General

  • Target

    3d17d8cbd1c4c8817e9f4e22e4bf12744742868829eb76a70ce87b5bf1f4dba2

  • Size

    136KB

  • Sample

    220124-cpdblaabf9

  • MD5

    0cca574fb86fd4e0df825d420437498e

  • SHA1

    4d44038628a97c075bf867c193232c758bcf58ea

  • SHA256

    3d17d8cbd1c4c8817e9f4e22e4bf12744742868829eb76a70ce87b5bf1f4dba2

  • SHA512

    d1fe1783445d8cb198c476e1d39989c5633c28788c4e26ecf6571e7ed6345acae48001bc36f87dcd636c9646c6488d6ddcab01b32457594277ac2f71b5a83f38

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$13Dqa2YKn6gqtWDkmps05u4RtQ1Hevo1/PDjTxFF7nvJ.uxQfKC0.

Campaign

1428

C2


Attributes

  • net

    true

  • pid

    $2a$10$13Dqa2YKn6gqtWDkmps05u4RtQ1Hevo1/PDjTxFF7nvJ.uxQfKC0.

  • prc

    xfssvccon

    tbirdconfig

    sqlwriter

    mysqld_nt

    dbsnmp

    mspub

    visio

    ocomm

    thebat

    synctime

    thebat64

    outlook

    mysqld

    mysqld_opt

    sqbcoreservice

    mydesktopqos

    agntsvc

    isqlplussvc

    dbeng50

    sqlagent

    oracle

    ocssd

    ocautoupds

    thunderbird

    wordpad

    powerpnt

    firefoxconfig

    sqlservr

    winword

    msftesql

    msaccess

    encsvc

    mydesktopservice

    excel

    steam

    sqlbrowser

    infopath

    onenote

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    sophos

    sql

    vss

    svc$

    veeam

    memtas

    mepocs

    backup

Extracted

Path

C:\ck471igk-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ck471igk. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7679ED2C7C224084 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/7679ED2C7C224084 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: [base64 key blob omitted] Extension name: ck471igk ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7679ED2C7C224084

http://decryptor.cc/7679ED2C7C224084

Extracted

Path

C:\32v8qpg99-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 32v8qpg99. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0EB31D0EFDBF1E71 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/0EB31D0EFDBF1E71 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: [base64 key blob omitted] Extension name: 32v8qpg99 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0EB31D0EFDBF1E71

http://decryptor.cc/0EB31D0EFDBF1E71

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • T1060 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (3)

  • T1130 Install Root Certificate (1)

Discovery

  • T1012 Query Registry (1)

  • T1120 Peripheral Device Discovery (1)

  • T1082 System Information Discovery (1)

Impact

  • T1491 Defacement (1)
