General

  • Target

    784df3d6c486715192e2d957382fc49b3ab4131b419ffbdf06b608daf0524613

  • Size

    391KB

  • Sample

    220124-b7l6sahgej

  • MD5

    2571d43d2de48de0af0b2361408de0d2

  • SHA1

    2a32d26d1952b9d40f40affcf97f0dd52735efba

  • SHA256

    784df3d6c486715192e2d957382fc49b3ab4131b419ffbdf06b608daf0524613

  • SHA512

    b51444c6c50b48da0b905d598a2497f9fb33218134f177bdc63e4ead8c7dd54443296bb4a1dcfc3c1686597c021a4c1c861dd0c1f2161bb6390a877fa9bcd628

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

Campaign

1428

C2


Attributes
  • net

    true

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • prc

    excel

    mydesktopservice

    sqlwriter

    ocomm

    powerpnt

    oracle

    mydesktopqos

    ocautoupds

    ocssd

    encsvc

    mysqld_opt

    msaccess

    visio

    agntsvc

    winword

    sqlservr

    tbirdconfig

    wordpad

    xfssvccon

    msftesql

    firefoxconfig

    dbsnmp

    onenote

    thunderbird

    outlook

    isqlplussvc

    dbeng50

    mspub

    thebat64

    sqbcoreservice

    synctime

    sqlbrowser

    steam

    sqlagent

    infopath

    mysqld

    mysqld_nt

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1428

  • svc

    vss

    mepocs

    veeam

    svc$

    backup

    sophos

    memtas

    sql

Extracted

Path

C:\2uh3ed-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 2uh3ed.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/892EFE964B86909A
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/892EFE964B86909A
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: [per-victim base64 key blob omitted]
Extension name: 2uh3ed
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/892EFE964B86909A

http://decryptor.cc/892EFE964B86909A

Extracted

Path

C:\7r083-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7r083.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/816D0743C9F854FB
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/816D0743C9F854FB
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: [per-victim base64 key blob omitted]
Extension name: 7r083
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/816D0743C9F854FB

http://decryptor.cc/816D0743C9F854FB

Targets

    • Target

      784df3d6c486715192e2d957382fc49b3ab4131b419ffbdf06b608daf0524613

    • Size

      391KB

    • MD5

      2571d43d2de48de0af0b2361408de0d2

    • SHA1

      2a32d26d1952b9d40f40affcf97f0dd52735efba

    • SHA256

      784df3d6c486715192e2d957382fc49b3ab4131b419ffbdf06b608daf0524613

    • SHA512

      b51444c6c50b48da0b905d598a2497f9fb33218134f177bdc63e4ead8c7dd54443296bb4a1dcfc3c1686597c021a4c1c861dd0c1f2161bb6390a877fa9bcd628

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

3
T1112

Install Root Certificate

1
T1130

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Impact

Defacement

1
T1491

Tasks