General

  • Target

    85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7

  • Size

    164KB

  • Sample

    220124-b3w57ahffj

  • MD5

    6244071a79f902d38b330234e659e1c7

  • SHA1

    39c8ea52884950364b18eeccba7bcdfadc263cdf

  • SHA256

    85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7

  • SHA512

    072d42f0177a5772442eb7e07507a4cbb2105df63e3015f1556d56def4d801e529f585b8447999090dc2a590177b0f4b1a2bc63a38d60adb4cba7fd080f6c402

Malware Config

Extracted

Family

sodinokibi

Botnet

37

Campaign

2372

C2

annenymus.com

bringmehope.org

bakingismyyoga.com

miscbo.it

motocrosshideout.com

texanscan.org

tothebackofthemoon.com

n-newmedia.de

allinonecampaign.com

opt4cdi.com

agrifarm.dk

nevadaruralhousingstudies.org

imaginekithomes.co.nz

andrealuchesi.it

kuriero.pro

renehartman.nl

hensleymarketing.com

g2mediainc.com

forumsittard.nl

cssp-mediation.org

Attributes

  • net

    true

  • pid

    37

  • prc

    powerpnt

    excel

    wordpa

    thunderbird

    sqbcoreservice

    sql

    visio

    steam

    mspub

    mydesktopservice

    dbsnmp

    infopath

    outlook

    tbirdconfig

    mydesktopqos

    winword

    oracle

    firefox

    isqlplussvc

    agntsvc

    ocautoupds

    synctime

    thebat

    encsvc

    dbeng50

    onenote

    msaccess

    ocomm

    ocssd

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find how to decrypt {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2372

  • svc

    vss

    svc$

    mepocs

    memtas

    sql

    sophos

    veeam

    backup

Extracted

Path

C:\How to decrypt a52iae-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension a52iae. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4634E5F7AD213DDC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4634E5F7AD213DDC Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Zvkg0bCB9XDUiFkSTPNxB3TfXWYmkg1GblK81LNAFejqOek3lJFR3JYJaDZh26gP PXOLmvbttSHyKH/+k+9NPs2tDqXUB2Fq0p7NhOQbySYbC1v6CJyOl1c0FwSluV3x OF/LVIaJ70JsGq9bte37viYXCn3SUR8LZkqkFnCFvOexuQI3kG1QL09IwWCv0OSV /QBjAUKTUXTWPSXyiQ1/3L0Yz/rm7pfh40OJUBEqXL0iVWpQg7451xC6l0Ho5H+I Wt4keUUrPFR5tHg/xpxqBlW5bBzZfINDH96R+13HaDhUNWlsW9U6whFt34uqclAH jdWYz5Sulw2UJWuvdciseXeQoSIWean0RTZWLqYVH2x3bHs8WEx7yhq60OrrcQ5K S1kjixImPnL4G8mStmKvjPBCGdkAWXIsyJExRAN5CwCrlQiHrjbx95UdpxbsYYMe 62SUcXfFHTVnftt5kjD77XS0rbxyMLQV8AsyMWh8DBSsZ2BZ5Dpzj/E056C/lRB+ RDm2Pzoyf2SqvjSCZh7CoIxjMmlG1b63Rh/NWG2kOG5g4gc1FG7xRIrxqkMWOp5O pSkh46rho+1CR2zlfRoLfe5vb9ITjvAEk5J0VOaO5MyyDyiTg4AhSVAkZnE7lAsw ANVxhFLQjELO58vGpXJdRip++KW1L9AvsNRFze5bnnG1h52XKv+FZZaz5mJ4o0vs /AkdNMyV8ya+RnHnRWUBTG1goaTjOqWXwalgOTAFQGIxaF69VML631GQ3nGjYOSy T2Q5pucN/CvBfHnwtxI7V/ZzWmAkS8yQ64gwQyXSKY+BJQlSIhE9HHny1YutStO3 NyJnf2e4XLRRjvrV/QvDjtk0Tvn7Q5gEpxGUgUhzaPqzHhoyUwc8Gi0tCLVZT37H nzgnuGGWF5wJsXtd8agVnjZibC68bcYqYRe83U3UfrmV41Fdwvr7Nui6l1nkQK2s I4omWn81IY51+j6AsWNljcqvcT/zw8j4l/2tYxja+9726ruqEDOQT4OIQ/aVTdve h6R5EHm2T9aLtbw0NqjtStr4UVU/eKnmVpiY/RYvJ7kE3Q0xEc9HdOQXjkWwp3pI NwOyW0eMl3Pak+KZxDmzy682MeNrTHUAZTsDERjJ+3MX9Fb7iSOU3uUxewhgvatA COlEbQ== Extension name: a52iae ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4634E5F7AD213DDC

