General

  • Target

    a03a935a9bb59abd9b8f5d0d447d9a1895451e17c5fb48f051b549d8fd42d2b4

  • Size

    164KB

  • Sample

    220124-bt69ssheh5

  • MD5

    ffeae1d6c63e1f6ab23cdaf01f7dc9ae

  • SHA1

    d886717b94edabddb548c532d55f5b7189c038cb

  • SHA256

    a03a935a9bb59abd9b8f5d0d447d9a1895451e17c5fb48f051b549d8fd42d2b4

  • SHA512

    b38b34f60505884d331b07b801f648402c2ba4ee6f03f30b2f7ca0b9e2fe0269a0a59715b20ecbfa69148a44c9ef8654dbda30b52ca25c06e2f742d9d1952c1b

Malware Config

Extracted

Family

sodinokibi

Botnet

13

Campaign

981

C2

achetrabalhos.com

mercadodelrio.com

circuit-diagramz.com

brunoimmobilier.com

blucamp.com

karelinjames.com

zdrowieszczecin.pl

physio-lang.de

broccolisoep.nl

tieronechic.com

pilotgreen.com

magnetvisual.com

eksperdanismanlik.com

hypogenforensic.com

happycatering.de

grafikstudio-visuell.de

kristianboennelykke.dk

metallbau-hartmann.eu

subyard.com

wasnederland.nl

Attributes

  • net

    true

  • pid

    13

  • prc

    visio

    agntsvc

    steam

    ocautoupds

    dbeng50

    oracle

    excel

    ocssd

    msaccess

    ocomm

    isqlplussvc

    infopath

    wordpa

    synctime

    sqbcoreservice

    xfssvccon

    mydesktopqos

    winword

    mspub

    thunderbird

    powerpnt

    onenote

    tbirdconfig

    dbsnmp

    mydesktopservice

    thebat

    sql

    firefox

    outlook

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    981

  • svc

    veeam

    sql

    svc$

    backup

    memtas

    sophos

    vss

    mepocs

Extracted

Path

C:\3pzdk-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 3pzdk. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5AA01F7FBF536BE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B5AA01F7FBF536BE Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: AeggCKGkm+aF4kzwYoW+I5m/NFZZwWubqyeCCi2HYENc5trzqvSzKaKbY2KyQOM+ dx8RtB4uWbPFWhZdFXgWEGiGuhL8lG0SBip/cTCcF4ERPjrPInbouTxG45OaeQyZ ceV/u0KNKZ36wWnDhcVIZjCsD13CMbCAKjYLdiOGX4/ABaajEyzRRYwKy6+5natD UZHpEL68hImq4t5LIqla/sDjcQTX8KFSKl5wyYKr8FE3DdgkKVy2PXMPZGNt2OA0 cZkFoizoddiiJjLpDNosaL2KpxiA6AKeGFIGwe3fMlKeDBXbeIsgXm9M/PGs+qX1 jGxI9wrGaQpOsQU9PuBSwMKYTr1gTA3X+xQDbeJ65J/NMMIJJABwDsX+ar7gO+42 /JWBNGf/FiHSTLuydAaXh1BwDm6FZAl36j51ElbAy4zMKEuQ9G9+126UD8JtP/96 mkZiMEl0qei6jJNCfJxo5aaFzRxzOT/gihSA1tIFWyIjzbxTHPxp00AGzJQFXXZb lMsZwY9GX8NLCPvTPmb21pyOOA/yIgFXUAhvRM/ZU2Zb6X9mVGiVR9L3GEF/Q4vI 3zhhOb4odxqOtjBHAxjb9Tr9/XmbDGNZMAvzG9hAJiFYqFtJPwrDhp/Gtjmgdwxj zTgKleyGm6HCIo40Bylo4VoA/L0GohG8UJC7jQMVwLuTY53IHVRfVP0MAFiOWLCX 30jnVdSk76Y27+zc5p8ssMq709Jdp/+H24DreUOWx6LSBH9O7oEDJXRLftyTVSlo 0l5GpVwoFpi0YjC/pyrtkpqVAL1ozgj2CnHllAXzP5v1U9MJZNZZENreLr6+7Dq1 ygFXMSC/uDQt/+8Uvz4muyaorjTz5ysQxX+rTj8P5QqAbwIAM2hRKIxvVlexD6KK n8QPDwtYwCTrGzMJo6SA65JPC8DbD6kGq6bhvhFtNhUnINpKQeu60kLAYrqDUaUw Z9/EcsZEVncHfUkaVWzsN9j3aLfXYeXtPGB+MWZaJont5btnhXKCynjx7nDk77Si MsByQR3Vz3Bi2+o3EaxRFpSowiPKV1AeDz1waPiQwq9PLwvIaT8JHwHognQiUpBb q5Ay9yaTLK5Ib9Ig8WHe/rqhtCkIRE8SAS96G3QQ3uk0xAq2rcrlyTxiysM/wraL Extension name: 3pzdk ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5AA01F7FBF536BE

