General

  • Target

    a3a93c413316d7c2b1142eae2659c731199c86ca7ace114103f1dbc4d2748f0d

  • Size

    137KB

  • Sample

    220124-bs821ahef4

  • MD5

    7d4ed09beef0ef99c2c24cc188080a3d

  • SHA1

    4605078fb4c985e9817032712b3cfc3b0f2dd09b

  • SHA256

    a3a93c413316d7c2b1142eae2659c731199c86ca7ace114103f1dbc4d2748f0d

  • SHA512

    d60c57552076b46c17d3bb6114681eb927d396066ada9370b3437b5820fe19fdea42b2e69262ebf2ad78895ac5cdcb692e5a64f0f0d167a82f26e3df2100f66e

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

Campaign

1428

C2

ecpmedia.vn

triactis.com

promalaga.es

siliconbeach-realestate.com

bigbaguettes.eu

web.ion.ag

spacecitysisters.org

abogadosaccidentetraficosevilla.es

blacksirius.de

sipstroysochi.ru

foryourhealth.live

schraven.de

mardenherefordshire-pc.gov.uk

pubweb.carnet.hr

joyeriaorindia.com

makeflowers.ru

seevilla-dr-sturm.at

podsosnami.ru

stupbratt.no

jsfg.com

Attributes

  • net

    true

  • pid

    $2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

  • prc

    sqlservr

    excel

    sqbcoreservice

    powerpnt

    mydesktopservice

    dbsnmp

    msftesql

    steam

    sqlbrowser

    ocautoupds

    visio

    sqlagent

    thebat64

    outlook

    dbeng50

    mydesktopqos

    onenote

    sqlwriter

    tbirdconfig

    agntsvc

    infopath

    encsvc

    oracle

    synctime

    mysqld_nt

    thebat

    xfssvccon

    isqlplussvc

    wordpad

    mspub

    ocomm

    firefoxconfig

    msaccess

    winword

    mysqld

    mysqld_opt

    ocssd

    thunderbird

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    memtas

    veeam

    sophos

    vss

    svc$

    sql

    mepocs

    backup

Extracted

Path

C:\8g7uc10-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8g7uc10. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7D86465B0D2F346D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/7D86465B0D2F346D Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: sBqEzlIGQiXC49uiPGzL6zlvpuIp95bxENrVJAQTfGipaneSOWxmYs1xk7KxlQmQ N0xiiIDIMyRqyvKbjTsS7RU93w2i7b7ibbXuiMyjkbHyMJZ7flfCf/S23Rc5jmsn g1nYVRwATVY4jd++DYdoxdIGD4aRlFOmBgko/E2sMWP8MOPbEJ8tZjQWsHV7KL/Z ml5Fd+IMO20OxAEplfWb4Nq34gJ91TEvHJ0k4Ru+BVM5pwcc5pXWcAUb3NPURkAw 8TVkKHGlevWrNleNoyWuj4L0bIu6Jmm5pLfYINprn0lrodhUDuCmM/G64MKBPEDO YQ3n3svD7jKX5jMtXRSIBxYTqpbZETmdHAY5L2gZ9rsqFDDMNnbAny1b8aVBMANm VB2l7V2CfHveZGhf7cKLJ+e/1wDnP4F9zPZ8jX0DNSB69u19JQHj2vpV28zE1Pbs GPCn8NRAIB5z+uOitKd2kWL7llGk3PoYTmy/D5V7z6O2ksIKsPabkT3iIDjO7hO0 ll6zi3oEb3nXGHBwVEii9OGGRzjMp7LFhAoy8P/36fjMUzdXJlmE3BxohHdQWsDz k5x++/5RBm02QOliPeGaFh32Rh55JqrrK7jt0/QYDMIGQxNF46r+UBds90lM+7XI up3+u8Ooedq0XmofXPqkzUSaaQPkd80AsStbQZCUAYyoWHcaTTvsqidchfaPWi0W MmYRHujgeCFuLVa3v8S4ILZV/celAc6O+vxdyeV2K6VEdcH9otQFooxk8LqP6Jfu S9ZzyuNCvkvnu9FqNwOjZ4NhmodvonqxbghwVzv3E6vyR7DM8aiXuo4uknTzlv9/ TYw+065m1hiCXFNltuFX/yUB1AYJy+q8tY/rIQeo08L/QhvWFhIepwvgPwUB4fM0 Ns7KrzexRtwP8rdbhm73r6HjAF53cvkTofqrTGBjklY5W7Nof+uNKppDDQhUH+YZ gIZmimlHe3RKfXRVnktUIE88fCXBi2A6P6DeuOWAqxL9W4xx8GjHgvA1ERsGgwFx omb3oAuiIWzje/ceK1vt3OmFkDMQQncsKKaFrx6U0oQSc9eRUk7Ne4YxIrt4NQPw sI/sb/TlxrzvWidZSeuPRiT92YAIHraLOOyh/B7BfgnjpVlA32Yw3EbZtgOYdszs wQvzIO1rmbNEynVO20CW4dPdPXuvz8aB/McunKJD47YkI8OmptDPZCgKCvDOjYOD YT6WvQUNiYUyC0I4tkLgpiZryRor26iv8bfQfJZBqNGHYYNLfkmRh2CO9+1ZYjvr Ybc8e2VAz1WRkFLoNV9WIjluhezehxPpa1g= Extension name: 8g7uc10 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7D86465B0D2F346D

