General

  • Target

    c5d96530dfe3ac2c8330bc798beafe36b05d9c403ad98764fefcdc3157f0dda5

  • Size

    201KB

  • Sample

    220124-bggtdahcc6

  • MD5

    ccc2793bc8d73bd6771379ae5eff8c16

  • SHA1

    c194ebc9a23aa174c3817dd17c8791acd9d3b419

  • SHA256

    c5d96530dfe3ac2c8330bc798beafe36b05d9c403ad98764fefcdc3157f0dda5

  • SHA512

    5f8630dfbcc0fb52a09d71fbd8881244c150c45f3e4c94caa49b109bdfd0ecb96dd8776aea74a52f498ea60fb13a2f5926424d4d065da4ed09b1b7d2415cd0c2

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

Campaign

1428

C2

Attributes

  • net

    true

  • pid

    $2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

  • prc

    sqlservr

    excel

    sqbcoreservice

    powerpnt

    mydesktopservice

    dbsnmp

    msftesql

    steam

    sqlbrowser

    ocautoupds

    visio

    sqlagent

    thebat64

    outlook

    dbeng50

    mydesktopqos

    onenote

    sqlwriter

    tbirdconfig

    agntsvc

    infopath

    encsvc

    oracle

    synctime

    mysqld_nt

    thebat

    xfssvccon

    isqlplussvc

    wordpad

    mspub

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1428

  • svc

    memtas

    veeam

    sophos

    vss

    svc$

    sql

    mepocs

    backup

Extracted

Path

C:\dly59kp-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion dly59kp.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B98AA334B2DA8E93

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/B98AA334B2DA8E93

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
WuyottCFgVLwlo2Sbv/Vp0c4ooxsvMd/XgJ8S7eQRXXWVJUQ0tvZrLZHBQJgr7Tj
O+Le3K9JRtvpRA0g1WpXSQLcWW62sXC08eN0lQyElRHM9cwgwJKcYgii7oVzRTyf
DqPRdRzohsexJwHDcSQ6GCk7wL40BA8ddEXgF616HSSgV8cqmhdwTDF8ri+EfHH7
+hiO25BlmFvBWn0VbnLTHwMe+OEJT0A6aQtxjoYTwJbahDBsdXjIJGmJW2ZL88sT
n9u8uJ82jbHcGJ4mjpXRQSFeKxzMe9ZeWInFlmGbXT/eDgL75sI664L/G1X7Ngyn
yJ+I68l/k2p3lfooqvYWEjN36sLuYGteK12HOZeYmc0KVBoWAAku7lOCa0I4okdw
5lUNJTMDetKHBBP4z99QeNs8xbNuPE/cGhAhNm4UVf4Pzqlp6LhY4Vq2X294aazs
GHBmDv7jKO/qLzv70avb8YLJPAP7gldq/tU7Mqq/7u8w4CvC3+y+3GN+4lfpbV73
UU502bJ2qDrmcAmkzCKThxNP9vV63w+kpWog9Rr+enObL28Zvuz4NKyymXaQ2oGq
tYS0zLaiPb9sO1DUFN8kC2iQO/YRvoH3XxHSJuJOU7iswFOEjetF/yVYYonnjINh
uVpp6iEVF5PciIK4QaKWzbY8MUtY4pOxjOkWKGMsF3HAcCsS4LrApoCUmJBhQY5x
ywgubE1q1jEbjiSdJHWdNJ++qVxiFpnG/fvM4kWw/Tj4UXL75vUeHnkf3IW5P+T2
4Ybj60Gv0/sa8uhlJc9cWqTPqO9XnmxdjBju5X2VyzdDhEB5dmH1edSXPAG9hUei
2qmjCocRiRAYm1lfG2bOcdGyRwj6fSx8cNKflvaarEZOwl4gi8QxM7wtEbq6A4EN
ProTJPtuWuqEWTMsgKUGNSj1zR8BVlF297lOPpPOfDTTq0bq4Kbd3OTWkkd2Nj3P
duF8AiLqPUK481FDWy25hKLqPLs0Uoy9Kifn4H658T1iNp7NKcCMtB3ZQvFhagN2
opp/LvEo18lqj58NYxSwhCXiB1lR3pGHh3aNNnkXMHMfG0UBBHFB545/RdzKRtNE
/kkkULuGhDVIt6ZoBwJpPxyis4riKEV/5zisT32RZyF2tEnHKGXt0zd5+OAyq0Aw
H2oIJUxb1lR2fEvfk0u/STsMBKKmPAy1u5rkLpXEBh5C+WcQlrOxMTaoy4YGWm5s
zdsreQKp7G3LcWj1P+W05D9mpceHOi6uL6xUKFtpSr110rGEkJ9odi+yK72fq+1M
6W2kBYJtYN7VKqsUdL0ZO9juhUbQKchDqHo=
Extension name: dly59kp

