General

  • Target

    84e13ba6788fb5b2834c8cc86ab2475ba2a17172f7b8fcbe9ac64e5c7e9ca68b

  • Size

    152KB

  • Sample

    220124-b37a6ahffr

  • MD5

    8ed9fac8f73ce65170ebd9eddf8b3c47

  • SHA1

    ba47bedcd134c5ff6a0bb1c725fe64dd1285dfd5

  • SHA256

    84e13ba6788fb5b2834c8cc86ab2475ba2a17172f7b8fcbe9ac64e5c7e9ca68b

  • SHA512

    1b4ddca8b6d9599410be42b24b26ca2ef118156df140849e6c79dec23807dcd82762624b966e3bf4dfba04f604963426126684c57dd5b409fa732a30b08224e3

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

Campaign

1428

C2

ecpmedia.vn

triactis.com

promalaga.es

siliconbeach-realestate.com

bigbaguettes.eu

web.ion.ag

spacecitysisters.org

abogadosaccidentetraficosevilla.es

blacksirius.de

sipstroysochi.ru

foryourhealth.live

schraven.de

mardenherefordshire-pc.gov.uk

pubweb.carnet.hr

joyeriaorindia.com

makeflowers.ru

seevilla-dr-sturm.at

podsosnami.ru

stupbratt.no

jsfg.com

Attributes
  • net

    true

  • pid

    $2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

  • prc

    sqlservr

    excel

    sqbcoreservice

    powerpnt

    mydesktopservice

    dbsnmp

    msftesql

    steam

    sqlbrowser

    ocautoupds

    visio

    sqlagent

    thebat64

    outlook

    dbeng50

    mydesktopqos

    onenote

    sqlwriter

    tbirdconfig

    agntsvc

    infopath

    encsvc

    oracle

    synctime

    mysqld_nt

    thebat

    xfssvccon

    isqlplussvc

    wordpad

    mspub

    ocomm

    firefoxconfig

    msaccess

    winword

    mysqld

    mysqld_opt

    ocssd

    thunderbird

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    memtas

    veeam

    sophos

    vss

    svc$

    sql

    mepocs

    backup
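The `prc`, `svc`, `net` and C2 values above map directly onto the family's pre-encryption routine: services whose names contain an entry of `svc` are stopped, processes whose names contain an entry of `prc` are terminated so that database, mail and Office files are not held open, and with `net` set to true the sample posts to hosts from the C2 list. The hunting script below is an added example written for this report, not part of the sandbox output or of any vendor tool. It takes the lists exactly as extracted above and runs them over constructed host telemetry; the event shape (ts/host/kind/name dictionaries), the 60 s window and the threshold of five distinct processes are assumptions chosen for illustration. Treat a hit on the C2 list as a weak indicator on its own: the family's domain list consists largely of ordinary web sites, so corroborate it with the host-side signals.

```python
"""Hunt for the pre-encryption behaviour implied by the extracted config.

Added example for this report (not sandbox output, not a vendor tool).
PRC, SVC and C2 are copied from the config above; the event format, the
window, the threshold and the sample telemetry are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NET = True   # config attribute `net`: beaconing to the C2 list is enabled

PRC = frozenset("""
sqlservr excel sqbcoreservice powerpnt mydesktopservice dbsnmp msftesql steam
sqlbrowser ocautoupds visio sqlagent thebat64 outlook dbeng50 mydesktopqos
onenote sqlwriter tbirdconfig agntsvc infopath encsvc oracle synctime mysqld_nt
thebat xfssvccon isqlplussvc wordpad mspub ocomm firefoxconfig msaccess winword
mysqld mysqld_opt ocssd thunderbird
""".split())

SVC = frozenset("memtas veeam sophos vss svc$ sql mepocs backup".split())

C2 = frozenset("""
ecpmedia.vn triactis.com promalaga.es siliconbeach-realestate.com bigbaguettes.eu
web.ion.ag spacecitysisters.org abogadosaccidentetraficosevilla.es blacksirius.de
sipstroysochi.ru foryourhealth.live schraven.de mardenherefordshire-pc.gov.uk
pubweb.carnet.hr joyeriaorindia.com makeflowers.ru seevilla-dr-sturm.at
podsosnami.ru stupbratt.no jsfg.com
""".split())

WINDOW = timedelta(seconds=60)   # assumption
MIN_DISTINCT_PROCS = 5           # assumption: tune per estate


def _norm(name: str) -> str:
    """Lower-case and drop a trailing .exe, so 'SQLSERVR.EXE' -> 'sqlservr'."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".exe") else name


def matches_any(name: str, needles) -> bool:
    """Case-insensitive substring test, mirroring the family's own check:
    'sql' covers MSSQLSERVER and SQLWriter as well as a service called sql."""
    n = _norm(name)
    return any(needle in n for needle in needles)


def hunt(events):
    """events: iterable of {'ts': datetime, 'host': str, 'kind': str, 'name': str}
    with kind in {'proc_end', 'svc_stop', 'dns'}.  Returns (host, severity, message)
    tuples: HIGH for a burst of prc-listed terminations on one host, MEDIUM for a
    svc-listed service stop, LOW for a DNS lookup of a host on the C2 list."""
    alerts = []
    recent = defaultdict(list)   # host -> [(ts, normalised image)] inside WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind, name, ts = ev["host"], ev["kind"], ev["name"], ev["ts"]
        if kind == "proc_end" and matches_any(name, PRC):
            recent[host] = [(t, n) for t, n in recent[host] if ts - t <= WINDOW]
            recent[host].append((ts, _norm(name)))
            distinct = {n for _, n in recent[host]}
            if len(distinct) >= MIN_DISTINCT_PROCS:
                alerts.append((host, "HIGH",
                               f"{len(distinct)} prc-listed processes ended within "
                               f"{int(WINDOW.total_seconds())}s: {sorted(distinct)}"))
                recent[host].clear()   # one alert per burst
        elif kind == "svc_stop" and matches_any(name, SVC):
            alerts.append((host, "MEDIUM", f"svc-listed service stopped: {name}"))
        elif kind == "dns" and NET and name.lower().rstrip(".") in C2:
            # Weak on its own: most of these domains are ordinary web sites.
            alerts.append((host, "LOW", f"lookup of config C2 host {name}"))
    return alerts


def sample_events():
    """Constructed telemetry: one benign service stop on ws01, then a burst on
    srv02 shaped like the family's pre-encryption phase."""
    t0 = datetime(2022, 1, 24, 10, 0, 0)
    ev = [{"ts": t0, "host": "ws01", "kind": "svc_stop", "name": "VeeamBackupSvc"}]
    for i, svc in enumerate(["MSSQLSERVER", "VSS", "SophosClean", "MBAMService"]):
        ev.append({"ts": t0 + timedelta(seconds=i), "host": "srv02",
                   "kind": "svc_stop", "name": svc})
    images = ["sqlservr.exe", "SQLAGENT.EXE", "outlook.exe", "winword.exe",
              "EXCEL.EXE", "thunderbird.exe", "notepad.exe"]
    for i, img in enumerate(images):
        ev.append({"ts": t0 + timedelta(seconds=5 + i), "host": "srv02",
                   "kind": "proc_end", "name": img})
    ev.append({"ts": t0 + timedelta(seconds=20), "host": "srv02",
               "kind": "dns", "name": "schraven.de"})
    return ev


if __name__ == "__main__":
    for host, sev, msg in hunt(sample_events()):
        print(f"{sev:6} {host:6} {msg}")
```

On the constructed sample, ws01 yields a single MEDIUM for the Veeam stop (a backup job can do that legitimately), while srv02 yields three MEDIUMs, one HIGH when the fifth distinct `prc` image ends within the window, and one LOW for the DNS lookup; the substring matching deliberately ignores `MBAMService` and `notepad.exe`, which appear in neither list.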

Extracted

Path

C:\502444-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 502444. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2DBE1A3640211F2B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2DBE1A3640211F2B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: k2gIDadrqr779R4BZ7jKROnJAUZJIBeAM2wDbJwT5v1yFEMvrXcO7Y2NPFJEA7IE fzhQ0iMUgUZwN4ByQ6rxEN6ohdZ799nc1g+SEyLhx1SswEC7bInP8P8Jvd3BIp+w dpvHdzdJ5E6a3GLwHZZxbASfdJPnpE1tgUDg1Et3tnChFI7YJc55n8MlEwX2aM+a 5L4Yd3bgmP+Rg4ZH261ClcaeG28QPyD01FKX7z5ECzJ6PZzxz3iUz1E3vl51ZTgx nBXzdtRgzVDuN1SP4hG/64bE13YnbWtMEYjryt8W66esQm5LCUa4C36G5eIE3Mmf yWBKRRf6HbMbAVeMrTOfw/d1Zz9lovl92R3JUpi/Z772sUi5ZedcU6/VZwUdnB0k JUBQQrB4JP3y5PD2bmag2njswvoblpON292BhMd6KWk2l5KI59b0g0K/KUxN3/cg ZEftWuRotNkK02OB4m7d8F5ablrKs3GXliDgso/reBMcmlx2GWnPu0aOcjka0A8N 2tXir+4trRFez2pV9RT2Pa1bUuti5VHkUNU8p4EdYPvsPoYIhpDIw8L//1ExKMUv Slj/529dGezvdyILIS8TRMOvfrrRB2ZX1iH7HJuk8pVTRBFJARN30eQXS+Ya8bpa /7RCkKzyeTFrudvjZrYcTm6T+mSpbt7pGc22AMpWsJoAi08dNQ5N3PhgK5cj8D0L BSyBTFNfTddDQw/AiN/vKXyuEboWn6OwHAjkfs7x3pgB349LOcdLd09uTAKmytyh rCMVYCnACJ9eYNbjU0vjNyfrwvP7EFzEKayZgvvqHjyrD+Lw8LffonrAWrowszn7 +P1z3EOPU0f6JDkP2xyU5C7XMBSWk4Tq3ZowF0eJ1EKVOQv72f9L2M9SIG1v69b1 Xo3q45qi6nIosRLTiMXvByHp/5gysCS6cDikRrPyukV+qZTzw+Ked433NJxK/Wwn QOQ8edYjMWr5zB2jb1RmBJ1qgNvyME5+A5LxsDdGeDk89Dz5dRbbWOq1ZU/3FbPI K77tduIBKxwJ02TDsw5QzeUJT05HAys7ige4p78Q+fjZ/UJ+1JrXJt77rfIYHtrj M+BYKPJtEpu1iqqx4upF+oaTgzG2SGp9axY4U9G3j+jG5sNnxeG6lRsacHQiMUYv r0NWObj28bn4wOlpTNmW7XGubLsTxkOYja0scnKuMyple3pIzVG+H61+4uUuglH6 IQsMcbGgo5xQlIRiQO509MGtiD32gwz6t0jY65ZT5X5Ws3cBTtb2/Nha8PlmIvV5 or22fsmuroIpV+/XDYPzTpVYIfWyinES Extension name: 502444 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2DBE1A3640211F2B

http://decryptor.cc/2DBE1A3640211F2B

Extracted

Path

C:\5a0eu-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5a0eu. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9FA115C863239C6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B9FA115C863239C6 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ig06wL9gdgsMqdTyybHFho9vJD6pojL6d2vaDBCjd2QljLSJ5/RR5H621ujgnnxE kKTm0gHxsqyGc5asLXFOJrr1u2FCh+UMmiyA+AauzohoHVvmVOuYQ2xcf/YERdTX Mx5Xn29LNTp5WPUQlI+G6BKJpW1Ui+ngrz3oHHY0WEs2V583yYruRXcbkr45JlNy u2SVc1yYG+eRnqffJhlrB/PuZWAtXhfQxsDkVi+4tDJRQMiULle4s2qkJf8jNHKt uv8QbCOyw4tU0EX5w007ygcEwpvrIY4SyxcdSl/On3kWBSYqQPtR/Tafi7ymUWVW KniU3G+Itlek/vXhAhLsKra931lSw4b0XCDO73seKUPMfIWXMZpK6PbPcXZjeW4B wzKzlqzmyN3h3cLzj2qoXkaZxgaG8gp7uprkpk5g67sF6mbf17m9nUlgQ1R27mMW MoLSnbwebHa3x+T0Umz5MIOW7VOgYWI000azAlUZum/nmnaa6Fro1rzNGAXLH5tq Sri72CK3dOsXhRfY2//UfBrby2syLR9JBsv029hDiz40FOZvTDB+v/3OjRY+lS9u 5ERqeylFSazacXRJx7Q58kFN5jez/8t1uGG7acy3HLb6yF1iMmnQKvPK4/oc6E1e 8gnREHG3oOsBhcEv969Tc8/kUrkvUln4AbyyRgeitrHGeZRQWiyAQ9g3DM/0LctS Eh6yqM9AC2Mk7+ZGSKI0LczKafm5qBEoPCH0lsNwti2T4avSIbrHINnu0VqOlk6a IUwljSl9UO8gm1YpkIXCG+IwT6W23/2L/YzrJ3q37QEyYoyWvcoLrgrylLL09qNc sSLxRRhk9RzhDA/OWfJP6ktATJV7uF5FyIKOFZ7bajQB3LChVuA6maVIIQGwIQBv 8nMGsTFX3YuYBYRKDO9DYDcLjoDwtXfzUMCU6DcGxrP9r3xnEod6qxV/DLBb2Pch tlhdEKPUZGwokWV8OmIQHQv5m5SvPJZpQ6xDSH1GGtMtNQKV0YDTo2MTqelMSRaB LTUWX8WaP01zz6dJFMr/oHeMn/v/v4aUJHbcHkDbI0uMiOWiroH9NTF65bsXxifO hmwg5J2VSCbIERBDIAVm3BwyAjwxxMEr5SYvMpcg4FG12Ibb1bnFJja2FtnKbmqV amBZkqLKWSRKAIeaG+f83vwTbYzNQ3JPpNl4hFqDFM3SaQniw6aAjHDaPdLKaEnQ rZXn8rG2Kc/pv/W2EY0CGAo0pITtgumaBEfzDty3LlbmE4Xau3GY82gqC3CC8nQq 8BQ6yroZCaczR+iA+8U= Extension name: 5a0eu ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9FA115C863239C6

http://decryptor.cc/B9FA115C863239C6
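Both extracted notes follow the same template: the victim UID appears in the .onion and decryptor.cc links, the base64 key blob and the extension follow `Key:` and `Extension name:`, and the note is dropped as `<EXT>-readme.txt` (here `C:\502444-readme.txt` and `C:\5a0eu-readme.txt`). The parser below is an added example written for this report, not sandbox output or a vendor tool. It extracts those fields, rejects a note whose two links disagree on the UID, and checks that the extension named inside the note matches the drop path. The sample notes are constructed from the UIDs, extensions and URLs shown above, with the long key blobs replaced by a short placeholder.

```python
"""Triage helper for Sodinokibi/REvil ransom notes.

Added example for this report (not sandbox output, not a vendor tool).
Field layout follows the two notes above; sample notes are constructed
from the report's UIDs, extensions and URLs with placeholder key blobs.
"""
import base64
import re
from dataclasses import dataclass

ONION_RE = re.compile(r"https?://([a-z2-7]{56})\.onion/([0-9A-F]{16})")
CLEARNET_RE = re.compile(r"https?://decryptor\.cc/([0-9A-F]{16})")
# The key is base64 written as space-separated 64-character groups.
KEY_RE = re.compile(r"Key:\s*((?:[A-Za-z0-9+/]+=*\s*)+?)Extension name:\s*(\S+)")
README_RE = re.compile(r"([0-9A-Za-z]+)-readme\.txt$")


@dataclass(frozen=True)
class RevilNote:
    uid: str
    ext: str
    onion_host: str
    key_b64: str

    @property
    def onion_url(self) -> str:
        return f"http://{self.onion_host}.onion/{self.uid}"


def parse_note(text: str) -> RevilNote:
    """Extract the IOC fields; raise ValueError on a malformed or tampered note."""
    onion, clear, key = ONION_RE.search(text), CLEARNET_RE.search(text), KEY_RE.search(text)
    if not (onion and key):
        raise ValueError("not a recognisable Sodinokibi note")
    uid = onion.group(2)
    if clear and clear.group(1) != uid:
        raise ValueError(f"UID differs between onion ({uid}) and clearnet ({clear.group(1)}) link")
    key_b64 = "".join(key.group(1).split())
    base64.b64decode(key_b64, validate=True)   # reject a blob that is not valid base64
    return RevilNote(uid=uid, ext=key.group(2), onion_host=onion.group(1), key_b64=key_b64)


def note_matches_path(note: RevilNote, path: str) -> bool:
    """The extension named in the note must be the one in the file name."""
    m = README_RE.search(path)
    return bool(m) and m.group(1) == note.ext


def triage(path: str, text: str) -> dict:
    """One record per note, ready for a case file or blocklist."""
    note = parse_note(text)
    return {
        "path": path,
        "uid": note.uid,
        "ext": note.ext,
        "onion_url": note.onion_url,
        "path_consistent": note_matches_path(note, path),
        "key_bytes": len(base64.b64decode(note.key_b64)),
    }


def is_consistent_note(text: str) -> bool:
    try:
        parse_note(text)
        return True
    except ValueError:
        return False


# --- constructed samples (placeholder key, real UIDs/extensions from the report) ---
PLACEHOLDER_KEY = base64.b64encode(bytes(range(96))).decode()   # 128 chars
WRAPPED_KEY = " ".join(PLACEHOLDER_KEY[i:i + 64] for i in range(0, len(PLACEHOLDER_KEY), 64))


def constructed_note(uid: str, ext: str, key_b64: str) -> str:
    """Abridged note in the report's template; only the fields vary."""
    onion = "aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd"
    return (
        "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
        f"and currently unavailable. You can check it: all files on you computer has expansion {ext}. "
        f"[+] How to get access on website? [+] b) Open our website: http://{onion}.onion/{uid} "
        f"b) Open our secondary website: http://decryptor.cc/{uid} "
        f"When you open our website, put the following data in the input form: Key: {key_b64} "
        f"Extension name: {ext} ---- !!! DANGER !!! DONT try to change files by yourself"
    )


NOTES = {
    r"C:\502444-readme.txt": constructed_note("2DBE1A3640211F2B", "502444", WRAPPED_KEY),
    r"C:\5a0eu-readme.txt": constructed_note("B9FA115C863239C6", "5a0eu", WRAPPED_KEY),
}

if __name__ == "__main__":
    for path, text in NOTES.items():
        print(triage(path, text))
```

Running the block prints one record per note. The UID cross-check matters in practice because a note whose two links disagree has either been edited or mis-extracted, and the path check catches a note copied from another host into the wrong directory.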

Targets

    • Target

      84e13ba6788fb5b2834c8cc86ab2475ba2a17172f7b8fcbe9ac64e5c7e9ca68b

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic          | Technique                          | ID    | Signatures
----------------|------------------------------------|-------|-----------
Persistence     | Registry Run Keys / Startup Folder | T1060 | 1
Defense Evasion | Modify Registry                    | T1112 | 3
Defense Evasion | Install Root Certificate           | T1130 | 1
Discovery       | Query Registry                     | T1012 | 1
Discovery       | Peripheral Device Discovery        | T1120 | 1
Discovery       | System Information Discovery       | T1082 | 1
Impact          | Defacement                         | T1491 | 1
