General

  • Target

    4e7f5cd6ffb82ae7aba256fc09d949b724d93eabd591cc78918e488a7a2d7662

  • Size

    164KB

  • Sample

    220124-cj6e7aaba2

  • MD5

    b75daa2b6c7f484650c281aa76d8e5b1

  • SHA1

    4ac3d0b421f4e280475f8727afcb836857f4b79a

  • SHA256

    4e7f5cd6ffb82ae7aba256fc09d949b724d93eabd591cc78918e488a7a2d7662

  • SHA512

    e40f3545882b4bb7bef516a4ba924a92df9b7412a661a52576370c3cdfb3195c8238a02977be6315a9dca52654eb175aba772c88f4a431202042be684f6db09e

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

35

C2

Attributes
  • net

    true

  • pid

    19

  • prc

    sqbcoreservice

    encsvc

    ocomm

    msaccess

    xfssvccon

    agntsvc

    tbirdconfig

    thunderbird

    dbsnmp

    sqlagent

    excel

    powerpnt

    sqlservr

    mydesktopqos

    infopath

    wordpad

    dbeng50

    thebat64

    msftesql

    outlook

    mysqld_opt

    ocssd

    steam

    ocautoupds

    mydesktopservice

    thebat

    synctime

    mysqld_nt

    visio

    mspub

    onenote

    isqlplussvc

    sqlbrowser

    firefoxconfig

    mysqld

    oracle

    winword

    sqlwriter

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.top/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    35

  • svc

    backup

    veeam

    sql

    mepocs

    sophos

    vss

    memtas

    svc$

Extracted

Path

C:\u3173r5p-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion u3173r5p.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9F299EAB620C006B

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/9F299EAB620C006B

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: 7ty5n07QI/V3/Ab5BRTi5LEln8IRHScsSiNb+7BUQi0gPaQVBzb+zCtvv4CGQD0n hhyFJmOWXxo5ecyOn585TfQM4ciuv9n5LOZan9jMd9TStJ4sxJrSiE1GRH8pQarl 0HsEDV9ILqAUzxO2dh0/72/MjLMRHt4KYbqJ9jrO9FEqEHMHYUwWMFG9mLZRmOEi 66UktQ0xa24itZZvMD4mWzGX7+fwzXa0Nce9RjXyJo9moCOmR2nKtNuOQjA3a+yc mKp6crxvf/SIuX3wastuu2vr0ukIa+kw/P2IULEkpaIvKGyi60nurpyrkgffhfXP 2aVr3Cb7ZNFGx7U2XCITPK7p3YnpUPJmMc/jERUUHGgvDigwwci338J36T+X4qlV VtY7T/n9ZKEIdUFud8+TZuEpAS7DuP8BW/hVtTomRsU+CpUEGmnJRU9eR6L+pLoA 4RxhUc1gTgXza+lK2RHsrw3uZc/UbgJOnq+CYhSg4pn7b1SycWorCtPgxUxGEyTX 31iFAqvkotCqO4FWuDJ9cJmBVmzJ6cRqFVfqrjzi/xpumTEXI6sEKPg0x3b8zXFs Lo5wRg4okaswePhaYgSfTBKRGZuTlQnBTyBVT1FYxHbNalE+IOtgDmbF1m4YsUqh 6l8jT1ZP6tds1tORJVjVY9Ik3GVAQOIe6+VamPmxfXEZudHdIl4D5mOAGFLZ8qLU gvzUPCxCnlsQY1ZO8zBuMK/UEb1QArn2lnQ9uTxcS9rr9ph5vrmWk7AEVDSzwhyI EYddBb1vmhDnvRGCNp5agYttcAJeLi9lSeqYJ+J0yhitUs+5Hpz77fQ+G7lQQYKW FFYx9MAiCSQ6LDHBN/LLhuJJZ30Yw3LykFRrz/q7zK6lS69iAUp4mJM46hmVx8K7 l9AZqyr6RqXZ2QQJRblegsCvRwG7rZae7pgHN/XC0x3J03MhqlBkMGF9/dudXk1M NojZ1eZslxOFRKNgG4GtN/fgajfkHjiw0b307j5uAc0RyPb3d+nRoT3SvnUUUYOy NokY3jO/6kl11XB1ukn87/N10FwUsVj0TIcmqd4l8MoSgWX0wwA44pAwRyguH222 s1OiNRQH/nvtoufhkpGUD+4Z+2yrDzR7HLPGiJz1/zzfN74d0up1hwvXzKnsGvoH UJY7Og==
Extension name: u3173r5p