http://decryptor.top/B5AA01F7FBF536BE

Extracted

Path

C:\58d0ti64-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 58d0ti64. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/273492FD5E9A0C85 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/273492FD5E9A0C85 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: bcxxMCisaKpaQMo7QyQ0t6tHsQBiRT349NirT3KZLe8Qt6gx74GrgvUZJipve10O pf4zHrwvXqolL8JbjxqGBVH+oRnJlfYEdjyPzRZGWhY/YBXJHdg85YRVs14lRwlx JXOXugOCE3SC12a++V5EFvDNHrjuGbuUCa+wOkpLJCZ42UB3FwUb47jaanyxWpyI 52UUAZZZMkr69NmPNPue9tfYTvn9g6cpTICvbRQo4wow/K7gE3kBpTluDzzLTCWL 07oEhqb5b4d7tWwh3ZVyTQhuH8tVvtcBZL0KuB/yEL+5y1pZ7dX2KB7UW/E3LylN ithD6iwulXqKvMdd5ZkVdgv2I2OUQNDgid/byXgJ7kIUAm9r8TSPWN8wAfwXjMRk UkQwXmtc+sHLZ/7PSUC3CGKLyK9X7tocTSe8V9nbQdQLmyGJj1O48/eCLbetXG7r QWpNovijxl0IQBt72h23wT3Jz4kWM3j8JAPYxrtwWMzWS5Vxujku3Z9DqshyseXO 1UjnXxol4MlLB1+G0vKCLqdtZQ3nh5rPY3t9ySre6ixyabNwlQSPDp9O5gA6qS69 J7lLx7RIvaWLFMI9cLp3ekctvZahMMiV66YXPhrZy4XjAXwDQ/SAUq7neuqCw+lb mSxsbgSyGBNfzalCPYsEHUidhFsd7DAWSKpP0NpU5vWUZUU4tRLpJx+pnvJEqwE8 kFky7VW9mM4UCS92CN0f+96nKGOwvuuOELBes+xHN6ru8IQbNblAsJRcZpXDs/GB c3BQ7cIC/ilu6/3vBPv9MAukf6oCd0qhtmx3XQtj5O0jG69s/CROa9Gl9aIEYio+ upFC/zAKGuMX/CEXIkxMhkg5NNhan/kiodQZkYbHYwspv8HEPesKo3gi6BhA49GP 0veVpicA84EYQfFsFovwNG5k7uJQElDbRBsMjLzQM5Oa2SZOwBMGiq/gOCUM5MW3 kZ17in24QXI3r7ze/jAuVmC5WZbtpWo7PYgWsqqKgZxQNuSdJuoq9y9sqALu58m/ RLdN5rU2dH/Ys4NXp2i9v9nphTMRvchtOdzzgXpVP/dMJKS3P5Z1nMN6GKDWL/VF ZNydTxWIFI6oK4FnZh7FJaB+FZ1HwkpdR0kamSzaFQ8C/DD+066XTTppEqiBHA== Extension name: 58d0ti64 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/273492FD5E9A0C85

http://decryptor.top/273492FD5E9A0C85

Targets

    • Target

      a03a935a9bb59abd9b8f5d0d447d9a1895451e17c5fb48f051b549d8fd42d2b4

    • Size

      164KB

    • MD5

      ffeae1d6c63e1f6ab23cdaf01f7dc9ae

    • SHA1

      d886717b94edabddb548c532d55f5b7189c038cb

    • SHA256

      a03a935a9bb59abd9b8f5d0d447d9a1895451e17c5fb48f051b549d8fd42d2b4

    • SHA512

      b38b34f60505884d331b07b801f648402c2ba4ee6f03f30b2f7ca0b9e2fe0269a0a59715b20ecbfa69148a44c9ef8654dbda30b52ca25c06e2f742d9d1952c1b

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Modify Registry (T1112): 2

  • Install Root Certificate (T1130): 1

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Impact

  • Defacement (T1491): 1

Tasks