General

  • Target

    46befb480ba7cf8b4050b8a2cf0ef5b6e73fb66691b54390c9b199cd557bcba3

  • Size

    165KB

  • Sample

    220124-cl2j1sabc9

  • MD5

    64476956ee59e373f47e81d45dfbe179

  • SHA1

    6952b2bad3cc19c61bd32b87cd1382e677938078

  • SHA256

    46befb480ba7cf8b4050b8a2cf0ef5b6e73fb66691b54390c9b199cd557bcba3

  • SHA512

    275ab8439655d51349acf39dd5e19891eaf7be2ddee942c66a81971af67d5bb4a8e6d2cf96f684439d57aa319f770f6a46ea653cfafa18937326a40cbd3b4131

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

312

C2

Attributes

  • net

    true

  • pid

    19

  • prc

    synctime

    onenote

    veeam

    mysqld

    xfssvccon

    ocssd

    dbsnmp

    sqbcoreservice

    encsvc

    msaccess

    powerpnt

    wordpad

    thunderbird

    thebat

    mspub

    ocautoupds

    firefoxconfig

    infopath

    mysqld_nt

    agntsvc

    sqlbrowser

    dbeng50

    sqlwriter

    visio

    mydesktopservice

    sqlagent

    sqlservr

    msftesql

    ocomm

    mydesktopqos

    steam

    mysqld_opt

    isqlplussvc

    thebat64

    tbirdconfig

    oracle

    outlook

    excel

    winword

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    312

  • svc

    memtas

    sophos

    veeam

    mepocs

    vss

    sql

    svc$

    backup

Extracted

Path

C:\i95tv-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion i95tv. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C6C3320333CE86B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/6C6C3320333CE86B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: NqBtX45knrzgs5t2+s78PF6DwVsEHNb7Cap4H4350EpsoIjMGuX55XDTFmUeVcZS pqcb6RI7Tfbr2l0l9gdMrHB6k3LghCHEp2BEpwr6Qnb2AoOcQi965LfHkxju1juH 3cqFZGo7F8L6vmyTRzPeZoy+4ehB574kHocnhhUpub8V7MSYGAMOzODUWVnh1N/s RmMBrKcKPEUUUL1upCCkOqruyfYe341Wa2io5oaWyc7DfYgdqfdipGQcoVoDcdwF O58OuerXS3NfVB7mLIDUHNkDLhfCDK2oeRAm9t0w/OmbDKYbeO704XsbG3bxhxMk 4nY6vo3LTHmLaNVjfk2rknbrFL+MkYqaZ126kfJLIIcciK4fAxM8X8dWCHUuErxe 9Kpt2h/DFe76k/pWhvbqkC5RpYowiir7s8KxnXRbKIQBXuDInCdiiR0Pc+WHnq17 Ci86aHNO6ZfwRS5ntyW3tdUM67ZQUDad2yLO1+64HV5ib/gfRrJI0Rlx6VH+NTmS 5TJRWDm5upRBgwUIEURAMXZ8Wsry6u1QdYnuiLys6tT2NggwSsM50/c0OP2mCXQp oVSKAJYyiICp4vyDB4MYRwXxipPW8hMZh753CeEZskBV4fR3aiYhrHdBfwJrDySp psuhdme5n3ffA3BmND++WCqpPiOk3Ou0/b4lSqUeJ7uRtUHrv+MsPkhYwbv2DDs3 HVu6O61zzv9Y2yrLvp4Qrh7/GZVweiYcN+q8FIL9536z8h8FM2tlH0bD5mHlSoSF sq9FUrdj7zDxPjnsEST/170e9RLYnLo4MlQQYCSSNlNFtxafz3G9Pj8vx9y4ueaC dzeV0782zw5JkEPr2IsVZMJsFo0a9lxHir2vMphMHD/AiZyDml3CjcLpNSeWCcTx mSXTKPegFaPCZvC6ap5hxfMQ1kYopDTw7KOQBd7rZmJMVRRSgiqQx+0gq8/JeJGF 55T6WTRJItxPpfK/T3wR5kLj0PREeaQQmmIDdwWpcXM/u0FS9h3FADAkCEaaJ7xZ orPZWcquEqIi/Ltxmu+wAaog3Wq3e8A8wxSHh9qe5bYdT7TJxPyxaRJB8Yf85J7O jzrzhM4l5+BwasSZwEdAuhxrBjZgzbNoO52fQDwpCwSc7RDvLAVAUyDYtE5UBcXD Extension name: i95tv ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C6C3320333CE86B

