General

  • Target

    c274a1456af6b5b74ea6290e2f4a559d88124d7222b0c8944e6f68cc12a38b1f

  • Size

    171KB

  • Sample

    220124-bhny3shce4

  • MD5

    36e5aa57f009b1aa6c98a2fdc2fc1d76

  • SHA1

    fbc3e16c0ebdee76baf76624bdb580a2019c3ae6

  • SHA256

    c274a1456af6b5b74ea6290e2f4a559d88124d7222b0c8944e6f68cc12a38b1f

  • SHA512

    ecbc344cdccc4ac6caea0a2d3536713093e09e21d62d2a14387d3a97fd8be5b6ba80e93eff925bad88d36be0b03c389a3879b81f2a1bbf7e7ef7edc5a5301917

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

Campaign

1428

C2

firstpaymentservices.com

krcove-zily.eu

softsproductkey.com

naturavetal.hr

corelifenutrition.com

leda-ukraine.com.ua

beaconhealthsystem.org

acomprarseguidores.com

extraordinaryoutdoors.com

mardenherefordshire-pc.gov.uk

stopilhan.com

triggi.de

anteniti.com

aunexis.ch

boosthybrid.com.au

bee4win.com

gadgetedges.com

tandartspraktijkheesch.nl

8449nohate.org

simoneblum.de

Attributes

  • net

    true

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • prc

    excel

    mydesktopservice

    sqlwriter

    ocomm

    powerpnt

    oracle

    mydesktopqos

    ocautoupds

    ocssd

    encsvc

    mysqld_opt

    msaccess

    visio

    agntsvc

    winword

    sqlservr

    tbirdconfig

    wordpad

    xfssvccon

    msftesql

    firefoxconfig

    dbsnmp

    onenote

    thunderbird

    outlook

    isqlplussvc

    dbeng50

    mspub

    thebat64

    sqbcoreservice

    synctime

    sqlbrowser

    steam

    sqlagent

    infopath

    mysqld

    mysqld_nt

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1428

  • svc

    vss

    mepocs

    veeam

    svc$

    backup

    sophos

    memtas

    sql

Extracted

Path

C:\2k3yh10-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 2k3yh10. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0C422721B947C4ED
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/0C422721B947C4ED
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form: Key: O5rroQVyauUv6K9FSILsx+GCdpU7ybHeqzXaukRs0ZheGJrtKyjrSUn+qeC9+RZV PBK4PyB6/wnUtCNHq6GXm2LMmfR24I7apEtFgp3CMPOWNgiLsgSNzqgCKFZ/etNo SHBmycoBm3Na2jtIHJ/UBLsM77DzYkddl2mVHHGP6/xA/59XfIl/TcmoZtL2slKZ ZjX6CBmZ9GM33+K/O51HeEo7+VZDHbozXdBfm+accZdEd6ihZCXrUOnvYrBv1yKa Gk9IkX+IqNnY0XJgXKqH6z1W1rxVvc6SwdQ5xsnKxdOHSjjTy36bbQIzOiMtcJcp wcyppQcqBrviQ8cBD/eFtCIG6eXICqTrzDDazs53BY+ezZ8J91WZgOu8N/nq0Zi0 yJ58eubL0T1TZuya5jRijSHscvOfqcRy5VsMa3RSETxdxvLjI90kjyoBOLihoJSl iKIKenJZUECLRK6S4Jn9G9WMOC970zqUgojzUqGLCBVpx++UJyTNS00CxNXQ2O91 qtQ36LGul+5UsJoCB4ocfwWrNTt+eJeq7GlIguR3u5yEnR2DHppHAWsYQAOU31LS bnieumYqCB+D41C+FFfBIbypvnb8PTRhsa6US5KKw+7v9xI3hmIDeUuoEOFhXa2g PaGUQs8oacy5JplWZ+fDuIEm5cnL75zmEaKGfGviCaKcN0X6Cb+/bHC8Q+eBgN9H qCwLZqO4cuh4JeHmZmqS9xxiy/WWfiBJpb550yxNY/m3A85Um2MviFpw9iXsk9yb JpqyYRml5YWD/Ng6L7v/7jDud0n/xyexQn8Y1VZy0zekmMTdxLM+cGRMvlRNf+kN rgU7YM2TetMMDJq+n+qGCX4P9eQF3xXnFzKACDO1muwqBImpzi3JmAkRRk/XTYeU XMYB4XCJsZQyJW9bNT7WC67zfCL/Ri8frjWOGILbjzy/qPdbP5PAqeNXwqnLGzLv qlEDG63Ouk4/iyvBKBBcjlKYNCERsE/HONX7g3kBNrY4QjJPEJqGIvjes2jNn0FX ddO3x8PCmKvmUcp9yTYX+LMuFV7LT8l4P3wOnNQV+QRmA1yuI4IWbNbmJa6kfvxt XuE9ukIVucNIs2BcDxkEM8i64k8m4DhiiRbat52g4/zs3XLXLC+tI918VG9AwT8q zYUkY8djIojCvgC7i5ZHlQQcK5dem2eobaX/732L2QUwbVvBCQCTv2TXcsHsh5u4 wXKNYWDOaOaePJWlZnH2h0viaPfsQs8Jn4XTcWV7RHNm7v2qJXYmflYs7hnisnTL mgGSSzEnOO+JbDvorYEF1XuhUCuVig1uEZM= Extension name: 2k3yh10 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0C422721B947C4ED

