General

  • Target

    b613526b093b8ff750f04b920b307dbd340b1787b006a9689184d22bd348df33

  • Size

    115KB

  • Sample

    220124-bmfhhahdd3

  • MD5

    4bda5d7d4ce3faba5f3d2197d16f02b0

  • SHA1

    cf839231de7e7e5fbe8cfdee462733308ea67850

  • SHA256

    b613526b093b8ff750f04b920b307dbd340b1787b006a9689184d22bd348df33

  • SHA512

    9c94167554f5134c9ce066ab7891067767e1f4193757e45f3bbcdce5fc707b462a4ed1c06a31458edeac88f63caa77b318a2025ff4cbcb7934218d294ccf062b

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$/1ERF2dV7BU./sKTNHNQ0e2ct8Xn8ViAe.ByOLkCA/Q0dbfS2Lk/S

Campaign

35

C2

deko4you.at

schmalhorst.de

abogadosadomicilio.es

theduke.de

coffreo.biz

projetlyonturin.fr

sairaku.net

4youbeautysalon.com

sevenadvertising.com

cirugiauretra.es

jacquin-maquettes.com

herbstfeststaefa.ch

1team.es

skanah.com

mylolis.com

forskolorna.org

jenniferandersonwriter.com

thaysa.com

jeanlouissibomana.com

slwgs.org

Attributes

  • net

    true

  • pid

    $2a$10$/1ERF2dV7BU./sKTNHNQ0e2ct8Xn8ViAe.ByOLkCA/Q0dbfS2Lk/S

  • prc

    mydesktopservice

    mysqld_opt

    outlook

    mysqld_nt

    visio

    thebat64

    sqbcoreservice

    thunderbird

    xfssvccon

    ocautoupds

    infopath

    mydesktopqos

    sqlservr

    mspub

    sqlagent

    encsvc

    excel

    sqlbrowser

    dbsnmp

    msftesql

    ocomm

    steam

    firefoxconfig

    sqlwriter

    oracle

    agntsvc

    thebat

    wordpad

    ocssd

    msaccess

    onenote

    dbeng50

    winword

    tbirdconfig

    synctime

    isqlplussvc

    mysqld

    powerpnt

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    35

  • svc

    svc$

    veeam

    sql

    mepocs

    sophos

    backup

    memtas

    vss

Extracted

Path

C:\857d8do-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 857d8do. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F10621F4F38C5135 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F10621F4F38C5135 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ae572hwuJwezTMVaZp/DpTXeHVRxyEJI2vPSg2wlA2R4rFiRlGNtAkyrKNaY+Lu8 ZQ/Ae+jG4XRISWNzWhmIDNyxPhQwxpoCiTM3cDhgAXOGncj9LRJ4jkwOSCuKd7y5 lwWZFKaNkY8UKqx6mb9f1knJ2sLzedEiW8d+2G9y74rUHwzaoDCBFqa5VcklChcH rk3FGjH92Dnfr0QwwqSbk+yH/OwmQo9vnnjwwTgM8H+GkX7GsorU4XYHA7tOeb/J KLv/5xXnzv7ojw3OS/vP/THmkf6J9vRTTXuJNzTHwLQC3Vjj+2qI8bQtZ4eMPgFR 7Hi4HbPltXuctqOyobFa9oZ1TTu+YajudhSkaLH9ZqNhh0ivdQsf+43R/Ahdct1Y GEApnmMoLzb2D8GZm1rzKdBrJOhwFZOB4snlVLAxoVZFIZ4KmqQ+EnuN/GzxQbzE 2NsyHQ5NxpxWGI7fT4ucVsVHfqB7YnBmcjTPaA7/HlhBRs3NepCx1Pb9TulGqhZ5 LkvcTlhJzh1IYsbrQvXTGiktUUfBbY8guI6XFUvMMe64y+htFwdMafUaCGe6Khdw Y/s2tWBRTVsMxK3HO5RmMK4ptkXn/pCjRNKc0oDX50YP2Uzu8nJs18JSY0KX8s4p iRhCZSK2t2PhSe87jhPId9po9cM2wcwcO634+ew7K1PKp1ejXOEENbe9D9Rpe80d ABZssy1YTFY9Z+k8A+tkST8CCiTUrtvS/Ti+oyipIQFWyEAnESRqvcWrzLlyVmdg aEzJxU+3ItbrtcC1KZdddkBi3OnlpWk8J4Yj4yU2C6tRoyMhmCN3eKuh6q1o7tC5 cR48p5WdQ+PUWXZSiLG6b2B3TDHwin79d0Kn6hrVr/xf9G0BTBQUMknruiPkQJgO NoZSYfEcIopR2F8Z+DvEgHAHAU34Q/5jsfJgoVClSUYFUwSCSGzjImDRb66CMVES ka3YgZXzMDS9hL+TBYrNoqU3wZra5KvsgB4Pwt+45pnbfS8YZy3yWWWDeo+ingDq A02VnmyRLJyU8qhgTsk3RK5L6nPOV5VHSMUFIYgVnBQEPsqyWYkTxXfL8FbG1thV nsRcSiYPRGZrbXx+86su9F2GkrHQMFzNncpFtcpCZ4p8Bs4NZEqN1yN1/9Jo3lcR kOoHdQzL6EHYjlrmrXOyoY2HG0Ks1JA0cMUXjgjITVjP+5mRBY9NjcIgS2EpuTOu 02zLbLKWYA8OyVqjgIM1w5nuHhfei5F1sAvBrTPt46cYTuH2tFVtkn8xcJ6HmEZv +HkjH4Kf/Dbr/MvPh4pXVxep5Zwzqw== Extension name: 857d8do ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F10621F4F38C5135

