General

  • Target

    a4974fd8c55c0ad42e459fb67e0d077301819417542bc27cc34311a61c749ce9

  • Size

    115KB

  • Sample

    220124-bsvvdahdgr

  • MD5

    c12e8e4e3215462c00b526f242547b5f

  • SHA1

    75e5dff575c7f2e6d7763510d68e28e033367726

  • SHA256

    a4974fd8c55c0ad42e459fb67e0d077301819417542bc27cc34311a61c749ce9

  • SHA512

    e5b60c4b929560010780d41ed398cf573c8ccdfcc6aac383df6f6bbb6c3f67d8fc8840232ba25fd4256e2cc4199373a1617c02c90af5e8fcbcbd9ad09e1a463e

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$cZPsNIhC359jnu4/4dMbzO09Rxlh5U6Zaosn5UYa4mOiJVsep6viK

Campaign

467

C2

Attributes

  • net

    false

  • pid

    $2a$10$cZPsNIhC359jnu4/4dMbzO09Rxlh5U6Zaosn5UYa4mOiJVsep6viK

  • prc

    xfssvccon

    isqlplussvc

    oracle

    mydesktopservice

    msftesql

    ocssd

    dbsnmp

    firefoxconfig

    visio

    sqlwriter

    powerpnt

    infopath

    wordpad

    mysqld

    mysqld_nt

    sqlbrowser

    excel

    ocautoupds

    outlook

    sqlagent

    onenote

    mydesktopqos

    ocomm

    winword

    sqbcoreservice

    synctime

    agntsvc

    thebat64

    mspub

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    467

  • svc

    sophos

    sql

    mepocs

    svc$

    memtas

    vss

    backup

    veeam

Extracted

Path

C:\1zw2w96i5-readme.txt

Family

sodinokibi

Ransom Note
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A14881688D171D1E

http://decryptor.cc/A14881688D171D1E

Extracted

Path

C:\eykd2r5-readme.txt

Family

sodinokibi

Ransom Note
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/51BEE152D5D13FF0

http://decryptor.cc/51BEE152D5D13FF0

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