http://decryptor.top/4634E5F7AD213DDC

Extracted

Path

C:\How to decrypt v9hy1bf4bi-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension v9hy1bf4bi. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5C46FD8B5FBFC970 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/5C46FD8B5FBFC970 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 0XSDAiuZAbixI1t4Awz7sNxlV/goi5WTngh9E5Ax9biXa6bx2sQ9mxGrYDERb0m2 D0cmAVD/kptoDlSYZCLJud6zjxbGBD124ddUkn+m7UnNRVLhXh/wSglgQSn/yBjm SNhBxuDGMpKO9+a6IkPO5pPxBvQd5nH1JVdIaRem9f7WNCB4odefb6n33vsUqnIg CrMxgHUa9+NYr7weIU1owF/ayWK8ADSdNrCx4FMdyCcQklAuy9HsBOYKcU8DRgUQ n3YgEjW//p4BB510yO1LHbZgjg9OlySLsX142AzqzzZMefOmsXWVvqufkTzOFvVH RzmYW2nO9L+UnoS2F8OQBNmQODejSwfxpikAwiy+JI2UJTit95xpAHXRlSe8pq6R 1Wyge4eH3xcRk9rXLAkT/zJim585FBl+hpEW+vjj3vXxRwzqecbMaJ8D3aGmLkHN vxrEquPq88kNrnRWTtWX66NItdp7J3VAeg9nlqPZL58NAZ7TWWUFHRCDTyInVG+o H4znNzTbO+fpHBG28ovun2i3wT3mTQevVIaLPZkKb6lbNabCdXYfgN24DHyDs5+d hPnShS6bGfpQ/paUDiXb6VVyiXsF3TK6zHVTWBpUebYRVA/fZWCoMlg58eskCR0m zPEXBN33bWaxBpMPl1g8iBQJdFddMe2RCImg5b8tEoWFE4oO28YlDXCJVOkrL5Kz KBoluS/XeBGMzC9vL43xde2sXLpN0vV/CP2aecoy1st2MP90sqy/S3a/UQ3+7ApA DhK0atOqenNNwspSs2YeFFxJfJlmUOMqeBIvomVAFyYEDUuEzZWo307Tw4cA1lrN 9b/S1c1r3keeDyuiPL6eJv+tldtbdXW6SxOo5sifiCh2lqCPepX9lEv2WqoOGrid ipM5Daq1EvNkOPWPQahVwNy7FzPffAlq6VvteOPtXsv83x+rYVILQutSwiFUprnT AK1GYzB1VEsbFyngFFU5DUB72VYSPslPRe5ABNffW0tKZs70BD7YfbkPO49uOsRw SsuSTXL/USo2DN62s60j0JRO5Y3Umvva3mkAHH31WBdbx4Yy95PbYsIOzaDoap8p 0VKm30GTYt+oO9F+Kznb3qkiXoiEo+6kjYEIOagq0Wagb7lnUZbMTgd03nLklF9l bZZQ5A== Extension name: v9hy1bf4bi ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5C46FD8B5FBFC970

http://decryptor.top/5C46FD8B5FBFC970

Targets

    • Target

      85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7

    • Size

      164KB

    • MD5

      6244071a79f902d38b330234e659e1c7

    • SHA1

      39c8ea52884950364b18eeccba7bcdfadc263cdf

    • SHA256

      85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7

    • SHA512

      072d42f0177a5772442eb7e07507a4cbb2105df63e3015f1556d56def4d801e529f585b8447999090dc2a590177b0f4b1a2bc63a38d60adb4cba7fd080f6c402

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks