General

  • Target

    5dcf9055c8e624fcad9872f43e2a1a342a241cbe0b616560daed6d5735343cb7

  • Size

    165KB

  • Sample

    220124-cefnzaaaaj

  • MD5

    e4b805f67794c3035375846d926df499

  • SHA1

    b6cd80884b3d3ccd1cd98d979e8d51ef472fec1b

  • SHA256

    5dcf9055c8e624fcad9872f43e2a1a342a241cbe0b616560daed6d5735343cb7

  • SHA512

    742a5b90ec58865ec05eff5b371188ef683189464c53dc24a68e03b3f1940ba606d2fe1f03051e8db4d2169fe18c38cfa49656c0f23b92bb5a07ab7f30faa30c

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

1428

C2


Attributes

  • net

    true

  • pid

    19

  • prc

    thebat

    msaccess

    msftesql

    thunderbird

    sqlservr

    isqlplussvc

    mydesktopqos

    powerpnt

    mspub

    ocssd

    mydesktopservice

    xfssvccon

    dbeng50

    oracle

    winword

    thebat64

    wordpad

    onenote

    ocomm

    encsvc

    steam

    excel

    mysqld

    mysqld_opt

    firefoxconfig

    outlook

    infopath

    mysqld_nt

    sqlagent

    visio

    sqbcoreservice

    agntsvc

    sqlbrowser

    dbsnmp

    synctime

    tbirdconfig

    sqlwriter

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    mepocs

    memtas

    veeam

    vss

    sophos

    backup

    sql

    svc$

Extracted

Path

C:\q3nioru-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion q3nioru. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/41832A15B7ACCEC3 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/41832A15B7ACCEC3 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: k4BAf3tgdHWgpi6DR8xvrznSSyW8AwGPRuJP5GRRaCR9MQGoMSJ8+vGhg+DAJ1Xr 3QZVmDRd4z3DT30DjyGlpBPVzEKJmt4cvKesM9xY3+d+0EtZ+/oR7R9mEiUCbC13 3M47WDzaXHSJALf+6eTrO/fVkGIjMCfUhoMtdi/382NR/sU0oSeuf/p19uIwvhgG mYFKvYwr4CVk3K+rovTtlrtoF0bIFP3A5sIcUJRNOGMn+mzy4fptCP2VVjzwKHDl X8fOVfhYbDCcPCMmB1xRCmLYXLO3kuiu8fcj7rbop/YURtjHuA98h35uEOK7kFmD G0LTvcS9H9wT7ijDP8aD7RUlvzj9Rip/JQ7AJOYjFFpoupeIU60EyYGF8Ay0Esqb o3rCyL4y+HAdsU6bs8h+Vxnbi5A3gSENp77nYv/+7dNfNh7hT53OWl79QywmLUni 4IKfkFcbVPOAiNvQsdriRjB4+/cUEGqUGhwxy6YWMNl45WB27UHyuPGmXHhbOzZB KTuuxCKD6YBG9ypdQmvu/AzGs5Nd+Fc1X5rNHK4+EFweohhWeVjAjRLZ2FZQ9aqz ADnhVdkmQN1WuniPrLOQYn6Kd57LemujRsUMbBspw+zUs7+ONKuHJsK0fHX3fn8k xsZOETnRCAUFB/71X1l+2h1MJ1OqLSLWy7Oe+B58HAOd6HiVv3vczMdJo50eCpki mftlpmPI+il9HKvsdDo85eZvKecvuQ9Md53VeDvb5nHmJRDbXgjKoE4si8ULWTN6 UcCmYPoKBnqBESeh7A0uuEMqJBLk8vHSH/R0EBWAHMzOGi5VzSjkjftdE5i23UUc +U1sq6fv6BVMA2QRRgPeQCtPXxEKcsyLHW6QqRIyc7kZcuDZW6egdD3OsGsRdK5d elXukABrmEHh91O1L8aQ26bFZdKhpJY6iK9W3vjDxsXIXUtNTC8iKnXIJ10YfUIi 6mZ1WsBPVuYCFEtwWYnJid/vgsRhNvY5CKky+sb+122oo+3NZe2GCZluPiG3HGNR mOBa8/JYpQ+sbFgE15sLHynYjUYnSa8YBR49S5Rxi4pHABUORpjHRGYWE1P9LVYq ChcJ9blqgfGw/sXgMyq4/Eb+tIGZP0u3JsZQOEGJsg6uZx0WS3Od7m1R4ua0/OxV GsBlK1Ld Extension name: q3nioru ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/41832A15B7ACCEC3