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9F299EAB620C006B

http://decryptor.top/9F299EAB620C006B

Extracted

Path

C:\uoo3n7hr-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion uoo3n7hr.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AF2E68DF68A8036A

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/AF2E68DF68A8036A

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: L3JhkYUXpzl3SWPtDc0bzrwO+Y9lvaIEurvy/JUbbrovn0QWTOKXlLCEZJRt6FY+ jmNfEYHqGAAZ35oSgl5hMg1eBlb6sficEfIsqwTNRCyrpsgoGcBUAJ6XFcs310aP cKLtRqql560jx2JvP8TBYl+hneu4dB0N5Sprwagtb7e/QwFVp32dKhwgpu31q88k jQwCHWt/ANWvK5NmMVkHcCw1YHnBOzlTdixeT2xGr/WFvcMSVfAVZSeq8ganP4S1 4QLWQEM/leDoRbG1OwrMK8tGC9yrJyTzLXuWk8WfSK555UYujOnOtfM7SD9/s5e6 H54RT2lgz/p9GsxpFIXq32+NSy68YYVa09xlvLBB/uqN6nBKgCkN/XExE9gbl3Dh vMV6qna3Vna/y4L1XkakT3wQE6al+8SmyCaxtK+uVtQ7tNf+nTFJQfBWrIugA2Wk 4RJkWE3Eeb07iN+y/Rlb7S3Opsp4zHwU/889rUULwunqOnXCJjGXOFEmfaG9Gkem DHX6HGFEpC5m15CLG4hP/j0L4odzZ+/lZLtpLmSQ04oFNArmRqER+HEpNutS9DEI OPVecFiz97wPgfjVn/7+a6oL+qoYuVh3U0KV9uewjxWxRRwk1MMZjv5dfl+20Ugf zhlMSA97biBuZpqo6YNUDsB1HphMc0LblAAnNh67GZdcfcf9rGMJFwXRiv/VEyYo wEx2HkheJpo3pLMtGJj1Y4YKoX6CoIbS6f0iWIcZhUPuP2GUrk6cZ20jGpCJRJwx 7zUV7afGMv/xrGauTx6k6ZrKhIKbfON49bbNjOGep7wGnOrxo7ju+SNarEeVUkX1 XEGwgif1pDY7J6AkfHMLjRfSc4pZknxjQgtT79A3lZ+TeCjOyezqcwm2dhZYFN7N syNFXDH6Zb0nAakWatKNKocT+5JKWAXfBOVJwwL74EyY0zteVBgBCwXe78PlBb6W RKihAMYu92h2O5FVNiY4pY3tCC1fDwi/kNjCkrXdbJFgCeFxagMAgcj8d0dRUgj9 NR6dHkVt8Q8F7e0UJJEg9O2gyvE3Fh5th+8y1UB0VydoRFwxZ0bzE41u+QDyU0DC wuY66GBCoEpJSXh8FwI+jcP1Oza7TL1Cl79wEKXoLGUQ2zLihwuW/qRfuVg=
Extension name: uoo3n7hr

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AF2E68DF68A8036A

http://decryptor.top/AF2E68DF68A8036A

Targets

    Score: 10/10

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion
  • T1112 Modify Registry (2)
  • T1130 Install Root Certificate (1)

Discovery
  • T1012 Query Registry (1)
  • T1120 Peripheral Device Discovery (1)
  • T1082 System Information Discovery (1)

Impact
  • T1491 Defacement (1)