General

  • Target

    d21256e08fd2a4db8f28ad73a4aab17048b9f234bcd911d99d5b4f1b1572a1f6

  • Size

    151KB

  • Sample

    220124-bb8d5shbaj

  • MD5

    0ae7acfd3b1c657788f687da109f4d73

  • SHA1

    423619fd388abb37d11c2ff7ed8e08806d3e4ff6

  • SHA256

    d21256e08fd2a4db8f28ad73a4aab17048b9f234bcd911d99d5b4f1b1572a1f6

  • SHA512

    e1ade9d2a3219d23f2cf10ce29aaddfd5a9d56924e744a975107182e6f7abe2ab4467e280e68a8fee490895d99b68b324d5e1eda6668fb07141112cbf8af7f17

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

Campaign

1428

C2

firstpaymentservices.com

krcove-zily.eu

softsproductkey.com

naturavetal.hr

corelifenutrition.com

leda-ukraine.com.ua

beaconhealthsystem.org

acomprarseguidores.com

extraordinaryoutdoors.com

mardenherefordshire-pc.gov.uk

stopilhan.com

triggi.de

anteniti.com

aunexis.ch

boosthybrid.com.au

bee4win.com

gadgetedges.com

tandartspraktijkheesch.nl

8449nohate.org

simoneblum.de

Attributes

  • net

    true

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • prc

    excel

    mydesktopservice

    sqlwriter

    ocomm

    powerpnt

    oracle

    mydesktopqos

    ocautoupds

    ocssd

    encsvc

    mysqld_opt

    msaccess

    visio

    agntsvc

    winword

    sqlservr

    tbirdconfig

    wordpad

    xfssvccon

    msftesql

    firefoxconfig

    dbsnmp

    onenote

    thunderbird

    outlook

    isqlplussvc

    dbeng50

    mspub

    thebat64

    sqbcoreservice

    synctime

    sqlbrowser

    steam

    sqlagent

    infopath

    mysqld

    mysqld_nt

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1428

  • svc

    vss

    mepocs

    veeam

    svc$

    backup

    sophos

    memtas

    sql
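
The prc and svc lists above are the processes this sample kills and the services it stops so that database, mail and backup files are not locked when encryption starts. The following script is an added example (not part of the sandbox report) that runs those two lists against a host inventory to show what would be hit. The process and service names in SAMPLE_PROCESSES and SAMPLE_SERVICES are constructed, not taken from the analysed run. The matching rules are assumptions, since the report does not document them: processes are compared case-insensitively on the image name without its extension, and services by case-insensitive substring, which is the only way short entries such as "sql" and "svc$" make sense.

```python
"""Check which processes and services the Sodinokibi prc/svc lists would target.

Added example for the config above; the host inventory at the bottom is
constructed, and the two matching rules are assumptions (see comments).
"""
import re

# prc values copied from the extracted config
KILL_PROCESSES = {
    "excel", "mydesktopservice", "sqlwriter", "ocomm", "powerpnt", "oracle",
    "mydesktopqos", "ocautoupds", "ocssd", "encsvc", "mysqld_opt", "msaccess",
    "visio", "agntsvc", "winword", "sqlservr", "tbirdconfig", "wordpad",
    "xfssvccon", "msftesql", "firefoxconfig", "dbsnmp", "onenote", "thunderbird",
    "outlook", "isqlplussvc", "dbeng50", "mspub", "thebat64", "sqbcoreservice",
    "synctime", "sqlbrowser", "steam", "sqlagent", "infopath", "mysqld",
    "mysqld_nt", "thebat",
}

# svc values copied from the extracted config, in the order they appear
STOP_SERVICES = ["vss", "mepocs", "veeam", "svc$", "backup", "sophos", "memtas", "sql"]


def process_targeted(image_name):
    """Assumed rule: case-insensitive match on the image name minus '.exe'."""
    base = re.sub(r"\.exe$", "", image_name.strip().lower())
    return base in KILL_PROCESSES


def service_targeted(service_name):
    """Assumed rule: case-insensitive substring match; returns the entries that hit."""
    name = service_name.lower()
    return [needle for needle in STOP_SERVICES if needle in name]


def triage_inventory(processes, services):
    """Return (processes that would be killed, {service: matched entries})."""
    killed = sorted(p for p in processes if process_targeted(p))
    stopped = {s: hits for s in services if (hits := service_targeted(s))}
    return killed, stopped


# Constructed inventory, shaped like tasklist / sc query output on a workstation
SAMPLE_PROCESSES = [
    "sqlservr.exe", "OUTLOOK.EXE", "explorer.exe", "chrome.exe",
    "MsMpEng.exe", "steam.exe", "mysqld.exe",
]
SAMPLE_SERVICES = [
    "MSSQLSERVER", "SQLAgent$SQLEXPRESS", "VeeamBackupSvc", "VSS",
    "Spooler", "WinDefend", "Sophos MCS Agent",
]

if __name__ == "__main__":
    killed, stopped = triage_inventory(SAMPLE_PROCESSES, SAMPLE_SERVICES)
    print("processes that would be killed:", killed)
    for svc, hits in stopped.items():
        print(f"service {svc!r} would be stopped (matched {hits})")
```

The substring rule is why the list reaches far beyond the named products: "sql" stops every SQL Server instance and agent, "backup" catches most third-party backup agents, and "vss" removes the Volume Shadow Copy service before the shadow copies are deleted. An unexpected stop of any of these services on a host that is not in maintenance is a cheap, high-signal precursor alert for this family.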

Extracted

Path

C:\c124l1-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion c124l1.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B91CE75219894FC

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/5B91CE75219894FC

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
WSKJdtKOTQnVeMd71vTt82Uw7/rqYTUMYyjJFKNk4I50cx/v8uraKj9Zju7+Wl9k
5wlpBooCNDta1QNi2b+kHrvW3INPFsOlMTaGW+T+QyzasOsEsJ1uWtcHvDGzgTtR
VVMJ800NGPtlkqhq3hXXCRBdYL79OjhyIPrW84+4KA7KncEEaHa2RZOX69nKBuPZ
ly6Lmy8tQPqmqIClK+OhEV21a/xWNNll1YlZtCf81okvQOY082Qaz6sbGlQNPqOn
Nha5O9ggohI3L/2vHVkEAw1DQ9eP91x/hJ7/TAlQ1hdvjS3F115sj6JNb4j6jKXv
9AjKJf4/jsZIctaS+UCNRJ3J7EiWBfk6hy0vCOmoBSsu0/nNWenXvxjuj/q1Kjv/
I+k4q8U6tvitap8ACLkppDyHllIUG7uwR4hUve7Rh92nXaQIps/bxf9YsVwPvEhq
tdTMZB9REtreA5aVm3e6NfRrgKfGimR1nMic6PTVKdi9KfqcK1ainw4/m5AmkFV0
6Vm9axpBIP2hgiktKGFobKAVGzNGKKA3R7Qu+2+ow0k43jmXgdK7KSR+3LMgY/nS
6nAMIVRJc+NbExVYclG1q6qXoDHuTfoWTJwK9V/joFpk5PFbspGHuEvTOXw4uRU1
PkPKa8YnMG+9gEFKwf78SZeXQtkHFR6f9XZ4DUdwFAPOTvih3xa5ioP8H1zIa5c9
U2GAMcfZZYy7quya+lvlKHX3z1ypXsyqNFXU9IZdFIgQgbcX0YZjqbRXDTBM3uge
U2vlYoWKUsyzt4Gj09AErrD4KpDE/dhsMqaP2paeqXihrkSpMb0nV3p5yYNYKTgH
QI+HIRRi+1Ibjq92knXRi8n7KEppjXD7td4Hmx2EoD0CUpnY+6oxbfzCi9BglnBn
G8z3X4tev14f1+3UDX8Bx7eqtQaMddZzNnqPJzJEFqBF4m0UO37BZxPG72/g/mJC
GT037PTo4O7lIeEuUmWBoM/bLpwHAL04E9r99RMy4xvhnxGEPsmU5bYIIgYe+ZNe
VYifQ6v+9t3bdMrMhKH8sMswI0Df+J0iUfdKeGx0rOu7U4dcSc7fLt18NbJs3RHK
UG8H106njf/i+FKaYQ0qDHGPmQax81m9aDWygAxFWSXdP0ehy6WD0cpN5Vuj5xbL
0zXZwga+TkdO0hKPI2NsCbTT4N7OUuOV92Z79kKsMpAZTeK+A53FAYIgIAxB3nT4
6clQKZiL6qcSRcU+QVl3yBPnBxZ6aJqYp9R5CW+ImfYqHhMO8/tyT1lcd1uHcAgg
9ZbHSu1gWE46zCRRiyGjcM5pchQTVVKk
Extension name: c124l1

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B91CE75219894FC

http://decryptor.cc/5B91CE75219894FC

Extracted

Path

C:\6282h-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 6282h.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AB65DD7B4E539EE8

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/AB65DD7B4E539EE8

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
x/PqKY1OblgU2EquT73mO+R5Sq0K18vAADeaLeyYsJmiC5CzrwtA1IPcSNgOAzq3
08JeXxZZ6NutXOlcq9PvhyfoYaIUoGH65E5YXnbYfAAUD/HoKEp0XLipazWOu6vJ
AwbWdv8lCuoHKbAcWFSbwvm6+KCyWmuhdGeXgzyoUYbImoCc5Y4eKhVk5utfP3/A
NgCY77NLbJvRFctahZzGRFe8uj2DZ78sugEwMp/JHdzxmVmIE35D4+XpWry+L/dh
bF21iYLN/tRfPWTy/d91EH+24T6wQFhLew4UOlgh/XysG/QW/c0TzXA7hCbvtz/c
5pKL7cEw0m5OxrwDYhHJpp4BKbIyvi2Q2xOV7AwcBk10xy1nM6zhcuBdaJPDn+xG
md+ib5eqOYUChGXz2HVG185OtYr8eIhjG0qDyximUr0BD0M4sIiJp2cAde5/pIvh
Gah1F/jnbCbulkP87JA/nobrX9gJc7VjaycPvIQkV1udOIk/xofe5hSS96E6Aimv
Fgmgfw2f6mEyYZmfqkQzx7hped6ThCN/8381JXMt3vChx5rjUkXu/vJGJvuiMpUE
A4jk/Dk1FCWqOIuSJRv+0dCtPI2B4Dr9KYcdIP0uXu402iktgdXMEfbvNlLm/INw
cpC7kSdwXhSuQvmxlPo1nPOvnmq0fzESpIB1557dyQWLArkV057sCCP1aHlYAGh6
vIqum7oxj6bELuZTKdlwJuCk9Y5+lI+ungDIT6QxJ2+w5X8x1OFHD9qxGBa939Tp
OHL3nG7uI+JWOYCqei3wTmMlFZLgNvAx/ErSxNg96ZoTATPUzGJpW8krNoRMvbxs
wsusg7KrVe8wgX6tKxVeYY9isxSmkR7uvs925PO2jv2QO6KJGs5R/N6ijZzk1o6o
gtlzvYLZed34r535sOnaN+52Nqp03uGqqbw+qK60lzK3VXWtgvgyT5RaI2e+oZ+Q
CmIg/Aymdus+6o2R7ouoXRUM/DUNR0W5x8zDQzPA9x8rd2Fzz2P7vXcr2oomsVGF
W0Gdq3iipEiS8+NGfBNyUqasHqFjugv2IERs7oD5xn18/2qjlqWhkl2+WrJdatCP
Su8ydouUjfKQaimSAUJfBKGklTE0/F4074rYllUchyGabq8niE6SjN/ZEgLM5GWL
gQpEjDN7ffmCK80VsBGfeb4btwPOpxX/2mJwvTaJMOYpY4WHARhbFcDXzURVoj/X
2Rgh8i3YvK0BQLmeQXo6EoMcG9QT2tRtOXu8m35R41ah4EZkxnPkIapwpqoDGnkm
ijPr+mWKgUdvF1e8/cs=
Extension name: 6282h

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AB65DD7B4E539EE8

http://decryptor.cc/AB65DD7B4E539EE8
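
The two extracted notes are instances of the ransom_template with {EXT}, {UID} and {KEY} filled in, and the note path follows the ransom_oneliner's "{EXT}-readme.txt". The script below is an added example (not part of the sandbox report) that compiles the template into a regex and uses it to pull the extension, victim id, key and payment URLs out of a note while checking that the note really is an instance of the template. TEMPLATE and NOTE_C124L1 are abridged to the sentences that carry placeholders, with "[...]" standing for omitted text in both; the key is cut to its first two 64-character lines. The onion host, decryptor.cc, the UID 5B91CE75219894FC and the extension c124l1 are the page's own values; the per-placeholder character classes are assumptions chosen to fit those values.

```python
"""Parse a Sodinokibi/REvil readme note against the config's ransom_template.

Added example for the extractions above. TEMPLATE and NOTE_C124L1 are abridged
("[...]" replaces omitted text in both) and the key is truncated to two lines;
the placeholder character classes are assumptions.
"""
import base64
import re

TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on you computer has "
    "expansion {EXT}. [...] b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "[...] b) Open our secondary website: http://decryptor.cc/{UID} [...] "
    "Key: {KEY} Extension name: {EXT} [...]"
)

NOTE_C124L1 = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on you computer has "
    "expansion c124l1. [...] b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B91CE75219894FC "
    "[...] b) Open our secondary website: http://decryptor.cc/5B91CE75219894FC [...] "
    "Key: WSKJdtKOTQnVeMd71vTt82Uw7/rqYTUMYyjJFKNk4I50cx/v8uraKj9Zju7+Wl9k "
    "5wlpBooCNDta1QNi2b+kHrvW3INPFsOlMTaGW+T+QyzasOsEsJ1uWtcHvDGzgTtR "
    "Extension name: c124l1 [...]"
)

# Assumed shapes, chosen to fit the values seen in the two notes above
PLACEHOLDER_PATTERNS = {
    "EXT": r"[0-9a-z]+",          # extension appended to encrypted files
    "UID": r"[0-9A-F]{16}",       # victim id, the path on both payment sites
    "KEY": r"[A-Za-z0-9+/= ]+?",  # base64 blob, wrapped with spaces in the note
}


def template_to_regex(template):
    """Compile the template into an anchored regex. The first occurrence of each
    placeholder becomes a named group; later occurrences become backreferences,
    so a note whose two {EXT} or {UID} values disagree is rejected."""
    parts, seen, pos = [], set(), 0
    for m in re.finditer(r"\{(EXT|UID|KEY)\}", template):
        parts.append(re.escape(template[pos:m.start()]))
        name = m.group(1)
        if name in seen:
            parts.append(f"(?P={name})")
        else:
            seen.add(name)
            parts.append(f"(?P<{name}>{PLACEHOLDER_PATTERNS[name]})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile(r"\A" + "".join(parts) + r"\Z")


def parse_note(note, template=TEMPLATE):
    """Return ext, uid, decoded key length, expected note path and payment URLs,
    raising ValueError when the note is not an instance of the template."""
    m = template_to_regex(template).match(note)
    if m is None:
        raise ValueError("note does not match ransom_template")
    key = base64.b64decode(m["KEY"].replace(" ", ""), validate=True)
    ext, uid = m["EXT"], m["UID"]
    return {
        "ext": ext,
        "uid": uid,
        "key_len": len(key),
        # ransom_oneliner: "Find {EXT}-readme.txt"; the extraction places it in C:\
        "note_path": f"C:\\{ext}-readme.txt",
        "urls": sorted(u for u in re.findall(r"https?://\S+", note)
                       if u.endswith("/" + uid)),
    }


if __name__ == "__main__":
    for field, value in parse_note(NOTE_C124L1).items():
        print(f"{field}: {value}")
```

Matching the whole note against the template, rather than grepping for "Key:" and "Extension name:", is what lets the parser reject a note from another family or a hand-edited one: the backreferences force both {UID} occurrences (onion and decryptor.cc) and both {EXT} occurrences to agree. The UID is the only value a responder needs to correlate notes from several hosts to one victim, since every host in the run gets the same one, while the extension and key differ per host, as the c124l1 and 6282h extractions show.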

Targets

    • Target

      d21256e08fd2a4db8f28ad73a4aab17048b9f234bcd911d99d5b4f1b1572a1f6

    • Size

      151KB

    • MD5

      0ae7acfd3b1c657788f687da109f4d73

    • SHA1

      423619fd388abb37d11c2ff7ed8e08806d3e4ff6

    • SHA256

      d21256e08fd2a4db8f28ad73a4aab17048b9f234bcd911d99d5b4f1b1572a1f6

    • SHA512

      e1ade9d2a3219d23f2cf10ce29aaddfd5a9d56924e744a975107182e6f7abe2ab4467e280e68a8fee490895d99b68b324d5e1eda6668fb07141112cbf8af7f17

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                            Count  ID
Persistence      Registry Run Keys / Startup Folder   1      T1060
Defense Evasion  Modify Registry                      3      T1112
Defense Evasion  Install Root Certificate             1      T1130
Discovery        Query Registry                       1      T1012
Discovery        Peripheral Device Discovery          1      T1120
Discovery        System Information Discovery         1      T1082
Impact           Defacement                           1      T1491

The IDs are ATT&CK v6; in the current matrix T1060 is T1547.001 and T1130 is T1553.004, the others are unchanged.