http://decryptor.cc/F10621F4F38C5135

Extracted

Path

C:\5opz4b-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5opz4b. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/576E5E597C08E82D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/576E5E597C08E82D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: vVx+DFac9yNzIfPf48C0nh0mdGosxSWd3RMRMIRbL99MZVDdpkwQ/BqFwRm7lld1 wlTHe21Wv9Mu+YRS8lHiGYlBZKIxwERfa5TVp7sT0Jc5Adw7766XY1CQaKOH6FIR gOn3qxH2Cwn2h0rcJqupMRkTyG/F9qxr5JO1ocTXFxBNUMntVI0Oa2eidFb6VqQX YO7qh5O9ytEIFFFLV7acFKkGf1UJyaLasu1c0qRW76PV3nJ7xbyELql1kNDBu1iE WEfw0GjPKycZebhF/rGPIt4luKfu+F5+VcEzGCued8OAj5eODewZ7iP4/dRr+9VV CZwXwDUcZV3+xp/jsByI5fHO6ljnqOxfBmjHcwbfm5Ap5oqeKIyv2a4lB9tqHDZE hDvk+/B2QPwvbZL5e1yAU7Xfms8+ah1ziD/nCGRsKiDZRHiefhsPhe1Ey1oN1Ffx JnjfBnG4sz6d357dsd58cqqaTGfncGoGBlUsZhXaDpYW524joujndf6gl+sZkzJ7 cX3/cIorGM5QGZoECP+3bKRfE3+i/0rxFI9trGrNydMrPTbDcOm3q//u7sUoRDE+ Ltvn/wJiEuQ14FHVV79Rh6BLEAamq0IvD4XRxcH4HbSVRU939Q3YFMis2ue4kPaZ SDrLLAT692qPbXoX9HTO6ilW0s8P0wAFe1WfMkl7+SCGbgDrmQGKZEGxaFqkqNOY KoC5rDtQRtS/7bRalKgPeTVF4W3xpjPmgsH/JK1G81tlhHbuReVkTUstqNsRJL+S T2kPFlnuVmgDZtBPcw6UFF2gOyGQ9J2/ScNy+Q3JnBlDsmA0TN6Z2FLFRIMznjdG qyDdEH/M1gjrkF2Pp+vUPKCBTPT+NGh4PU0t7XmvR3R5oIIhJpiqmOh4zKCeQ1Pl xPtEwLiFGjQQcsqhHDSnfTwbo6DzCUJOe5OLhLgEqkeAxKg/MwqLVsWvU61jI1Ud lMUp8NMqJMZh++FnJomPRH0Vf7NfvkfX36tyOwRQwoZOLv75XXnJ55ynJyOozthi Bar6xAco8dua5ImBfuNzSe23GbSq29AbkXHV9QXwgmAS00qZdiip3ZH4YNq0T27P fvExgFTE+OVWY4JiMdXhPtoj/Q8YeWFDaQxhA2pAn2FLSVPoiw0gZcPdFjRda08K e1Xxb5VPOk3u+Z2JJCn7wqf2rpWUarLuJxghAVe7Xjg3Am9qJFD+6wuMlqpf6N/a zgw/f2IJ56PP0Y88NFfBsCMPSm94jB+9ZLPDLF1wDD2IPoMihYF2QBgdy1hva6j0 jfvIvJL1kQZUMO8O Extension name: 5opz4b ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/576E5E597C08E82D

http://decryptor.cc/576E5E597C08E82D

Targets

    • Target

      b613526b093b8ff750f04b920b307dbd340b1787b006a9689184d22bd348df33

    • Size

      115KB

    • MD5

      4bda5d7d4ce3faba5f3d2197d16f02b0

    • SHA1

      cf839231de7e7e5fbe8cfdee462733308ea67850

    • SHA256

      b613526b093b8ff750f04b920b307dbd340b1787b006a9689184d22bd348df33

    • SHA512

      9c94167554f5134c9ce066ab7891067767e1f4193757e45f3bbcdce5fc707b462a4ed1c06a31458edeac88f63caa77b318a2025ff4cbcb7934218d294ccf062b

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Each tactic lists the technique(s) matched, the technique ID, and the number of matching signatures.

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1
