General

  • Target

    2afdacf8f6fd1ccdab90f6633c73ecd3ffeb8bb952949efe3a92681fecfb9334

  • Size

    226KB

  • Sample

    220124-ctfyaaace7

  • MD5

    ef5c73fb8f9cbebcb2ecedd1486fbe60

  • SHA1

    bacfe2bc6562cb5126b15960fafc3c720987165b

  • SHA256

    2afdacf8f6fd1ccdab90f6633c73ecd3ffeb8bb952949efe3a92681fecfb9334

  • SHA512

    588cb1d765f641682cc425cfcf87b2a8582b8299ef05b137b361208e8879c63dc0319dc5d4b95de5aa31c4f66044a3cf150de0e34ebea724d6791a90c495015c

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

99

C2


Attributes
  • net

    true

  • pid

    19

  • prc

    isqlplussvc

    firefoxconfig

    oracle

    ocssd

    powerpnt

    thebat64

    onenote

    sqlwriter

    outlook

    mysqld_nt

    excel

    sqlbrowser

    dbsnmp

    msaccess

    winword

    dbeng50

    visio

    ocautoupds

    encsvc

    tbirdconfig

    thebat

    sqlservr

    sqbcoreservice

    mysqld

    agntsvc

    xfssvccon

    mysqld_opt

    mydesktopservice

    ocomm

    msftesql

    thunderbird

    synctime

    infopath

    mydesktopqos

    mspub

    sqlagent

    wordpad

    steam

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    99

  • svc

    sql

    veeam

    backup

    memtas

    sophos

    svc$

    vss

    mepocs

Extracted

Path

C:\3cb0p-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 3cb0p. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48068D2B55B23C98 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/48068D2B55B23C98 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: bJX/2oVEhtToAkSmNcBky+QQUazM865BlxZns3ZJwR8ooZWCDsWSTCqiqr5/5VOH gLiz1DZei4WLF5/9nBOMIyZDuip6s+FQfGPelZXgDi4daVvsUJqJvM7uIPLwX9mK bgKB+ta1elMNnPyKhAbYa8Xkl6zuvLdw2EOc8zL5I7GbUqKedYVPfIP3rn1huTY2 q2Td6Dmw2xw+TVafHRMGnvIazlbF2Jn7Nu+HppXVamoD/RAzvwRsi+68qLry8mjq RPwBr+eWvwBti2nPS6wnuslqKj7OOlFZvn80ncHzaC4SZ9mC7M5bLf2MgMj72kpS yE9Yo7+dhr4MrWU/yozlXe4XwGwa6DA2zC523Zu5LX+Ld2FXkFxbO+nQ4vEtjhuX Nok65MT6fXJn9zSp4imoPBN81QjswfPOOv0ECCaYvH1kpxroqHCQlr+jEgNz6UyM YHnuhux9L8F6mnJq7rrEytQ4Xrhk4qPdnRtrNWS46lKf7pmFQgqUD+3VfP5ui88c 6n/fJr5ZcNflRUdIz8sVMvlYRdQg+AZfLqMgxvSrpjHbgPUOYp0kbJ06vGjFUN2t FiwLmccbU6O/DsO8zAef2jC7Y9D584XLVwAABZZeFsLlalLssSj+V1PmJ91bl3Za hQaU51WKARGEiRc7GqHk/wn3k99Ddos4bc8M7UXi2szj8kaPGfMHTjkMCo2I9aTB XpdgXEtNPpPtw2oet5owjzdc0T7Z+sIm9bJx3YBNM0f4D62L9LZsibOa/PBf5sPJ dPjt56XUMvtmkJ/4eHgnetmLj4az2Y1U2I4kI0rgt/baIJRY7Ttg3mS6yzJSmAlQ AT9kE3io2qVfNQa2wkhFnYXwzLrIqWt/BkLU9qSAbk8H+M+9pobH903b8Y0V8qjH BZBE2cjiSZnd7LMwpWdCojEhOVRV1RJaiLfIsyO0XO7bb1PJwIerX4lM/TnWSs71 jbf8lCg5F7AcNPXlRmg1LLUiwPCTDIOfgfyqSVmqjThg4IWaCm3FQnOqRDK7+DCY 8ZKkrQcgZkt7kfnH5MGGWJX/1OymuEIHr6aL5TPelCdBZ9Oo5mUe4qmVTirbHk1B QlNtnwl6w61R3ajzYssqzlH1s78r25teskSUuVuh3tz1TpCvXfgJkXIaK3sAYQ== Extension name: 3cb0p ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48068D2B55B23C98

http://decryptor.top/48068D2B55B23C98

Extracted

Path

C:\a0mfke-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion a0mfke. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EB958C8A2F69B93 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4EB958C8A2F69B93 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: x4yQu4H6pY0IAZ5jigElE/Hy8CQQD/VDZ28Qt8kn18W07wZrpyiAoWNM6oIWvcxQ LQv0BkwialYkNRI2EsNEDgflBrS1j2zHE1BVXaTzCN05OiFiWUChApJUb5+Y3C1T 3YC/p89FlOYgGufQ+GfUeYff9HkOV4zGAOR7C7NUjtDuKqf7xgUyZ8jq2zXnhqs0 AIiJESaYv/bzqlK8b/mWbGa8jw2bUewPOXZiPD9tD2RjdRvXxD/TVdj+mrSNuuOY /9UQnO4DSEnLtf2mtXRMcPP/09m4AM1iGaWG5APREnRWiwOuGrgwpUrLQjEFg4si VrLX0geMp8Xj6yAwmTtSJSEpQcRvs80Ki2RCmKi7zacGkOksc8424NosI0/pj++H kyKCBLK4gFb4QNny/zursQTlvhvzt5IbD6qZS7vTiL9swE3tb+RXwi+AxllxMMMO Vs7ytz9SQjqSYU36rFxChxTk03AsZHn/nXq38hcA3dPAtwLQDPTfe8XOQi59KhEG dQ6lIA5+SZCw2Kr3LD+6dpcc308bMxJFK7u8GFAvceW/0/9DzJCuUpFvVG9uFIcW 0wEobdEmIl+QyL6/7UtmbTkfc3IhQnxH3OuKbPv/vBANWbUzksTIG3+gXEgZkY9h zDLMmrUuco79q6vHfDLpRJHZlUSP/d1qin2X7DCblRPqJ5uk9HY9ggARQtLppuO0 inkQUxYGq6KyuLaW7kVne2xgaoOscIZHGILiyqY3IZeCDU81UWqfwpsVoCf+c8m8 LUKysnETp0EV9JKDROVbD0zhGmLcsaj8SGUx/sTBhsb65qNkL9ZQVOzkG7ul+A7q 5kWI0t3CpPPVvwkz0wWtL4LCIcg2TezBJKald6L2vAcHv1TcgN00hmxIjP6UyKlm vUqe+MOHvmYOeBOJrMiSIpgLn3uKHjjtW7MjMDKy7h8kesYphCcW5lmGe1jT+EUq XNx7qZVGKAbYtMuqWzYSiLJiyPPbix6CgNw0rvzftMdKjs6x0L2Qai/vnu5LTAoA DOdOunrLr5gm7ZyENI5U55BhL1ILISkr3qfj8Qa/S3GU7zvezf/MW4VFjO1m/KR4 8L3/++qsLibpXSz/LlxL3yPnyBEJ54A0xuMajDu+P6hoRHRXVZHpog== Extension name: a0mfke ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EB958C8A2F69B93

http://decryptor.top/4EB958C8A2F69B93

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Modify Registry (T1112): 2

  • Install Root Certificate (T1130): 1

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Impact

  • Defacement (T1491): 1

Tasks