http://decryptor.cc/0C422721B947C4ED

Extracted

Path

C:\0wa8f1p85-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 0wa8f1p85. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DC9C2280B021A0B8
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/DC9C2280B021A0B8
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form: Key: tgQZyqiNybNCLBfExU0CW5X1q4NsVMskm8BORLoC4vEkP0pDIMKaTU/sY1yL30Wh +wjTDGuZ7Vnge9KnhvitXTGfYVo5M9p0JcEAaoAtkwI7s24YiVKa8n+uCzCxpK87 88IQC0W5T8qdID8ulRmzr+OTcN9dQNkvACZll9qfcG3a9nFNC7K78wNvnIn4/fIW XKnhEaKGIPZuN0+qW2V6/uPbkj8Y7AJuZyoVAO/JReuKt70sGl+FNKtOzLC+HWfv +Z7rutDtgNsrQA3dl6dbdoTWIVF2ajd13GUA3Vlx3bHjBEhpEJRj9WRNoLKAvubw 1LIOLFaVq8TJwFMhvBKkbejTpT+XlbUcWGZXV1y2p+cL4sX9gg85im1Se3VI4vJf r3D1INhYAD6OMt3tYIBn8C63GXsf/Chp6RmcZ5BD9syix9wjbIZlHN3/yica9wTE guYlrTfR5GUYPO4Bgl2bVW61N9s7DN8/vGxSXGGWO1qUpwX91WmCsuUdWH2411S9 wxaT4Rxx4Jn3YFhAF9+/D7Z+S+73+9oCEvknydhVIM4xC0eoTh8UlxQU7HQMAsBk 43Z0z9951YoY20CYvYVM0ATth9e5a1EBS7xK45mbEr8F5lKs4++iscdmZqvqgrkI u/EO8D3XJmX9hOKC/YGlgAbPJgd62F3kyqHocCPl/T2MarX0m0rtGN8KrVs/w1oc 75qwUtXZum9LergcphL3pTM+jiKm3KpDp0z65vBuCwhq+qwTU50mpsJf7k1tRZjM 0V4zTM0Q45LAIhVA5D2fKlromsaNc0g814RvTSFmnuxk/ogSmVaRundMQMN2As/A Afoei6ltiXlQKuI7wZ4Hk9R9xWCZZoqalhJKGLDcAbQ+4Hmok/IyHSps4TeMlQQp Oer/EvRNGBztgwud8KcOVUa3xc6yIb3DmK5PbzJTl4/QVYTypSdMQjW/z439j7JH glJ82tw8ZrgrQomgIjmWBdMy+m6Y9/Yp7esZSe9lefZJ475XE5lxcjZ+iPrX0nG3 SHv94DdC+i63h1jJfYv2/YQysPf/DuvIVas+1Eu+QbXvtFa/pck9pecMO1LVy+bE XTJsxIoa1yaUH6JNdZjRx2zbWVs6V1OOj2N2GDR0itTSD8EZKmJ+IFSuXgbBdy4w 4hFSJcjZQFCvNDJxLCaGnsohLVjwXIFiRkJlPGUAWymiOqfqXoOQSi0dt/bljXMS fOamn+jO3lpK5cX9NzL5nxS1WBde0pgbx88UklCILyx4N7F+0RUxZps0MGJq1kmN iVDLv4k4hVBdWC19pzchjuYQx9byuA== Extension name: 0wa8f1p85 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DC9C2280B021A0B8

http://decryptor.cc/DC9C2280B021A0B8

Targets

    • Target

      c274a1456af6b5b74ea6290e2f4a559d88124d7222b0c8944e6f68cc12a38b1f

    • Size

      171KB

    • MD5

      36e5aa57f009b1aa6c98a2fdc2fc1d76

    • SHA1

      fbc3e16c0ebdee76baf76624bdb580a2019c3ae6

    • SHA256

      c274a1456af6b5b74ea6290e2f4a559d88124d7222b0c8944e6f68cc12a38b1f

    • SHA512

      ecbc344cdccc4ac6caea0a2d3536713093e09e21d62d2a14387d3a97fd8be5b6ba80e93eff925bad88d36be0b03c389a3879b81f2a1bbf7e7ef7edc5a5301917

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Tactic            Technique                            Count  ID

Persistence       Registry Run Keys / Startup Folder   1      T1060
Defense Evasion   Modify Registry                      3      T1112
Defense Evasion   Install Root Certificate             1      T1130
Discovery         Query Registry                       1      T1012
Discovery         Peripheral Device Discovery          1      T1120
Discovery         System Information Discovery         1      T1082
Impact            Defacement                           1      T1491

Tasks