General

  • Target

    712d0fd25d53c83b85c62af64f50196bf68fdf85001e2046e7016b78055f1f39

  • Size

    164KB

  • Sample

    220124-b9j47shghl

  • MD5

    68fc8d4638edea0df94d5b9dff7bb4fa

  • SHA1

    c6679e8a7d47078b148d70bfe24a737ecf914260

  • SHA256

    712d0fd25d53c83b85c62af64f50196bf68fdf85001e2046e7016b78055f1f39

  • SHA512

    cbe0e3568215ff369e395c4a4ea4e34e08d0c0d3566bb6d1c0d5fc420086ecbbd87f7f69e4730c144fc66bb6a0d46fe71a2a824e4b3a2b76776611523a397038

Malware Config

Extracted

Family

sodinokibi

Botnet

13

Campaign

978

C2


Attributes

  • net

    true

  • pid

    13

  • prc

    encsvc

    thunderbird

    sqbcoreservice

    steam

    wordpa

    xfssvccon

    ocautoupds

    powerpnt

    dbsnmp

    ocssd

    ocomm

    outlook

    visio

    mspub

    excel

    firefox

    mydesktopservice

    isqlplussvc

    onenote

    dbeng50

    winword

    oracle

    msaccess

    agntsvc

    infopath

    tbirdconfig

    synctime

    mydesktopqos

    sql

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.top/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    978

  • svc

    sql

    vss

    veeam

    sophos

    svc$

    mepocs

    memtas

    backup

Extracted

Path

C:\k7xe3y-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension k7xe3y.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6739C61237045711
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/6739C61237045711
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: KiOHrUKJWN6cIFTmEvcuxK4ayIW33U5hVsKQaikqguW/xNXe9M6t+9LLj1ppOlSr 1QRP5kaUt+jwlyK4e9QxdZLyl1UPbaLiI/jlaf/MPO8FoYUeJfJ/3az3JkkBG9u2 6yFLndFv8qzko6DrcwXquB8YUkUwpNRhJCSvPtO1hXwxSfIT3v9/wuTlRPxX/bY+ L3muIqgRSuqtbso8naJzVvpF/RBayDTmT5yRU3SS3p2+2TrKbfIARl1ROYFGuzs1 Qpw4LMWso76r9ocqHKJqZ05U0l5QN4NN2ewSxgB+9Ef/Z3ORlVYp36RsnngI6mlP nZN3sOXDHRrFxS6LSYWWHwmqYxHxmbFQCvbbSSSGON25ANDlmV2WzCTjEe7/ZAAS BjxKWDUQAyYh3QSmDmFYDB0QHICKPtfLMtkB+jL6xDx46O3nhgKCoTw/g1I57dud ky+lNWVdV3ngBrO6O/9QXnVeRHz3ypQLXa5m+SsMGxoC2zSnuG0mOH/oCG52AJV9 Mu8pCAg2+st9kPLoOTX7oMj3KYhIw00zWaFAMtNzOx/BZwNsUGv0sMH6DGJfCkXl Chc04ncMDj0mURNqbFka7giHA/GHSWJ6bfZoFWCD0EYCX04uDE7BMKvaT7U9d25V e1uEEO6AQO1eA9iJ+JRtJRkvALRQZZNAM/MmZrZkBf1p6bKiWEb4zwiQX94/6wHz aVLQXLQB3Z8WuSUZaWiFgagRlSaK1luPT184LoutpXhXVzVyaP+dunxWyqf8dz3L f0ch9Xt7X51EI8G+zd6j3grUWyKqenVkzIRuqRQAhnqny95LFS4Qj5j6b1K8J7MF ZjkgSDvWGGjJKb4HRpMinMy90yukC/xGcKFcL1D8uJ4tbPQHJZgNa7Ra93cJGKHN Iqh+qLCPYYkiAksnNb8mYvUcDcPabCNsZVKDLrJ/O5JVjTKp1hu7aJJZ2Pc3p4Ek oGP3+mL3x9HtrrE2l6aEV1EgL9clAA5Xmfj6QEhb2N9OELsTJjT6AnE8Do1k+gbc If0Vuo1LOQaB4ZRz1P4SqZ8FbTOK2y28mLUa5oAHP9wX6p/omIqznJJYI/JjrPJi 0l1znMhhnkeaSdtwSxU/Ent9Lv/a8Y/QEUrxI0575ZmNHMhPoqJpwqk6qJMO8hUZ R6g= Extension name: k7xe3y ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6739C61237045711

http://decryptor.top/6739C61237045711

Extracted

Path

C:\inib8ey352-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension inib8ey352.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B8D4CA694F07AAEF
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/B8D4CA694F07AAEF
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: AmdD69mXHN9njNtI4BybZFCkqPBM2BwL6zPLqpnVjrOXZRyxQiO2mOAQ/mVNFPM/ AAiQIjvlA7E/7DtMtFAdRny3ySiUKlcSpgFVphuSldFIQr+MYE1/GWdpXqC5EZv8 UdB8hpvxYZydm0l/j7C//Cb36xIcmAp7qGNow0zcHzDMQbUWsrSgej5skcuJGK+O v/X1LuIrdv/X6LF13JQ9rfJphU1TXTshZ/rOoq4zjhNWUyQprSHdCXiqw7+JExRM r5IgRlok7/IGY6mSVMtnuYqqkTV20c8+OOSQKHDH600Z6Lm5HeteZ9ZGtXocL1tf OnCr2pW1wI0lnFKxIm49430o89CmtuVTMevoTrgtAM0VftiQ/60FmeKx2Sr+YE+a OCTxQCGWpCJV9au7zBNKqxm0Z8D5Y4+Iq/wLfz6zHf6a9w5pC2scPq7lT2nLscqt /RPX17Ri0fhS4+kxy61/wTv9FGA2rVY2t4GMDWKi6kZWXNN9Xp++juJ6JYSHrrCG Dq7UGFQWDOWGtmjcVDL8d/W9lpTwK+9nnNJoMR6Tcb+th4eqHUts+frfcTajKlNp czccfloWkj8xz+R1udRGV/DCHYJI9Ed1+ZT2hHqp/MaBRS4mcHeqcYIkhkvqHLlO zsOQ4CliylpsgDfLPSQNeMkorqXuk8VquGhaEuFGF6Z23yi7rLVndKeZgYJHdeT5 NarpHvEsQCf/KSoXkM0om8y3Kx7tkmvP3EvnfoScH9tGme8SP6JGWwwtxlK3IVXt RINfIXXx3ym90Bg8M/I2UiLefc4rOCVuQCzSpg3hrYtWu0/VKama9rIkS7Z8usMy ktVry3u0M3+6zlmbRsOBKvg/WG6+XJQIR2kFv4NfQsTlofYn0v+RB8wmy045TwJh yckVGofG9AsFnI3SohTwdtvdQewVq5jx5ec2rl9yf6OjS5cu5g9HWhh7rM0NeUBt g3j1dOp3CY9+1fADIuJiCrgbvui0VsF2gKvsX2NhwEUQD3qPGalgHve9xm7yGsbK uljy3d//BBZVAokNLB89HGUsgwiM5abSbmKvLTZUm0d/JgnMzhVqNneFG3UKqrCO wq7mv907lLQRSAzIIrfe8WoSs8oxZx2Z/tyG/aIWZ/CQ3b/Og1QZeqjwqd7D5gwl ZSI= Extension name: inib8ey352 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B8D4CA694F07AAEF

http://decryptor.top/B8D4CA694F07AAEF

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    T1112 Modify Registry (2)

    T1130 Install Root Certificate (1)

  • Discovery

    T1012 Query Registry (1)

    T1120 Peripheral Device Discovery (1)

    T1082 System Information Discovery (1)

  • Impact

    T1491 Defacement (1)
