General

  • Target

    8b5ccd10362353e7fc250188505b369f56904decf97719a6ba9ae9c6256f07ff

  • Size

    115KB

  • Sample

    220124-b182zahgb3

  • MD5

    d259da118d8670f47f2dc3c86dad4d8c

  • SHA1

    86a80a1379994a1af1b6ec6a6858405ff617bed4

  • SHA256

    8b5ccd10362353e7fc250188505b369f56904decf97719a6ba9ae9c6256f07ff

  • SHA512

    85b18f49da34f8f6c25c977c8a433de60c9d05f0b03725d7a9d63e443fa58b809eb5ea17efd26214e797898968fa13d2ad2ee6c40eff035ca4323c45c3030803

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$VShScK77DV1P8IBrEhd6.Ov3EfJDQQNZqWwu/Y3hD6eKDfXnTlPwW

Campaign

35

C2

Attributes
  • net

    true

  • pid

    $2a$10$VShScK77DV1P8IBrEhd6.Ov3EfJDQQNZqWwu/Y3hD6eKDfXnTlPwW

  • prc

    outlook

    dbeng50

    encsvc

    winword

    sqlservr

    ocomm

    dbsnmp

    isqlplussvc

    xfssvccon

    thebat

    mysqld_nt

    powerpnt

    sqbcoreservice

    steam

    mydesktopqos

    visio

    thebat64

    msaccess

    wordpad

    sqlbrowser

    onenote

    ocautoupds

    mysqld_opt

    thunderbird

    agntsvc

    tbirdconfig

    synctime

    excel

    firefoxconfig

    ocssd

    sqlagent

    infopath

    msftesql

    sqlwriter

    mysqld

    mydesktopservice

    mspub

    oracle

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    35

  • svc

    sophos

    vss

    sql

    veeam

    mepocs

    memtas

    svc$

    backup

Extracted

Path

C:\f16u50mh0-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion f16u50mh0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E86EE9312504A82E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/E86EE9312504A82E Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: bVoMmltFBz4ViPkIFD9cC8nqWcmc3oe8aUFkuwZbAWvaJbwsaauXcjq1/qQMLXGx j933fcxhPZfX3cFiwPi9vWvkrMF+Fo1tYWMnSgAHZ26DER3tmyLGDBV4xCiYjzaN 9RUikLH8p1e09dJ+1dV91QvgYQiInvABK37VhFjaWYRVfWLsTInyk5xxCF/5Doh8 ZW5do4g7wAECvMshryxzdW2ROhcK8FQeDpEHQNJu2Mj2eRd8zBLhyJBt7w6T1XdY bTvsrMOmNuWOoMQGZBdod0DIMLMPO7GdKIVXTCBxnwydzYwz2QQmR0WLXamvzfhB 80PnbY4EgZZOumMSfPkEqymW3b0ubyHsOZJ5/IqD6sLQc2UEKjavDF13Yd4onrX5 bAp/6LdDQck24Rehb1Qkz8j3+OnbGG1RWc84tU4vQQAZ4dk7FcAp6O0oFQhNpV8B 4OziB8gY4EsiyeYXRC8PJyneMyIwUbzVQ/+0OQpH4OT1JbE9yEggnnPrYYHxNqL4 G9qWJfyK/202ZtkM5fMa/N3nwRUnPjxoyqCxpXzVS3AZgnPhE2zKAOfSxgSN29qY u9NCDvkK7S/Vu7DsvmrLwo+BhTwQaFprW4QeD9cvoGan9bo/RjVgEYha0Cpbkyg5 1cuA1AHdro9pHabKJbfYl9UMwrfnxZ3mYomduRBZOwY3DTkXzkEz+VT1yNqiGDVO KXHS6v9xxWNtB3BOkKTPz4wBNtumIWOG3Vk5xZwPAPvD1PW5PtB5rZsZFl80/AJp eKFGOkooWzJsX9UcQGgv8bsl4DlSXh3ck1SrarjNO3wVWNa3hAAcwW2D4aPM7QyG MykeFTvwEXxC1x7LWdYtQ8rD0y5PyEBYoqAtc23fjf7TY4jcMZITUrbX74nlxezF 1WuwtxBpSQkpaWifPzuM1TSSst11Ri+1ajiy1Ajdkqc2rNrXtddvFOk0Y9t4c9jq CtK2191DKsW2Ue2LIUCzlgD0v/fAH5csHjM887ZvAC0IczgER3NpLfeV3OBPLXA7 65bfBLT47UPlms5fU3hSH0opPMEqhpdXXg/ABHsm4aen0wtyyiHhV07eBCC2ZRfn jTnYCF/8k5LyaaHBEaOXU4t/jExpG0d6UJUYOnUoQ6o8tyY1qpfPktT7pg5hgZLl 5c9uEip275ERRUjUyW9LcrToVY6wuFK9wDed6SR9VyLsvJTVRT9AhJp/V9b08U7N L5mBp5MncEah1Zk0BvkxArlcEQjBQHbbAH3UNk0bhgxeYcTBAvNHhDoARFVAJ0cO lopBLjYAHJh/o+2zFyOH5xqp7shpTsHqizk= Extension name: f16u50mh0 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E86EE9312504A82E

