General

  • Target

    3de61229ab0819760f2a88ea16a6bdff49c9e6e9ab80d653bb45624aab1c36ee

  • Size

    140KB

  • Sample

    220124-cn82waabf8

  • MD5

    054714a9bbfa8b162784b81a741a38be

  • SHA1

    39abad5276c841b6002ff9d21f5d6476cc33e401

  • SHA256

    3de61229ab0819760f2a88ea16a6bdff49c9e6e9ab80d653bb45624aab1c36ee

  • SHA512

    a9f86d5f4a0b9248e00868379fed0be72c5654ca51d9997d4ec8e0f7452d86158f3a1e75e5937f33b31580ed25a24217f88da4a3f51d09545bfb8dbdda757447

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

Campaign

1428

C2


Attributes
  • net

    true

  • pid

    $2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

  • prc

    sqlservr

    excel

    sqbcoreservice

    powerpnt

    mydesktopservice

    dbsnmp

    msftesql

    steam

    sqlbrowser

    ocautoupds

    visio

    sqlagent

    thebat64

    outlook

    dbeng50

    mydesktopqos

    onenote

    sqlwriter

    tbirdconfig

    agntsvc

    infopath

    encsvc

    oracle

    synctime

    mysqld_nt

    thebat

    xfssvccon

    isqlplussvc

    wordpad

    mspub

    ocomm

    firefoxconfig

    msaccess

    winword

    mysqld

    mysqld_opt

    ocssd

    thunderbird

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1428

  • svc

    memtas

    veeam

    sophos

    vss

    svc$

    sql

    mepocs

    backup

Extracted

Path

C:\6dx6er4-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 6dx6er4.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/78858E2D2688AB4C
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/78858E2D2688AB4C
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: thH6AEs7DEOMJdy6zTtbK5nToxYlH/SG5ql2eMpiLo71FfjmMSY48NCtdmb31Smb sjUGVJpwVXPQgW7GSJryy31h92UmBKuXLBXVx6f/uR0Enf0w6yd/bJvp6kL5cEFo tniIxpCLXpvrXeGRFs1NWO7m8gImhpxbFSPXp51HqMy9x0Dm1Q65Nf609hlWZD9o PKzOkrBshwjL//8WZJWE03V5knoa7LO2aDO4ToXV2aNGsW2yzH3Jr4fTXW34lAGd /AXYxscX4eRXR+nUBiv5BZg/Ai5J+uNKBV+hPrpIId9xbl0965j0uavu2CSPwT7g w2Xl6q25XQb9qomUUIolzEHAdLwxlI0/rN2v3ZnfmpCCxYdguxBnU76sPOl2ZSmQ YVIY6yXfAMi0+kg0/rK6bFpzt1CmWMAe7ez55Vp1MI4/wNssXvR0+gu1RtuQganC k+62f+Sq31A1JDDbiVJRj6AEftkvoukX98E+jcE5TtCuH4qMa2c/GGnMXncdVc/1 wWguk5fI/4Sa5DhrSipyIPTjbemh3ZOExoXJy5AhUp3zy9iqiA+Jp4BFQHScSqAP j6Wtr3TokjnTP4Pv3ezRMgl/kurHHwFn0fQAh/TDA7dN7CH9DvYcmLH6j5EmBaLd SceKf2V3XNQzxJhQtV/RrYaWqBhsY74OUchl5wTfFM8G1XAg+01o+dcA2+LOcmm8 ObBY/06EPCX4k3i2MBQcP6xq1sXRVHkeOaFtjtNXUdHZTW+2PjMJTdMW0kT/sFwb k5cJVO+9ic6tEdnVPs++p+cKAudZm9AfQa54wkKH8XNda3BN49yQ4y5nkqh9OkkM IbxBMlRaZacgoFFLKK9hssArwPKZhnnf2lZRZxTrB5hJe+MWm+L9lysb9w8QJhX+ QNOOU6/qcw6xHUi529A5VLuu6SG5QAe2lrMRlXTtqMxqh7CSONlaKOpjCibOZW9W V3BzxYgIepKbCBjTK+yhscU4WWwzVrbm2wenrzIb3m5TuqYWut6dFqH7FJ6DVoCb WcrZI0bi585k8J59c3bSDYVHa5d53wDNKnB8WutTAsLOQ89crQTHNPdTOmZt2Zst vIhWwZfFPml4Je9qe7kbuRQNDvaDx5nrDZGxexjVWrlqfJLqDh/MtNluUYpIlSXu uNRpZvmMtIw1sU7YdLazTW/j/QXnAAJXmQaxUTYk+PaS7HmGyAa9TrMBTvFeTS4p 8X34Soc/Bu9TAbUOfxmbyH1WKwYxsdRgJIPy/u5TnxbfZfd8x5hDq4rJGT85gYYc CccOcogXYMYkuyNeX4kiQTzcZRialUzCIp4=
Extension name: 6dx6er4
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/78858E2D2688AB4C

http://decryptor.cc/78858E2D2688AB4C

Extracted

Path

C:\p6ga1e5mu4-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion p6ga1e5mu4.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B88847C1170AF12
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/5B88847C1170AF12
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: VqAJuODmeTJNPIjLQ8owvT10vLCHhZuydmGdSnmYwAjraDbuWwmubFozq1GYP6p0 EfAqqXVI8ZFF0fG0bI7h3CjLxM6nVT6KuiiW1/YlecONZ2DIEHCPa+ABAR0hgbv5 oJjpB3JWBfYVHM46BjWrAa5YOF5jOQHudgd0d07xezZb6aPbqydLdB5knxBN0qEN SFZTFhdYbF94/kka/ykacU6qE4mHHv5+0tKch5yUThlnNJmmNMx87fbn1bk7ZI7O g2xg/lme/HMLHfmj7qJUdl8uXyb3Ymkj4aKCyImI8gA4EEXM5m8r2VgIqA0Tcy/k 2Sef0Rc93yKkXma5VIh6lXJkVG+aA6UGY7XLLxuxINTiJEloaZa/hurJWl1Jvvuc SWQnd2bI51KYEPDtdP4QRolZ/Q9ZznAQXC8dRWuERgHkaP5AjD5HNhwKx4+n37Xm oC7ZI26WELnptVqJPwCWV5XbRMcl3DVdQchA53LcGk1nqIt9pniKYHoGUoL2UgD0 a5g2OoSjN3tOJqGBlpSm40VbbI1sMkvL3GmfBzPCLxA6WLLNix0ZldmHtL//IwIV 9zE2m6czay80Ng0X63zTNPHeKyoK1iTd1YCkSqpgMhxlj7Da9vR7Pb63Fzjak8KG NzmCg8QDNejIPE0f5dbbG33paLxdOqAmz3fzNwDZ49jL+sg7xIUoO7LeoabXN6sl N+/xqCp1uB279v13myIuw/rjqGYcY7TDooLnzKCkxzA56ZP5fEAO4/EjptoSD81e G5H6Yc+toDrzSvLxWjmSr5BX7lkoVVizMjtqugtv8q5oMq3SEqAaWoDeA9Fjh69I HkuGGB/5GxqTlhlhHuy1msd7B5iohMVWKn5vUkUKU8fd8jzQDEYqu93E7XsW9Z6S HtXMnE02Ha7p8MkZfug+nEnTqCW3zezIER6c1K6ccHNHiWyxnvXnj0bv6cIJ5qt3 5Dd2ugVQVlfGwDOW3O7Bv0ZGGgZaxKHc9DtfpS/Zj106LK3bRv5RWliaVGHJ0+eS YkF2HW0Awb0Uq+Z4TO7A39twJkp4dGMbT5/pCI4hVb02yUPrS437iZp1Rw9wyp4U a54xJsgJ3UTyeK2fK9ghuctMBNSuiugEpIRgEJECuGq7TvNTYIE6oy9FGRfhCJh/ LjLGHMrIVw1JNIAIShGGHJT48h9aKcCb/vs2F6oHqhNKrP6jZSLxwnfGlf2BlrNt tJfZKxNt+l22bBtrIIAplzcwSUWi74xBWuRTkjjrZStU0o/uOA2fR0okvitQPotR SbW0QKmsPDj3cdaK6JH/nl5b79jB3xKG
Extension name: p6ga1e5mu4
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B88847C1170AF12

http://decryptor.cc/5B88847C1170AF12

Targets


    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                            Count  ID
Persistence      Registry Run Keys / Startup Folder   1      T1060
Defense Evasion  Modify Registry                      3      T1112
Defense Evasion  Install Root Certificate             1      T1130
Discovery        Query Registry                       1      T1012
Discovery        Peripheral Device Discovery          1      T1120
Discovery        System Information Discovery         1      T1082
Impact           Defacement                           1      T1491
