General

  • Target

    a3237bee421786c2d5752e0f2be5e33147e2456d781638578b5ab7fcff77f963

  • Size

    179KB

  • Sample

    220124-btejsahef6

  • MD5

    171b8108e20dfb2237b6b5360f552d7b

  • SHA1

    2d8472b1e34b9775574dd69e673ce0062ca337ff

  • SHA256

    a3237bee421786c2d5752e0f2be5e33147e2456d781638578b5ab7fcff77f963

  • SHA512

    d868b569ed1aeaf6aeeb333032471ac5261f18bf6bc91d9d5f63f813d2470332c5bc35c6dc5126f96159306556923987df4cd847a23af035c90ae96b4a816d19

Malware Config

Extracted

Family

sodinokibi

Botnet

36

Campaign

1751

C2


Attributes
  • net

    true

  • pid

    36

  • prc

    ocomm

    thebat

    sqbcoreservice

    ocssd

    excel

    synctime

    thunderbird

    sql

    ocautoupds

    dbsnmp

    mydesktopservice

    powerpnt

    isqlplussvc

    onenote

    xfssvccon

    visio

    dbeng50

    winword

    wordpa

    oracle

    agntsvc

    mspub

    mydesktopqos

    firefox

    msaccess

    encsvc

    tbirdconfig

    outlook

    steam

    infopath

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.top/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1751

  • svc

    mepocs

    svc$

    backup

    veeam

    vss

    sql

    sophos

    memtas

Extracted

Path

C:\447cw4gb8-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 447cw4gb8.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/849504F521A14459

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/849504F521A14459

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: Qt8u6GsUgg7fU1V8h+VG+i5fMOuSyoLYsS6WSFwC9xUitAezaLbotI9ULFtUvKTY 4GXBNAWiyl0nTnxOBfVMfkq4JUpBph6mVt6wNUh1Z0I0bjO+pkXJW8DROcoZb7gh EVfzZFURaAg4pU+zPQ40TV8gi5AHaiCsDVJoYTJdZT3tb6QiS6tq5VvoxRfEb2xH 2qT9dlFhN5yw9Kvmz/wxAupiqR8/iy7Z3kBMrzuaTTxYh7hgh2YAq7RBXLpP4Nhd zRcaW7+9kt26QinqQMikWYDMJm7roFQGcacH6BNfbNSSejxqwkI96fiuLrEUesst XWZdiLC3pJACsuxRkY8k9viFd87XkQ2/mDoti+XdS44E+v3HhPQrfh0BWYjeOTH2 fXRLT2Cr4hRHLKr1eTo/SgmWo+VYXcBMjZ/8XalIj9P/YW1kdT1L/B4JlwYkEsGs hOzhQbwmRDeYcjfgxaR1pNMmi70isKYdn9pP0VZUkItjr6kzksb6BsCUYsaA3yjD fvBQEM4JhowqmdyWvX/50A7L9nB2O7Q65Nfuv84CCa9u6J/8JUraeg+cVa0gU17/ I3H4ASSjiUlb9yI5VRsmr7CjkSTwHlvwBCxurj1SNqUOkCSX0a1S2mk6T4wdsEBJ 8gyn2H8VeKvHOjwYIY2I0UkU5ZMtidvsdgyF3AugcSL6saKkEKDTRfn0IumHOrnx bhcl5fMkU+MgI0eaCY5QP2baZ5r6G6ehD4lo6QHIkl+h4ClkQr2W5FsCTzw3bs34 kIwYqvBGJJ+zCjnS+sNj0IpsfnkGNRqLJnOyUKSF4HebVrMEXttgtCQ5O1yJF3mh EinMzSKJHboygm1aXqc8CMz8He/JM4vcpf5jSP3dbghfSX/1uLjPD+dI8djQxraF vm6cPx8S2SL/guh89S0k4Yq+8Myp8ZmaKJdUqUZnj8/UUSFYsncK/qOC8HX4aSpx WaBbWcWYLe95xeuVD0SyiLesi/FNV67gLx+GgH0KrVou+bp7buuN/w7hc+2dsneU oGqYkQ3h7SbiT7Zp/FFIIXS9s1GOaIw2+rLjrn0jMTftzc8rKyw0EOYaW5QhNIi0 HkdXfuzAtPtP8hv33GNDWAeChT5TgCR4ykz9mHftUF6YCSrME0SRuJudZDyx4xDp ujNMKA2Yg8uJ6w== Extension name: 447cw4gb8 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/849504F521A14459

http://decryptor.top/849504F521A14459

Extracted

Path

C:\idw8w-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension idw8w.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7F63380C6A54AF8D

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/7F63380C6A54AF8D

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: ElZqBEHRvpUKa9XL2dGsm4y+4Pm9T1B58LKHymlXj87VXUq2JlE9mOx2R6Gz4jAU uFSfSjuOKg0Mek7vtA698WrOaOHbRHSNH/9sMd2yWuhqHhJ2FPcxnOaExryM7taI oc3D0aGNW9pkTRxi6Q6DwrlAAHCsrDUAfWlt/GRomFx1aqZHoNm3GRLUHHED/tXa LFy6AN1nCjMu3ABxmFAWQUsR1c8bbdH43o7QsChdl7beVqbTw/c3X4jAXhE8U9OE /LjbpCjHA073FbjUbtXNhMP+F4MG8q5o5iMBQz3bXdmX+IhK5+1BH21xfWA+m6DD nwQBkNvfSGXUIW0O5jHBmpvYrwdtY4vrRzi2zdIR4261Cc/ais7SNmIoBv/poD59 La1Q3PpCw7er8jpBW3PsM4eqGVE908j/BT29ovlm7VAr8FSQdOIAFZa5YtMqKsDc z5TPGQclX3pV6EHyARAKz6oUOYs8wCEGqTRshP+i5oavNSiih23iENYyfgNu7ylr DompXKJPZLEnikOmp52MjSymd8DYlUfyWjhpYDUWCNsejuiudNw1xLqeGwj31p+z zTBLnCAYnvfPtWERdUup+bwKSfbtCZZf6+th1B76O1ArcO9Sd7yajj11DaHsqeOk c7j0i96hkQ1ADvtE7JvZr/yfroPco2ZvouUiaYLqHjoj2aLqYC0GglfrR5jj5TsD 3axEZ5x2Th6ZUv5PbxesQcs+INLWWDJmNdOC3A+WLKWL1w3KmXvYhK7iCe8NssfW bL8MgAk8sgdgBR87A+LD+qERC7g3jLCa0g4ag4AXwu+OOrOFNl+ronknOk6Nfdz7 L/miA+EvMTI+8fZ4p2fMEJpIzp2uFeop+Jmqs78spDevtrEi2yNPQaM72ejxL53M sop1jHa5Z0Ckigmf3I48/0Mi07bpvAGUvfZGCyRNS6mZyj4EYaBl0rWpigRPFYMz NtwiE5aF+ljQrX3nwO1Wt7bL/gmay5GODxXHEKOlo6Yi73bA5wySfmgzc3xX7X/1 gesuALfRfnl9Ma27lwHq51Q8GiDPJAgq7dq/TkWaSpABXHyUKq25pRjdXF2SBmx6 o/7PV/6xNpMYfXOuxxhs3m9tvvrCShT7L4nXttqsPk/mihlkINKTU72A Extension name: idw8w ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7F63380C6A54AF8D

http://decryptor.top/7F63380C6A54AF8D

Targets

    • Target

      a3237bee421786c2d5752e0f2be5e33147e2456d781638578b5ab7fcff77f963


    Score: 10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 2

    Install Root Certificate (T1130): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1
