General

  • Target

    85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc

  • Size

    165KB

  • Sample

    220124-b3ssrshgd3

  • MD5

    4dacc5edb44b305ab1f77a33b3e16362

  • SHA1

    dd413b4f2e6c4cb8dae4c41d95ef5ae92c1eba50

  • SHA256

    85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc

  • SHA512

    e4140ad7c232f01045de0ebef18d8048d73ef7afe5147f1c744d2b90c1717ac70259afc494a9f708abf7cb89721d784aca19cba7e1f39bcd09834ea80a0e46da

Malware Config

Extracted

Family

sodinokibi

Botnet

16

Campaign

2931

C2

juergenblaetz.de

sshomme.com

gavelmasters.com

haus-landliebe.de

imajyuku-sozoku.com

barbaramcfadyenjewelry.com

neolaiamedispa.com

wineandgo.hu

mediogiro.com.ar

arearugcleaningnyc.com

satoblog.org

theater-lueneburg.de

natturestaurante.com.br

magrinya.net

vitoriaecoturismo.com.br

suonenjoen.fi

scentedlair.com

charlesfrancis.photos

sber-biznes.com

drbenveniste.com

Attributes

  • net

    false

  • pid

    16

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2931

Extracted

Path

C:\b6b7f-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension b6b7f. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5609023673922008 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5609023673922008 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Zd5vItIFBeNxCVKRS53diUR+LzzXMdH5YHkpCDMjV4xH2xjB9EbdX/wMgOZgRZIt yAISfhgXRvnrmc9UXcjv4oIBLu/oxYmoJ0AF7pyurCQkPYKyiaYgQRGUd3nolE+N QmnYZSlpLSB6HGvwSdxoSXNYSrPQ3ml4iLIOqJEVIE+tPQerx7W3Pp5DLPVNOW69 9x+NEBJ3RG8KRhmbeZdvoCb3vHtpQOJy+39E6gyxRhVtcs6yKZYkLxsfuVBiYsZs uPhgBcGYd+bdQpN60PqIIko3ILT3fwL5IvJeXbHbnQHTtCRHLMgUOk6g7kcL3ImT 8U8v0rRqIzsGzM9oGuHYVKUKkI/jmtkzrBFrtwUCT64eZ69ENJn9074ET/nQssaC AQ+NJsd5DUqA+JuBZt8aK6NR7ce76v8V8mEUDGTj92l+BBmtA5BB2VPW06THjA/p 5LlFu0EL2/4LIyuR3psDfM3S5/c1X5U6RJOgB2ecFyiiCi2RrPzkaHNCmZocy7kE hro0cC6jWGy2uYMwnIqbj2Ib9rrej3vwkPgb5E3CyyeAqhVIo7KGtzRNUeZPeWgF KnjVju5yGamV1f8z8hN8xAHuSeGe6PLki7jiDBY9aZX984Jn/bhFYk/z/Pn/1aPL 4vo9VKeN8LpVmXdNh3ZHhLRM7nzg7CIuCQCb7rZ8C2Zbqp+YHblMsCqYwWg58Kas mXJGfbvzLjKwrewp7v3cSvTWvYMzYAxlokaUHFPbYXGHHDQw81mPWoA2WW+71yRS 0ve10g5gld8S3ve9RRjhttSANO8ETJWODuxFbuy/k6GOV9EoJ3EZWtY55yL4v/yG boCPvG2yKiZQNfLf+i5so+dv5vEi1WcseNavcm4VZNkGuzIXQOM55sgzzNKksvM/ OMm9uT7eooGY3XkoXQ9MZR4/K/hYQThYGPFD8+3bxdRSQxSp5DCUciCDy5q+4l2o fPhfj8ApqjgrhCtwFmRkVGYQPkoByb0QfDe/lSnzBSrpduFYdeu8Ez/lWpTkMjlE xiUoZKMahyV6BpamvKPD/4KOybmjtRWIa/y5+awNEnd/JGUIAPJu0KnfIkoRy0e3 ELsMUVldbWZLA+v88hen9UeirIbpYjcN37DcKaJPg2zLyjUayaHp8Ydfb73gKQx6 rzo= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5609023673922008

