General

  • Target

    68d86762f004d1cfcbe2433b73036ccab0455117a2e04f66721ddefd4de39b21

  • Size

    179KB

  • Sample

    220124-cbgf4ahhcp

  • MD5

    956274df4e08be7860ebb9fbf4a75930

  • SHA1

    d28417b371ded8b26e8f29b27c02515fb6154224

  • SHA256

    68d86762f004d1cfcbe2433b73036ccab0455117a2e04f66721ddefd4de39b21

  • SHA512

    569a10c6e18b122e9e00768fe4443b1dbcc49e447bfbf239d5583cc6b3c862397fc75be8a2175e293ee05976899fff124b93d0c00adbd2d4530400b4ca585793

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

312

C2

envomask.com

lesyeuxbleus.net

yvesdoin-aquarelles.fr

aquacheck.co.za

wribrazil.com

pays-saint-flour.fr

ronaldhendriks.nl

brannbornfastigheter.se

hiddensee-buhne11.de

alcye.com

jdscenter.com

johnsonweekly.com

crestgood.com

berdonllp.com

aslog.fr

brisbaneosteopathic.com.au

mollymccarthydesign.com

prodentalblue.com

bluetenreich-brilon.de

bescomedical.de

Attributes
  • net

    true

  • pid

    19

  • prc

    oracle

    encsvc

    ocautoupds

    msftesql

    thebat

    mysqld_nt

    mysqld

    firefoxconfig

    xfssvccon

    sqlservr

    winword

    isqlplussvc

    mydesktopqos

    mspub

    mydesktopservice

    dbsnmp

    msaccess

    visio

    onenote

    mysqld_opt

    sqlagent

    sqlwriter

    sqbcoreservice

    thebat64

    excel

    tbirdconfig

    outlook

    sqlbrowser

    synctime

    infopath

    dbeng50

    ocssd

    wordpad

    agntsvc

    ocomm

    powerpnt

    steam

    thunderbird

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    312

  • svc

    sql

    veeam

    sophos

    memtas

    backup

    svc$

    vss

    mepocs

Extracted

Path

C:\a4p41-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion a4p41. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2B6DD2795C7088F0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/2B6DD2795C7088F0 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: uNlSzxD/RV/jhl/NVcvl7oVS3+6Eu3uqTHc3p+YqEgD2sPYmyGrim+ReIogYEfTY Crvz4BlVXQciFo6VqEKWsXa1Ua4qam+1whOzLhRBo3/uEiqzc52RGw0RuhBs9VuK C6onyFLS86uP8+dKZ7vH9ann0/Xi3Q/oA1zqTFN3FQHUtf8iFyOaplxEwgwhUXLs dww+pfbsY4jlHlMB+wGxWzBkqt/MwXFm3wsvDD2P9XW1LnLqBYo1fdYA4lolME5M XaVjNwjCFby/Hvv9l9pVud9i6x/yPyuMp/fffeVWynxH9elBJBlPz0jNyCYuVA6+ 8BjknUco4HLa5y6qt3PNNXanK4YMFcl/GChNQPEBYDbTh1junlU50UIFATCDVyM6 6vF/GtJlSU0/aI80sK18OQsraJueqcc83pjyK8dzwsLKhSh3N9vN3OHJomRXIXDU KFhafOLsoPFvpBAo+1D+audM9mtsRqZdQS/9SQbj70yeloBe+bzuA0Vy5sDoPim9 Kw3l5eGGDs2g48Fm4fNZ5klbD1tjRXcdhWy5HAx6W71/a5CoaQJPIoYNflkiTL5h trC8Xz+C9bZLk2xMBEZ/C/QAaY1xojs4xg2MgNlqtWxl8Q631OAGmqc16prQJ+kS p9fbvlL/U09aXhtzTTL1PglOG3glfC/2h5R5qUwdwSCLatDwQVgH9Wz9bL4MCafX dEx/Woqpc9JRhM71fqgeNGOGOwcqCCLjyaMd95JOs7kJvCY5bK1AgRfzET+dRDxP 10Lv9ADGR+gb8db1Y67o2/3W1Q+MoLhTagBjTOiVD5nSg2+npWz101F9S/F7zT0/ z/nOXXF5XA7D5r9zw+n3dmiilBk4xCrZjtxFmca2mcgZ4qK/mdOVJBPPVUFa5wLx c+1yWEylmGtl5SqWjA145EH3YIN+L5Jf6SqwS3yxIkOmY3/8O61zJ91OH+dUBaKh EAhQ9GLrxCs3+fj5RiZrojbEH5I2yg3P994Q43EKnK/zACOhUA/oio9+2Ria8ZN6 wDY/3EmwZVCE84faIS5DfBx+UWAFD5Dny9MJdUPTYmzjteuvGZCn72WR5/I/GPnh hZ93M3V+HJ2wFxHZNOBeb1/YpbjarLdNPpokSie11WRDXC/D6Pnjv3pqsC/xtHuc Extension name: a4p41 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2B6DD2795C7088F0

