General

  • Target

    6cff57ed233dd9083464ccc23c0a59df300c8a0aece0d3651e5c9e7984c937fd

  • Size

    115KB

  • Sample

    220124-capfbahhe4

  • MD5

    da50c8e2aeeecc39e8ae49cef8271733

  • SHA1

    768d0597775446938114e0b5f1ad74b7c51b2a5b

  • SHA256

    6cff57ed233dd9083464ccc23c0a59df300c8a0aece0d3651e5c9e7984c937fd

  • SHA512

    adf77baf9095cd1be5a9a2639978e9b1150485d08c09d8146645930528e552bb1329467cc4e70901c17faee0b734b849d5ef83feb0da760ef7d636d75e1c4786

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$nWPIRSot/CckTPp00tnXQOFn2NS9abxBEdAbLQPH5CRiCW8.CQOuG

Campaign

3382

C2

Attributes

  • net

    true

  • pid

    $2a$10$nWPIRSot/CckTPp00tnXQOFn2NS9abxBEdAbLQPH5CRiCW8.CQOuG

  • prc

    powerpnt

    winword

    ocssd

    onenote

    sqbcoreservice

    encsvc

    outlook

    oracle

    dbsnmp

    xfssvccon

    agntsvc

    dbeng50

    visio

    thebat

    mydesktopservice

    thunderbird

    msaccess

    mydesktopqos

    steam

    sql

    infopath

    firefox

    tbirdconfig

    wordpad

    isqlplussvc

    ocautoupds

    mspub

    synctime

    ocomm

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3382

  • svc

    sophos

    sql

    svc$

    memtas

    mepocs

    veeam

    backup

    vss

Extracted

Path

C:\jc30bk0o7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension jc30bk0o7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9D7786AE1D7FC38 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B9D7786AE1D7FC38 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: TqbG19SPTOnGFdTw1RVYbeOdS7Z7j7EN6fo/BxArVuCFNQFUKk2GpvqBUnyhMLpC X/c6iOAvemIegdeRmV5E4yt8HxjZ+3j6fm1A4V2sUdQIf5X2bDzA77AwDEEqZHSG CxamwdmqzHXhuiye9kmPbsBeF7QF1bKVaEG8vMY5xVDhEBizA7r/eB+vpS9tu20r qF8DNhy/v/7hWug3qIQsYtarvc9ySwhTlD6nxlCnBaOZFBf//Vdg6dpFBSxlPCh3 gCgxC0tVgX/wcyDtqA4QBjHyjJHSg17jZtJEHl/OTkIyg7Xh2QxRU23jtqzQNsYw sRC8xBbGMo4OtBGVLnaGorVtft1otGL54yCTshwjXq1uNzmdHob75OcvcYZJoUP+ sL0LjLIX6i9jnswz8PQVd1s8U+3FVy7EIFpE4GkP130EazPZzudLuw1r8OE+G9+U Oy12b2IFa1zO7LbqTT/Tr20BG8VpQIuef2+iBIH+rnWX7ye8i2Oapl0vRtBwsKpG 3LFFpvYrKxDFx6xa0bbHsJt6FLIbZzZUGumHyCyWsrvSudMkRfGgoia5QyQ1VKJK 9DQW+ZoFpVoGuPS+Q3cce0xh4jEQLin8eDY5Lv1pEfGhRGw5XiRnH2x+JhH693gg /C+4sGt9s6H5jAyNp9hsHuR4n9XicdjV3kfiJKeCuF/oNRZwFYhvREPGwecdsdZa 8SQn8YB9pF7fi/J1eXqSjQX2NNCC3YHqN2IIJHo2obt8f00tzQYw5wAI3vsSVEz5 yoDdK19wcuPvj6wPOACsilDAbUdJjXlTSczb0nLRk1WiXgwi9xP9Bi9z7jfwZ0DM sQdpYe95wEmqdQ8FDLH3Iltz5+nkmy4qNBvdDGDA2Q2LmuKkKQfIGRMeLKkeWXiD llfsPlXteNYcSa3n6txVDm1sb30EJN7Shp6MyaKL7ntkZOlgrEbfkzhHfPoEVzEa LvulTcUrA/4Oo2KCxviZ1rtc++eJRDzfZDH7F6zVDxtc90qmbMrAJR26/4OH5CNz w47vVvG/F4P+4yuocF9q86/geOz0CeEdXGoFPbJe4YkmaYi4cqdR0wBqRwuw8q6K r3akAG+a4uyffGI/uySn/sS711Crk37WVCqA1mDJhbL9HcdXM6ut6lpLjgxc4Nli 5A5rI9PFwfw327Zyp3Nttb7NLcWwlIvoAE7BTGiGZxM2bOz0cKAkfKR7YaWlfx8K BPt1R1PVCxRIrkK4w7xhZUtUGebwE/WAGToxHOA3ixl+zVvbqPd6HVGmtnMdemb1 nESVNVQ28ig9Ho0H9GeMMeLTNQwyjcQxP+d5OH5i ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B9D7786AE1D7FC38

