General

  • Target

    96cf8bb1df1a1fa3bb88ee50610948c8318c95fcd3709fafa2763bf10148f925

  • Size

    165KB

  • Sample

    220124-bxtg4shfd7

  • MD5

    e9e3f043ee293f2e2e6687c2fdb66740

  • SHA1

    93b2fae615741cdd658c3dd701bb53f321284563

  • SHA256

    96cf8bb1df1a1fa3bb88ee50610948c8318c95fcd3709fafa2763bf10148f925

  • SHA512

    64fc206e87c5f4ecb9bb21de3e757eeaecf53fd8958104779c2a8f4bb1960d9af5f48f55f157fd05f38f87f051d51cf3e0388b767c01cb96b666689e7f2eabad

Malware Config

Extracted

Family

sodinokibi

Botnet

37

Campaign

2976

C2

Attributes
  • net

    true

  • pid

    37

  • prc

    onenote, dbeng50, mydesktopservice, sql, dbsnmp, msaccess, thunderbird, ocomm, synctime, agntsvc, mydesktopqos, steam, powerpnt, thebat, isqlplussvc, mspub, winword, sqbcoreservice, infopath, xfssvccon, excel, outlook, oracle, wordpa, encsvc, ocautoupds, visio, firefox, tbirdconfig, ocssd, vss

  • ransom_oneliner

    All of your files are encrypted! Find how to decrypt {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    2976

  • svc

    vss, sql, svc$, mepocs, backup, sophos, veeam, memtas

Extracted

Path

C:\How to decrypt sw2zijzc-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension sw2zijzc.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EA1888CFE72699D

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/4EA1888CFE72699D

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: [base64-encoded key blob omitted]
Extension name: sw2zijzc

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EA1888CFE72699D

http://decryptor.cc/4EA1888CFE72699D

Extracted

Path

C:\How to decrypt 9u0830-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 9u0830.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D042C8E40E847951

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/D042C8E40E847951

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: [base64-encoded key blob omitted]
Extension name: 9u0830

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D042C8E40E847951

http://decryptor.cc/D042C8E40E847951

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder, T1060 (1)

  • Defense Evasion

    Modify Registry, T1112 (3)

    Install Root Certificate, T1130 (1)

  • Discovery

    Query Registry, T1012 (1)

    Peripheral Device Discovery, T1120 (1)

    System Information Discovery, T1082 (1)

  • Impact

    Defacement, T1491 (1)
