General

  • Target

    96a7ff0cff1bab41392844816d1277a9946fd1941ce160b8335321aed328d248

  • Size

    115KB

  • Sample

    220124-bxvp6sheeq

  • MD5

    eac91fd727e02264e06be76d23d7b1d8

  • SHA1

    0e1b850017812402b82c9c403e145a697a9d1462

  • SHA256

    96a7ff0cff1bab41392844816d1277a9946fd1941ce160b8335321aed328d248

  • SHA512

    9942ed7c74fee157cb7cd87ff503374b26fb6c619c77a1c1d4e3b3b8facaee05975e03ef621816a86ee527aa727b8d56802d5d61460a02d12755991df5465ff9

Malware Config

Extracted

Family

sodinokibi

Botnet (config field pid: the affiliate identifier; the bcrypt-style string is an opaque ID, not a credential hash)

$2a$10$h9OyxLaaNd2qtche7GKmVu/9hec2d7FO3.wq9U5jRDF9d59hoit.O

Campaign (config field sub)

312

C2

maasreusel.nl

wurmpower.at

sofavietxinh.com

slimidealherbal.com

vdberg-autoimport.nl

plantag.de

digi-talents.com

mylovelybluesky.com

sauschneider.info

platformier.com

westdeptfordbuyrite.com

odiclinic.org

delawarecorporatelaw.com

bingonearme.org

hotelsolbh.com.br

lukeshepley.wordpress.com

ussmontanacommittee.us

international-sound-awards.com

judithjansen.com

plv.media

Note: these are the config's dmn entries. In this family they are typically compromised legitimate websites that the sample POSTs infection statistics to when net is true, not attacker-controlled command-and-control servers. Treat them as low-confidence network indicators: blocking them does not stop encryption, and the same domains appear across many unrelated samples.

Attributes
  • net (whether the sample beacons to the dmn domains above)

    true

  • pid (affiliate identifier; same value as Botnet above)

    $2a$10$h9OyxLaaNd2qtche7GKmVu/9hec2d7FO3.wq9U5jRDF9d59hoit.O

  • prc (process names, without .exe, terminated before encryption so that open database, mail and Office files are not locked)

    ocomm

    visio

    ocssd

    msftesql

    thunderbird

    agntsvc

    isqlplussvc

    veeam

    dbsnmp

    msaccess

    wordpad

    sqlagent

    encsvc

    mysqld_opt

    infopath

    mydesktopservice

    winword

    sqlwriter

    sqlbrowser

    tbirdconfig

    outlook

    mysqld_nt

    thebat64

    powerpnt

    sqlservr

    ocautoupds

    synctime

    mysqld

    xfssvccon

    onenote

    thebat

    mydesktopqos

    firefoxconfig

    mspub

    oracle

    sqbcoreservice

    dbeng50

    excel

    steam

  • ransom_oneliner (text rendered onto the desktop wallpaper; {EXT} is replaced with the per-run file extension)

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template (body of the dropped readme; {EXT}, {UID} and {KEY} are filled in per victim at run time)

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub (sub-affiliate / campaign ID; same value as Campaign above)

    312

  • svc (services stopped before encryption: backup, database, shadow-copy and AV components)

    veeam

    mepocs

    memtas

    sophos

    vss

    sql

    svc$

    backup
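
As an added worked example (not the sample's code and not part of the sandbox output), the script below loads a config built from the values above, turns prc and svc into matchers, and runs them over a handful of constructed EDR-style events to flag the burst of process kills and service stops that this family performs just before encryption. It assumes prc is compared case-insensitively against the image name without .exe and svc as a case-insensitive substring of the service name, which is how this family's configuration is generally described; the event lines, actor paths, window and threshold are invented for the demonstration.

```python
"""Derive a process-kill / service-stop burst detection from a Sodinokibi
config and run it over constructed events. Added example, not sample code."""
import json
import re
from collections import defaultdict

# Constructed from this page's "Attributes" block (lists shortened).
CONFIG_JSON = json.dumps({
    "pid": "$2a$10$h9OyxLaaNd2qtche7GKmVu/9hec2d7FO3.wq9U5jRDF9d59hoit.O",
    "sub": "312",
    "net": True,
    "prc": ["veeam", "sqlservr", "outlook", "excel", "mysqld", "thunderbird"],
    "svc": ["veeam", "mepocs", "memtas", "sophos", "vss", "sql", "svc$", "backup"],
    "dmn": ["maasreusel.nl", "wurmpower.at", "plv.media"],
})


def load_config(raw):
    """Normalise the fields used below. Assumption: prc entries are image
    names without .exe (exact, case-insensitive); svc entries are matched
    as case-insensitive substrings of the service name."""
    cfg = json.loads(raw)
    return {
        "affiliate": cfg["pid"],
        "campaign": cfg["sub"],
        "beacons": bool(cfg["net"]),
        "kill_procs": {p.lower() for p in cfg["prc"]},
        "stop_svcs": [s.lower() for s in cfg["svc"]],
        "domains": set(cfg["dmn"]),
    }


# Constructed EDR-style events: (timestamp_s, actor_image, action, target).
SAMPLE = r"C:\Users\bob\AppData\Local\Temp\sample.exe"
EVENTS = [
    (100, SAMPLE, "TerminateProcess", "outlook.exe"),
    (100, SAMPLE, "TerminateProcess", "EXCEL.EXE"),
    (101, SAMPLE, "ServiceStop", "VeeamBackupSvc"),
    (101, SAMPLE, "ServiceStop", "MSSQL$SQLEXPRESS"),
    (102, SAMPLE, "ServiceStop", "VSS"),
    (500, r"C:\Windows\System32\services.exe", "ServiceStop", "VSS"),        # one-off, benign
    (600, r"C:\Windows\System32\taskkill.exe", "TerminateProcess", "notepad.exe"),
]


def matches_prc(cfg, image):
    """Exact, case-insensitive match on the basename without its .exe suffix."""
    name = image.rsplit("\\", 1)[-1].lower()
    return re.sub(r"\.exe$", "", name) in cfg["kill_procs"]


def matches_svc(cfg, service):
    """Substring match of any svc entry against the service name."""
    return any(s in service.lower() for s in cfg["stop_svcs"])


def score_actors(cfg, events, window=60, threshold=3):
    """Flag every actor that hits at least `threshold` distinct config-listed
    targets (processes killed or services stopped) within `window` seconds.
    A lone service stop by a legitimate tool stays below the threshold."""
    hits = defaultdict(list)  # actor -> [(timestamp, tag)]
    for ts, actor, action, target in events:
        if action == "TerminateProcess" and matches_prc(cfg, target):
            hits[actor].append((ts, "prc:" + target.lower()))
        elif action == "ServiceStop" and matches_svc(cfg, target):
            hits[actor].append((ts, "svc:" + target.lower()))
    flagged = {}
    for actor, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            distinct = {tag for ts, tag in items[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                flagged[actor] = sorted(distinct)
                break
    return flagged


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    for actor, targets in score_actors(cfg, EVENTS).items():
        print(f"{actor}: {len(targets)} config-listed targets -> {targets}")
```

The threshold matters more than the list itself: a single "net stop vss" from an administrator or a backup agent is routine, while one process killing Office, mail and SQL processes and stopping backup and shadow-copy services inside a minute is the pre-encryption pattern this config encodes.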

Extracted

Path

C:\uyhh5c4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion uyhh5c4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EDEA52C5E7300F91 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/EDEA52C5E7300F91 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: LZr+u9od1+7uDHpD7/huhDHHhkg1KXKL2vcUhiuBqzaIfuHxDXjtT4MmU8GmW3dn 75QXsdtbCGhtT+XGrI+PyXvt21FEDx/QzZ6FrgvPK2TSpTA2v27mDrh4uUlPDjQG 56GpWWipKXA0mIRaQi4PB5F69j3WlzC9DUICw9Kc4fyw0YjynubczOSMoLS2gnwJ K9eigK6bPYtiLIaIIipu4A2fuAhSzuyl5xiGs1CVt+oR0wZ0f7tEpY5Fq7D3/tSH 6HzJUbOnaD1SJ7gMYOT3jAOKxmPE6/ljVojMBHITAELaKaQGrSCwIebF6aT0jPBc 5zNG7EXL/LWl4wbEl3IY0QaiaAJCaEMLwG0huwglfOC58R3nMVbiYwagf4L1B2xL GWdN3CxAtR5NlGHZbCH13GpW2Xx5+jD6maJhsZN4swhvvTFjiw8TD2L3AEKJ8nYV sji8HfU6CX/5OUSFuZZ5H/SeRQBWmA47WzMyhg4kRTn7X02gfkNmc773fJEsuqYJ uz35lvPpRc2OmjD/ZhWSWoOO45DeScjQjqVT23PpqWTrbpidx/pIcUs/wxedKX3f NNo7ZsCzv8F7aC3uONxdbk7Rixe9s8JjmdEsMgRc98fEwkreQ6imV3xlaAir7J0/ p0aSZyhUmHhT9ii+pR037feSjUOlRUusaunyESBIst2ExnkWvHFyJdF1TGcwxUdF 6poh1O5WjNkl1656zg2X4XKIGF1nLRqRbYNuBqjr5caXDtDYYVaV0oT1gxoigwx7 uozvp4mXEOzq4ltBG4lmT2oIVc5n5MYplehRtvTygRovZ3pMoO5qmkRq50/ovIlk cpyhcEdhpvhdFcTiam5u7DyMi4peDIoV2SAKWbyd5P4RA7KWNVnVdW9bOZbcmz/g wPaHnZEK7QrlN0NLw5lrcw/1NAjwuldkYT8IAplRJ3f3OVzUaKJrAYVp4kYWN5B2 ea+ZRsafT5KKV7cSaHEAttYrQttFI4Rru+tSQ4BHkQhW4+q7olbvi9ErjJxRcMKj RpJrMTbr4KPfIvx1kxUc9JwLjHLlavU+14CuU4sdCWG6eztHMQXSP9pf9Ipj8les yxryySJeTcIEvCb/aSEwUItAMhFzRaplKui8ox5l9us46n3mOkJ6yGKqlf3YZyjz Diwu2M8l0dykVz+Hl18xFdC+k+uz82Wwd3BEToaDpKCpIkBODxopH4k8b5w+Y4Yb ZRwMVzEvxvPbsAXjvbq/8SD4ATPdc3ZJVAfAFT+g8OUYwh8YZokVW6gGmdnsZNLC wZ9nWcmKOdLQo4JljxRFUtwTZR+gYDo1 Extension name: uyhh5c4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EDEA52C5E7300F91

http://decryptor.cc/EDEA52C5E7300F91

Extracted

Path

C:\37204vx-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 37204vx. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E2E95C50E81A90DF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/E2E95C50E81A90DF Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: c79r1hySElz6NeHjMXhgowT5AECHI3cpmtHMni3g6iH9Mb8KyOZzMWD8Jbjqk5q8 TsilSC5zqUVqFYMjwhtjZIY2oSL4LzxylWxd+9GHe/epfB6F1GAF+5OjmbJq06Jz A4qBdbnyfLWOV70JMDbjWp2rM0MaYEZnGrL5Brbm5J+hSNDV6OjD9XyG1SHaPuGX UShXAoTjfZ6LE8IULYg8IekEontg3b6eNFk2NqOiyv6vTGghnoobLHKJqk6h54wS 5WFVZe0jixM2wHknRrsGqUHVmPpkh/incDmnI2jTrObzO0sIwnWpcp/wU1HDYhqo hNA316czOZzYv8lewSAMmHwuU5SO0VJV8YGwIeqnYbeMzXXb6+yg/wZhw+x49acm 32ZrdtVzAP06Vozn38AvUTPwkRqX3pErl4uNy+EBPbl6K0+aavwOow0ypTB2cehq nZkMvqYKNKtUIpn81KaYwFvMNFTBb9KuS3Mg7ouFWBJrATqItymkrnjol75gcgUC 9rPr2qUfcfGU8GKVAopCrXB60h9IUh4SX8y7vYHNSx3BKV7n3MpExuasI/wr6rsK 3TAOFih6jkxDDREnIoxOMrfOrEObatowYKyJThQ+j2o59hf+w2JZ7tRDeEFcbhGY 46ttPdMksl90ojG464im8zBSGOCV8NK3JMvPjTYjSaTvLdch5pvoKEhTWawlN3Qp raeZb1mujS5I4ObxVwIhRcpmQ5pxxzAZdX6z2NscLUPPDFs4E+HwHEdymDM1PsQA sPPgM/I70P38m7n0m+lpSmAftwwz8ZSHa+zQvXnUHGUYX56KnohVlQpjRcObjld4 mpVzxjG+Lsxe5FZfxw5n5NeuoZR/nggOa0JloQstvz0tuG9vMw5yHU7BSkD1SV/P PeACIe/89FCvWM10Ag9vqQpwwW02XxO1GbfM1Vnz7M+Y2kxZXzbHiwC4vCy5KWy/ zy2zzQ/oZ3t51tO4sHM8x/+u4oPUVvPoLTx1KKPcKtEssgKVqtlp4/mH15eOmLN3 e3ExuYT1vTNjLBnLS/9aHbM4V6vILI6aHEpIAQ6LFAS+Ys9eNKfGN3pUsQ5HgFps utclX1jjlnKYzY8+713nh5eJLGY0FYL84IeG8NEhhI2KYX7UiLuE9eWLgsGg1Bee XUN1rse7aY0e2FpI4OELe+3Kq1zRbJlINZXg66eScFOv4w55lHHYDtbVbERitBvK Yuc1LzmjOSE0H7gUvGZsFlEOCJv2HMZtB6kKnWjXSrzXpCmyLn7xuRuGQ257if21 WOApq9td7QndmbhRfyxvNQ== Extension name: 37204vx ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E2E95C50E81A90DF

http://decryptor.cc/E2E95C50E81A90DF
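
The two dropped notes above are instances of the ransom_template from the config with {EXT}, {UID} and {KEY} filled in. As an added example (not the sample's code and not part of the sandbox output), the parser below pulls those per-victim fields out of a readme note, validates that the key blob is well-formed base64, checks that the extension in the prose, the form field and the file name agree, and compares the two notes. The NOTES strings are constructed, abridged copies of the notes on this page: the prose between fields is elided and each Key blob is cut to its first two 64-character groups, so key_bytes is only a prefix of the real value.

```python
"""Triage parser for Sodinokibi/REvil readme notes. Added example, not
sample code; NOTES are abridged copies of the notes shown on this page."""
import base64
import re

NOTES = {
    "C:\\uyhh5c4-readme.txt": (
        "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are "
        "encrypted, and currently unavailable. You can check it: all files on you "
        "computer has expansion uyhh5c4. ... b) Open our website: "
        "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EDEA52C5E7300F91 "
        "2) If TOR blocked in your country, try to use VPN! ... b) Open our secondary "
        "website: http://decryptor.cc/EDEA52C5E7300F91 ... Key: "
        "LZr+u9od1+7uDHpD7/huhDHHhkg1KXKL2vcUhiuBqzaIfuHxDXjtT4MmU8GmW3dn "
        "75QXsdtbCGhtT+XGrI+PyXvt21FEDx/QzZ6FrgvPK2TSpTA2v27mDrh4uUlPDjQG "
        "Extension name: uyhh5c4 ---- !!! DANGER !!! ..."
    ),
    "C:\\37204vx-readme.txt": (
        "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are "
        "encrypted, and currently unavailable. You can check it: all files on you "
        "computer has expansion 37204vx. ... b) Open our website: "
        "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E2E95C50E81A90DF "
        "2) If TOR blocked in your country, try to use VPN! ... b) Open our secondary "
        "website: http://decryptor.cc/E2E95C50E81A90DF ... Key: "
        "c79r1hySElz6NeHjMXhgowT5AECHI3cpmtHMni3g6iH9Mb8KyOZzMWD8Jbjqk5q8 "
        "TsilSC5zqUVqFYMjwhtjZIY2oSL4LzxylWxd+9GHe/epfB6F1GAF+5OjmbJq06Jz "
        "Extension name: 37204vx ---- !!! DANGER !!! ..."
    ),
}

# One regex per field; the v3 onion address is 56 base32 chars, the victim ID 16 hex.
FIELDS = {
    "extension": re.compile(r"has expansion (\S+)\."),
    "onion_url": re.compile(r"(http://[a-z2-7]{56}\.onion/[0-9A-F]{16})\b"),
    "clearnet_url": re.compile(r"(http://decryptor\.cc/[0-9A-F]{16})\b"),
    "key_b64": re.compile(r"Key:\s+([A-Za-z0-9+/= ]+?)\s+Extension name:"),
    "form_extension": re.compile(r"Extension name:\s+(\S+)"),
}


def parse_note(text):
    """Extract the per-victim fields from one note; None where a field is absent."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        out[name] = m.group(1) if m else None
    out["uid"] = out["onion_url"].rsplit("/", 1)[-1] if out["onion_url"] else None
    out["onion_host"] = out["onion_url"].split("/")[2] if out["onion_url"] else None
    if out["key_b64"]:
        # The note wraps the blob with spaces and nothing else, so decode strictly.
        out["key_bytes"] = base64.b64decode(out["key_b64"].replace(" ", ""), validate=True)
    else:
        out["key_bytes"] = None
    # Prose extension, form field and the clearnet URL's victim ID must all agree.
    out["consistent"] = (
        out["extension"] is not None
        and out["extension"] == out["form_extension"]
        and out["uid"] is not None
        and bool(out["clearnet_url"]) and out["clearnet_url"].endswith(out["uid"])
    )
    return out


def compare_notes(notes):
    """Parse every note; report whether they share one onion service while
    carrying distinct victim IDs, and whether each file name carries the
    extension named inside it (REvil names the note <EXT>-readme.txt)."""
    parsed = {path: parse_note(text) for path, text in notes.items()}
    hosts = {p["onion_host"] for p in parsed.values()}
    uids = {p["uid"] for p in parsed.values()}
    names_match = all(
        path.rsplit("\\", 1)[-1] == f"{p['extension']}-readme.txt"
        for path, p in parsed.items()
    )
    return {
        "shared_onion_host": len(hosts) == 1,
        "distinct_victim_ids": len(uids),
        "all_consistent": all(p["consistent"] for p in parsed.values()),
        "file_names_match": names_match,
        "parsed": parsed,
    }


if __name__ == "__main__":
    summary = compare_notes(NOTES)
    for path, p in summary["parsed"].items():
        print(f"{path}: ext={p['extension']} uid={p['uid']} key_prefix={len(p['key_bytes'])}B")
    print({k: v for k, v in summary.items() if k != "parsed"})
```

Two notes with different extensions and victim IDs but the same onion host is what you expect from two separate executions of the same build: the extension and the victim key are generated fresh on every run, while the payment site and the affiliate/campaign IDs come from the embedded config. When triaging a live incident, the UID and extension are what the operators key on; the Key blob is the victim's encrypted session key material and should be preserved with the note.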

Targets

    • Target

      96a7ff0cff1bab41392844816d1277a9946fd1941ce160b8335321aed328d248

    • Size

      115KB

    • MD5

      eac91fd727e02264e06be76d23d7b1d8

    • SHA1

      0e1b850017812402b82c9c403e145a697a9d1462

    • SHA256

      96a7ff0cff1bab41392844816d1277a9946fd1941ce160b8335321aed328d248

    • SHA512

      9942ed7c74fee157cb7cd87ff503374b26fb6c619c77a1c1d4e3b3b8facaee05975e03ef621816a86ee527aa727b8d56802d5d61460a02d12755991df5465ff9

    • Sodin / Sodinokibi / REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies Installed Components in the registry (Active Setup keys under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, a persistence location)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc. For a ransomware sample this heuristic usually fires because the encryptor walks browser profile directories; on its own it is not evidence of credential theft.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  Registry Run Keys / Startup Folder (T1060), 2 signature hits
Defense Evasion
  Modify Registry (T1112), 3 signature hits
Credential Access
  Credentials in Files (T1081), 1 signature hit
Discovery
  Query Registry (T1012), 1 signature hit
  Peripheral Device Discovery (T1120), 1 signature hit
  System Information Discovery (T1082), 1 signature hit
Collection
  Data from Local System (T1005), 1 signature hit
Impact
  Defacement (T1491), 1 signature hit

Note: the IDs above are from ATT&CK v6. T1060 was later folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1081 into T1552.001 (Unsecured Credentials: Credentials In Files); remap before loading this into a current Navigator layer. The matrix is also incomplete for this sample: the "Modifies extensions of user files" signature and the svc list in the config correspond to T1486 (Data Encrypted for Impact) and T1489 (Service Stop), which the automated mapping does not emit.
