General

  • Target

    7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15

  • Size

    207KB

  • Sample

    220124-b9dmeshhc6

  • MD5

    151ae10c5420285797f5204d4b3c9666

  • SHA1

    13e33b4228975bac515d68513f9688f9278875b7

  • SHA256

    7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15

  • SHA512

    041d9bba9d0f92364204d8fab856bf9cf09240d94c6372003eac21bce31a3924ba3512413e6c27762bb798ae3908be5060ce104ff40206eaf85d15def8efd907

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

99

C2

luvbec.com

eatyoveges.com

innersurrection.com

campusce.com

anchelor.com

medicalsupportco.com

photonag.com

rsidesigns.com

o2o-academy.com

hoteltantra.com

gaearoyals.com

arthakapitalforvaltning.dk

ntinasfiloxenia.gr

eafx.pro

smartmind.net

delegationhub.com

laylavalentine.com

michal-s.co.il

stathmoulis.gr

mariajosediazdemera.com

Attributes

  • net

    true

  • pid

    19

  • prc

    isqlplussvc

    firefoxconfig

    oracle

    ocssd

    powerpnt

    thebat64

    onenote

    sqlwriter

    outlook

    mysqld_nt

    excel

    sqlbrowser

    dbsnmp

    msaccess

    winword

    dbeng50

    visio

    ocautoupds

    encsvc

    tbirdconfig

    thebat

    sqlservr

    sqbcoreservice

    mysqld

    agntsvc

    xfssvccon

    mysqld_opt

    mydesktopservice

    ocomm

    msftesql

    thunderbird

    synctime

    infopath

    mydesktopqos

    mspub

    sqlagent

    wordpad

    steam

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    99

  • svc

    sql

    veeam

    backup

    memtas

    sophos

    svc$

    vss

    mepocs

Extracted

Path

C:\v1zz4aj-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion v1zz4aj. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6693C1C35B0228F2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/6693C1C35B0228F2 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 5wyc5udixfNWFLEnLBm5i0iHEip7kxCM7O1Tyrz/CRqVwPPE5P5Fyuw8LnmbRjec WiBp6hDR5v+FpubC8kJrirMscLYXEmrQkXQfdivfyYru/HMZmA2rzzuvQdTxNe18 DBcGX48TzKcbfjdEcJQcfxLSoyZCgDmH9kadeK5msOT/HB/ETFHJSxv+gOj0LZvS yQQqcofIo4Tj+KtJgpTBjlqa0U6AssVWi/OT4ir6Z7KEFbEP6mxCB1csMcqfs/WZ KVODVeHDkxkpAZK3tp1Iw1E5zWTzkEUDosJpFB9/ut5E5GS0YAsU8JldE2CcF2IL XAoqYMDUFmg8gYf/0n/jTHByecKDYw7T4wN6s8GQTSmhduKwxDVmLWcxLCQ1yN32 Z+AjsYu0ZqR1NTp5/KXaN4KDU0CiZcCuvBuz4CMVSf/lXM73Iwxv9Xu64INpeSr3 qvE7PkUPcCsAStPeV2wsCyYdNojDmJjIxnn76DLEITCwawdsVKqJE/MvsMPJfM9b BDz4CGzxCCB2P7DufWZ1+2FFor1DSGjHsguNaGGkrNV5T9ylRrOZiX8qclT8YtiW 9kfgae6A7j1NhnBeDmt5Tx9sHH9WNaZFCa2NXedpQi/ZTVIyFdpf0sDCVs7W1rdj nsp1yw2LLCFLSOAgjirvlulAMAxZ5UVmBiMC9gNXHo7lzwr77AWHjHjyc31t1EuE vdxDzOmOq8vY32lHGuL/7hvx2u5E55BmTt+0jxLMicN41geLe5MpBjsBVGsg9aTC JYcf/AqFS0wAm+qlxDp6iqpLxI71PQUeM7HpWqXH7YHjewTuSFODutvf1Pyz54hL oGRI3TGnYn6KjaaCm18ksnQbubn7O5OHNCOxRZZddrV501GMIx9DAF2++nDjhhF9 oynzaAh5w261NZQ/gU+rPIfZy+aZPdQ43X3+zPsHJmYdE7sv1TpE/9fTn+7L+76n QdQu9og3NYTzPGSREhyDALqzeBCnwsJIVsLexxj5PDaykse0/3bLra/JQVrSBDWY vggcdhOxdUD4oev6JI0/keaWJNFfMfLPA8CIJnd4VxFset0lX4c+aeiEyUlT6Ow2 Sg+3wrzcVsowUQikKi+7c/xzYej7Cti6YNFpVoMNRWzwqs8boQDsMDwM/j9Luncb 2G8= Extension name: v1zz4aj ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6693C1C35B0228F2