http://decryptor.cc/41832A15B7ACCEC3

Extracted

Path

C:\77v3961g8o-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 77v3961g8o. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/86B5012FD2D82F47 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/86B5012FD2D82F47 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: XHPT8gKzLxGlcbXN3OffnhwngciBEolEMtBXVU/BGuSFhgXmVKpiBuuZuYTaFEah V4hk7p97NcgiUBYH7Z9tlm5YJQdXSZAnUGnnBgoyvZoF2Vrdmytwws4bbUKrhAGT +STiEzjT8tmRZZSxkOrQxARLM8qyPuhM/TT9z57HdpDNyQLhHAwp9UFsDE9gfAjI S24JIlVVeVD4TDjXfSLjc70Z00gDECbY7h+PfAXfejFm8zu42tgxVwO3jCSQSV5j 9+d98WBzLLWVGvILWzAxgd2oInW4WSjihsR0CdHSkaBfUAqmOF05rb3OvINe+7u+ 857j8gnR/atN4AhvhwQ1BgrI//eLLcAhKGSEYA50pQMqdEJKZBgk7wYwqv8J9j4B bKPApHV9CcX5RBhBRoAmati+guD+2r2Xy+fwKNM1wBvYgdN1VSc7yZ4YUekabsf+ IrJ20i/f++j6FMMrC02yzUp0zcI2wmtRQzPiQ+VGVztUQbrx32uQIuaiBvLgVUOa tOpS2Saxl+hpav+1MvQvnGh/5JQ4WJHQTavull2T6nx343pXjisiKqdiSb7SC/AP 00gjZAKT9EVBiZySzUclrHYQPrzwTz2ZCFzNvSu4z8N5UQTh3etW3d4YTIpwAghp dTP+9Z9U2g+Q8TU3yvn/PDms0czDaBleuyWNMSYEo2wk4z67jHNf72LuglmshCAM hnYeP04dMpSrfIwnLTAOClpV2P4juC/bhJ1Dzb0fbMjJkHscRcCn1eoMP5SPpotP cJtQQ/WRTNtvbGygeOjqnZEVQ4xq8QaCA+QGCylcCLvsDioqGtcWngphekwjZw1A gHRXYDrH+rwJMbsUE5wcwgbkdwrOA9J4yvaT60jeHI7egoJ8E/ImUDjW5vNC0vH7 GE6CKmxoOMMFE7/3PFGtegHb8vEECOXfhX+E9PR7XNNsL2c9HAJ/NpyX5R6MBQPL 0OjI7K0EQWMuo0alJFPAOfxyEjVzOjcCBN5dId0NTB14heCHxIt7oW+SIvruWNi5 JR1XglgIY+FuQo7qUzcHPY8tjPvxrjm470nkzVfWH75q7Sj3pVV3dLbDP1hIVc7T 9vRKrI0WOFDX5kNn0BB60FlcElp49x46e/aMNUpJMQwFD6gTCy0wrbAYKnzcMG9S DEYAqw== Extension name: 77v3961g8o ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/86B5012FD2D82F47

http://decryptor.cc/86B5012FD2D82F47

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic: Technique (technique ID, number of matching signatures)

Persistence: Registry Run Keys / Startup Folder (T1060, 1)

Defense Evasion: Modify Registry (T1112, 3); Install Root Certificate (T1130, 1)

Discovery: Query Registry (T1012, 1); Peripheral Device Discovery (T1120, 1); System Information Discovery (T1082, 1)

Impact: Defacement (T1491, 1)