General

  • Target

    4c71dbac0293d43784315974e48ad78094a8c28d8c0e9324baee9af99bbb1292

  • Size

    391KB

  • Sample

    220124-ckmz8saba9

  • MD5

    638fb46f5d50c93ce5f962d8ef936bc1

  • SHA1

    70fdc258a75c3265514ca1e810c5267def870800

  • SHA256

    4c71dbac0293d43784315974e48ad78094a8c28d8c0e9324baee9af99bbb1292

  • SHA512

    454e5b1b55d4a1584c94d0db6bbc977cc7311c14ebfe3f9d7370a3b6bb3a8e6bb3810ea86a6471e5a12f034f7a09ef37e1921ef82c8c60b9ad2ef7c8e6f67d32

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

Campaign

1428

C2


Attributes
  • net

    true

  • pid

    $2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

  • prc

    sqlservr

    excel

    sqbcoreservice

    powerpnt

    mydesktopservice

    dbsnmp

    msftesql

    steam

    sqlbrowser

    ocautoupds

    visio

    sqlagent

    thebat64

    outlook

    dbeng50

    mydesktopqos

    onenote

    sqlwriter

    tbirdconfig

    agntsvc

    infopath

    encsvc

    oracle

    synctime

    mysqld_nt

    thebat

    xfssvccon

    isqlplussvc

    wordpad

    mspub

    ocomm

    firefoxconfig

    msaccess

    winword

    mysqld

    mysqld_opt

    ocssd

    thunderbird

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    memtas

    veeam

    sophos

    vss

    svc$

    sql

    mepocs

    backup

Extracted

Path

C:\y683vy7y5-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion y683vy7y5. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B1DC3794419DFF87 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B1DC3794419DFF87 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: qDMc9tHwxpEDxV+wZXPwpeBvIQxZTwN622VfjTE3+XJyeE45ChXKHE6Ywfks+1MO KV2Cckp3UZP+8F+T/NPx27YQHOHrBRB8AbS52HsUNF5Vu9HHAiji8IvzvA/q7Y44 yf/m2HyMWupPu3du5X9ZGEFEUqY1nCvJVNYVfC/KfYsziCLTNdGdVWOmjpfxn6ki JCWSagmGvmPpk2ILw6QyojWG7X+IKKCLyLHZU6lV+WZ7YkQdRvH4QvcrGjJlrVr6 PWscbLTuJ+NvEkgDb0WciSmU6D1y4u6JkGhqlCsqnCp+cetoCNRymEoHiZw6XSmT zRAi3v/NXV0cXhZmLhYTzD33uhNqivca3w94GIWga7uo+A3FlPKupHvO8/KFA2di p78QFaV0Fed7hL4P+ke4Dcj8jiR/iyFMblJ6we6/B0SUVjmOyHOS/dHO6mZJxJlX XcoqhYJE+zjqeQ/MI0idHlOTV21lfQCPokVPVPuP53xmWFSLtNp5X3gz1pH2kKhk 0HNL7JKEfCET9OjeB7pbQ25Khg4aYmyORAq2NDQeKdl0hMNyIcx8UTd12Vi4JjNd l3X9dtffKNN3u+49qeeDeELgiz9s69uEQ4tDsXWeKmC9eX3V6jvt+pqLsOgAddDa JVXaLm56KAdTkBYdRMn7PaqbkBm6JpAt6xRpsXY197GrY3HTn2YNiAJelR9tmoGQ qvT/lyhhQEjEsUQniX2iMRxkW+yLYY93pEeSnb9XX9v14e09lh+41aX0FwZhcA1P gYLD0x4SCYv4sUQyrHmZzaDDRLJ/0sn0F8CjtdHpbVDM6fcqCURdeD4XplWgKuGZ PEdZwBPgzrD0kzoZ9ZqZGUTPApPJy6UOQ6eS8OjYG6Qb5+GzLjrTnVLZyYad2DGY Pdn1kpZ7p5DAXK2T2gUOoaRtvZvKIW/n/f0uIyMmtAQGKen7kweODveC2kTKASUk XYS7h5iJ0JrTRaIkr2PJJsHmHnnYM/1G5P+GlR5oRy7ExxPLwKi2gzDwRJElTbes BAIohY9NxdOmSka28jqMs4xmNoNUOQmpT8cFu0XpjDbTnbSLUQ/W6irUKeTH5S95 atwBHpLvjkzxIvuGapRlsOLmzf3hKQh6m9zD1WRTzKGbOGPQfO66P0amRllH4RPB /A+TDsEQ4K2ySSiWpGI03vhfv4mgaiFQmcRWV9IqwslwsjXine+XjCNEgQl2ptL1 kxrZ/2nHqkNWDhSS7V5WZPC8Zt5zvxmp7cW2ia4LOTJ51Jww/ntdZTFuePaor2e0 VMbRePb0NTk+YL4meR0XGoZ3j3rWz8jzdlmU57BJ Extension name: y683vy7y5 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B1DC3794419DFF87

