General

  • Target

    bd4bcc8cb3e33c018a4d9037bf5cf9bd6f7ce0a5c4b862e94c098366004563d4

  • Size

    160KB

  • Sample

    220124-bjzrzahccq

  • MD5

    369b4dd7a6a31aff7d26acdc52716f6a

  • SHA1

    9b0e8120f2a18424789242fb4ad02d858a85049f

  • SHA256

    bd4bcc8cb3e33c018a4d9037bf5cf9bd6f7ce0a5c4b862e94c098366004563d4

  • SHA512

    bcd84fd0a23455700a86c17a2d27eeb48fc55a4fb1df84258559f1bddc7ceae36f4a67f040a9a1fa61afecc0ee5f4668028975359ac8d3b03f60d0f18660889e

Malware Config

Extracted

Family

sodinokibi

Botnet

13

Campaign

240

C2

boomerslivinglively.com

brownswoodblog.com

t3brothers.com

clemenfoto.dk

internestdigital.com

four-ways.com

modamarfil.com

alltagsrassismus-entknoten.de

leadforensics.com

lisa-poncon.fr

purepreprod4.com

parseport.com

ncn.nl

web865.com

webforsites.com

alisodentalcare.com

craftstone.co.nz

jax-interim-and-projectmanagement.com

azloans.com

basindentistry.com

Attributes

  • net

    true

  • pid

    13

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    240

Extracted

Path

C:\i1470ceqd-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion i1470ceqd. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D86539D37C2088E6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D86539D37C2088E6 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: sZNWqhv3PQr/sPTfXf08/IBzPtDpCKVsKEjWjw/UaXoPl2sXaJ5lkdcsbjDVlHvF p5+ZLjoMCV5PHPl9LSVJtUlRj+YVCzLUQT6/f2eANSMCLcH0sUVCS5A0Md2Fxhaa aKOqGkGCE9ifFuJsM1xd97vzfYBtJan5jRJR8B0C7o4UfD+VYPWXNGpFFphQyDbX rTxEjxN3JWoFES9MA1v2MZfn9z41TQY7QNm1AsqmtqYpnVDUyYg1c/FA41IAB/QH 9vISPzkEv8cqkEWWwBnJ0JvfaFQxgPyoutBaW7GHRBukSvoJI5kFuuyQROnOwblU UY3PQ0lielscEC5jY5H56CoryQroVKeLCIluu6Jdh7zl3BHktdr5efT3vb11EBq8 8tEzqEEss6yC5s/Qe2FFLC0FKf7uh6s66D/UNwwmmopf0bLsEXbehA7FFMLkJV3/ ifd6GVB6bPBFUyqGB/diVX/zcX12ibcn0THQKCTs1nkhJ8+Hdxr9OeMBGl7KWl69 NkqR3Vo8PGXMo8ZzbidgIYWo4tr5vFubwvuKfDjl1Xj/bvtlQ66E9sukyWTvwib6 3P4SlNGbbhLx65bD+BNaW3+gusxCcqfbxJKyI4T3jaTv+Lm5sEEpLddmKPcHe+Gc tnUdh0eSoMuPVGYrXOXut/mcgBvKFz8Mt8cY0xL8v1Oe3WOGM3i7lNQm12AaDkMB OtP1AKfhatKAIQeWRRJlw1SODE1Yx2ylm/hsVmjri1em93uDOCOooaiTQwAdJROX IVRql5bQEu9m7qMlYiLeAbXtTP8keGmrTgQpGsxWBgNKivuETi0b7J3ZduvBbKhF OX+cv5eHA2z8ozqSRmIlws1OY4a1/pfGStYLOFXbDSuehTRD95qtTKSALRRxt41X AUkoLYgnn9Ae1PH9+moPjsRDh45JegH9jWlmEcPeuRa+EPjU4edK2HDh4op36XQs gmGDkbtM1UwjpPNANOhjLAt3fgia1bK5Ji/1vqJD1ZqvNVgtvt978f1R8Fqnpx6G Bbeo4cvuJ7RZfN71YFeaf1R5OHhUO0jgXHAFc7X8L/zHGYo7KyxLm4vHU5pJWAfu AyTreaCXPCu65XkwiJMwhSwrK9CqBJXYbgBf03uVLrLGkT9ENkdY+x2qe44305Wo a1sJoqprOkU= Extension name: i1470ceqd ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D86539D37C2088E6

http://decryptor.top/D86539D37C2088E6

Extracted

Path

C:\vowlzjr6qg-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion vowlzjr6qg. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1853E34D8BC9FA07 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/1853E34D8BC9FA07 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: lvZqlda1GTRkDiwzTzcOzFz6zNA9zNRl+3OgIiSJUTayQ+I4AAg7bi0f7qgD017a OMS9GD941wgzTZl/b2mxo9vwVsTBzgsmSeKYuC43ybwvhJgFB613CjKOazOepe9h AzvOsn7vUIKPHgjufliedOmlTesbAeUtzFH080fDZLyBLH7zH40OKc/P0Rra8doj dVrTGMjNbbwalwa6g8Q+Adni9/jAASjkiQDj6/GMPg73Djuc8rnz5roATF7KiSsS krbzVCQNc0kXWbM1TLqxEcHUcjzSb9cu0frTc6IWjhw98BzyBuhCM5IL//AG5uXW 9Ie/d+EDTHMuFqHRNqPLOPJjFIJYZ6HJPwTVqtDQ2ZYXCocVuz6UCmNe4hoBdFBT RhlXXxIhK+ycGCKHGJqYUTO9BEl6LOMwg7AuMjoV4qla3uP739yhOgbatcRi1W7+ +iKnMyxVan4DEFty6UfiT7jY5mvyFkIfVBNvfaNfmf7uYE9i39lk7Kdi3RjAgQXx rA8bRsxnQAdN2b2ke0c+Ik0Y8edafJ0yzcQc9gvtyQkXttjAQiXU6g3pt1UWmTDM d5iETgfjB98j/E54/qgVlYKZ/+eGoPLaejgKW+W1wocuhYByTR3WirwYs53RnZ70 FFarjzFC8Yl/jZWj82AXBSKjVyLNUVkm9lvDKe1E8Kqdzm92Ry59jrtjo9ooX+WZ aMHl2Uw8KMUtSz3BaSXn/EBrgjYPrYv4mPJXDOEPqwogSSVDaSHugWR5tDVAc+Vk lt7ZAVx0CevPssUZSCTF3Rw2BL9aIKbj7UtUEYvwL4W+u5zoe78j3I7CBqcxmDlg ZKVIeZhhBKxNbYFyCNDcLQOYWGUMZZ0i7XfJx9iHDZLX6fsDNw20vwxLEhj3+t0C UsvnZnsN+ckJCv+t8Gj27DY74d6FEB6Tetm91qU52yCFKitn328qKWcw+UQqQiXy 3bIx1FzpmC6bbvdlwqoBq4+cW5BPhcNRIj2FTU1+7A6RcVJAhr12Wa5L26vib9Wh 9HlYDKLOJzBLM8vzP+uUjDrAwB9kmJXxVa5K3nlv2pWWR1a4HE552x+JyNQMDOai UYcEFNPcCFX8OAQpQR1xns30uxLwK0PlxP0xjy0M79Sj6raT5LZDsMH9vQYnXZX/ ZJQ= Extension name: vowlzjr6qg ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1853E34D8BC9FA07

http://decryptor.top/1853E34D8BC9FA07

Targets

    • Target

      bd4bcc8cb3e33c018a4d9037bf5cf9bd6f7ce0a5c4b862e94c098366004563d4

    • Size

      160KB

    • MD5

      369b4dd7a6a31aff7d26acdc52716f6a

    • SHA1

      9b0e8120f2a18424789242fb4ad02d858a85049f

    • SHA256

      bd4bcc8cb3e33c018a4d9037bf5cf9bd6f7ce0a5c4b862e94c098366004563d4

    • SHA512

      bcd84fd0a23455700a86c17a2d27eeb48fc55a4fb1df84258559f1bddc7ceae36f4a67f040a9a1fa61afecc0ee5f4668028975359ac8d3b03f60d0f18660889e

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • suricata: ET MALWARE Known Sinkhole Response Header

      suricata: ET MALWARE Known Sinkhole Response Header

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • File Deletion (T1107): 2

  • Modify Registry (T1112): 2

  • Install Root Certificate (T1130): 1

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 2

Impact

  • Inhibit System Recovery (T1490): 2

  • Defacement (T1491): 1

Tasks