http://decryptor.top/2B6DD2795C7088F0

Extracted

Path

C:\cjghpt3jv-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion cjghpt3jv. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0D1EB62813A842D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D0D1EB62813A842D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Ez5mG48U/K2+s+zI+fUOhtf3DVvtywYozBc0F2CodpHlP0iTHVdeeeTS+3ayslpr 0iM19V2B6Oekhoje6FBEysYo+c3OOTyBWD9Vq4qttwwNo71lyfJRZIipXs3XplM9 Q63Oi7osNblZWXPNi0fWPirMuzfAIhLlbJREsnkHb7chmaM7Xn6NxDAWOmPXDjhP lzUu+iEP7tshvZolouUP+GmwTQ5sF+ou/lhGiOOFrF6xQpLkeU+KmRyNzbG9BKAy e+cKDg8RZr43kvYr4eGE/J9TPX9cQ0T2HFVet8k8uKlpEVn5NG+ECqmZDVf4mN/p IlLiNTX8isvlKAiGW9tbATPPGwukaagPO6y8T7SemVCgQH3/uCrr5u0uCAs09yvj X0qD4Ip4NUQ2+7LEYQ/VBnzgBkXtqkxlNqh86SAAZdGVW8SHhZyHCYTC2W+47iSF C5pH6+I2qP0EvLfSJSG9nZDvXGt9XeDYNr2EVfhnDuxDwsxz5KHcUitUBIoUESGe uqxzpNbho4M+zcsQMP1vsEXSc2PV1QE1IROXYrqbQxPT+SEHAZ7XGGeL1e1DN6Si rbDt2D8Bto8SbTkPthbNhE0o2hPp8RImxvGIMJsyRWpQ5yKBfHYl4Fotrwvlp79G z1yZ/formOnTlghFYV9h9X/6wPPJunJtVD5DKyrLm8+qz1TL2IEYFRXrF7P04yUf RLVOc1tT+X/5cy8e1oz/2QL7qVk8k0oDgEgv5TCtZ42FHtVseESi3Vdcvi2Te9gI LGMmUzZK9Tg8OUhOgeJyNPce39XWJyHYvzUSSQWJXpT/8ndn+jANfkIQyjpTQgIx dpWuAf69VVa2lnSlS8QxMrpwb3KY634d5STJf2wvERCWUyb/uboLvucOzPRSwf23 mJSR8ptKfcuo5KCdX4tfFXV/hqEAhbJucCfh+ewFe374excw69UadHJXZ0qfaeNk K7yA9Q3KV6YyaJ50E8psoee+ene0SkdsGhMiY0b1MZwYuDMuWhRFH7rTZory3T/s XjoZGTblZzOnuNKizS7EpKXsuf536vgu3wRcOesvJ8dh1hFALNJ3oZipQMpTS5Tv EOfeouYOKSXm9c4dbgqcXhjxkjY0OjIfmn6HXx69Scyhh3tfwpMEAfJDhVOjuBlU Extension name: cjghpt3jv ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0D1EB62813A842D

http://decryptor.top/D0D1EB62813A842D

Targets

    • Target

      68d86762f004d1cfcbe2433b73036ccab0455117a2e04f66721ddefd4de39b21

    • Size

      179KB

    • MD5

      956274df4e08be7860ebb9fbf4a75930

    • SHA1

      d28417b371ded8b26e8f29b27c02515fb6154224

    • SHA256

      68d86762f004d1cfcbe2433b73036ccab0455117a2e04f66721ddefd4de39b21

    • SHA512

      569a10c6e18b122e9e00768fe4443b1dbcc49e447bfbf239d5583cc6b3c862397fc75be8a2175e293ee05976899fff124b93d0c00adbd2d4530400b4ca585793

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique                             Count   ID
Persistence        Registry Run Keys / Startup Folder    1       T1060
Defense Evasion    Modify Registry                       3       T1112
Defense Evasion    Install Root Certificate              1       T1130
Discovery          Query Registry                        1       T1012
Discovery          Peripheral Device Discovery           1       T1120
Discovery          System Information Discovery          1       T1082
Impact             Defacement                            1       T1491

Tasks