General

  • Target

    d7cd1240d18dd61b20aff238b8e8556c7c829ff679f1098ff219a104259fe046

  • Size

    116KB

  • Sample

    220124-bah3vshba7

  • MD5

    bbbef8d47b3699d52aa8d32f12ce2101

  • SHA1

    3a7a704b6b0e2ba3f82e5aa705e47af3a2bef1f2

  • SHA256

    d7cd1240d18dd61b20aff238b8e8556c7c829ff679f1098ff219a104259fe046

  • SHA512

    02219436844a229c20f61963e13cae5ea3c57dd9ee5716bee35bb95abca78447983b63ef9dd92afaab26dcb395e78809a9d1a76e21e570e674d7a63e2e7c18a7

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$9X0ij8YXhqjLO.H2cLhF2e3Fi/GoedSCGNJn/pT25k02Zpd70dBQm

Campaign

5079

C2

perbudget.com

balticdermatology.lt

dushka.ua

naturavetal.hr

directwindowco.com

aglend.com.au

teknoz.net

celeclub.org

kaminscy.com

gporf.fr

2ekeus.nl

chatizel-paysage.fr

sauschneider.info

nacktfalter.de

cactusthebrand.com

philippedebroca.com

katketytaanet.fi

haar-spange.com

uimaan.fi

nmiec.com

Attributes
  • net

    false

  • pid

    $2a$10$9X0ij8YXhqjLO.H2cLhF2e3Fi/GoedSCGNJn/pT25k02Zpd70dBQm

  • prc

    encsvc

    thebat

    agntsvc

    powerpnt

    xfssvccon

    steam

    ocautoupds

    synctime

    winword

    infopath

    mydesktopservice

    dbeng50

    outlook

    thunderbird

    mydesktopqos

    sqbcoreservice

    onenote

    ocssd

    ocomm

    isqlplussvc

    oracle

    visio

    firefox

    msaccess

    sql

    wordpad

    mspub

    excel

    tbirdconfig

    dbsnmp

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/125?s=7ee0235fc7f67403393ad971dea5809e [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    5079

  • svc

    sql

    memtas

    sophos

    veeam

    svc$

    mepocs

    backup

    vss

Extracted

Path

C:\ntq1t-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ntq1t. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/125?s=7ee0235fc7f67403393ad971dea5809e [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EF5EC22C8022865A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/EF5EC22C8022865A Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: jiyr5PtvG421jV/DZq04jdRhkjTYqRGLpvGq8BZzGEoHLTz06OBBSjKDj6V50BWY Cb5I5Kq9RNUGpxm0huT08J8vfBK+CtYjOU7tU5Vs6u9UWn7qMmg198wYLooiTh4n o03w7rIlF0YSxffynGDaVX92swWqpbSgdscLm1PUin/LNBbe4x33QFjNNX/G4+Uo cmesj5hMM1yYWM8G2zArcNqtawH+As9tbC3MvauE+zf/uUKFRoCwO8kLLtuQ55o4 wybtY4EGtsKSH++6Oedz+LZH0MSzx1DVo44SVkXsQw1Kui2OD3YmtfnGZqR4F91e FYn67V/4fAgkIOTMhqAxHpdSqruGLCOZXVkhR+8YOYg+f/kWpWDCh2U6mlWype+h n6Y6IqvYKAx6cyGD10cG8vXp1B4zhbeXF5G2ReREp/1cserJW6fENGDkDGj15R5/ 4SmLa1KvKSsgLk+egcC9T5ErvZtp1Th+4SX9LkqJDXG9LQbfA3ZHCrX5hGPQs5DR RWdGBjBfMb7sxLbeLov2E/oLT3q6qGe8w+J5BhgN8IPqgi+YuKIa1tRP/dGzZQiT 3ApkB00rtj7zz9btc79bcMdlFXnSaVUNTHEY2L3P9SFOpW2DmGSYlB67dtyQ66T9 cg2eGBvWW4s3H9TJVUjV6bgiwRpMtYDzFRw4q/8U+U4b3yZqaYFNDr/ry8j/7Y9x j8Z5VZ47KZEooS/y5r8+k9g+FwpQerCGmDwjw/LJkpZCH1bb76e+y08Of0t04pEp RMgoOLv5OAxnLGqADiPja9GS/0SqzvRx5m0m0RJ/5DNDPRKfsy0GGmNr/aO8NP2E F7WvI5rjUSFoZcUu5rAD5ObvXWOEDEqOoD0A4MSRgqKfTpbQa32DgrWHk35YSBEL mlAa8Rqdhomia9kb5/1IP7YvYK7G/tqaAZojrzKnfTiBFWRhNCrzIlN/+1Trgo0x Gv4G79zrbsm/lAZmPf6i2myx+WDbOrVoqde7ZHAYLNlSsbwqt5V4J/jCtvEViV7i RUbHZDHDYPSJ/fe497y0VQNW2TjWpnXt83LYdr/h8rGXOuqIdoPkSoYvxASVeM1V bkmWsdBPHDB7z0SOuDpngBEVcwywtr4WBgNK0G3ebYPmCVd0/hAvoMrL03niAnou viu3KUt8SjUSIRyaN+GJVCFXBVjyYhF/y06sYUS56KxLSjUjgnFONIhBy7F8lawZ sLiza20nXT5O9TROlQ0pX40Qb5K3ReZnlMOE7vAK+H46IXCCPCf6lKxf8A0NtaCe bCXv6+L4MkPBaVOMLaiFQ+TEtd/GPQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EF5EC22C8022865A

http://decryptor.cc/EF5EC22C8022865A

Extracted

Path

C:\pn4628ke8-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension pn4628ke8. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/125?s=7ee0235fc7f67403393ad971dea5809e [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B98A2F8084CA08BA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B98A2F8084CA08BA Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: SKNQF/BbQ5LC7jGgXjk1mXYUd15ZUKnK8oj5yp8zpjddpNtTn4czbG2ydlmI6amA QXj2u3VtfQqGPHHd2m3HeXmpO4asFt2kHpX3FwB+mGdGN5s+do5CxqCQKdXszGfZ YN0qWiDfmy2XkOzpN2Kwpi5gyPTuvCApjJVwV+PLevmitZTUefdqfFrgxzlLLIql TPYOW+669wRLsqI4wFX5ULSfiv3MDTqqBZ5BxICfMNUmbPNLG8lWheSuu20YcUNA 8cbDXHnHqOB/w6AcCr9r/vhWXDD/2lgTg8OQy+Wc77nnYGq/i5hdVu0DdiCqowR4 NuYtzXblWz5ss6DdyLBTDjXGaXbzvIZcPQydY+6wvC+t3xWJqoF32SKKBIjzkiD3 AWDS0heYzM3VNfRwwOdKfEOJMYo6KV8Dp7flBXtd4idPkjUijpqaw9qJAr5Sz9bO fNJRZ7TUrqjhNuytGDVjX+BaF7LtKeC/J7/fLqUdfFwiRILY2oP+tBk4mkproZ5X 2ba1xzM0FLVG3AnliN0noBZZ3zPGvXeIIeJA/bDU41yoxd+G8yIlQv+PKM30/gq5 rL2tugTpctljuxr35TGRNlxZpFeefLwMcX0XL4+cO1a9fqVLV0JgPrjV2pTxSnRW Ok3NVYgjHShIdJQ6n94Rrzur6DRjm6DwGo/aToh80qztGTRnwiv6viI6HIUXAi6y rM+RkWx1GylJnnWTCJ8j/t3Qrusg6ZeVaa4YS2U1YJz34wGaVF0zUSdvkGuFMyP0 I/GiF8rVWbu+b2YQ8V9aczXOXiVE38fJ0JIIASYectl0WeJTk4+P1vtmEQOytCNJ /ReIKP+oVnLYFCKwdZIXcpQ+AMcMUX6n0IdZ510JWOMzFK3+5VKu0HgxTmfnMwbV 5qPV8Qtk3ZkPr7cJDbySavh28qsp84EGqAIGY4DG7VBT00FqKmTKalJBWhMOZaci 9zfTuDDcHmO2K0jYmbqFLqV5OiK8FfKchLz64vUtHunDBgpXo2kME1beD//8KDvU tnTg2bHO4LvxNm50ZS0kj2xPuMlIDsxYAJBKAQMCdO39i18/DXW2ENRDKfXyojBJ f/mNzH1kFuRNnlo0zknWiq8jGE2EiBLi76rQSvzm3NT7iPSfuhvgJ3gdtssTgH/+ SYPXieQ742WDQtN46yoh2Tcjq9H6AXd1IllIQSGQzrCR57k2+3HN/P6E+q2x2h15 8eyIif0wS02OVvA3zaCC93ah/pbqRdHTEZBv0G61l7ZoPI6lhVmKq/2oYi6GnDGC 4nNjvg3b4rQZIjamdPxezDTBOcXvBA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B98A2F8084CA08BA

http://decryptor.cc/B98A2F8084CA08BA

Targets

    • Target

      d7cd1240d18dd61b20aff238b8e8556c7c829ff679f1098ff219a104259fe046

    • Size

      116KB

    • MD5

      bbbef8d47b3699d52aa8d32f12ce2101

    • SHA1

      3a7a704b6b0e2ba3f82e5aa705e47af3a2bef1f2

    • SHA256

      d7cd1240d18dd61b20aff238b8e8556c7c829ff679f1098ff219a104259fe046

    • SHA512

      02219436844a229c20f61963e13cae5ea3c57dd9ee5716bee35bb95abca78447983b63ef9dd92afaab26dcb395e78809a9d1a76e21e570e674d7a63e2e7c18a7

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1
