General

  • Target

    7c7ad08931468eecb7a250a9108936976ce8b2eaae9489cf2a802580851b9f32

  • Size

    173KB

  • Sample

    220124-b6jn9shgg6

  • MD5

    5a01c407a8be2ac6a004d2c40a75264e

  • SHA1

    f56de4166c29bb24fa8b8a473b65d9405511c0e7

  • SHA256

    7c7ad08931468eecb7a250a9108936976ce8b2eaae9489cf2a802580851b9f32

  • SHA512

    bf308144921c36a8323ef087de74fb5bfd3f3a5d5fa766b4d6796aff84714e81cc8b87b8dd8d89e1acfc6f478b41966cfedb772cf8035b92ef6d4a85e5c4d8ed

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

96

C2


Attributes
  • net

    true

  • pid

    19

  • prc

    thunderbird.exe

    sqbcoreservice.exe

    sqlservr.exe

    synctime.exe

    encsvc.exe

    sqlbrowser.exe

    mysqld.exe

    visio.exe

    mysqld_opt.exe

    msaccess.exe

    firefoxconfig.exe

    msftesql.exe

    mysqld_nt.exe

    sqlwriter.exe

    steam.exe

    infopath.exe

    dbsnmp.exe

    tbirdconfig.exe

    mydesktopservice.exe

    ocssd.exe

    wordpad.exe

    ocautoupds.exe

    xfssvccon.exe

    powerpnt.exe

    outlook.exe

    ocomm.exe

    winword.exe

    oracle.exe

    mspub.exe

    onenote.exe

    dbeng50.exe

    thebat.exe

    isqlplussvc.exe

    excel.exe

    sqlagent.exe

    mydesktopqos.exe

    agntsvc.exe

    thebat64.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    96

Extracted

Path

C:\24foxpsu-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 24foxpsu. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F03D506B98D226B9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F03D506B98D226B9 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: vwGG9Fae9fbo+hvKteJA959eqjLUSYDNkcUVqbTppVHSY86ba+D2ViAOGz8+KxWC SLWw66bm9NDAQHAOqlKTQYjld0Q8vYVdvdHfcyNsMoZsst/2DcQLRmuWWdJEEciU 6EO5uK9B6+bZbFsr4eFioWuGOnpSGEhhP5tsmGhazKzo57O67XWlY8BB6wZ3NInc 6spSEzn2Oz7U5bgHUIGgQZh4G0cxqqq38uVlnM3t6zQo/EUeFi5nZAaAXCQv2cQ9 kDeLM+U0ew8RzXPBTS0y7yJLy7X/D+RjEcGcJm/PoQHOXKudBFOqZWkWtHm+EkW2 HpA8bTUcbjdLE8JQLWGywpQFm7vhh8fvM30NXRlYikVHFZLIME4lfDlSgPWOKbGY OsMOplcwBABW8AQkBC0ijsQkrTlZ3uhAQrAQSxFwpb2spq8I3yps6I8BwUSKFPm7 CSWIfgyZ6wgS6cPST11CSYw5t2P5t4mkua03RmP81RoDLYXQLLk1E/AgsdmDBkqV OagEyM1n7wPWf95fKfLjSVxApCf66XfpwVzxc/4iCeR2WHXWQst5B4vunHOCEEes PyoO786luvxS4A4wqRmLtVs2l7oiWKQZdBQJWlxtEQeF/qIGzG8AbIS6JsVAan0c 3fabcVNqls4DAidMCYJXv3PQp5F4UqYW/QuVEdjztglnTy+vVyvDPaYSl0bj8RCz RWyTQHGpgteqWuAXKLkseGqFpw1Qg3gVvs9OBjb6Wav2TRCpuWb4ieYLnJC7xLJE w0V7kkMgvgxfnumHrDPtCbt6k1G57Rkut1I/WNO1Bup7i/P2W4A5wFKlBLmKCKbF fhyFIaV0uZlScVyX4GTPX+m9Q7TXBvbvuL9Dum2TaF21C/QsiJJJ3YGtBFti1ohK Sj3cB4UnKTMTppRmOUfV//yY8oJ88VyrzFnUNnROKahK9rypvkXGadRyTrZ5c6g9 BKQPItXCVfKaOjXMpvvPHI8pWUD5WNW2a7EQTim/APHUG4h1GMJYTvpg+rpYa9ml BDQtWnF8DQlmahgl54noeX1BPiuXEoUMg6LX1Sxbi8rRGblZCuJG+4Cx2tro04PG O1W1DGrpwEJmJc310ln5dakSpYyGoGNUfgdWIsB9GAO7SczKmzkOkBOcYMWjLdVX MqQsjA== Extension name: 24foxpsu ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F03D506B98D226B9