http://decryptor.cc/7D86465B0D2F346D

Extracted

Path

C:\tkqtc-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion tkqtc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A1BA4C41A6141B41 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/A1BA4C41A6141B41 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: AcEGAKALDk5XMfz//y9M29eFzP85Et05ouQ1yklOr9NzfnCWzx6BXXn/DB8k1top naKC/+ZQHbHVr3cSsCK7cIB6rXxHeGPRVDanY2aBEz/sbNiKu1bd3ThZLyGo5lFZ Iejk13CDIWQMjCmis22a5zuAV9RCM9uLaVzzCBbYcvpUPjD0/PuqYcs+ikG9puHp zpq5fiMi+gBKdzIhIyfQZLIF0mWOkjekPoeR3jVTaOcsAtl1tpWmTdjnJP60TR8K Sg8wCOHbXKIYt0/cV9YN9AprmWqLUkAiJXf1dFUl/fDIeeUSmg0RZVRMHSRcagMb qpUXA91T6QIyQGBhZ8if1llljoM1PRX91SuFzOM+D/vKFyefpKr42iU2B3wDj1oZ gVqJ+Cjh2h27xFryiZJyJCgr+W5B+QtxTwJwo0fu0FzquXfEDOdPweg0NqjPS8G3 UuUUVCv3ieOgddGyV8KOVAuBVddmHLpgzafZJ8V1790SJ1xNn/JosEtnpJkNWwMa Sle8r46o3rK1pbnqf517VPbvm06RmM86LLrZbDoZmQH3OH1y1g4TrFIZk+5MUQ+p 1UjTHMtGu+ZDk+xyhHHA0XVIO+5Sqr7NOxLqbY3iUFYr7Lm0IRPEmja64zQgwo1D I+M6oK5NXCXPDU5DTstkjsJ4R+qL0M6MON8qAB5NyMwGlp3yaxcSoeVQO+SbgsyK JCQU8zsjPLqSDU4nKKTItp63mb2SI3ggvPFQ22p1ywpK2cJnCw1q+cbfJHdoKQ+w 0V2eOdQvm7S5ssX2A4h2XcZFy2jn7CZKDGDF+bMru7oNsuaaMCw9X0npDVQtNFcN cuBUc2WQk1P9Kc4U+BPuHulFF2iDFHgSYx9/mQo2hcpisFlJrPVTeoeWInoUE5Fq fSz2nG8L2QYR8WZQH7AzhVzmF2LZnx0B8aJ4utsSlOEsuP4hBdU8HXX9PI3adB6L 3AT2Lzp3dAUCI61Yiv7YAaPA+R6cmXeREmbLHFi/suZVOJxoSQnKXkHmJJAvYIpg 7EXSU769JO0oatiA/YewFT+2stXkdWyPZPrpVFjF9TU7WczpidljqEI+OlRaXzWp Oux5qGBV1y75moUu/NKQFhjlgn7cMGFzTWvssKRv+sAF7lRIsKAEGtqYAlQSz3CC 8Hkb9Ws3swSjKPaltpqQj++61271ouxmyte/8x8woK8u27z7eng2SJuUlUPKBZVw yLoqvI6mPentTv1dfqf0iDBxdnnfJR05LPvBoJI98qgDeO6xPOem/u1yHVJQEMrn /O7HzsFinxGuudp+vuY= Extension name: tkqtc ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A1BA4C41A6141B41

http://decryptor.cc/A1BA4C41A6141B41

Targets

    • Target

      a3a93c413316d7c2b1142eae2659c731199c86ca7ace114103f1dbc4d2748f0d

    • Size

      137KB

    • MD5

      7d4ed09beef0ef99c2c24cc188080a3d

    • SHA1

      4605078fb4c985e9817032712b3cfc3b0f2dd09b

    • SHA256

      a3a93c413316d7c2b1142eae2659c731199c86ca7ace114103f1dbc4d2748f0d

    • SHA512

      d60c57552076b46c17d3bb6114681eb927d396066ada9370b3437b5820fe19fdea42b2e69262ebf2ad78895ac5cdcb692e5a64f0f0d167a82f26e3df2100f66e

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  Tactic            Technique                            Count  ID
  Persistence       Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion   Modify Registry                      3      T1112
  Defense Evasion   Install Root Certificate             1      T1130
  Discovery         Query Registry                       1      T1012
  Discovery         Peripheral Device Discovery          1      T1120
  Discovery         System Information Discovery         1      T1082
  Impact            Defacement                           1      T1491

Tasks