http://decryptor.top/6693C1C35B0228F2

Extracted

Path

C:\976a6gt-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 976a6gt. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F76D1875731C2BBD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F76D1875731C2BBD Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: NsYNFN1VN2i/IbXtxbUcG85bEFx2dURQSiSttbESyrP0KlB732VA7W9pU+8Qofvn ctiit3gL1QvXiTQx31TkX2CTqD1JweQDwi3HcTAfP7zdiq6xmN5AJtxQFTTE0tkO 1v+6Ozs2tcMExYV/uQH34o+JTpJQalQTPv7L1ukY8TJ66Htd61zdIB9UbS4AunFV 6TXnPKslUMJS63T9KED4gTXxHbQaaL9jveAAJsEFwY0kr2X9p+cso0/dP6tUe5hk fcrWQV67rBVoXGLBthRwX7TXBMqf1nC994fWkrJJdcnd+julHNmZw0z46+/R3yUI 29aYUj4WcOs9rzqvpHKOuww8G63qPRiAor4nSvX/GwwagQ4GnKn5j/CdGNkRYCrU R1Mk7LyBG5yIluXbj/zddGpVXyyaJmIBRqGVVPZp8+uSnb2WpUxiQ2j2w0FAIKHR iv//Ft5E5LkBmixRt2Fp07yyfzzfonwwSDH0fDoIKkrbRt5rxY1g0Pi22L1Pug/A uB/VMc3ZIT6gA3TivvfC0JI/vrg4PN4Lqxw7rt85rn0cvKq3A/iYClubGquNtUTM ajwsQ7rB9NlHKvjgQ/aD3eZKQhxHZo/RcmZtmzyWtDoQi9N9Kfgbr1zLxxMjDErp ABVdZIDt6psBOc7D048TFEVuedU0eZzdiDZA7XlU7vHJOe3L2I/ozIgfZchB7k59 k8gRiSR5Q9BQx9vzYONVisfd12Qg4E34mpg6CbsNjoVR8c07Hbh8lLaYM9bMLAKN e+L5slYtt5VhbTbkzBXuZmZHfbX4aVoQBWKQuge9Io8Olu1QWtJfAAxDZFIsHkAa kNP6eaZH2FPCGLLTZZw3DXm0QQBCkCTJ6N+DsUGH2U9V4u+b1VCWMrN2h74mXABa v4hp+DSZKf4eblo9UxeyfYe9RhnBsPYU6TE7ZW0DgndmTJuwdpc2eEvLF4sqZ7Lg +fHAQr39FM8n7pRxqViD+pvruN6iua5FE6H7o7fY68X4881mveRxlCdWSkOwdEaB ZLqLd0/Ay+7FgUp0gUvDMDJibCZE21N6ibukz3viQCC1mblIoVG5pf8HI9kBckeT AKUaY5yb6hP8qkkuzRY16MTCnce5OjwmDKAiVaBbifbA1RGxZ5ILjXXV Extension name: 976a6gt ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F76D1875731C2BBD

http://decryptor.top/F76D1875731C2BBD

Targets

    • Target

      7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15

    • Size

      207KB

    • MD5

      151ae10c5420285797f5204d4b3c9666

    • SHA1

      13e33b4228975bac515d68513f9688f9278875b7

    • SHA256

      7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15

    • SHA512

      041d9bba9d0f92364204d8fab856bf9cf09240d94c6372003eac21bce31a3924ba3512413e6c27762bb798ae3908be5060ce104ff40206eaf85d15def8efd907

    Score

    10/10

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Impact

Defacement

1
T1491