http://decryptor.top/F03D506B98D226B9

Extracted

Path

C:\57945459-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 57945459. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DBB5FA38B9E834F8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/DBB5FA38B9E834F8 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: rKA3+pq/6fIlfjELnm6fZvsvvMixB8J/U+lrnOXXT8r7jC0wOxPoP7OV8WGtRZso XZ+VLfcauGSlRH8K/32mjemLx2gcZvZCbQ4z/2SQ6uU1e8IqCW7CSa7M9gmNWOeO aBdG7JtxsmxXnqoByu2FBFUh8ainxyOE+exkznEne0IwjsbtYeDhmvYEASvxvxiS 7OYoO1dOv4mScElksGThjM8KXdSzZ/5hSWjK9fy90gtoqUNn+WnMtV4YG2dj1ByZ SE4ak3PaFQVMBDUg66ZnG8wppy0uacj94PZ9bp3zPf6WItOxTaF0hPxuW3JhEiwK jNzJlSSY9XSiIQKCnWVBls71wzTujE76rOEUtMPQ64BV+wpB3OwoqmUuaWGhkK/h XzDZSDo7JIII9PXeb1u3XmIJdVFbvX2TmRzrJIpE82ciII5vnV7d390PjJCCskEe A7Go5OpsNVHwuDOI6KE9LOTfMZ+OLOIuIsmxA15zvDeMRcEy1VIzmY+UzoCpWN2v ud4Bv6nBOp3upCsfqofMbodgeW4sEdwUUaLryXpFrPyXeBd+GMsqdZ+6SYAgauuN k0h8Rp/luS+qLexIqQ0R7s/yw05loZHMUBc3cE7jdtjC8cG5tOfZ53OkTAYJxtSE XKT80V8PGKZwFVy7DswVXfCoknnp3iOpbJblUvnGhMJpFqGRuyHhfo3G9uiroq7R HN6IJd0mZKjobhp5pt9KzoFenlD1+JJwRDSWcl2cxbYJc3Z7iJv+2NQF8yUTKvtd uMv9sa26S47sUbEfs8IA6AiSQ7SzNELgmh5H/p1zrhk7jg34we5JN9GRFe45o6my 8yzC+Cmjm8pccbnhWS+BZrGDbkAj5b6EQRmFCWhxyP25ApudNQcwnniUmlzLlWq3 rb7ge/c+NWTgVsp6uvOPGZE4MPLpDyDIsRSmkO4IfC/f8yalNY7oNbJyYiUgia9b kpXHieEECulLcCXSDTfWB8+C4Xt9TB/VSI/6ny7/Xmsh4ynN3aWimvozhD0sppLf syDcDU9NMvbJKd+bMmg0Av8qMIoTsK/avoTuUvWvz1Mc0zwNf8C1HdyUhnyjlekw MCZdkZLAUajsVMSPIssvsJMesui4qocl55APMMxpkrGGlYU5N3yOkWoYGws= Extension name: 57945459 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DBB5FA38B9E834F8

http://decryptor.top/DBB5FA38B9E834F8

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • T1107 File Deletion (2)

  • T1112 Modify Registry (2)

  • T1130 Install Root Certificate (1)

Discovery

  • T1012 Query Registry (1)

  • T1120 Peripheral Device Discovery (1)

  • T1082 System Information Discovery (2)

Impact

  • T1490 Inhibit System Recovery (2)

  • T1491 Defacement (1)

Tasks