General

  • Target

    57a70ce9e3a7dc9c67716bb4081e39660f5deb45dd88a27d93ae7c52b65c132f

  • Size

    196KB

  • Sample

    220124-cgcp4aaadk

  • MD5

    145b70b64dcb5a87f27ccc32775f4ccf

  • SHA1

    1ce103540662c7097ecb9e4959c5303c4c7f0306

  • SHA256

    57a70ce9e3a7dc9c67716bb4081e39660f5deb45dd88a27d93ae7c52b65c132f

  • SHA512

    9364cc346533abbe69d4cef5bea592c93b492d02c1fe4bbd50ef0306f11b4367537c2f503033aa552f1a1ffb1e1ecffd71401e3353a75bc66862703f7510e914

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

Campaign

1428

C2


Attributes
  • net

    true

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • prc

    excel

    mydesktopservice

    sqlwriter

    ocomm

    powerpnt

    oracle

    mydesktopqos

    ocautoupds

    ocssd

    encsvc

    mysqld_opt

    msaccess

    visio

    agntsvc

    winword

    sqlservr

    tbirdconfig

    wordpad

    xfssvccon

    msftesql

    firefoxconfig

    dbsnmp

    onenote

    thunderbird

    outlook

    isqlplussvc

    dbeng50

    mspub

    thebat64

    sqbcoreservice

    synctime

    sqlbrowser

    steam

    sqlagent

    infopath

    mysqld

    mysqld_nt

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1428

  • svc

    vss

    mepocs

    veeam

    svc$

    backup

    sophos

    memtas

    sql

Extracted

Path

C:\43kor01-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 43kor01.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/32E2D3D8A70B5F7A

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/32E2D3D8A70B5F7A

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: k57qMyO1BamE9df2VkengNi0/KleljslFTmQGFucQn5aJ/wBoAxcXV+yiVBFXwlc JjBI8VeCAY3lZoRDtLAiYjwcmYPYnmwevBRQDY1vHv1iYQQVT1pEcVYTDZVzT9Km MVd4/z0TGQ2a/nX8So+tYQmIUGhbctzSoQfIsLAQYVCj16U7mz+NGb6RTN6FrpjO GGnOAwsDcvcKyizeTQY46TVIY+GOl/faNAwuanLNeD1NpI4hY//t/PieSV8IokGm zcP9Y5vAohOpF4axdjvibFfDoXaNuo9BIeuFzkruWEl49+SRJIwf5lJKcXO+MMhW i43PoXxOFFHMmNnXwnGz+SrAWM2r8iRuF6qcVxeA1iSqsR4+W+kUtbFmu1TePMBW dt/rH0AVsG1HJHTDpIrY4L4FKaHCpURGIKcIg5MFiyNFnKDj4qgK7yhO9Us729qe PYQGD4el0LsR4fMisnEeLZ34GoArrkHkbsFDoWnimpprTMEr8MEnXeoxYGe3dxo6 FLo+b1qnh1+yeVdIaUw6+YoAPIz/HKm1mDCoyu6LQpXC1b1tzFbDPpJo80tOgzEg fYbfkgKVlfVSvZba+Bkm+cwOraG66z5V8VvHg+quZQwQa7kI0iWQHYe5/ek/mLQ+ uKnhk5XGL/07g20iyn4K78yxDDxjSxBL8+p4U+5Q1yOglaKkvXuv8l0Nx6pLbsB+ KXoGNGmpWdP7dOTTj8Iv4rKwIX2KyyZ9s/7FzeVh7wv/XGQv9i1/AZXtsyoA6rUw 0bUzu0R1wjNm0Ds0O//HXYlnybaqqRXLf6Ya9DFYQDzz7XX5p9kG99cAskYK7rBY kLoPFbVDVhWZmxZRpF9QhVFuvw5prCL9rcqvVUmGsi9hL0eZM9H4a1rs9/z7Ac2D CGSvcR8LNRDuzumJYZ5PacvWSLlMm+UR9a6uYLkss9isOqApkIm4cEM3KSEtDbXK /DVM8nrtRhqHTKXirZRScrTA3LljcHh6yhklWXX+VOGcxNUp/iY5NnoMKmUUIvux XK2q/BQbSj2RS/1Qno0uLtzH5YMx/l+Db0ZHfeOsEXD6/ghse3xeYGhmzVLVGq+v egIe92ECbpWB2TceytwdfxoY0WfuL7RR4bIOI4/SQlzu2Gm5RmqpNnO8fdGP9iDd 4ALWPpmG6V+MFTcGLBZofiXdpxvZhGPFqZuv24+aRVrhgTQBiFMsrx/ceoSbOquU USdZPluOKbV18DRD7PnAMLuUFNECW+fTu8X2LS1e0T74e+lOV0izGw+qNzlUNo70 WLeH65NNtv3ZpFFwW7wM5gfTndipif7tSJI=
Extension name: 43kor01

