General

  • Target

    af4796662d4dca855050c42a69c01096573b9acd3faa550ce55560c1dc9ac31c

  • Size

    196KB

  • Sample

    220124-bpec8ahdbp

  • MD5

    7813228c80b5e0dda5a89927e15013f1

  • SHA1

    8ae0fee7c240effa89f1f4d73a50c6b8ebd9f6b7

  • SHA256

    af4796662d4dca855050c42a69c01096573b9acd3faa550ce55560c1dc9ac31c

  • SHA512

    f3dc4f9a9726ad48fa868cc382d0ab97f1a5840e77deba7469c5a461503fa8d9fcca61c3c77fc21d27aafe44e0b0040f6fa5aa38160a06c785ba0c67933d71a2

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

Campaign

1428

C2


Attributes

  • net

    true

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • prc

    excel

    mydesktopservice

    sqlwriter

    ocomm

    powerpnt

    oracle

    mydesktopqos

    ocautoupds

    ocssd

    encsvc

    mysqld_opt

    msaccess

    visio

    agntsvc

    winword

    sqlservr

    tbirdconfig

    wordpad

    xfssvccon

    msftesql

    firefoxconfig

    dbsnmp

    onenote

    thunderbird

    outlook

    isqlplussvc

    dbeng50

    mspub

    thebat64

    sqbcoreservice

    synctime

    sqlbrowser

    steam

    sqlagent

    infopath

    mysqld

    mysqld_nt

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1428

  • svc

    vss

    mepocs

    veeam

    svc$

    backup

    sophos

    memtas

    sql

Extracted

Path

C:\85z651f99e-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 85z651f99e. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B1AEA7FE057AC578 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B1AEA7FE057AC578 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: fdkllqdTShosFnUKBaD9dw8uyhFt1iRv+suqpwee7hR4iPPYKhL6zmfDJ+OHxmC5 wFXV4KqMDj2owXkQ9cErnySm9qUCH8O2NMvN8t3Kkg0GUrKZqUEMiwTtYOGFapYQ P+qiz3o278xc2vyVcQ9L4JlCyyvN7FUjSHb60CH1uifwuzyIhHElLPEnPqeFzgKT HZHeffiZqTC7hvphDuN+VY5ocwUYxuWgHdZhJg48EgVxBsJr1y4D8rk7tA9QOcp2 GwYCiZk2Jvlf8vM6nGI5cOdzWAwiVkPMvveilcKIdo0MECrHyLuAAuA0rzsHEPf+ Y4nPOT6xonVJMe8M5Y2nkPIi1gTG32Dxw++A5fQZNZSIsQOXsqGR6+R0WPQBoCVJ QFaqQ2dzHcyDlsTu/nS9v8Y0wBeCOIgfaJfgk/XPtfkXJhk4tARf3scX4xBBNyKr U22MiZCLkpwsozZokRaUTf7S4QLRE7bLyGsxLeuui5AVfQgxi5NtDRqK4+VM+bWA bTOPvu0rcO9eipwxqqc+/01Exkwnp8ibKlmi00esIHJvQnMmR+SJlELPNnWdc5SD f92sHkGwTxly7PSuy0+mkQ2QDhFEJdulPQhtVl65Wih7p02aTbJ04M0M84lwUOhq TvRSUa3bnNA2unIEXh3hQj0vU+ZSygwAFnqE0Y/z6TMkxcd3sNQUD9v5ATe/bA6z DQlRsSVBcWDe+/+8C9lse4MZeEJMIokVriVcMyfH74kUvHIuVueuUHy4sg6QDsVO HJtk0AfyFLeFZOzISrS4yh81kd/nC7UMiW7kgxu/Tu57DL7soMx/2d05n5nXneqm YzerJruqvVKZ4Nl1wsIHvAQyF/BGBpQTEgc+btoAnIgfs0D3+gD1A1sREHnwMriq KxDmFAXRJ29q7NYxGO6a6GmeT6s6LcgYJdEW3Gk+rGkd2vxCcaQ924wBqjt4j5mP hqcjZpmmPwHtF9nmY6dMPqyGuETWXVVG0JID8kOsj/h93OrAX/HDVB2Jh0+vtQtj fnBCjLOim4tQ4yGO0q2Oy91KGRylu9it5X0Xhmvj7heSBqiOnLvd4lDGE8BoKglm PVojBG6UNfMn6i54+IidwPW/00QIzdNICNOF8EcmMjYUz9M7P2V7enqelICauI2i WRhh5qwzyCUeKt3r3E2pPuVNeffiLkR6F4d0n2yCHd8v9PppfelwBBNsGjsg7e+I Drh+sgOcCfPWY+7bMllFqfR+3ZKeEan7nm3wG1wg1Xn1TpvseFekFJwI1KZX9Bpj zXoPFlapTg701C90gov49LUjVuwGCCU5RqTCR+R71Ms= Extension name: 85z651f99e ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B1AEA7FE057AC578

http://decryptor.cc/B1AEA7FE057AC578

Extracted

Path

C:\sd64av-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion sd64av. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C9F7D3D69878FC55 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C9F7D3D69878FC55 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: k8W4NX2tZrArP2uu3Pty5RwC9VyUeH2FWxyEj0t6DIHZBpo4/IbKXLEr8UfzrbhD iheedaOqng3ztbKohM9D2C5skXxPfYdzO0+nqVYjv43Ro6Aby3HpBcKtMsdyESxX 7GIP6vNFVwUKG9GaDKi0pqk4aNAk9+4l7E78dAST+b/1aeFrDD2m3U6lfeXP6diV hHS1v6/2vhec7NaxCgW//55Bf8wK42hK2YdKBEe5NbIedx+VbWk4hFHaFVDMo9sV ta5OITzJ333eUB0ydg7PqjqAh1rzYwKqJsVYmKsryUIJeLG2LVHqkpaWcif0U5g4 4UVzP03BYOmfquLjX+di1oXQK2bo62+9hEgFcCxxrk6wGaWJVnLatDwMSrW+kebA 2u92PT3zq5cPWtxRGDNSxuwrV0dBDyP7EeQ36XGd0u6ZHUOpjxEXqIcEnnLBekHo 726CbNtlm8z8pSeyFdsqCdOhoHVdG08RyqCHAnqgRmYp6dZX1o982S0+9wjOxw9k j1lAQMBp1wkellQ7WgteHJa71yWBcmINGI4rfDyYBiH9AexW4txi56tQ2E2Cqb6Z 9gWfQH4nXlE83J+4RAX3cFxHZl4fIIVapaCqB8+QZuKOAVNzoy6YH0ga7DkSJbeb dKYooJuAQViybnMLOOHOLG1e6D7gbXr/NX7jPOMaCI/NDRWuCtE171+PxCBUh0rq mYVyBfLxlD2zePFoHmu1exC0HZJzN0YJ1v+R7bhyPpFwUuvziSTC58HoUi578RIV rWCeQTOVcGv9whU14WWywT65AOtlouMpRxjJORFtON3bAQGBmVg1QX+j55Ztpli0 Xa+6wNNR4xWLpQEdaZsKIRY1P9ETBEihb+LyeAx5mdzCENXKTpIS6SWleixkZFh8 aSCe0R3OVBTENRNUtRm7hafxN3yEQIEXsKv6RMunI0frSwT+dCLoTEYLRpEkaHkP kzjOVx4GJbhv1x5TvNtQm8jdqLtOWrqyBA7ah+NJ2z98pXIs/54uYc6uD79JWT4T 7c40HG9WypNinRvl7JVbrtMfWhkrKkl2H3sqLscve3H2Ra5fUfTqi22plrv1ReHG brOlkK0qmGjNaux8J9A4/DpF+a12oF3G/NKAt1EWIkl6EREwbr8I0Q9MxBmECgv7 YFMR5shzDkruv7TRhTYBzZ3ozlBpo5EBiaZHOfG/lDrHV7GpwuYm54Ojg2qLT1W2 YK/j1QUCsiKY6NprHXX3mTqxGEySwe8vNvJGyr2RPI0RgzZJz6IgktBut38WOtF4 OgzjAyI8ZK3oxV+9rR/CYA== Extension name: sd64av ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C9F7D3D69878FC55

http://decryptor.cc/C9F7D3D69878FC55

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks