General

  • Target

    a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb

  • Size

    164KB

  • Sample

    220124-btk2kaheg3

  • MD5

    4c7f8b8be38b8e86b8e9b2bddafb0907

  • SHA1

    d6576ba929b699a46f05f19b4cab0bc8da2cb775

  • SHA256

    a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb

  • SHA512

    afd93d45ea0cd7a5cdd71d74ea36654e3106bf0bfa33d06374ddb81852ad9e82054acd1243f8beb8830b30eba99a5913a8919483d3cbb050d71ec53a8ec84607

Malware Config

Extracted

Family

sodinokibi

Botnet

29

Campaign

1386

C2

silverbird.dk

betterce.com

vapiano.fr

penumbuhrambutkeiskei.com

alcye.com

wasnederland.nl

sealgrinderpt.com

janmorgenstern.com

alltagsrassismus-entknoten.de

line-x.co.uk

littlesaints.academy

motocrosshideout.com

flossmoordental.com

stralsund-ansichten.de

efficiencyconsulting.es

welovecustomers.fr

buerocenter-butzbach-werbemittel.de

clinic-beethovenstrasse-ag.ch

90nguyentuan.com

martinipstudios.com

Attributes
  • net

    true

  • pid

    29

  • prc

    thunderbird

    dbeng50

    synctime

    winword

    wordpa

    tbirdconfig

    powerpnt

    msaccess

    encsvc

    mydesktopservice

    agntsvc

    ocssd

    sqbcoreservice

    xfssvccon

    sql

    dbsnmp

    thebat

    excel

    mspub

    ocautoupds

    onenote

    visio

    isqlplussvc

    steam

    infopath

    mydesktopqos

    ocomm

    oracle

    firefox

    outlook

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1386

  • svc

    mepocs

    svc$

    memtas

    sophos

    sql

    vss

    backup

    veeam
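
The prc and svc lists above are the sample's kill lists: processes to terminate and services to stop before encryption so that open database, mail and backup files are not locked. The following helper is an added example, not part of the sandbox report, that turns those two lists into a hunting check against a host snapshot. The kill lists are copied verbatim from the extracted config; the process and service names are a constructed snapshot. Matching is case-insensitive substring matching, which is how this family is documented to apply the lists (treat that as an assumption and confirm against your own sample).

```python
"""Match a host's process/service names against the extracted REvil kill lists.

Added example; the PRC/SVC lists are the config values above, the snapshot
below is constructed. Substring matching is assumed (e.g. "sql" is meant to
hit sqlservr.exe / SQLWriter, "backup" and "veeam" any Veeam service).
"""

# "prc" from the extracted config: process name fragments to terminate.
PRC = [
    "thunderbird", "dbeng50", "synctime", "winword", "wordpa", "tbirdconfig",
    "powerpnt", "msaccess", "encsvc", "mydesktopservice", "agntsvc", "ocssd",
    "sqbcoreservice", "xfssvccon", "sql", "dbsnmp", "thebat", "excel", "mspub",
    "ocautoupds", "onenote", "visio", "isqlplussvc", "steam", "infopath",
    "mydesktopqos", "ocomm", "oracle", "firefox", "outlook",
]

# "svc" from the extracted config: service name fragments to stop.
SVC = ["mepocs", "svc$", "memtas", "sophos", "sql", "vss", "backup", "veeam"]

# Constructed snapshot, e.g. what `tasklist` and `Get-Service` would list.
SAMPLE_PROCESSES = [
    "explorer.exe", "sqlservr.exe", "OUTLOOK.EXE", "svchost.exe",
    "thunderbird.exe", "mydesktopqos.exe",
]
SAMPLE_SERVICES = [
    "VSS", "VeeamBackupSvc", "SQLWriter", "Spooler",
    "Sophos MCS Client", "wuauserv",
]


def match_kill_list(names, kill_list):
    """Return {name: [matching tokens]} for every name that contains a token.

    Case-insensitive substring match (assumption about the family's logic).
    Names that match nothing are omitted.
    """
    hits = {}
    for name in names:
        lowered = name.lower()
        tokens = [t for t in kill_list if t.lower() in lowered]
        if tokens:
            hits[name] = tokens
    return hits


def overlap(prc=PRC, svc=SVC):
    """Tokens present in both lists; 'sql' appears in both in this config."""
    return sorted(set(prc) & set(svc))


def summarize(processes=SAMPLE_PROCESSES, services=SAMPLE_SERVICES):
    """One-shot triage: which running processes/services this config would hit."""
    return {
        "processes": match_kill_list(processes, PRC),
        "services": match_kill_list(services, SVC),
        "in_both_lists": overlap(),
    }


if __name__ == "__main__":
    for section, hits in summarize().items():
        print(section, hits)
```

Run it against a `tasklist` / `Get-Service` export from a host suspected of being staged: anything that matches is what the payload would kill first, so unexpected service stops for those names in the System event log are an early indicator. The wide "sql" token is worth noting because it will also hit any unrelated process or service whose name contains those three letters.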

Extracted

Path

C:\da0sa18f-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension da0sa18f. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/370DAAA3E87F026B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/370DAAA3E87F026B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 0vdVGNA/mN+12ZDg2Yf4snmwTuB9ikDgEvyuHghJVGJeJkns330QfdquB9r+MvN5 J/O2viHiMPId+Z+AxsHe1kY3w0kHO/tS3uW6/MZHB2UmviZSlfROoZeo3x1a669t AR/YD3nN3uqymMvFGxufu8BTgPSDCAlubfxw7gOY38PqF9CY41xZPFwhcMuPjinv TKsxYS08Xlvec6TKTbGCiag3tMiY0+Zirm743ByjpuZHZzHhpR20bgQyirXaxVVM Neef7k6jI+Ff+VRPdSLom7MQsXoCVHQeStdPfKnvma2ILmgCzhEKZlBE7Ph4Di6R IkaYtjJFS1vGNoIH0DGalfrdSC+TTaXflDR/lE/bKvCE97bBUVW56WsbssNPDRcO GWRkJ1ax/gYGb9hvBxv+VgaspMgnP9l2kc2fs2fM3aQqZd3TFURjwOdrztkFj8Fl UFm/SNuzEVOva1on2eyjFUNpAq6DzAQYGFo47KHkU55Eo8i+RO7rfQoeY8EaKKMT m4+veMSn/nHw46PAvKbTxnx5HPURbEnv/l0nu6tk2baCzuJRetXb1u0pCRa05dqD lg4TfQohdAIVK0RyWtuvMOTTSA4VlR7xhzVhXeBXgpXSMg4QZzK1uyDxdb3uW4Z1 ZVmD6Rdsq9ODI5RlIevO6cpBTeSZht55yjfBLa6Pd9KtxSm4tpOUiG5cTU1IWISa EJm/7Y6JXPY6dauFo538OIZZuif5Ofl3XB7jBD+ZhU8Tiz+qnHH/gAvAHZc9r5zC waZMM3ug8lO+/pIRw93aCz0om1+q8TANleHaSthPoMi1d90em+szbx4um/iFuRev BFLONb60WCrcpSrXXJ9KhngBwM+coBgHNvuN0hzMSZVH6FUFcIWm+nv2qp91Vz5y ZUw7XeDZ8BxRZM7o/K7Ec6LfFN2sRW7z1LVG8eLkSvn2WRXSTkpb8ba7H/umf3qJ PO7k7SYjMRKAZDWTLqHrmd0vxRMos1R0xL9tkQ7FOwHlpI4vC1gIFVVEm0qG6ckp D8uuoQfOnHM0ihoD3r0m2AOqQ3OszvFZvUqiS3RhsWrtG2FTXtblOENYvUxWs8qA 4iGBbWvALqqE+5i2oOIRBICwOfKWhm/YUNKm62XA6nlW5xNbb1lMHokwnPmmSKUQ PpWnLsDESvs= Extension name: da0sa18f ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/370DAAA3E87F026B

http://decryptor.top/370DAAA3E87F026B

Extracted

Path

C:\83244k9s-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 83244k9s. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A07EF0413F32E7E9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A07EF0413F32E7E9 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Xgf97e1A/FFl94tr/WQWvfrJ1Xn5U2H+7zy8hiY3Qp6YWjy9ko6Rq//NLCIloeH0 uGrXteI6Bkx08rtnKo6LCMwm6u7/4JniWMdPJsPhL7MJ6ZOyGQVtG1JydTC3pn7h tyFjoeQH31Z9FgB3pdasqHrZSE279RJxmqstV0vfDO2iG40XiepCyleBRTkmbXHp APiPyAENP9CeHcZoX495OsHch41JffzMgj00O1a6wndIvZQUMp6eMPsqzX0Td7ks ZugJbHgxb6sWhpHVgEJqAJq5+yW1HcfqDITe1u17mh4xuAPuaohO3ZQAuwNyPJDH rCh0h3hZrku+Hkq9hAW02IvvpU3q5rWmf9fZaO+MNy02D/xbdY+Dhmj+qFiXWIM6 9HnjNM2A+9aYyGDDqsJZC1Q0N8STycsFONaQ/hwk5JCWlMqkpzGSG+d4RnrPG7+j KNhn0zawRlLO6S3IMW1WH9SaD4CovK6KCSJgThxGUG6azOSlCu/hfOtwJO8atY7e 5IEy8/5u3kUSRYJI8D/8+rwBjoOPnmvRFeVUoHoH2gqXlxMjpXYlVV+x1KcuL9xh dWKi3Sl8r9h21IK3M89o9Z0KFyYD0vs6+ycbBHmohr+gyd96QcqUvvYiI4/4Gcdl 3dR8SIS9nGJY95VIWgHkTVN0ZeE5BXoBQGLeN9iPUa43yB30FwcPgHyJKcNXWoC1 8jinBIPfjzrElqEb+f6PpKGqp8r3miAy256/g7Xc9l5B7e7NbORmKO4PUpr8qvQe gt3MidRdBYEynXYzf/dhkIsnPnkmMni4h/MmePyvX8xC6TyIEbiDHjERg2Uu55OV MKKIh5gOHIBYxwVe9ylhjLSbjXNGHqyct1oEtJ9G6i2r81ANVF7R8lD6CysPm5Q6 C3S4ZPuziq1vW8+S2+AEHcJvlVN2qaHkRt+lgQ6S3hOG/3Vg3+cUTpTcam8a6qzy x/Ok1Xazl115y9fkLrtbJM2zah63ghSmWw4j3YkSbo9xfTcfCAn/fw2JeUyJc4+X Sie5pjSG0DTLALuSlhETebl51fOp67yIVbXMqTK4XqOYGKdSIWvogmN7MmV7YqpB aUEyW02/JDD0/eScltgc0C62L1Elj0mXoY8IYhquuL18RqvaoFV+5TLpKJj+HT3F Extension name: 83244k9s ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A07EF0413F32E7E9

http://decryptor.top/A07EF0413F32E7E9
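
Both extracted notes follow the ransom_template above with three per-victim substitutions: {EXT} (the appended file extension, also used in the {EXT}-readme.txt filename), {UID} (the 16-hex-digit victim ID on both the .onion and decryptor.top URLs) and {KEY} (the base64 blob the victim is told to paste into the portal). The following parser is an added example, not part of the sandbox report, for pulling those fields out of a readme found on a host and sanity-checking them. The sample note is constructed: it reuses the extension and UID of the first note above but carries a short dummy key, since real notes wrap a roughly 1 KB blob across many lines.

```python
"""Extract and cross-check the per-victim fields of a Sodinokibi/REvil note.

Added example, not from the report. Regexes target the note layout shown
above; the sample note is constructed with a dummy key (base64 of 0x00..0x3f).
"""
import base64
import re
import textwrap

ONION_HOST = "aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion"
CLEARNET_HOST = "decryptor.top"

# Constructed sample note: page's extension/UID, dummy key wrapped at 64 chars
# the way real notes wrap theirs.
DUMMY_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_NOTE = "\n".join([
    "---=== Welcome. Again. ===---",
    "[+] Whats Happen? [+]",
    "Your files are encrypted, and currently unavailable. You can check it: "
    "all files on your computer has extension da0sa18f.",
    "[+] How to get access on website? [+]",
    f"b) Open our website: http://{ONION_HOST}/370DAAA3E87F026B",
    f"b) Open our secondary website: http://{CLEARNET_HOST}/370DAAA3E87F026B",
    "When you open our website, put the following data in the input form:",
    "Key: " + "\n".join(textwrap.wrap(DUMMY_KEY, 64)),
    "Extension name: da0sa18f",
    "-" * 70,
    "!!! DANGER !!!",
])

EXT_RE = re.compile(r"has extension (?P<ext>[A-Za-z0-9]+)")
ONION_RE = re.compile(re.escape(ONION_HOST) + r"/(?P<uid>[0-9A-F]{16})")
CLEAR_RE = re.compile(re.escape(CLEARNET_HOST) + r"/(?P<uid>[0-9A-F]{16})")
# Key blob runs from "Key:" to "Extension name:", possibly across line breaks.
KEY_RE = re.compile(
    r"Key:\s*(?P<key>[A-Za-z0-9+/=\s]+?)\s*Extension name:\s*(?P<ext>[A-Za-z0-9]+)"
)


def parse_revil_note(text):
    """Return the victim-specific fields, raising ValueError on inconsistencies."""
    ext = EXT_RE.search(text)
    onion = ONION_RE.search(text)
    clear = CLEAR_RE.search(text)
    key = KEY_RE.search(text)
    if not (ext and onion and key):
        raise ValueError("note does not match the Sodinokibi layout")
    extension = ext.group("ext")
    if key.group("ext") != extension:
        raise ValueError("extension in body and in key block disagree")
    uid = onion.group("uid")
    if clear and clear.group("uid") != uid:
        raise ValueError("onion and clear-web UIDs disagree")
    # The blob is wrapped with newlines/spaces in the file; strip before decoding.
    key_b64 = re.sub(r"\s+", "", key.group("key"))
    blob = base64.b64decode(key_b64, validate=True)
    return {
        "ext": extension,
        "uid": uid,
        "onion_url": f"http://{ONION_HOST}/{uid}",
        "clearnet_url": f"http://{CLEARNET_HOST}/{uid}",
        "key_b64": key_b64,
        "key_len": len(blob),
        # Matches the ransom_oneliner: "Find {EXT}-readme.txt".
        "note_filename": f"{extension}-readme.txt",
    }


def note_is_consistent(text):
    """True when the note parses and all cross-checks pass."""
    try:
        parse_revil_note(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fields = parse_revil_note(SAMPLE_NOTE)
    for k in ("ext", "uid", "onion_url", "key_len", "note_filename"):
        print(f"{k}: {fields[k]}")
```

Point it at every `*-readme.txt` recovered from an incident: the UID is the per-victim token to search for across hosts and proxy logs (the two notes above carry different UIDs, 370DAAA3E87F026B and A07EF0413F32E7E9, so a single infection can leave more than one), and a note whose onion and clear-web UIDs disagree, or whose key blob is not valid base64, has been tampered with or is not this family's note.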

Targets

    • Target

      a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb

    • Size

      164KB

    • MD5

      4c7f8b8be38b8e86b8e9b2bddafb0907

    • SHA1

      d6576ba929b699a46f05f19b4cab0bc8da2cb775

    • SHA256

      a277bdefa362724b8e70cb1560836a255064cb360db1b178391773a0d3543cbb

    • SHA512

      afd93d45ea0cd7a5cdd71d74ea36654e3106bf0bfa33d06374ddb81852ad9e82054acd1243f8beb8830b30eba99a5913a8919483d3cbb050d71ec53a8ec84607

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks