General

  • Target

    44121b64b55e6e88929a3166e48ba0dc8d96f06010c65638a8f52c1994a37ecc

  • Size

    154KB

  • Sample

    220124-cmndsaabfn

  • MD5

    e2db4d7ba6666780ff4c5d0ff5278b2b

  • SHA1

    e7c71891ce5eee081190366f24549f161e44e9ea

  • SHA256

    44121b64b55e6e88929a3166e48ba0dc8d96f06010c65638a8f52c1994a37ecc

  • SHA512

    4d032519f312e82e79db79b028707d8f5131dd80d483a9520bc0f58d76931322917ee79779c1e39e5aad13027072983e511c2d0580077ada51c8ca4d919cca4d

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

Campaign

1428

C2

ecpmedia.vn

triactis.com

promalaga.es

siliconbeach-realestate.com

bigbaguettes.eu

web.ion.ag

spacecitysisters.org

abogadosaccidentetraficosevilla.es

blacksirius.de

sipstroysochi.ru

foryourhealth.live

schraven.de

mardenherefordshire-pc.gov.uk

pubweb.carnet.hr

joyeriaorindia.com

makeflowers.ru

seevilla-dr-sturm.at

podsosnami.ru

stupbratt.no

jsfg.com

Attributes
  • net

    true

  • pid

    $2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

  • prc

    sqlservr

    excel

    sqbcoreservice

    powerpnt

    mydesktopservice

    dbsnmp

    msftesql

    steam

    sqlbrowser

    ocautoupds

    visio

    sqlagent

    thebat64

    outlook

    dbeng50

    mydesktopqos

    onenote

    sqlwriter

    tbirdconfig

    agntsvc

    infopath

    encsvc

    oracle

    synctime

    mysqld_nt

    thebat

    xfssvccon

    isqlplussvc

    wordpad

    mspub

    ocomm

    firefoxconfig

    msaccess

    winword

    mysqld

    mysqld_opt

    ocssd

    thunderbird

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    memtas

    veeam

    sophos

    vss

    svc$

    sql

    mepocs

    backup
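The fields above are the sample's decoded configuration: prc is the list of process names it terminates before encrypting (database, mail and Office processes that would hold files open), svc the services it stops (backup, shadow copy and endpoint protection), and the C2 list is the dmn field, the hosts it reports to when net is true. Those hosts are largely compromised legitimate websites rather than attacker-owned infrastructure, so treat them as indicators of this sample, not as a list to block and forget. The block below is an added example, not part of the Triage report or of the sample's own code: it turns the extracted fields into host hunt logic and a service-stop burst detector over constructed System log lines. The matching rules are assumptions for illustration (prc entries compared case-insensitively against image names with a trailing ".exe" removed; svc entries matched as case-insensitive substrings of the service name, which is how entries such as "sql", "backup" and "svc$" read); the event lines are constructed.

```python
"""
Added example, not part of the Triage report or of the sample's own code: turns
the extracted config fields (prc, svc, dmn, net) into host hunt logic and a
service-stop burst detector over constructed event log lines.

Assumed matching rules (illustrative, not taken from the report): prc entries are
compared case-insensitively against image names with a trailing ".exe" removed;
svc entries match if they occur as a case-insensitive substring of the service name.
"""
import re
from datetime import datetime, timedelta

# Field values copied from the "Extracted" config above.
CONFIG = {
    "net": True,
    "pid": "$2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va",
    "sub": "1428",
    "prc": [
        "sqlservr", "excel", "sqbcoreservice", "powerpnt", "mydesktopservice",
        "dbsnmp", "msftesql", "steam", "sqlbrowser", "ocautoupds", "visio",
        "sqlagent", "thebat64", "outlook", "dbeng50", "mydesktopqos", "onenote",
        "sqlwriter", "tbirdconfig", "agntsvc", "infopath", "encsvc", "oracle",
        "synctime", "mysqld_nt", "thebat", "xfssvccon", "isqlplussvc", "wordpad",
        "mspub", "ocomm", "firefoxconfig", "msaccess", "winword", "mysqld",
        "mysqld_opt", "ocssd", "thunderbird",
    ],
    "svc": ["memtas", "veeam", "sophos", "vss", "svc$", "sql", "mepocs", "backup"],
    "dmn": [
        "ecpmedia.vn", "triactis.com", "promalaga.es", "siliconbeach-realestate.com",
        "bigbaguettes.eu", "web.ion.ag", "spacecitysisters.org",
        "abogadosaccidentetraficosevilla.es", "blacksirius.de", "sipstroysochi.ru",
        "foryourhealth.live", "schraven.de", "mardenherefordshire-pc.gov.uk",
        "pubweb.carnet.hr", "joyeriaorindia.com", "makeflowers.ru",
        "seevilla-dr-sturm.at", "podsosnami.ru", "stupbratt.no", "jsfg.com",
    ],
}
PRC_SET = set(CONFIG["prc"])
SVC_SUBSTRINGS = [s.lower() for s in CONFIG["svc"]]
DMN_SET = set(CONFIG["dmn"])


def would_kill_process(image_name):
    """True if the prc list names this process (assumed exact-name rule)."""
    return re.sub(r"\.exe$", "", image_name.lower()) in PRC_SET


def would_stop_service(service_name):
    """True if any svc entry occurs in the service name (assumed substring rule)."""
    name = service_name.lower()
    return any(sub in name for sub in SVC_SUBSTRINGS)


def is_beacon_domain(host):
    """True if host is a dmn entry the sample reports to (only when net is set)."""
    return CONFIG["net"] and host.lower() in DMN_SET


def targeted_on_host(processes, services):
    """Given a host inventory, list what this config would kill and stop."""
    return {
        "kill": [p for p in processes if would_kill_process(p)],
        "stop": [s for s in services if would_stop_service(s)],
    }


# Constructed System log lines in the wording of event 7036. Real 7036 messages
# carry the service display name; map it to the service name before matching.
SAMPLE_EVENTS = [
    "2022-01-24T10:00:01 7036 The Print Spooler service entered the stopped state.",
    "2022-01-24T10:00:02 7036 The VeeamBackupSvc service entered the stopped state.",
    "2022-01-24T10:00:03 7036 The SQLWriter service entered the stopped state.",
    "2022-01-24T10:00:04 7036 The VSS service entered the stopped state.",
    "2022-01-24T10:00:05 7036 The Sophos MCS Agent service entered the stopped state.",
    "2022-01-24T10:30:00 7036 The MSSQL$SQLEXPRESS service entered the stopped state.",
]
EVENT_RE = re.compile(r"^(\S+) 7036 The (.+?) service entered the stopped state\.$")


def detect_service_stop_burst(lines, window_seconds=60, threshold=3):
    """Return the service names of the first burst of at least `threshold`
    config-listed service stops within `window_seconds`, or [] if none."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m and would_stop_service(m.group(2)):
            hits.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    hits.sort()
    window = timedelta(seconds=window_seconds)
    for i, (start, _) in enumerate(hits):
        burst = [name for ts, name in hits[i:] if ts - start <= window]
        if len(burst) >= threshold:
            return burst
    return []


if __name__ == "__main__":
    print(targeted_on_host(["sqlservr.exe", "chrome.exe"], ["Spooler", "VeeamBackupSvc"]))
    print(detect_service_stop_burst(SAMPLE_EVENTS))
```

The burst detector is the useful half: a single backup service stopping is routine, but several entries from this svc list stopping within a minute on one host is the pre-encryption step of this family and should page before files start changing extension. The isolated SQL stop thirty minutes later in the constructed log is deliberately left unflagged.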

Extracted

Path

C:\vp3ss29p-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion vp3ss29p. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4DFCBB7B3FB22276 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/4DFCBB7B3FB22276 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: qaOS6uRbKrcRwUyHFGV5bOWvfEtEdWYq+Sepq3EUiIi/9oHQUyCJhP+ZMuP5RcVJ n57M2v1LSfttzuLZEdrQLBw1C35IXrrDnGEedvV6ESrKLLKVcn2RmvHq93BtBxZi Xd7g/aTnHq0TD9G1wthzGxD06QYV01KnteyjTVKVTfAfzo+GbKVaUJYdA1bWU2og Kh8bMlYyXNoPzBGr8a9FlEoB+b+0SwLyTURkDQzyLw0tfpdhR6+c+zhpL2L7/xQp u3Jsg2a49YHUEFZSOCw4+X2MWg69rUT1p8hyCtH59LGIEjI+wVLEnGLbL+ngLCIb MNQoDZbrLfGm1s8Vp7gztKjP9oQibj6jNaIRGYoIiAhtUET86N71CWV0jfCPL/Na gWPzDHNlO80jCXWcx+XRqoqGAhH+vvPOUoUshBP2Cmwk0dH408GEpX0/hBAwYM1f MkhHBoewG5VzXKqaLZHsDCDrI4uZ1x8fEhxc4JvEeZ7ZZDHanL23jERgXLzWjtG4 bcVHJKJughPxSCaZT9G5L6QjrV2EZjaN21gVigZHZRkdCvUKpElGgTzpr7oDlL6m D6636pHmvVcuZ7r+Yl6LEB6R7FXvj02Ep6xEZv6NdWiJDoOhEidqahU7YgEkwkTr gxg6In7jdkRbvcO4DlGjTJJk9OMTLEmyevbdV9KMKba+28P/vSF7Gw/pQ600XPVN dplmSW9GQThZVDzQjBtUpujDD340ZjPh4MYUKHL5hGrSa5862uQKvccOqo4wcQcV sFqIz3HvxRJdZeQl6r4WXG2KQ/C0fILCPE4YJSQbQf0lwJGRrgCE4I7BUAEMvKcn XhE9Gxhk/oiwmR6RcxdU1WpFMx2hLPMR3jVfKY/Cl7rQNnBYalxPWRcxEYKK40N/ HS1ZRWyOV4+DC/UpU8cYCh5YzSrLvcZNhDh/h9+ZyTdIVftfiuk9OWECRdR+Spio GhJ6DqioiS12NAcTFQtdE/hDPfWMQLdhC0rC6XqOJMi0yDvVQUhk9FKZprBjC+Tr V8yTiY3ykhKfMJw64qWMvgXeugz9zNmLaVAaD4R56IMp7YDzzwEWZ4/8Fe2+ujY5 WMpOv9IJBdYsan066peY0cnxmmUQq+dxJ+4mIbsefnphUnhg6amys7dq5hTeLIX1 T+hcY5pvcCJupyy26aHHr9++6AmCl4CuBG+h0vQHDC6IIw+NMZhegcjxUBSyhm29 exkHD+TMHgH7nrrOnUiKEK9GxahUJDaSLAT6TSVYT7LFMInhrv5P8cVaZS7DY2hp QXSDbmJ4tGTtQXsy6/hCwUjMTHppOdiDPzrs/g== Extension name: vp3ss29p ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4DFCBB7B3FB22276

http://decryptor.cc/4DFCBB7B3FB22276

Extracted

Path

C:\m33p89-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion m33p89. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DC87002C4E78C2B9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/DC87002C4E78C2B9 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: BnVa9R8+ukDMpeZ3tjHak2vbXpsdIkXWXu/2yrwQ0G0Isp+eP6GZIphHSPMXHxbR tPfNmHGH3zIfTLmwqJ68RJtJ4qmP3gKTSm+a0OuXUrXpBogfqJFCwNkS9Cg6Yr+T ec4t10ruSoZgkFyRnsUeUsgwxV+fbNy4oxs3CS/mHVJrTWFlxLYES+b57VEhXmt2 ESU4GgOwOzXYW1gbkKoM5Xu3DSDhIbMyhyx8AUS2bcH2cxLu623N8cUFpgtrnRXo l8p4xY63rFbfqdNTaHgGy8Ryy6fM+iMkV/Xu7HQdQ29t2kfZN/iRPwFNuEVIiq9J b6xfsgRAm0Ubcwl4dpL4M5TOpV7Vw/5B990iE7946mYT3qPlW4dsJZxq160CCwqd PMhIPoupajpcQxjmXZh9vMQCtRHt46BjfRKBT4DEFhqOGOqDFiPSf02++QIDX5fi cFijQhVtuzeQ1kik2WnIjN6T1iOjjRm28FKKmVknbiWqtPkTqdyRKgio6CrLd8WD YScEhSY6ti3Ef+i7P6ZN71BZwzKff13suCYc1DRcuv9BF1CDzqeQuCb6U3/XB09X KkhVulum8/lHD4rNBq26PotbfnMZi35V438x4ReTFWu74agGhQJpMyZ6Lt0rcTWa bWl6DPcmOn2pOH6XS/7cO/WhfoOjkhyjwYQeYrP9BfMzfcyozooZvkAVH5MBFG1Z xrYp1Y0tuT5WWmTwcJTOSfpoRBCfg2LHMeu/lVQ34r4r45Dng6nBgO/Gigm0rTnS zFMhuITiIWV1G+3tSmLDWrwtxl4nkjbnDw5x2G1jVidTht2/J4Dof/QjDlthsjz5 PLw2TDp+H+gwjjyizle1qpgRV/RwtFpad+kIZz/cE3tvCi6e8t6YrSMiji1YIPxG n+hDpEXueDFBJXRzy5J7jGoxAHrEKq4+TwPky4pjnPr6rbSGwW05iFV27smQizRO 04y0uwwWfTPDx0AKADfQvKhMFp8vikWTMfnY4bwQCOJZMyXnVPFgbdM8Qzy/r5kO z9y0qeV9oAr8+SMqQQ9nrxh9QIfuUprCqtR1qnXZrPU2U1AvTT7hOvNPG0E8xTHw KWLAhbZhc6nOvPPBe6/aYqlCnrGvfTKsDw76murlSF8+k9jhQ7YJKYX0RKncwuz2 tKnvZoa7CoXJMyr8sX9y7AQzhfd1PNQP+L5c0PR/nEnC+c3X+xTYAsMNxwrCzGq+ qizrx9twalaU2wwyAN6FXPebhJSxV1apdlDvp3Kqr5bl1bmoIeTvyPHU7i1swNbJ PWtU+cMAPUUoxX0BcqUj6g== Extension name: m33p89 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DC87002C4E78C2B9

http://decryptor.cc/DC87002C4E78C2B9
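The two dropped notes above are the ransom_template rendered for two infections of the same sample: {EXT} becomes the per-victim extension (vp3ss29p, m33p89), {UID} the victim identifier that ends both portal URLs, and {KEY} the base64 blob the victim is told to paste into the portal. Because extension and UID differ per host, they identify an infected machine, not the campaign; the campaign is identified by the pid/sub values and the onion portal. The block below is an added example, not part of the report or of the malware: it renders the template the way those notes are filled in and parses a note back into its fields, checking that the two extension mentions agree, that both URLs carry the same UID and that the key is valid base64 before the values are recorded. TEMPLATE is abridged from the ransom_template field (placeholder-carrying sentences kept verbatim, the rest replaced by "[...]"), and SAMPLE_KEY is a constructed base64 stand-in for the real key blob.

```python
"""
Added example, not part of the Triage report or of the malware: renders the
ransom_template placeholders ({EXT}, {UID}, {KEY}) and parses a dropped note
back into its fields with consistency checks.

TEMPLATE is abridged from the report's ransom_template field: sentences carrying
placeholders are verbatim, the rest is replaced by "[...]". SAMPLE_KEY is a
constructed base64 stand-in, split with a space the way the real blob is wrapped.
"""
import base64
import re

TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on you computer has "
    "expansion {EXT}. [...] b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "[...] b) Open our secondary website: http://decryptor.cc/{UID} [...] "
    "When you open our website, put the following data in the input form: "
    "Key: {KEY} Extension name: {EXT} [...] !!! DANGER !!! [...]"
)
SAMPLE_KEY = "QUJDREVGR0hJSktM TU5PUFFSU1RVVldYWVo="  # constructed: base64 of A..Z

EXT_RE = re.compile(r"has expansion ([A-Za-z0-9]+)\.")
ONION_RE = re.compile(r"(http://[a-z2-7]{56}\.onion)/([0-9A-Fa-f]+)")
CLEAR_RE = re.compile(r"(http://decryptor\.cc)/([0-9A-Fa-f]+)")
KEY_RE = re.compile(r"Key: (.+?) Extension name: ([A-Za-z0-9]+)", re.S)


def render_note(ext, uid, key, template=TEMPLATE):
    """Fill the template for one victim, as the sample does when dropping the note."""
    return template.format(EXT=ext, UID=uid, KEY=key)


def expected_note_name(ext):
    """Note file name per the ransom_oneliner ("Find {EXT}-readme.txt"); matches
    the dropped paths C:\\vp3ss29p-readme.txt and C:\\m33p89-readme.txt above."""
    return f"{ext}-readme.txt"


def parse_note(text):
    """Extract extension, victim UID, both portal URLs and the key from a note.
    Returns None if a required field is missing. 'consistent' is False when the
    two extension mentions or the two UIDs disagree, or the key is not base64."""
    ext = EXT_RE.search(text)
    onion = ONION_RE.search(text)
    clear = CLEAR_RE.search(text)
    key = KEY_RE.search(text)
    if not (ext and onion and clear and key):
        return None
    key_b64 = re.sub(r"\s+", "", key.group(1))  # the blob is wrapped across lines
    try:
        key_bytes = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        key_bytes = None
    return {
        "ext": ext.group(1),
        "uid": onion.group(2),
        "onion_url": onion.group(0),
        "clearnet_url": clear.group(0),
        "note_name": expected_note_name(ext.group(1)),
        "key_b64": key_b64,
        "key_bytes": key_bytes,
        "consistent": (
            ext.group(1) == key.group(2)
            and onion.group(2) == clear.group(2)
            and key_bytes is not None
        ),
    }


# The two victim values from the notes extracted above, rendered with the stand-in key.
SAMPLE_NOTE = render_note("vp3ss29p", "4DFCBB7B3FB22276", SAMPLE_KEY)
SECOND_NOTE = render_note("m33p89", "DC87002C4E78C2B9", SAMPLE_KEY)

if __name__ == "__main__":
    for note in (SAMPLE_NOTE, SECOND_NOTE):
        fields = parse_note(note)
        print(fields["note_name"], fields["uid"], fields["consistent"])
```

In an incident with many hosts, run parse_note over every *-readme.txt found and key the results on uid: one UID per host is expected, and a note whose two UIDs or two extensions disagree has been edited or mangled and should not be the copy you report.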

Targets

    • Target

      44121b64b55e6e88929a3166e48ba0dc8d96f06010c65638a8f52c1994a37ecc

    • Size

      154KB

    • MD5

      e2db4d7ba6666780ff4c5d0ff5278b2b

    • SHA1

      e7c71891ce5eee081190366f24549f161e44e9ea

    • SHA256

      44121b64b55e6e88929a3166e48ba0dc8d96f06010c65638a8f52c1994a37ecc

    • SHA512

      4d032519f312e82e79db79b028707d8f5131dd80d483a9520bc0f58d76931322917ee79779c1e39e5aad13027072983e511c2d0580077ada51c8ca4d919cca4d

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  Registry Run Keys / Startup Folder: T1060 (1)

Defense Evasion
  Modify Registry: T1112 (3)
  Install Root Certificate: T1130 (1)

Discovery
  Query Registry: T1012 (1)
  Peripheral Device Discovery: T1120 (1)
  System Information Discovery: T1082 (1)

Impact
  Defacement: T1491 (1)

Tasks