http://decryptor.cc/5609023673922008

Extracted

Path

C:\us3a1w3uv7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension us3a1w3uv7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B7594A48B1C47AD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5B7594A48B1C47AD Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: LVL+XPeGwBFFuOD1G3Eo9loQmFAxFoG7UBkusr+4YLDHo+obBIQSdEttFAXXYwUf UjrSAInRSnF2SuOqAlr5EG9eLwR+NNhDoIsL7bmtID1Ftpa5AtZKh132ZVPi7qGe ZaGjqvrx8kLl0u32fqZXJywQXZrvziCCzCpWCS0v7NBHfhgIml8i3hvJp9Q8z0Jg DwpxJORsBPvPQhs9etZq5PID8JCTrh8XBaXcWrTfUW7wmTMKGbo8Ic6xIngPzBcx g8o2b1Ye6Wyz2+iyeBs5TZgfpA6pC0PXtc6FpRe11jVEtdk5TBIIfyh5kx8Eh0e6 1idEDWA1q8Bnjhz6xNLO8NPGyrSlRboUcwSgRLGVkoJ3Rl3BJMG7qo3U41oaCh+5 Pbm26VoEV7QFImZTMxJ1Pe88Si9K1ugNYqCMjMLeH+TEYndo9Pmt9bj53pjwcONe 3Jm/SdXR4CKKreVCi/ruHvzXpsLsbz+uMKBaAsPW7A0e31N3NEMMXPVYWmYYtGri 8mN6nUqZVMufDCH9xA5NFPGsiAIfoSukva6o7Er5d0yISk0quROJSUEorlumqrQd y9jDXa3XFvjbtGiZhr3dSro0GJ4KqH9/L7Nk3b0J35bN5ONyZlrvvkv/A83LYxWL sejvnXJtVO8kBN3lFDSMu6RxYbIhx6J+A9efpUnvcERIdn7gnT4H0mBzT+xUOPkK 51ZSpN88HgPFK7vP3jj8366rLFtJKFuiMuLXhFfponP3dmkw3Ypab72eRtgtnbVg Db5p34ogindr2DWn4ezrxNeJHA9v7ozSwSLgAXL5vPaQ8MWGRT8s4hZ3fVSjvwbI cF9HDM9MYRbmsWw1GuUny5Fx+jIuP4PNRxcg0BTWgR2uyxPTGsWxe/d2/nv3ENvk WkFFwCFYEeH0H2XyvM5niM//heSLd2tiP1zXahHXgdp/WeCAKMjuL4+07YMI73Wp UNLgAKA6My9ElbU0S3u9uCvfQLm3MFsmtVmH5ClSfpeNTPXqYs4SuZMePVXo8xQn euduJlFLEBLwuFbEGHe58VXaN+XqDQny/db181INpJVnzRM7TyyBoa5+I3E1dYYI kLOYL0usimpFftFKGvtDpPVJQp38LeFrxcIfK5ewmCQtZIVUfhzP/gJDV8Low9mZ LriCOw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B7594A48B1C47AD

http://decryptor.cc/5B7594A48B1C47AD

Targets

    • Target

      85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc

    • Size

      165KB

    • MD5

      4dacc5edb44b305ab1f77a33b3e16362

    • SHA1

      dd413b4f2e6c4cb8dae4c41d95ef5ae92c1eba50

    • SHA256

      85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc

    • SHA512

      e4140ad7c232f01045de0ebef18d8048d73ef7afe5147f1c744d2b90c1717ac70259afc494a9f708abf7cb89721d784aca19cba7e1f39bcd09834ea80a0e46da

    Score

    10/10

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks