General

  • Target

    a07aef29c402d38cbf0bd399de0226ad91bf4d4614e3ceb587d2099df82f7cf6

  • Size

    161KB

  • Sample

    220124-bt45faheal

  • MD5

    85996570ce59c7ee2335ff3be81ae68c

  • SHA1

    d9878842e098a93aadae29e177268ced37388fac

  • SHA256

    a07aef29c402d38cbf0bd399de0226ad91bf4d4614e3ceb587d2099df82f7cf6

  • SHA512

    6166366d80cef2955d15a273ab94a4910bad42eed2dbb3548444aa0d61846f7ea7786e4361798362d74b370b998a04aab51a76d3e5c13a700a3cb0a517691d72

Malware Config

Extracted

Family

sodinokibi

Botnet

13

Campaign

39

C2


Attributes

  • net

    true

  • pid

    13

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.top/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    39

Extracted

Path

C:\5wrgz994g3-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5wrgz994g3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/245A2675813437F2
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/245A2675813437F2
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: izMY2eVq8Kk7ijXiW6VTqzWmz//QmrqLr4iH6LXz8ZjYkv3auo78vh858kY4Sn06 z3Nbg/NCmtLxSVTntlW/21MR68G66x9BLOfnM3gNsMCDjaobLDbe0paTk0/hV/rh dzsaEkMVb1I6ZpYgqRavKTI+aBoyR+Eq+HOsN2m8abWKTpHUcoQga+P3sXAOfTN2 5Fg5Z7ASsb8fjia/fpQ3JL5e5E/3NK6q/fBdxLEM81bgunK2/GMi767WBuN/fZCk 8SDR7u3SvOk+OXXxgfMenu3pnlePu1+IWG0CUt8VXHxi8bl1BlDETTNimOxwniNN gdRdfLyVYGk68xtzkj7G6e9g5cJDsWfrvDSBqt1sKcv51Vhd78dZ/NvG4v/olRZL 9OkT19D9c8QOxr3E8y/MBe+DyHLsh/36HKsqKwDZSuI0G9g+XCMImoWSaB24GAGW +DZCDnYt+rJ5t8juBv2dgOwtJtXf0lY5LFW3KZPz1+slHkVaQ3K0F7zHIi6zZMFH yjlcVn9CoiYVPTgW8HD0gyUNu6s7x4A62A9VIwJ8/E58qXPm4Q/1h12J9LfaHDBJ WqlMd2EXtsBrHKsxKo4ZcrA2TNRl4qnnGROz8xDWL3+ZLxbf4VrZdbR8zrupgqtG SU2Hus1grblRmwZtLlyqeGMs7ANcmqm52gdPOv0OxEmd786LvPNNekaUZmdHmI9p 6al/n2DspwtfK3WfsW7MRrsai8cukTGfbocaalFcXybX6aSfF2dpdgwvPnQ+tDAN /ELs9Fg/rtJ4mOuA/CLaVlgHJKuhSPpSoy3sH9xKrUdu4wQcpBW2OsPXPA3+sstx r/w9CAcbuq5hr/QvjLmRMzD2es2LYQ9Il5gs3RH4BokieQ73B37SRGEhqxHlBYWP sUjWjFWQUv5CbdZq72Mg6oNTr9e+sv9rD2hp9LJUn3yAvlL266Zwv9UFFV9T5TwR /UnnZSyKmy6GOiBWgcsuQ/sFgsH4UpNPc0Ngdci6rY5CaEX02WDLSTljLLQ/WZF0 OjQkcD+5vOWSxF84gxoaCoWadln5y6YOOW91BuwyEMQL8gGMbVo+LcQwW+3p//Yz s+27KfNBAOlO1OQ3KjG4WDRr5lKebrRFAetvFhR04mRDvexda4oxlRsChD6xpK+R DkE4/FVscug=
Extension name: 5wrgz994g3
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/245A2675813437F2

http://decryptor.top/245A2675813437F2

Extracted

Path

C:\i5mx941vw7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion i5mx941vw7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56D2895FA6B60A3D
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/56D2895FA6B60A3D
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: F3yXtmixmMztQUpjiTJVbCJ5mfLfvOrJ32DbztSINFqWzt0piuwASsDuPCd9ekwU EWJeKG6qrM4w2xx/t4Ehnc3/aoYgVF7G4hrB68JvcXNnEdZTCMnHrg3HLK+O5Lgo u86779c936j9B5ViaQ94mLPwQUPrwP/qFH8FSZeWRkCzOiY/+lE+I7KfF94iSm9+ I4Xo5wznfRF/e2RTWJBVf7o5jxqoYaTv0wtPbnq6d1mkclrSbnewK95RlOSdkv2w zPalcJw7khoxSlE9cOwBiHHvPUKoPlidYIRYshimwd4G+gHWXXCN3URMFhm9okzl TtMWj31PN/itvvyezC56yn636ttr5kAJVbS7ELEwnWuFKaHGm95yig7HVIAvWJ7y lCWYe2I/195yCrXQBxk9Mpa29JSVu7MZTTkltX3P5LDHCNgI8c6UDrOwVJkpUlSG rvbwvDOHX64qTii2QTv1JdP61EiOBj7T3A+ms2Z5xS5A7FlAkf6tHQULa/wHeFmy cUffIQeqBBkdhT9zUdXNGko9eBXeLGD85ZZqpZmaavbKB7bakxomhh0l+Ya0Qz1F XfkC1tjPUUpyvvv14UwQVW0iW0eBfRc/+QfSYqy0S/ntI69z3FCKnsThNRny68cO xUnR3iIL2dFL3iiyAEw1suC1r4KgsySndVWzQ4fk8/+IrTMb0EPcM61dMDYtWz5k FCCpIWOvK2S/x5Hhcjy+m+DsxF8Y4vxvD9NQAd3+Ne5t/tRUk+qmy3/wavBxOoES 4f8vZAu8dRrO8p51ToggqvMz728ofp94lcNDGLFJe/8NbfIBiHc1EqXRZZiWVgIU 1o7sSPpU7CRHm+jtL4KyQMJILgLWp1QZ0w5j4qOE3s1ig31kJVFq03PaJ2XrgtdJ Jd9IWzTHubya/Z5jHiYO5WNbOQimDh2ZJ1y5zA/1un+xVKqMoZgkz0P/DtI48w72 zvuqQ8zgab3ivPRVlpI+a4wJJ/ZvO73+jFaiHfV0wPM7zucxnL+H4TQg23Jfa0L2 wo93H1hZ9iDzF4tDpV+MXAy8ZsAETeCdNR8nAWgbBomwVwAtWW7F+FtQ36eJo/xd U2mWQv+ZOHEPfcRSjMsDqoyM4f7N5gd+yU2oIxZqJXBOrvJF4y5zwZx1WcpHzti8
Extension name: i5mx941vw7
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56D2895FA6B60A3D

http://decryptor.top/56D2895FA6B60A3D

Targets

    Score
    10/10

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    File Deletion: T1107 (2)
    Modify Registry: T1112 (2)
    Install Root Certificate: T1130 (1)

  • Discovery

    Query Registry: T1012 (1)
    Peripheral Device Discovery: T1120 (1)
    System Information Discovery: T1082 (2)

  • Impact

    Inhibit System Recovery: T1490 (2)
    Defacement: T1491 (1)

Tasks