http://decryptor.cc/E86EE9312504A82E

Extracted

Path

C:\3t72p-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 3t72p. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/745C85F5D521E06D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/745C85F5D521E06D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: pDxRrmCwxgNKQC2XdUSAoHAcFW0A4cyI0YWPQOqcllt0TYybfNTfowOPCHKtg34p V9pFrVi+93yARPAEi9vpX3163zy0s32xF70FUqyulyDoF99zRMOMuNgf/Vv1QeFg Y3yZgSIzYNdRa4q8G2m1HtXW3zMADj+DAynFVOyl9Zg5r32DE85QrWhRwAjpOHL8 sRoPmyD/n9Q+15y3NYYiTbOwySi8JmbiO/LXn8NFYPQwbuG5+w3bNkSanmuA+gUq xx0a79Q7SmAOc6mxfLzQu1nh6u5f6lu71nj/TAXezqITPS3QaPJSQYLQRRDUmXEa jJZLZ8Pccb1vnEvZPJNoQa5SYGwpJnpDTq+MuMjxBb22xSfXYAGHH5plDvNQZWl6 F30gxby1tvO19H7iElMvxiUTUxqUDiEu2cH+uEzk8EmpQpH8smgE4WhFTZH59Z79 jSjJWikVVHS9ORVd1dhDNm03GkySQ8H/5F9BEqZkvXHZFJY2gfjsmfjg/vxkrGlI L+QLTbRmmYeL9m6o6CZTnOoOGKp7RnHdq02CAhMuFaGAhGFxhxHCDyALPR96hMk+ T5BqRAevvn6i1VPVqxDlFLzAsDz36halvDzL6PrHVOyxxFE5bF8e82rX8vntRepU MWy9csOu5K75oS5dR0KT1yWMp1BB+OS+Nyhsyx+3oW/5usSHx3l+NHE2aWOn+qdc VRL0PmVehEWWlRX68PTOi1mvq2BFY9uJlacCONjzdqOrzlBrJhudBqAYD6Spz6Xh gcRUs4FqY1V5cbgDC6uxBU07lFdWnNF1NeOmVNA+zolo34Tvdj3Cge3HRY2FeMqN mfD0dlhgK4rxgCZxm7N2h42ISUK9LnX4HSkuEoHkvWUCUNRSk3VCIgAbQ542KYiB 6FAruhH1m5RHXOWKAeZmMAtrwaM5w6dk8d+pRBk3in9KuaL+s7IXmbW/P5+RuuDv 2YHOAcetHxUHIHDvrMaV1ME/RgL/dv9kO8M3HIFwQ2q7mNNJ7JVNKaTOBGNZPgzA +c5VIJX6xoGgaA4vUQbDov9hMJLgu/nOASoBSjHTB/RFFzsB67Cny88qCfIMCGqi rFwrINbRZrxzQRQM9itpctSI5cmma3k1zc7DkM9ajmkLA+ZuRTajjHs7SALL10dj xLfSHjKwmWCR/G9AmvPWvWroYmcB9zL78juGPPEcg6UasekOuDPP/s/GGQr0LCRF pPgWtY7d7fclHooWKsRMjLFqT/MHLQSIuXzqDwTpIWHXx6rVhV2Gkz1HxEgme0E5 qXdt5dSwXoFb/Q== Extension name: 3t72p ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/745C85F5D521E06D

http://decryptor.cc/745C85F5D521E06D

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique (ID)                                Count
  Persistence       Registry Run Keys / Startup Folder (T1060)    1
  Defense Evasion   Modify Registry (T1112)                       2
  Discovery         Query Registry (T1012)                        1
  Discovery         Peripheral Device Discovery (T1120)           1
  Discovery         System Information Discovery (T1082)          1
  Impact            Defacement (T1491)                            1