General

  • Target

    3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45

  • Size

    1MB

  • Sample

    220124-cqvx2aaccp

  • MD5

    bed6fc04aeb785815744706239a1f243

  • SHA1

    3d0649b5f76dbbff9f86b926afbd18ae028946bf

  • SHA256

    3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45

  • SHA512

    1ed873577545dc52ffe3516b10848a0474c7f30dbaeed95c67b9b5a690acf4045c05114231dc4350e60219dea00a7e2be4cedc81a9e8655de59831ac09f53100

Malware Config

Extracted

Family

sodinokibi

Botnet

1

Campaign

4

C2

domain3.com

domain2.com

domain1.com

Attributes

  • net

    false

  • pid

    1

  • prc

    mysql.exe

  • ransom_oneliner

    Image text

  • ransom_template

    Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://z2lnrdtp2u4tl7agvqfgnxr7jxu36egfhft3w6zklaq2fl5be7yt4gad.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://domain2.com/{UID} Page will ask you for the key, here it is: {KEY}

  • sub

    4

Targets

    • Target

      3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45

    Score
    9/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix
