General

  • Target

    c6d72dbc8c2ca62471a786a4a00e771d8683a7c7429d2c67f059315cd6ad443d

  • Size

    160KB

  • Sample

    220124-bf2r6ahbgn

  • MD5

    db42f17991a7ba10218649b978d78674

  • SHA1

    afa39b93f64712f108445122fa3ba532b56ff261

  • SHA256

    c6d72dbc8c2ca62471a786a4a00e771d8683a7c7429d2c67f059315cd6ad443d

  • SHA512

    d29089f142e9a2a8d2f85b0ea9428d7c9a47d21ab77e2715ed8ff6417e6dc250841cbbf194a1e6e684048a3714cc3983c793061f4cd480664c26a76a41789065

Malware Config

Extracted

  • Family

    sodinokibi

  • Botnet

    19

  • Campaign

    36

  • C2

    stagefxinc.com

    birthplacemag.com

    clemenfoto.dk

    wineandgo.hu

    lexced.com

    fascaonline.com

    eksperdanismanlik.com

    skolaprome.eu

    lgiwines.com

    floweringsun.org

    rivermusic.nl

    lifeinbreaths.com

    deduktia.fi

    angelika-schwarz.com

    mjk.digital

    justaroundthecornerpetsit.com

    sycamoregreenapts.com

    aoyama.ac

    datatri.be

    dinedrinkdetroit.com

Attributes
  • net

    true

  • pid

    19

  • prc

    outlook.exe

    dbsnmp.exe

    infopath.exe

    dbeng50.exe

    sqlservr.exe

    encsvc.exe

    mydesktopservice.exe

    wordpad.exe

    mspub.exe

    isqlplussvc.exe

    sqlagent.exe

    firefoxconfig.exe

    agntsvc.exe

    thebat.exe

    visio.exe

    tbirdconfig.exe

    mysqld.exe

    synctime.exe

    sqlbrowser.exe

    ocssd.exe

    mysqld_opt.exe

    thebat64.exe

    onenote.exe

    thunderbird.exe

    winword.exe

    mydesktopqos.exe

    powerpnt.exe

    ocautoupds.exe

    ocomm.exe

    mysqld_nt.exe

    oracle.exe

    steam.exe

    msftesql.exe

    sqbcoreservice.exe

    xfssvccon.exe

    excel.exe

    sqlwriter.exe

    msaccess.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    36

Extracted

  • Path

    C:\69x69l2qo6-readme.txt

  • Family

    sodinokibi

  • Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 69x69l2qo6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B13206194413D5FE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B13206194413D5FE Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: O2aI6m911GOg4SfZ2KbfjOJgAKZI5kstjSmCehsSNDp1PPiVYPOC4ZKRPHte3HPi 9wTDwOpDIgwBSCkGJ9Qaut0HDrOiGoVUhtnseGQOoWPkAoIQbQW/7PlKSCOJgkhV E+UPOVz0/F9oroZQpVmfFFYnMhuisnlv5XATYUGSUr5O091hAFpBnIFdXe+Z7Fiq 0Wf+PFu2SqG8mfB+3IuXVBSigYZ3AFzqaoQi9RtK1r/GbZH//AsCnourL3myxm8k D2PlKIqvisEbVM/ZHw08eGYKa1U7cnQD9J0D8x7NTPX+fxpk6rbXuUUYS0M2t+6B X6jWy08jp9BDmqW0ehZyuZMepm23cRXZwGRHZ8ND44B7IFJ0j+5mpOK0R7ZmWXt8 KMQr/SZSrdTNV8XHOqXhkDf99mKVioJPQtip5Gsh6PeE8GCFs7Ny9RKaIbL6gGp8 GWf3d1Ds9aUTfTnCPamyJos7mfLXJaCcRUaEJ6jEArhXBj43IJfodxOJxGxO9PCj fRFlzhTJxurxaJbE4x5BZk9nLaeYdgwv91qMa/1vAXiuop82abHCsBDBSdJ39ZpM 1mFlKCtUul/AX+P0LnMRRylBxF4qN86CAJbSj2AdFHEmvKb12/jQEABHw9xefgpM 7aj0tHVe83cIv6l0HFyt9XipqTOzfBXRJufvqXEeKNMnJsV1QR6Dt0ggkOmEel4M 3KHR2ITIjXi8++gDbLLHXXcDL6UYGJlhAxEIHFCUNmeoPyBhRV28eozY7q4SK9gC uOW4AImIS2ZW6LWxYpM9uoFxhh87yx0934EXMkFH4tDD07UHqP4CAIhlToato2t/ XwmIEp82eZ1QPTxBrwrbnKW+n+Ljw6RZz/bpQv35Fo3MmD2E6rQ4QcNOEIp5yzGe 15uP1G8rOZOOz4gWQ++P6lxy7CnjBGzv1DiFVciEmnnc644ZD4EOE+cfP7oOTXGi Ny11grTNnz2znc6MpS/Pe/LkQ8iX7LLl3p+8hjfnUhWOZ8d4W0FrbIolpamYqg3m z9pIxsIs6+eshapa6N+2e0RdBBiTG4xujMbNn8aw46IMfpPA92fq6VSZtLLtsX+e cMKyGapcV1dfeykY4ZCa3Fib2vbhXCK4DMbyhs32KTv+R1UJIrPf28A5rC4m/QeL iQNboRSf1pA= Extension name: 69x69l2qo6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B13206194413D5FE

    http://decryptor.top/B13206194413D5FE

Extracted

  • Path

    C:\k077id74l6-readme.txt

  • Family

    sodinokibi

  • Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion k077id74l6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/714704A3B8695BD1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/714704A3B8695BD1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: H/LW3qeKeeLRk0dNXkUWH2KhcOZYw6ViSy6WnJzA3rrEHPIW9JW4/uGdWwv0ur3t WwieU3mcVZRo8ycylGO/4KwPoEir+zukzCiXT8J4QXpVBnOIxNHX5qmKjQSL7SJa 0KmhvP2zgekep4408i3zogf2V//59oRfPjK0/Y9mArQapeYieO2+exnN2do9iDwN oSoMJhJED4zyv6uPlxdvmKoAZMsBSGY8xpr1VUtTdDxnHlZukQLogaYhnTBNi3Sc +BvoUYIM2egDS3pepj9D5/Plt0XgRc9VQwJQ0sDLD2TkWDOXNSQSa2hHIYOuXXiV Z1IyOYGVpxgaZtLW1NHVPMXEiiCIjq9TIT848nG2XW/tSf+kMOOtzTkj5ReEm8T6 jrS2sJFSphiW0xiLPEP+S03e9OFflN0CMb9R0D8hPdiLVZ2b9E4wDDbaGvqwfvSv 6TRtTYv+uZ1f9XZ4C2+L/J0Ay4dcXkeDwlygcssEVbfnuDzziukkYizfPdHX544g 7gXu67Uf7ZcWI4QQ0eR15D2u4vbQJxo70BbJ0pEKVZGTuq4R769DRuKUqLJu182s zav5Q27PMNOwHRUF1Fl+5M5SLyhF9m+U5Dw+xgVHJiczfBsy7Pnmz5cFU3W1KfF5 +gMXiNUqiSiSA7yS896x8xXDO/kmIRqa958+i+/G/OOMHGLFjGhwtjkO+49LqH06 zpfBLofSXPZYkzr55DLeTXB+YP1XQXk3JhSsoKYaL0XsHePCd49wlL24LaEvWhAD tRDHdSgDFPRbZaG1Ki+JUfHt7xyiwhdppJIzxqhd5lmUzwm0szTdWGd0ekRLFwq6 fS/i8SlcHpoRp/Ud7Kwj+foNC8RPNI2kVARm5v85WFcAQ8Qlt5s6Uw4yrcTtyi2X w2b1oHFI3+m/DW/XOwqwYFDVMOaVQTb94TDDUuYR4kMtdagwK5qmX/XTsfUMflX1 VEvxAqxqdTaM8t0l0Vu1WVUkvLBW0BQ4qhCb1x40RBjNpfQcB2PPjeVctX1N7Ulo ecgw7FT+KhnPIm8XGtVMJhQBZuF/omEbM0AZCZ30h6/G329prJh1E/2ahWmUFKDG pFeOYkc1lmriIZCmWbhdENTkJleGWUXf6wqxNSnF0JO06fm50Y8MH0kpLN1VUJBJ Extension name: k077id74l6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/714704A3B8695BD1

    http://decryptor.top/714704A3B8695BD1

Targets

    • Target

      c6d72dbc8c2ca62471a786a4a00e771d8683a7c7429d2c67f059315cd6ad443d

    • Size

      160KB

    • MD5

      db42f17991a7ba10218649b978d78674

    • SHA1

      afa39b93f64712f108445122fa3ba532b56ff261

    • SHA256

      c6d72dbc8c2ca62471a786a4a00e771d8683a7c7429d2c67f059315cd6ad443d

    • SHA512

      d29089f142e9a2a8d2f85b0ea9428d7c9a47d21ab77e2715ed8ff6417e6dc250841cbbf194a1e6e684048a3714cc3983c793061f4cd480664c26a76a41789065

    Score: 10/10

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
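
The two dropped notes above and the "Modifies extensions of user files" signature describe what a responder meets on disk: a `<ext>-readme.txt` note per directory, the `{EXT}`, `{UID}` and `{KEY}` placeholders of the config template filled with per-host values, and user files renamed with the same random extension. The triage script below is an added example, not code from the report or from the malware. It parses such a note (extension, victim UID from both payment URLs, size of the base64 key blob) and then counts notes and renamed files under a directory tree. The regexes assume the note layout shown on this page; the sample note, dummy key, directory and file names it runs against are constructed.

```python
"""Triage a host hit by this Sodinokibi/REvil sample.

Added example; not part of the sandbox report and not the malware's own code.
It parses the dropped "<ext>-readme.txt" note to recover the per-host
extension, the victim UID embedded in both payment URLs and the size of the
base64 key blob, then walks a directory tree to count notes and files carrying
that extension. The regexes assume the note layout shown in the report; the
sample note, key and file names below are constructed so the script runs offline.
"""
import base64
import os
import re
import tempfile
from dataclasses import dataclass

# Layout assumptions taken from the two notes in the report: the UID is 16
# upper-case hex chars after the last "/" of each URL, the extension is
# lower-case alphanumeric and appears both in the body ("has expansion X.")
# and after "Extension name:", and the key is base64 printed in 64-char rows.
_URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+/(?P<uid>[0-9A-F]{16})\b")
_BODY_EXT_RE = re.compile(r"has expansion (?P<ext>[0-9a-z]+)\.")
_KEY_RE = re.compile(r"Key:\s*(?P<key>[A-Za-z0-9+/=\s]+?)\s*Extension name:\s*(?P<ext>[0-9a-z]+)")
_NOTE_NAME_RE = re.compile(r"^(?P<ext>[0-9a-z]+)-readme\.txt$")


@dataclass
class NoteIOCs:
    ext: str
    uid: str
    urls: list
    key_bytes: int    # decoded length of the base64 key blob
    consistent: bool  # one UID across all URLs and one extension across the note


def parse_note(text: str) -> NoteIOCs:
    """Pull extension, UID, URLs and key size out of a REvil note; raise if it is not one."""
    url_matches = list(_URL_RE.finditer(text))
    body_ext = _BODY_EXT_RE.search(text)
    key = _KEY_RE.search(text)
    if not (url_matches and body_ext and key):
        raise ValueError("not a REvil-style ransom note")
    uids = {m.group("uid") for m in url_matches}
    exts = {body_ext.group("ext"), key.group("ext")}
    key_b64 = re.sub(r"\s+", "", key.group("key"))  # drop the 64-char row breaks
    key_bytes = len(base64.b64decode(key_b64, validate=True))
    return NoteIOCs(
        ext=key.group("ext"),
        uid=sorted(uids)[0],
        urls=[m.group(0) for m in url_matches],
        key_bytes=key_bytes,
        consistent=(len(uids) == 1 and len(exts) == 1),
    )


def scan_tree(root: str) -> dict:
    """Map each extension named by a note under root to its UID, note count and renamed-file count."""
    summary = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not _NOTE_NAME_RE.match(name):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                try:
                    ioc = parse_note(fh.read())
                except ValueError:  # e.g. a project's own "foo-readme.txt", not a ransom note
                    continue
            entry = summary.setdefault(ioc.ext, {"uid": ioc.uid, "note_consistent": ioc.consistent,
                                                 "notes": 0, "encrypted_files": 0})
            entry["notes"] += 1
    for dirpath, _, files in os.walk(root):
        for name in files:
            for ext, entry in summary.items():
                if name.endswith("." + ext):
                    entry["encrypted_files"] += 1
    return summary


# Constructed demo note: layout and identifiers from the report's first note
# (extension 69x69l2qo6, UID B13206194413D5FE), body shortened, dummy key.
_DEMO_KEY = base64.b64encode(b"demo-key-blob-not-a-real-revil-key!!").decode()
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on you computer has "
    "expansion 69x69l2qo6. [+] How to get access on website? [+] a) Download and "
    "install TOR browser from this site: https://torproject.org/ b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B13206194413D5FE "
    "b) Open our secondary website: http://decryptor.top/B13206194413D5FE "
    "When you open our website, put the following data in the input form: "
    f"Key: {_DEMO_KEY[:32]} {_DEMO_KEY[32:]} Extension name: 69x69l2qo6 "
    "----- !!! DANGER !!! DONT try to change files by yourself"
)


def build_demo_tree(root: str) -> None:
    """Write a constructed victim tree: a note in two directories plus renamed and clean files."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    for d in (root, docs):
        with open(os.path.join(d, "69x69l2qo6-readme.txt"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOTE)
    for rel in ("report.docx.69x69l2qo6", "docs/budget.xlsx.69x69l2qo6", "docs/notes.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(os.urandom(64))


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
    print(run_demo())
```

`scan_tree` deliberately skips any `*-readme.txt` that does not parse as a note, so a repository's own `project-readme.txt` does not produce a false hit, and it reports `note_consistent` so a note whose body extension and `Extension name:` field disagree (or whose two URLs carry different UIDs) is flagged rather than silently trusted.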

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                      Signatures  ID
Defense Evasion   File Deletion                  2           T1107
Defense Evasion   Modify Registry                2           T1112
Defense Evasion   Install Root Certificate       1           T1130
Discovery         Query Registry                 1           T1012
Discovery         Peripheral Device Discovery    1           T1120
Discovery         System Information Discovery   2           T1082
Impact            Inhibit System Recovery        2           T1490
Impact            Defacement                     1           T1491
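
The "Deletes shadow copies" signature and the Inhibit System Recovery (T1490) mapping above are the behaviour most worth alerting on, because it runs before encryption finishes. The report does not show which command this sample used, so the detector below is an added example (not from the report or the malware) that covers the Windows built-ins commonly abused for this purpose as an assumption about the family, not a claim about this binary: `vssadmin delete shadows`, `wmic shadowcopy delete`, `bcdedit` recovery switches, `wbadmin delete catalog` and `Win32_ShadowCopy ... Delete()`. It runs the rules over constructed Sysmon-style process-creation records in a simple `ts|image|parent|cmdline` form and then correlates hits per parent process, so a chain of recovery-inhibiting commands from one process is ranked above a lone administrative `vssadmin list shadows`. The host, parent path and timestamps in the sample records are invented.

```python
"""Detect "Inhibit System Recovery" (ATT&CK T1490) command lines.

Added example; not part of the sandbox report. The report records that this
sample deletes shadow copies but does not show the command it used, so the
patterns below cover the commonly abused Windows built-ins as an assumption
about the family's behaviour, not a claim about this binary. The log records
are constructed Sysmon-style process-creation events in "ts|image|parent|cmdline" form.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("powershell_win32_shadowcopy",
     re.compile(r"Win32_ShadowCopy.*\bDelete\(\)", re.I)),
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Alert:
    ts: datetime
    rule: str
    parent: str
    cmdline: str


def detect(lines) -> list:
    """Return one Alert per record whose command line matches a T1490 rule (first rule wins)."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, _image, parent, cmdline = line.split("|", 3)
        for name, rx in RULES:
            if rx.search(cmdline):
                alerts.append(Alert(datetime.strptime(ts, TS_FMT), name, parent, cmdline))
                break
    return alerts


def correlate(alerts, window=timedelta(seconds=60), min_rules=2) -> dict:
    """Flag parents that fire at least min_rules distinct rules inside one window.

    Ransomware usually chains several recovery-inhibiting commands from one
    process within seconds; a single hit from an admin script stays below
    the threshold unless min_rules is lowered.
    """
    by_parent = {}
    for a in alerts:
        by_parent.setdefault(a.parent, []).append(a)
    flagged = {}
    for parent, items in by_parent.items():
        items.sort(key=lambda a: a.ts)
        for i, first in enumerate(items):
            rules = {a.rule for a in items[i:] if a.ts - first.ts <= window}
            if len(rules) >= min_rules:
                flagged[parent] = rules
                break
    return flagged


# Constructed sample events; victim host, parent path and timestamps are invented.
SAMPLE_LOG = [
    r"2022-01-24T08:13:02Z|C:\Windows\System32\vssadmin.exe|C:\Users\victim\AppData\Local\Temp\update.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"2022-01-24T08:13:03Z|C:\Windows\System32\bcdedit.exe|C:\Users\victim\AppData\Local\Temp\update.exe|bcdedit /set {default} recoveryenabled No",
    r"2022-01-24T08:13:03Z|C:\Windows\System32\bcdedit.exe|C:\Users\victim\AppData\Local\Temp\update.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"2022-01-24T08:20:41Z|C:\Windows\System32\vssadmin.exe|C:\Windows\System32\svchost.exe|vssadmin.exe List Shadows",
    r"2022-01-24T09:01:10Z|C:\Windows\System32\wbem\WMIC.exe|C:\Windows\System32\cmd.exe|wmic shadowcopy delete",
]


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(h.ts.isoformat(), h.rule, h.parent)
    print(correlate(hits))
```

Run as-is, the `vssadmin.exe List Shadows` record produces no alert, the three commands from the Temp-directory parent fire two distinct rules within one second and are flagged, and the lone `wmic shadowcopy delete` from `cmd.exe` is recorded as an alert but not flagged until `min_rules` is lowered to 1.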