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/32E2D3D8A70B5F7A

http://decryptor.cc/32E2D3D8A70B5F7A

Extracted

Path

C:\q1lp9b4x2u-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion q1lp9b4x2u.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/73FD84AA0BF3D67A

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/73FD84AA0BF3D67A

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: oDQdLmct5j1meAZKvxbSRraeMsZ1s7I0OaWAuZkbI4haoIS1d6tDxdh+sCd5wYRN TnLm/T61p8mOiGRP5gH86i/VFLnNrccaMQ+HN5Z+7h3ucWizEMxGpy2wPHZMqH9X WtFVvOLsipP8e4mHmNGk2+8IWpdKZa0l5LtlU/mnLp54JQQuWGyFFkWxr9zOCjWO J7AxDD2kcOsNaubaQ0F0JZgSNltOjTKYLn/Vxm7SKpcu1S+GpPxM7ySP60qTolsU vqZrVh8Nb1rcmcmsbeHuaNoUMhYsDtbdz623yHFPSmtbLtb144O9dsDl7wkD0QEl gTs1RWxbqwyfoHQ6l90YnaRj0zbaccp11YLfLpYe6WHK2zn9gQCpUMW+M3YQV2IF kbiKvTfMAorE6LOaPnLCFo+xugo3erbBALexPsEEQsSRqLsobu3eEmHOCOQA4Jdq VVvDFuLMylOiLRQN1U2K/ekManZsiEUNy7i3qvyq1lEkk0IHWcgpBiBT+3b157Nh phkN8MMP5jFSsDU7SESmBI8fMGWXmVUC6L0EtxSuzCIwHhLGbWYgbG9eaRMDPXrl Jb/qx7YXygjdTpzKsZlBhCC84pFQOlJPnQXzQN/BpnQMc4UmtUkpWWTMHseLR0Tl K6MhY+JrkJgBMsBrQKkKXzBf07JQFmJAN28k6w/K7SspE1U95gMAezqXU4bG4oZQ 5hRvUXOjYwWKnNgVSN3R+/IZk9bIzq4EbTokM+cGifkH4MsJeGq1WzSe5Eh9GuG+ ybTDNi1az/FrRGy29VIju+1t5zpmbalL9jG+lFB5H35PEpFzbdn05Lbrssitby14 vC578RgjceScHdqLcxSfYwZJnKuNZfg07NfwWME/8FsG+QuERjKjyaGoEscHqhZr Y+EeXVfmDxAiBvWAk0X25UbianfsPrU7BTPdXjdTOWtlKEBaOd84+s836bpqyJrw dGuCVSd9gxDjX4aFperQ6szmhW9LfibpT6HgB8QcOxC90c/uWchZvJnEpYh7uzbg 5uXVKW588/cx47hfzij7a/4MdZ/hWGmuu8OIgQM1V75yY+07TZZ1Mpgbld7WnDWD x80pIItE2Pgwgf6UmGJWkj/vLucX+dt+4YVokUnQMKDXh8WyHObIZuJZzPq/p3Js +ndmwEyjRJH210gxTcnX6FFWX9d7ftbqw+oAtXIX0LYLS3hLT1md2QMzGL2JwpJy yozHET6jsL3Uj6uoPmXuYa0rLlxxh2KNg7pY8OLoWgqJk09HsDj3MxOpgn4I/eip lYxZPFprwSW/F+3XfZJnZcuM2PkjmFbZ
Extension name: q1lp9b4x2u

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/73FD84AA0BF3D67A

http://decryptor.cc/73FD84AA0BF3D67A

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion
  • Modify Registry (T1112): 3
  • Install Root Certificate (T1130): 1

Discovery
  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Impact
  • Defacement (T1491): 1

Tasks