http://decryptor.cc/6C6C3320333CE86B

Extracted

Path

C:\8w897k7l-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8w897k7l. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/586F4FBE3D9FB186 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/586F4FBE3D9FB186 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: GnTBbKbxj9gS2cLVnsEahcbudh1XOk9JetGtP7NIHUAZflnQO4NUOa7i1ndSzSlz XFlbNTomnfMamxIkcDdcndl97p9sFITkIq7YIh/AhMkxSKHVmG6MSQqq2XZXVvVY RcauEXJvbBHq7hq+0SH8NHxkOCrjICRp/HHroUk5dRKhtsl9M4y45oXCdghpHUTS zMfCg0fF60vIuSSigW/U2XpN/EtxmD64aU5AKUFxAs5pvXjhVmTj4n7Kl0MWvb5v MoeW0DuMU1AtJClya8Yy5/CAKHX2PANPM/aOCt1Mwh6Evr8A4HmkRStuPWJnIedX FyeJmaiyWkaDCbUHGkdceuqDKJhx9zpXRmeV7iQC7FHktWJvCcwxCS+Fyhz3JlHy xNpbH/RcGYFCg+OO6PLK1Bz3nG/XuV3//79AUqKm8LH5RDCpiLntbK5KcAV8jPZQ 2IcIfOnwqQbv4w9j5jrmYXB1Eig4hzXEUiS9kmhUG04aIbdrrdenR87c/nJeCJ0y Spqyw0rWV3vBfrpkcTKRN/zzkrQhPDjIomuiSS2wTKrDKV4B1VYNg3l2AZCXPS4M +UO5MuHH/PtErxXQkqIfsVIo/wlKHNYycka2CfkNkxtzErbuwVQq/Q1yZPHXU04N ZjNBAQ0xIusWpyiaqAXg4zLN+bfEDYBUxETJS1E3pykNw1LTnLVUXysADirFzH4k 5TTutiWtslLNgujbfJaGDp1QGPBZXAAe6INlINC8MOG3Zcgra3DfGJUXupIx9xDH LL1ZUNQh+21oXnulaPQsKvlfmhhJu6pxghCawMHvyg54CYxx/xCtjp56CvPJ8VYf LvbnHRMRsWLoaAk4YdJ8eBOe6iSMNDxyK2vpM0Blch3sbL952nBuWfYKakSGA7Fj oDhmRyu1zcD1SWk9dN9eT3LsTTA0QLedbVbl7yjcKYwHG4G0UgOvDRehlrdV3xpX kRfQpjZrZ+n5hhSQwYrKDHbAAvPdG1ai2khtaF9J3iutTDoEf8WnVEYF+nksE1e9 Vd5GoC7KdTdI5GyJQLRO3TSpv55i2IALvqyj9UqypJu5knWoZ67i9X7/CqBjZGys c6iB5nQxiBMpoxKfmoE6zoQaUHriD8jPRFHukbGrcJGkEBNJGmtKjFPi3619GA== Extension name: 8w897k7l ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/586F4FBE3D9FB186

http://decryptor.cc/586F4FBE3D9FB186

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  Tactic            Technique                             Count  ID
  Persistence       Registry Run Keys / Startup Folder    1      T1060
  Defense Evasion   Modify Registry                       1      T1112
  Discovery         Query Registry                        1      T1012
  Discovery         Peripheral Device Discovery           1      T1120
  Discovery         System Information Discovery          1      T1082

Tasks