General

  • Target

    a4ea7eab38b227283d7b641a35e1ae26fc499ef489eccc8edac7f192e7e564b4

  • Size

    164KB

  • Sample

    220124-bsrgyshee7

  • MD5

    2663090a836e85d5351c707fbbbf80d2

  • SHA1

    86f39506eab8449d94d6771f73d9be99c093e3a1

  • SHA256

    a4ea7eab38b227283d7b641a35e1ae26fc499ef489eccc8edac7f192e7e564b4

  • SHA512

    0d33725e0cd69889d75242550681f19dc159e9070cedfd4f5475c508098c70912626a82335bd903bec51f3ed7741ca7d75bdb5d10ce1355d30b3247b0705eadf

Malware Config

Extracted

Family

sodinokibi

Botnet

36

Campaign

1107

C2

jdscenter.com
billigeflybilletter.dk
lesyeuxbleus.net
osn.ro
rentingwell.com
airserviceunlimited.com
medicalsupportco.com
springfieldplumbermo.com
lattalvor.com
factorywizuk.com
stitch-n-bitch.com
heuvelland-oaze.nl
vvego.com
zwemofficial.nl
jag.me
amelielecompte.wordpress.com
skinkeeper.li
eurethicsport.eu
brownswoodblog.com
kemtron.fr

Attributes

  • net

    true

  • pid

    36

  • prc

    ocautoupds
    outlook
    dbsnmp
    sqbcoreservice
    dbeng50
    synctime
    msaccess
    mydesktopqos
    thunderbird
    sql
    ocomm
    isqlplussvc
    tbirdconfig
    infopath
    encsvc
    thebat
    onenote
    visio
    mydesktopservice
    agntsvc
    xfssvccon
    firefox
    excel
    winword
    powerpnt
    oracle
    ocssd
    steam
    wordpa
    mspub
  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1107

  • svc

    memtas
    sophos
    mepocs
    sql
    svc$
    vss
    backup
    veeam

Extracted

Path

C:\x965t8i-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension x965t8i. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0772C7D893B3FAFB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0772C7D893B3FAFB Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: dbhTrfzegyPFiCSg5sx6sqeDaVvCv7zCCAJGsn1A+nTEKSXvbiJaiiRdHMf78A5W 54mu1zvXoa7r0FSAPcd5yvbGnP5IhA2CU3TL9WhIbhXi54eRluO3w1jsvNGSnnzd MBhpJsWquliyKB8CP8pvQ/SXG9N5VGsFn70JufD5rflNaehm6j83RZElWmtkhhV7 zJ3Y90iVlSC7ucwH/3xa2n67TqA1t7x54mziGyy5PkqpykZB5ztSaGGMFqGNBQl3 VMBlshivAXXKzEPNG3YNt0bBXZEgvNtSOfr/S/tnDRFYbELUYuP6xHE7TihxYyKE haHDKa+jR0QXnrBLFdgv42RgWRzOcXEQZwck/8ObR8gyHWI3e3Gd2woUq8mdyRmH y+LFObeiNp06QIiNjnIqCWBp9AV2yr04LkPgQjXd1HxrLf9rVqUFj6fzeSPEh0Zd s4e/pvzJz8puKsE1UyEX62Ru3K2ngGjlsRYfpI68m7ywBTpwhQ2UGhgx2xfjgea0 /5vvSTLfh2kpt91gvdryKn45ZK8hMu07JWqqWdhMSSAk9TeWtRsRS+A1je46mocb dqynM2n7UqHus2P7M3LqFUYra3cjjNw5013H1lkf+DLqM8HL9e2I7Yhy/n1uuuet mDaTDA7T6jAMiStnkT82gOxiPTvChlT60qIBMYQJOBegLmzrSdbYHJx6SYG4ImVz 01EmmbHOFZIXOGG83nacse5YrcKDmcr0mqUm4cAq4z72inOv3xyQo2QSsHkSnHrJ 44soFBABecOWoRogVwf1IXI2cdfGrToFLEXXNdzvaM5IKZPXMpK/Pn0UKIbS9Au2 dbbelgdm4ALaGNrC9zoGyLRSJyTEzHH8NLUvqXJHbc3eOZPiN7OGQ2lcxLY12keM Zo7xpDMqzgmh9cLvqFTux6K9I3gJXpWyC4t2DDn8Bdrq896VCDFUECaWva26szNP bhrmbO5f/kNu0xdxi7fVgLRMUpaGlfk5DhjbsUkvPZznAwCw+zaN3qYYtMzl3Bbr tpH/D9hgWtp0regsXhemgy7cpi90yYT4j7D0mcBtUYXcDnurgeBUsb0mJD2bg/Ao C5orhnJJSNNQLcRrUAYAs2hu5FkaIZkSlNP5A47uaK6PUQAtDbpE4jGWzXCacYwl NlonglkY Extension name: x965t8i ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0772C7D893B3FAFB

http://decryptor.top/0772C7D893B3FAFB

Targets

    • Target

      a4ea7eab38b227283d7b641a35e1ae26fc499ef489eccc8edac7f192e7e564b4

    • Size

      164KB

    • MD5

      2663090a836e85d5351c707fbbbf80d2

    • SHA1

      86f39506eab8449d94d6771f73d9be99c093e3a1

    • SHA256

      a4ea7eab38b227283d7b641a35e1ae26fc499ef489eccc8edac7f192e7e564b4

    • SHA512

      0d33725e0cd69889d75242550681f19dc159e9070cedfd4f5475c508098c70912626a82335bd903bec51f3ed7741ca7d75bdb5d10ce1355d30b3247b0705eadf

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                      Count  ID
Defense Evasion     Modify Registry                1      T1112
Credential Access   Credentials in Files           1      T1081
Discovery           Query Registry                 1      T1012
Discovery           Peripheral Device Discovery    1      T1120
Discovery           System Information Discovery   1      T1082
Collection          Data from Local System         1      T1005
Impact              Defacement                     1      T1491

Tasks