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B98AA334B2DA8E93

http://decryptor.cc/B98AA334B2DA8E93

Extracted

Path

C:\h02s9x-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion h02s9x.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4DDA036E88C5E05F

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/4DDA036E88C5E05F

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
HbFdZ+NkpiF0d6f7huGtl3b45yL4ZPJ7sAYPYYkmaPACE6YWqx4y82NMZ1rL5+Ag
CADnWLjwNGat4CKrv5Lmp1NjxkVmxZygsJ32e4m4pSyE1Tk+osf0d4nVtSaFx2OP
BEZ7l68FSwQgL8AZ8YdtzYkMiZH2d9e8XquHbMMyHY9hR3LLOW22OvBr54rvDvJi
a5rNTptJBotTRnnt1+hoxFLp+KRBVIz3NQT9QDJcM/hZ1hvsRtK/zlK4pz9ALQ9y
gzYkY7kA+7lxkBN/zZRHPiKhGtwqlZw/OsLwR661EB86+M5s/a3Ldarpeqf7XqXo
wCdU7kj1xSMbrYG8QT172Yr5HTz+b5mMrU2yP1wqs8quan2PqZEUEbxXysngy8EZ
O9MHCtHfMOPjBXtPA78L2vSJ66Ow3DbPJF4BpN8GTwQNH4LJwTfgJnbNyOVzsJbr
w8kQEK21vaDp7XQth0H9VIPNOqp43Lz9/GXpJMB8w/lSLyb6pPuMA08RcGfA1MSp
Fu/3S5GVzsLFcVWr4qs7EXTxqhCbYB/15NLmaHroX9OmWxycPL0E4yaeKXUzIU4R
EM6nCcnoFCi3dr6ElPNSMhT5gt1OH94+4AL/7uo7Z5yM1i5ubzTP6sLwwkitf7dC
SGKuxtPQ3+SAHyGH/eJxYBHHhK9Ko6dQak6k4Sfsxhz4EUWcbGhewF5j6ePBoCYq
xfY6BX+rtB7MJDwhAePavxn4GzSW2nFxjqu+CpizCPNNC8XCCatdxTR2QbeFTLdJ
xdtGcGoyTOPFNguKwpgl5MUG6/Hle7q4jcvAkELisNNReL35r50LBaOGde5LUR4A
TG/V8eFcaMD+ZwRuswR5toMwJp/+CPZGd/YVaYPK/8vM9AXIjpPuwur7rKv765IX
g6vznyE5rc5rBLa/knacH2lpj6ZCUve1DI1i65zKAuuQGQ8+NE4AAMVAV//Vg8s/
U8e8tc2+xhYlbvYBdcA5ZF9zGdpNyRri29GiEbm6wwXF4D+rzGyihafONGuGyBzG
XHw7P9UnBlcRaOzQpMctBR/r0Gc8bj1NB5OLPw4K65Ntaeg+yud+Z26vc6DykPgc
6sZw4SXKAr/cFP/zj9hZTyS15HfyMMAmPhRqiIocAThG3z9O+R+N6PtmGtGJoFfe
CNyb4T2EsfH+z9c62U+Wii94JU+u/ZPA3JPDjgKS8XZiOn8iGL5pKnsIFOo5Zdiw
No6AGQJ1mWtEYnkJ0D99KETnnIt/VGlnPSJwY0YlwKgNkq2QESbhK7rJmygv9luH
YyWy4FAS7vl/mthx0eEk7w==
Extension name: h02s9x

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4DDA036E88C5E05F

http://decryptor.cc/4DDA036E88C5E05F

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