http://decryptor.cc/B9D7786AE1D7FC38

Extracted

Path

C:\6u028f6-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 6u028f6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C33A1DF3229395B9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C33A1DF3229395B9 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: TDqXwcZT4VwKYTm2PYJxw5z3Y2dZAGW8awA44bR5v7Zix8YeyVlzA36OqD046UBW Allaf9nL1avGFNPnejr1t/U8hep80QVzsQWyJbyGX2oF132bCHDY0g30Yazw8CWJ 5qdGiET9LfzQcDDRATp+VmM0Zp+FcqJdQ1y3gLssdj60DaA2BA7NO13k5enFfMKD YTvU2s1eJeNNeDXPTNMkgd5xVVeXpsq/uJxqqN3Afw6sNsXwM9QtlRpXyjqartWn iJyRSnyMZ54fXrNaxNKMa1BGlRfuyR9FfUwUJh2Lh+tktMpBnsyYY4Lnj5KUVEeR 0D3C18AAScM1SK9exnn4HEELRYTUGbU7L4A6ZvdI5PVU2FIxEfk9hQO2lk5vrsMw 8/wwfQhCPvncNH5BYqQquH96At2mpRW/wbPwBqt2GbMy6trI2ULJL5GOcDfRzFZ0 i3tFdALLiRXv8tBrWVy00+ECMPWhMMYTeCvFr3GyqndH0QEcIPydmqN7ICl1R9PB KDmAHKlHfaehyAAZlvA2sYZNsRjBgG/myeOzTKQP1ATq7rzeDWY+g1P4baYci1a/ QxU6JVEHtKG8jTSMKWFy7IeWOqpSyFxs/t4qcjIQMF3ySFVdWykyx+7D9ldELJlW SVQ7CtIXDZkdJODGKCWlvX9kPi5sJr6cLz+xvOOvaupIJJokquk/bJ/5AuE4g53h uClSXHGov2FdBbP1+jBOdP0ji6YW7RMQOdZAvXbCJ+/aByxN/sxZed0dYHi/mliH 5Ea4L03IXa6HnHi+y4h6+k/acx1lOj7Bj/BOK2PNEbcRGgIWPOHRzxtMtZYcuvGi 8IVmwdtdvCTTpO7mGBmvan0VqlxvpjRNo/6JA1UBorM4pgvsi7FoJw0rvRRuNkEG 6sdKOWgsywgTdPrseSxpA/JJuDYApxo472Nbh/FxeTm8N8E3o+JZgMtsZ4PmsIT/ w6/zMSsqdNcSo8JQiu8V/euztS6/LTYZrMUuubGHJGIpxdGKR8PelBmWN/9g+R/g HkxMhpf7WdMjAR1RPNKvASgYzON7wAozRAIqAXVH8kiUGoyA5WpktNDVHdy0dM6X V6JNa2Hm3opBrOC/yv5nw7HFQi4AOUy24nqMhtFpdmC5sHG8BUKLUXdZSTvCpV62 158xnZ8BHYmRVTnMYBbCJwb8SSidjbnHIQGkFMZamoHNcJ7YSt7nqQHDRrbJtF3L AwvcZEYCIdBzU7rt95Tc4NuVKcEx+P1dJgG/Fck4qMlpHhWNy+jjPbs7myBAXsDI FrXbSOEirXQ3hy2iKzmP2v83 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C33A1DF3229395B9

http://decryptor.cc/C33A1DF3229395B9

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 2

  • Defense Evasion

    Modify Registry (T1112): 3

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 3

    Peripheral Device Discovery (T1120): 2

    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 1

  • Impact

    Defacement (T1491): 1