General

  • Target

    8409dce48dfd91faf8dda0c60d0d9b019da85ae10a0d5cbeda248484f0dc2bd2

  • Size

    175KB

  • Sample

    220124-b4d11ahgd7

  • MD5

    162569afc65b043310a3fd0da36991c0

  • SHA1

    51a9114fbd20982eaf86a75f3933aa1aaf6679b3

  • SHA256

    8409dce48dfd91faf8dda0c60d0d9b019da85ae10a0d5cbeda248484f0dc2bd2

  • SHA512

    9acb804d3920e3db54c355d86bb7a3eafaddbd93d06d56a1720246ab7fc812e84015d0ea25812e06c68420b6b473cc10de447a11aa18f737bba45dba998bd639

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

Campaign

1428

C2

firstpaymentservices.com

krcove-zily.eu

softsproductkey.com

naturavetal.hr

corelifenutrition.com

leda-ukraine.com.ua

beaconhealthsystem.org

acomprarseguidores.com

extraordinaryoutdoors.com

mardenherefordshire-pc.gov.uk

stopilhan.com

triggi.de

anteniti.com

aunexis.ch

boosthybrid.com.au

bee4win.com

gadgetedges.com

tandartspraktijkheesch.nl

8449nohate.org

simoneblum.de

Attributes

  • net

    true

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • prc

    excel

    mydesktopservice

    sqlwriter

    ocomm

    powerpnt

    oracle

    mydesktopqos

    ocautoupds

    ocssd

    encsvc

    mysqld_opt

    msaccess

    visio

    agntsvc

    winword

    sqlservr

    tbirdconfig

    wordpad

    xfssvccon

    msftesql

    firefoxconfig

    dbsnmp

    onenote

    thunderbird

    outlook

    isqlplussvc

    dbeng50

    mspub

    thebat64

    sqbcoreservice

    synctime

    sqlbrowser

    steam

    sqlagent

    infopath

    mysqld

    mysqld_nt

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    vss

    mepocs

    veeam

    svc$

    backup

    sophos

    memtas

    sql

Extracted

Path

C:\gdov8jwr-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion gdov8jwr. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A88B5FA3756E3A5C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/A88B5FA3756E3A5C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: bGx08Xe6wEebrTw81VPt2SIFzgPEg+eo6fRQ142aUUotyAMeLSrT7jqRJwFFO2uE 7Lf+pB0oMLAPlp8VdOAxCXDECCNEaG6AfiKByTIQB15fC618lVpkFFXYjdWPM6BS E9Iqcogt7cvCwFxc+K9LnyPu9Hj+FWY4YVu1nBDKnUK0xFOZTmet4Ca0KhaZC7kT ptZy5uG021phD7Wz/PTA9m/KbCsVxdd77xsVV9sSwh2UZOWiJIotV3CzHTqqN2D1 ayshMb9BVj00zunBiI1ap5jPWgnZD1z/6LP43Cmeib3vaIPI4w0jYcFm7aEPNrwQ tUXBfAsTyBElsLjbxLBuQ48F878qG/NCHMAyxVbcAtoWFLVv9XnmM7jKcOm5AqeJ /FToKe8XgDys2gV4jKLgpUtGwz08QmE5h0tRXQ9hiNQMrADEvbH4vkpZXAFtOJB/ wWh4vEfa9ycqTr6KQDfgWV/eoQyRWyq1TZ4uX55yR/8kRpmK/zM/2g7f8R+9NG75 b2vpjPLRscqsKoWgblej8gtZcwq2pWHNU51zX3vKx8jrGCKKGxowrtfjQAYVGWpp 1M8igMIBd3KTdWAgvPA1GT3bXqPwuMDqqUMOnXFzhMsTcW8AFoAe1NkRiygs2Xtw TSnD/Zgv5pAq0VlkV8g1dYgJA5f2VQqiI2/qqfb0431LVGvLdpwzNSC7bLZFAo70 0Hv18VvYgmkfrW5lebWW5OPhP4iNlINg3VD4gWkUJfJJb1z+R04+KR8zKKeHmkdV +LS0XOiW6JUHWzKLFf4hdGxyvmCuFPFUJqeMXd6zMS0XmNXJA2XdkWixtkeCDScq h8vjSSokSHgdOuNCrecOwZwxQli3ZFxjkRsYlACIupnCpWE9Nln5YZ1TsdylmQh4 bqLeqsIY9x9OHOWF7sISxpTsFNYmioaEVcKIZ9ygMxhje/Z1PGaPz7uBlZ2nznxR lf3OdAgwx3AFv9QLTbfJ1z9+29l66LwERDv2lMReaqutRkKLDB8ZbfDNWahBU1UK IKOT/KeivZyHoFQZd6Guduj3Bhe0R7N0QvdOPapQ/4pIXllfaHuT7aTpege2dan0 LmQf87RPqHzDs6BDKHI/jG8lgVQfENF48+NNWfpi+QitIFw0qxp/4rlmXuH7BV9C S1uORV4LJua/S0IfhqHlbiZEZqRWuLdVIaQcPcugvswVd4Fds18+qCWdQ+dxI1Nv IWsek5Z3s7GzPSaBM4H+t/bOlvtW9S2f1+BXqUTfgQ8CMiSjRYzmiuvfMUvypnxX QbMz+xOyoVNHrYPQQtYxiOYHB7qHFr/8FcMKtg== Extension name: gdov8jwr ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A88B5FA3756E3A5C

http://decryptor.cc/A88B5FA3756E3A5C

Extracted

Path

C:\d2x4ge4-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion d2x4ge4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/12CD80706B838DFF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/12CD80706B838DFF Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 3bWRptY9Gc3d4qaCpWH5QSqhL3Lsrpw7SqMR/1Nhc5l1dkcHzugTXIlGi3lHwz6u u7oeVOb+pTctOw/A+EVgRtlH2znUpmsDfa++2mp6vjE0c7VA4WnPlYyfxJ8J7scW 25MYpR2rTBadJqqwMGXy+bOlONjnWrS1Ah0IJLbHdKSS9+NyYk/ur6ETpMfdOzwQ oneTRE89HCKhzU+m9qZ6LhsgQqAlz263Da8NZxD4nb565hcSg17nbqPktx5zWg3U pxV+RqvCN/8vyss/YB8+4CWHn7dtXHokcBiTZJyYxWYXAEXfurRktkeKP8F5qjO8 CkaAxxaXWRiCgsfp8oP2LL9IFWZgwuJTi0c6b5jY8Ie/jsz4KeHQDe9+QqR49J5J NITM7eqRxvBvp5A58LhpvwlTWP8ZyNsa3MRar9v/EjCEqwJ5SkTsMtpyLseSSG09 7D0pPZJkso6X/BoRKoFmb0bg3UZNmzYhYEbpw/W+WAParjZzvNktT2mAQdBieJDn Ktgx5btHrDfwObZqwjs5AoEsa6g+l1YKA9uIlTyBjqazEyTjihl/FZalJe4GbUfV FxG4MElcKUbX4oKZZCMluObH6BUJTaYoICEZxtli2S1v/XQ1MyBIGkywplcOEOym gqY9FIaFm7gGhAYa972KJj7zNPWPIsxadCMZS63jihliAhsaIJzgOSIdzoZR6XeV /m84bFJoovKBtr27/R1K7WnerHm3DXnTmFu6fKMlPrTpx7HvI+ul2BIwbnJp0lvw ukksy56Bs6KZf0e5Tu7kDgU+flqRyVP0v4Dx/rLEo4SKdztdvK0cIpe7xBwm2Vz8 U5k1E+hW/VQ/felus+UqTgaD9Gs3eoB9K25FidIz1/bIe2b8A7VCry/Sqh8lS9oR dmVnttVt4/ecouO4hyNIKKKSSx7zkeLfIDjZEZQYkBPmLALNnp2oUEm5WKWA6+mZ JWT4iB6/toD7QqrveZLValNGeBHsuiKtmZHFGu0EAW80zI24ctHpT2u6sQzaLjSZ dCmoE9NPEqTtD3uAVKStAp/La8nshIaXfOsq5LT19Au4do7i7MR52aiwLTV8FjqT s29USMp/9mztVZtBzQwVQRK9d0nIjIUtcKjUe2qoYEHgXwiCwSXmgL0rmD8Wz09Q wdvoOgpKeW1/mnDMcYe12db6owIwlljgjtdTZPuR2XybKM03P40Jhv0nEyKVMAYw pPjb7JnQhLp9dEj+1WUZzzVy9+4LKigjWVE8e70Jk/vIijqYgHUUmMWa+cBgAt4Q cU5tVrAEkgPKbibdhtysixnU Extension name: d2x4ge4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/12CD80706B838DFF

http://decryptor.cc/12CD80706B838DFF

Targets

    • Target

      8409dce48dfd91faf8dda0c60d0d9b019da85ae10a0d5cbeda248484f0dc2bd2

    • Size

      175KB

    • MD5

      162569afc65b043310a3fd0da36991c0

    • SHA1

      51a9114fbd20982eaf86a75f3933aa1aaf6679b3

    • SHA256

      8409dce48dfd91faf8dda0c60d0d9b019da85ae10a0d5cbeda248484f0dc2bd2

    • SHA512

      9acb804d3920e3db54c355d86bb7a3eafaddbd93d06d56a1720246ab7fc812e84015d0ea25812e06c68420b6b473cc10de447a11aa18f737bba45dba998bd639

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 3

    Install Root Certificate (T1130): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks