General

  • Target

    338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294

  • Size

    164KB

  • Sample

    220124-crgf2aacc2

  • MD5

    327bd8a60fb54aaaba8718c890dda09d

  • SHA1

    11dc514565e12025e33668e9f41b99353db4628e

  • SHA256

    338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294

  • SHA512

    23ef833c7873085d8d3867f99ccebbf26244d74d59c977cfc8cf911e80539ce28f209ff9aac7a489147315a4b72f50b54713cce72bc7896e783aa15f818224e9

Malware Config

Extracted

Family

sodinokibi

Botnet

30

Campaign

128

C2


Attributes
  • net

    true

  • pid

    30

  • prc

    dbeng50

    excel

    firefoxconfig

    mysqld

    infopath

    msftesql

    winword

    dbsnmp

    thebat64

    wordpad

    ocomm

    msaccess

    sqlagent

    onenote

    isqlplussvc

    outlook

    synctime

    thunderbird

    sqbcoreservice

    mysqld_opt

    powerpnt

    mydesktopservice

    mspub

    mydesktopqos

    xfssvccon

    steam

    mysqld_nt

    visio

    sqlbrowser

    agntsvc

    ocssd

    ocautoupds

    sqlwriter

    tbirdconfig

    thebat

    sqlservr

    oracle

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.top/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    128

  • svc

    sql

    veeam

    vss

    svc$

    sophos

    backup

    mepocs

    memtas

Extracted

Path

C:\c0v9r-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion c0v9r.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CE5F1BFDA648CAEF

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/CE5F1BFDA648CAEF

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
WkA9ay9Q31IDkcGuj2dp9nixy2ooZ1PFqTyhCNXTBwqSMKi0QCt6okF/HNY3Vhib
REFc3lqdT0P5hMUosxqSQGhis4mlJA76Z6fMb2ChuO5aCuzDoHRpiP58n0OKR/Db
mDoq0CVFVozbn9pAxAKvpopdyPbZhNCoXwmG8ox9VpLY7mZy1kDyEpKzp4UzjaEk
9lSvrSwhR9igwZ/ZklmaxPMCDaFO2r2eZE2KmGgfXaqiPn/AcxR8m8k/gRgpxJ1m
+TTWLsopEYZkAbaDd5FrjMzFz8FEH44e/R/0ygFZT92uexQp2bIlQgHGIK0Mhufy
voT0eqS53putgWRbxPbHRCUmzVEnPg8AedeSsUelDIR1X445oKKAEi0FF8QGUlcG
r0xhfe4FkV6jeKG2mVPzj4V6bP8aT9IXWwghqLakxKnGCGN6lnkOzDIuI1w2tU+h
W2r6d4BtVwb/1lE1KSHMauhFcxidcCkjHed7qpFlZGDfV9cUPuTYuvo1loNUB9Nz
BIlRIqbicAnfYRG3IjcYLl2QxaEpfQ5nDxJSwwXFzcIR0oo+YPZcqDh1DheWMoDt
fFZ6D2PG/tIu5g2j7Rq/LVi2lkQNp0yQaHzFJ7AZ2IfSJIAkjjm13wu6e6FUzjpa
GxAgoiPgZ5uKuz6FmiuMTW6hEbCoYOul3mjIsB2An5WSN4JbaYPqYQTVj6gGE1JT
Np+xT/y4+ImeeGf359dlQv4NKRy7tElOMW/zxKkB0BCobspScy/u964ES5FEUGTu
5WSXwtS4QbzFK9bOkdYIdreXow5Ju3vveageKn5ZCmq4dt0qccjCklYX6JOSko6k
KJ7hKFeSpHEhNSZ/kFRVrcqNKq5fSj+uStS8GAccupBActqVDgzkkoqqNirJFzww
bYge6Hj/YxIy3cwybVvSuuRHf9L0vNgq4B88SDugOMTymI92Fp4O2OyLxOylZe4N
QhrXQlB8GPUzHly48ZbK39Cbkd+o4e1SFvWcaVgm3lQWJL5oj7475fMz1KksfU4c
LYuP4a5QaRNfZq+vbfL4+Et+pQpUIcjwqluhQuT5Ey/8jxcB95ikUDZuotDOhPAF
u3wtiZgmi1uQWc5AwsXmdlDPBdUzn76Gc88SdJl1VzVLDnj+OPEtJ9S5fdVEtR0A
Extension name: c0v9r

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CE5F1BFDA648CAEF

http://decryptor.top/CE5F1BFDA648CAEF

Extracted

Path

C:\t55fsxuuv-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion t55fsxuuv.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E863746DACC052E1

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/E863746DACC052E1

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
fzYV76UtO2XdxbRiGtkJj88uaHY1JJy7M0t4Q9XYXf4Wg+eYipG8FmeqcC5XUyKQ
nWURBBvuomxWGkStHOi7VMSNes5T0VfwTlL1O6jrXofECDy05/rMf48rjqQcih2s
KNoEV9EEwN050PHTl5S3XTo9nZukTDENPaxHqdUvSvj2N+eXpmapquUNKdS4JSk7
DMGAxgr7YcOBreC+sbSwBu4tXNQPgSJTx+Wtu2+Irs2BQ72KWIhH1naJPIdp9y1M
e7RXXEQH4J3GWy31DkCntf5RDDx8hM2ju7/voGXdpXb4pMPpGNKjCcXFXNYnNFh/
NourLT3AKTw6WtPKzfIBWtdfn2J2hV7oVeIl7hkNIprNb/u2taOD/6eVYoufBztg
97kP5rMaoD+DEQuCnmlQRfmIBhYOJzXYVBZ2EbG7aU4UAkKP9A2zxbuuUL4F6BEr
2p1nPwmuHcpAPZQ2QHOBC1mWVKRJqCVrFHZBGWFhliib4Lx613YwVyT7aTGNfy1R
3Z7llqOJcyBdOJGDbhxNM34jMcjqv7LqavIKZPfIemGLICeINaXmn+y93UOIFxRq
WV+ylUcg24RryMQMZ7vrWhm88fpXXAnBUwq0Dr677ybXSv3swu3/m1mOeSyPNNSO
kldNKuk+iHGgYDRxFLFXnpToDPgEp8A+SaUcCrw3d/Pn3VwnA6vH1oVdctH6J7tj
nSqSZX/rW4UgX9GM7eelCKng9PvRhO4S+TkiT+gkUV283XecwM65nkd5qZhftOqa
9D3NCOxf76Lj7Jj5kDI0XnYAfh3iY0fReINRa9S3hwTQQ9D2QUFkIhim+iiXhD8r
2XXkgZrbjqcJ/rV7Czhlo2oCMJPacK8xMZNZV//f1FTZ1V0e11eGpmWlDCT5YEbD
zrjYXZagU9/W2mEfm2qtsQfCAeoYYsQsnizzpjGaeWSpguqxedJnKANg/T/1Rfwb
cLngVVw5EAsqh3FQpuYPlOMPicNe/e1tfDXkdrhAJxMSxZtcf3l2wrFS22FldtEF
FXobdXSiAhQM9vwSyCsGj18qHYtAVIR+Q0BBS/R57tmHJBz8Mg8XwCGGTbMaseW6
M+IQ2/tzBOJjP9X2rqMw0Zm+WFBCxong2j61AvT+0+zYEpcra6tXoiPON5B53grw
Extension name: t55fsxuuv

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E863746DACC052E1

http://decryptor.top/E863746DACC052E1

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 2

    Install Root Certificate (T1130): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks