General

  • Target

    65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

  • Size

    166KB

  • Sample

    220124-ccl3zahhh4

  • MD5

    9efbbace685671cc174a24989e4dda08

  • SHA1

    9234b5bd774ca12b0fe46ce74c80f1ea76d85600

  • SHA256

    65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

  • SHA512

    a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm

Campaign

3253

C2

pier40forall.org

sandd.nl

thaysa.com

completeweddingkansas.com

gaiam.nl

dpo-as-a-service.com

aarvorg.com

personalenhancementcenter.com

cheminpsy.fr

pinkexcel.com

rimborsobancario.net

deepsouthclothingcompany.com

ligiercenter-sachsen.de

webhostingsrbija.rs

marcuswhitten.site

asteriag.com

edv-live.de

levdittliv.se

vickiegrayimages.com

iwr.nl

Attributes

  • net

    true

  • pid

    $2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm

  • prc

    sql

    firefox

    visio

    mspub

    xfssvccon

    msaccess

    oracle

    ocautoupds

    tbirdconfig

    infopath

    ocssd

    excel

    thebat

    winword

    wordpad

    steam

    isqlplussvc

    dbeng50

    outlook

    thunderbird

    dbsnmp

    mydesktopqos

    mydesktopservice

    synctime

    sqbcoreservice

    ocomm

    onenote

    powerpnt

    agntsvc

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3253

  • svc

    memtas

    mepocs

    svc$

    veeam

    sophos

    sql

    vss

    backup

Extracted

Path

C:\gv0321-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension gv0321. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9A3CC6D3F664F39C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/9A3CC6D3F664F39C Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: haQM6mYAkJlDVlF6EPLsoPD9+TSq7T1CWwR0G2Kxwt/m5EvaBT2sd9pUtIKtY4Bb DqL8Nj39ZMtezueLpLopHsxVx3KntVf6Tr5xOY9prrEbRrTIFIOUdZN02FUvsPsN cn5eEaskvenFJvunyeqR4UuAgl39fCrupYy3OkKvJB/6HBtUPtDarJ3ReOcE3HC5 69p2mBZ2yJHCf0jpAW/qnHNC2L61npUMz78X+NWu+ZaqJEHE1IcT+GyJV1OXCrcT hrfhbwDSccuE4Pn2Rgrt5VZKvvAwKmD252MI3Xji3W3koIJRUV0Tr1Env9efjl5t JaPIC+pxQvrJhWW4lfnCcfQbBV9dFZHNGRAq/PPWZDXTk0Xy3ufPBNNed/ilIGM2 lgpGdS6VPs7Yo9+OvpEf5Zyw0rlrC1O3Y3snCpNxZiVogVNIQqpk5Nra8M/e2I3R rHBL//5uSJGD7Ph1uYz5pCl+spSYq2y9ycFtRh68wPBA/2esmJaWjLPzqZyj7uAT zBKFl0StWvdvkKXRcXgxh8Ce4NLd/Y9c3Wwg8Rtln75LEVT0cVxHI8tsmC7jGKOK ZrLLx4pGLM1Xpv0hLARJTGOL54Jf8AXXjoJ8EAO1VZ7sjsU+tnM2G93XAUk/l56+ tyvjJYiu9ROQMhHmhJOVtjNVGr73KZUEnNxg8IrT6QuGXQclOkfsb3roYwIE+HkJ zS9a4OrLmnj5gvvnyzHpvuGJelIOv6FECnetJNMOmMdWnfB6IB5dIdvpgrDoTt44 tCKYTMlfu+c77luCtGeCoj3er7i9X0e7UwVq4TMCvcnZzhexwgEA+FJ7al+rLBYi f1sIHmSrRa6cgfdgQ9PtARtp2cInxnnciXjbaoI9KTe+NMsvrqmDhU5JiafYczkq ikZdrV2N3Xm4lzxBYkoU/5gjkE7Gu36ZjY7X9Aj546ssUuW/IXPKMpU8nwKvOSqy lGKSuQS8k/6/VON5sXN1ZD8DhbOSEyLn+0AGbVwZKY86KVpMuNbe70zJZYJ2nEJ3 HlVqOK6/SfXWeV5/nWDnrvouHfzl6Z5EEzrZllSzk6OpBYBBX/2o4zCmCBPV+oLN PepMrJihC5f3jr0Fwnwe9JQtbJ2tZwvjgaxv9xaEfhWHlKwPuz6nI99VLYRitKGE XFNqJTVoJAG/yr1ct4+Flph5pbSH0Xh78Xcop9ffI+Pf3xK4WSD5kRFcKA8MOFko 5BaN8+QiteOkF5a0y4hr8KVyC+n7Tunvw/1ibBbv1ghraiEOZPpFzx6sxQs7lwt+ f2W7JVt3YfkLqqcwZ7n0yd+wM46ikdLr ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9A3CC6D3F664F39C

http://decryptor.cc/9A3CC6D3F664F39C

Extracted

Path

C:\8qbkd-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8qbkd. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C75AB49F5E07E0A9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C75AB49F5E07E0A9 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: hYMNFQmem2P8NXRr71mAH6oYDK8wuCICI99Kzn10c6gq9FnftOUqiSf4yDeGYo5a B6iKLdq74B69FBIKaTUgPXb+QvDCMPAmrDoCJdd+aTET+bl/DNDzS1sZP3cR5shi 1oxrXioBkbA4SfytUC7S3otleBruLdinNh8fLomgb4Tyx0tZk38jSAXGDw2kZc8p QDozxTXfonM1rv7L00yBkrPzaN3k6lcZ1N/OS5AezgEIvExB1XeD3Y8yvonXxuRF g0aAic/E1zTDCKbqmvD7C9KZdIQ1ZMf8MOAI6pBxyLOp4umtyHlS5q6A+tNzl8Dq T1jGc8qFywazu7UouaZCbgeXXzB0FZ5wGImkMplGTf7L3r7VzcVoOU8KMm2GYfWH oVJiLJOpSFX8/CF9SbHmLcKINNKcjxcVknVnI/+HXbJz+CELe0e49fUgRzobRrVC KwnDUT8uY9XqOEwv6VgVf8qNZISODiZDvhMSlqipYCCbNaPzPAJtO7KGH1qXeoJf SNFXuVH49rdaQRr+PfGaVYpdsm3eaeSS6cim4hQBWDQH4e+uvqrju+Z6uVlGJShK f2qfUwKbNTp53F44I/tkyipsdaFZpXYpWgp1N4PIjzxX5fPQ2tbSHyErF44zO24r OpraFIa5W2iOOIACwMpcfygluDkaGrP7jwhGrnqmO1CduvslT/mjFyS49bj3Ipdt 8MYz/WONlhsvQdaDRusftCLPTD24MgumzhA94R3DTWRg2HlDBHDnWiGuoGUsgO8l pwIBufd5TBI/ut4TD7sO6jD/c8AOvdBuD9ejXjqndMDfIj+Bb3GwU+vRwM3dxB+I 1zG534RYnubLch3k0mOQsZ+kYN2RKLOadpQSlfNBjRqSkIooh+8biEmZkR05J6zL XBLAr/SBgeL9AWAugOunSaA1HILs9LWwqYZJeOUdG6H1rpOmu5pmvwuECjxenSIl qx3pIWK+Ljkls0P0sgCYshoqTMLqsBmM2r5dzQQg1XZlAccr/zV/zbDt2lMqo7vx /X5YiHXmdpe8jyDLCdFWDVyxKNdOLDqiQSjnBjWZPyU5G+COBi7Qt6qDZ+gTRjD4 a6Jpbl+DpnQy21EEIFqrtkYv8rviEQxLX+cxKxmbbqhA766v6tDTMiRn22cFXJ15 vAjFB+V0kXTkplaJ4M6y2MiPlZ3+BGLafMqpmbvtTjutfWCUPrECCgS88r31slrh YstaEqhrXWO8ZGzHVRSz5RixukC+2gnH/WFpzrFLoqsm2KgZWTuRXPAdUW1CPbvW 0MfMBib8teIHDhNkEKY= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C75AB49F5E07E0A9

http://decryptor.cc/C75AB49F5E07E0A9

Targets

    • Target

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

    • Size

      166KB

    • MD5

      9efbbace685671cc174a24989e4dda08

    • SHA1

      9234b5bd774ca12b0fe46ce74c80f1ea76d85600

    • SHA256

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

    • SHA512

      a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 3

    Install Root Certificate (T1130): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks