7cDPTGoVlXtOEMmS9ctdrBdgLMnMhniv5p4W9bLT75 KyaVKAx04Tq0tvgYmIeh3/dRgTRAafSrCww1dxuSQEuIS0fpNJy7J6mwbdieSwl4 cgtngEGlPOMfe3Y8ifBoLOIffHpw3ajb6mejldr7w2QrCurtkC+2/kON7lj1fYxR y1Cpt50RL5cFMHdJCrABdhT5t6BgoW3r0FxkBtXGymsaQcTu+2ZPhwfJd3Fhd/nF kfUnVqVU7hSec4E7Mr77w83tYIzBtz4ugB0L7hGyJ+hhZeYJycm/1cpZeVaOnUoO lp20GckH23xFYs+eHuj56PgBaWqihMeSU7I0Jd6+MH0VmAIKUyr9FB4rY0TFbAtn MRd44iJJb3EfQNPMe57zXmKJmGdFVKyz8JuSKRM/tOxpASv1lZKl6Ayb Extension name: 3s4w67 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A6CDC5FA0FEE79C4

http://decryptor.top/A6CDC5FA0FEE79C4
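The two dropped notes above are the ransom_template from the extracted config with {EXT}, {UID} and {KEY} filled in. The following added example (written for this page, not code from the sandbox or from the malware) compiles that template into a regular expression and pulls the three fields out of a note. Repeated placeholders become back-references, so a note whose .onion and decryptor.top URLs carry different victim IDs is rejected rather than half-parsed. The template here is a shortened copy of the report's; the extension and victim ID in the sample note are those of the first note above, while its key is constructed (the real one is a long base64 blob) and the note-file name is derived from the ransom_oneliner's "{EXT}-readme.txt".

```python
import base64
import binascii
import re

# Shortened, constructed version of the report's ransom_template: the placeholders and
# the literal text right around them are the report's, the narrative between is cut.
TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your computer has "
    "extension {EXT}. "
    "b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "b) Open our secondary website: http://decryptor.top/{UID} "
    "When you open our website, put the following data in the input form: "
    "Key: {KEY} Extension name: {EXT} "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!!"
)
NOTE_NAME = "{EXT}-readme.txt"   # from the config's ransom_oneliner

PLACEHOLDER = re.compile(r"\{([A-Z]+)\}")


def compile_template(template):
    """Compile a note template into a regex.

    Literal text is escaped; the first occurrence of each placeholder becomes a
    named group and every later occurrence a back-reference, so the note only
    matches if {UID} and {EXT} are identical everywhere they appear.
    """
    parts, seen, pos = [], set(), 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = m.group(1)
        if name in seen:
            parts.append(f"(?P={name})")
        else:
            seen.add(name)
            # The sandbox flattens the multi-line base64 key with spaces; the
            # extension and victim id are single tokens.
            body = r"[A-Za-z0-9+/= ]+?" if name == "KEY" else r"[^\s/]+"
            parts.append(f"(?P<{name}>{body})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts), re.DOTALL)


def parse_note(note, template=TEMPLATE):
    """Extract extension, victim id, key bytes, note path and payment URLs from a note."""
    m = compile_template(template).search(note)
    if m is None:
        raise ValueError("note does not match the template or its repeated fields disagree")
    ext, uid = m.group("EXT"), m.group("UID")
    try:
        key = base64.b64decode(m.group("KEY").replace(" ", ""), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key is not valid base64: {exc}") from exc
    urls = [u for u in re.findall(r"https?://\S+", note) if u.endswith("/" + uid)]
    return {
        "extension": ext,
        "victim_id": uid,
        "key": key,
        "note_path": "C:\\" + NOTE_NAME.format(EXT=ext),
        "urls": urls,
    }


# Constructed sample note: extension and victim id from the first dropped note in the
# report, key made up (96 bytes, base64-encoded and flattened into 64-char chunks).
_SAMPLE_KEY_B64 = base64.b64encode(bytes(range(96))).decode()
_FLATTENED_KEY = " ".join(_SAMPLE_KEY_B64[i:i + 64] for i in range(0, len(_SAMPLE_KEY_B64), 64))
SAMPLE_NOTE = TEMPLATE.format(EXT="116bp", UID="DBD4F15EBDFD2133", KEY=_FLATTENED_KEY)
# The same note with the secondary URL's victim id altered: must be rejected.
TAMPERED_NOTE = SAMPLE_NOTE.replace("decryptor.top/DBD4F15EBDFD2133", "decryptor.top/0000000000000000")

if __name__ == "__main__":
    fields = parse_note(SAMPLE_NOTE)
    print(fields["extension"], fields["victim_id"], fields["note_path"], len(fields["key"]))
    for url in fields["urls"]:
        print(url)
```

The same function applies unchanged to the second note (extension 3s4w67, victim id A6CDC5FA0FEE79C4) once the full template is used, and the back-reference check is what catches a note that was edited by hand or mangled in transit before anyone pastes a victim id into a tracking sheet.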

Targets

    • Target

      fc5b75fdaced81d3c86db1859c5dd1cbd0bfffa569e7e9fd1c48c63d1f962c02

    • Size

      164KB

    • MD5

      04371539d80e8a08372d3d02ad1a8350

    • SHA1

      eaac845a1f144a191a7c58ca55d85cbfd6dc50b9

    • SHA256

      fc5b75fdaced81d3c86db1859c5dd1cbd0bfffa569e7e9fd1c48c63d1f962c02

    • SHA512

      8cd569d70d953ba1aeea36c7fc9391e78e86b1d6a8eab4a01de3a8d3922c741329e15338eb989f33e3bb9e118f7cc1fa31a473d820a4444ea6b1a5f0c8cd9ec4

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                             ID      Count
  Persistence       Registry Run Keys / Startup Folder    T1060   1
  Defense Evasion   Modify Registry                       T1112   2
  Discovery         Query Registry                        T1012   1
  Discovery         Peripheral Device Discovery           T1120   1
  Discovery         System Information Discovery          T1082   1
  Impact            Defacement                            T1491   1

  The IDs are the ATT&CK v6 IDs the sandbox reported. In current ATT&CK, T1060 is T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1491 Defacement is split into T1491.001 (Internal) and T1491.002 (External); map them before feeding the rows into a detection backlog.
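Two of the signatures above, the Run key for persistence (T1060) and the wallpaper change through the registry (T1491), are individually noisy but rarely come from the same process within seconds. The following added example (written for this page, not a sandbox or vendor rule) correlates registry value-set events per process and alerts only when one process does both inside a short window. The event layout mimics the fields of a Sysmon Event ID 13 record, and every event, process path and SID in it is constructed for the example; the registry paths for the Run key and the wallpaper value are the standard Windows locations.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style registry "value set" events (field names after Event ID 13,
# values made up for this example).
EVENTS = [
    # A user changing wallpaper through the shell: wallpaper write only, no alert.
    {"time": "2022-01-24T10:00:01", "pid": 4120, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1000\Control Panel\Desktop\Wallpaper"},
    # An installer registering an updater: Run key only, no alert.
    {"time": "2022-01-24T10:02:10", "pid": 5012, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    # One process doing both within seconds: the pattern the report's signatures describe.
    {"time": "2022-01-24T10:05:00", "pid": 6644, "image": r"C:\Users\a\AppData\Local\Temp\dropper.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\dropper"},
    {"time": "2022-01-24T10:05:03", "pid": 6644, "image": r"C:\Users\a\AppData\Local\Temp\dropper.exe",
     "target": r"HKU\S-1-5-21-1000\Control Panel\Desktop\Wallpaper"},
    # The installer touching the wallpaper over an hour later: outside the window, no alert.
    {"time": "2022-01-24T11:30:00", "pid": 5012, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKU\S-1-5-21-1000\Control Panel\Desktop\Wallpaper"},
]

# Technique IDs as the report's ATT&CK v6 matrix labels them
# (T1547.001 and T1491.001 in current ATT&CK).
RULES = {
    "T1060": lambda target: "\\software\\microsoft\\windows\\currentversion\\run\\" in target.lower(),
    "T1491": lambda target: target.lower().endswith("\\control panel\\desktop\\wallpaper"),
}
REQUIRED = {"T1060", "T1491"}


def techniques_for(event):
    """Return the technique IDs whose registry pattern the event's target value matches."""
    return {tid for tid, matches in RULES.items() if matches(event["target"])}


def correlate(events, window_seconds=300):
    """Group tagged events by (pid, image); alert when one sliding window of
    window_seconds contains every technique in REQUIRED for the same process."""
    window = timedelta(seconds=window_seconds)
    tagged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        ids = techniques_for(ev)
        if ids:
            tagged[(ev["pid"], ev["image"])].append((datetime.fromisoformat(ev["time"]), ids))

    alerts = []
    for (pid, image), hits in tagged.items():
        for i, (start, _) in enumerate(hits):
            seen = set()
            for when, ids in hits[i:]:
                if when - start > window:
                    break
                seen |= ids
            if seen >= REQUIRED:
                alerts.append({"pid": pid, "image": image,
                               "first_seen": start.isoformat(), "techniques": sorted(seen)})
                break   # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Keying on (pid, image) rather than pid alone guards against pid reuse across a long log; in a real pipeline the ProcessGuid Sysmon emits is the better key. The window is deliberately short because the sample sets persistence and wallpaper in the same run, and a long window would start pairing unrelated installer and user activity.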