http://decryptor.cc/B1DC3794419DFF87

Extracted

Path

C:\0s0hyqu6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 0s0hyqu6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C27FCDE20D08F5D8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C27FCDE20D08F5D8 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: d6o1CumyoR4R5QyPp08z+9djuk+K3XG1WzK6d//9wpGaxOEPHy4ThYADVkfhQR9l X7P5gQBKq8+fYqOzqsagpb3zNEWUZS93hTEqRr9GKF987cbmmgVu2aY4Re2RtIP8 4gSG5P6OHDcx3sLKC88b2M5E+GrrYNI/kZzBnwJvwYiqNp8S0+qs/+7m9cRlV9sg ytbbla6Uvmt39cwpQHjb2C6Dr0EGEt9Ua/NxKIzbIHkLUwuT6lfOf4aWRptGAQc0 IlhffpEorKpelJGBGeRPFxXupue5oiVJQ76+PXORgweTqVVfxpMqLBUhDmypWAon KA+TclJnozg80ET4yueg8dzm9YoXTpEgafE3Fbm7SeJs6qUzqWEvf2vmh8z6Qfmp 3Og+EdVsB+aBbiDGMwzpA9KQbsxsFy1XgsR6ui7msjryerufFpL8TiwG/M5nFVsu fs1rpANQyibZmFaExFlICQNyfQy3S/wGTbCkP7kewXzBugwsJdyOnFlLZ9uBVU5H CSaIndxmPneXn15jaS1koXrBIXGNTYO3KGhTvGfPfp9jIhbamzxs9r+1/bVnrE25 itf4tA1PDN4cfBs/SJMY9GkTEfut+OqykAuyQC0Tc7tqBTiq7A75S6bc5e0FKPZN DpLUmn63Z/mBVi1qdA3Coxa7nZkGagmXZ0q47XM5aEr5KfS3mJFQtfDGilk7cEyh 2KrWW9xPlZEztqFbcY7wKy9ribhFN1INZ8nwaaLE1Au0ULBHqB1Ke6lNiiKiXzlU cerW86Sbc1i+FRoaEQa/XeytKqF3LdwBdyHb74tTdUES3jc+RnDjIBWHt9fBr3Jc T4sJ0TU3RDiQasanLIaFm1SeXAUzE8SDGdJs2dmQGRxRXIfgTGd9fXa0m3/k0gPP ccZtjHxPCwIQX+JYhDSJIg3vEQbJwl3XPI/kzrH/oexzHh7ZCcDHrHQsNz12USYE VdaJ7oPmGHpkP98QTtd0C6kUP9rDJ6SFrpxupjutxScalaOvb5ZnxdVa28Icf+7r Rzuxg0cShD2J2/BrAItFzGd5AmLYMCotPt2QxojyiBv/XQcR1cHzEs2CD/6LP7JF kQRXvCpTteon9pdVRjT8WVHneUCkX6jPuIaBmW5AyO9QRmPpTN62Fho5RDb6GC21 B9ulecXSyXDxXuA/k6T2869ExNtEKbkQzo44GnTY1wYEC6kkxXEQBoTrsfZ756yS idz52SDmP9Y/TGKaArPP72YkqPNr9eHNckUx/SiCSfWoD0YRqCAcIEJqZnc8VONL Rrs/b1ZDcTfYqjaFyqMIIO0TmUw= Extension name: 0s0hyqu6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C27FCDE20D08F5D8

http://decryptor.cc/C27FCDE20D08F5D8

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion

    Modify Registry: T1112 (3)

    Install Root Certificate: T1130 (1)

  • Discovery

    Query Registry: T1012 (1)

    Peripheral Device Discovery: T1120 (1)

    System Information Discovery: T1082 (1)

  • Impact

    Defacement: T1491 (1)