General

  • Target

    2a2c69a2f96fd1e6e24c94e46e42159a82b03c0c7dceb5bb3b8b3b6c3515de56

  • Size

    139KB

  • Sample

    220124-cttt5sachl

  • MD5

    8cfdcac134e0956a534d9d8dad8885e6

  • SHA1

    0e76472934d01dcb2d84b7ce4fba7af60e5d7e3d

  • SHA256

    2a2c69a2f96fd1e6e24c94e46e42159a82b03c0c7dceb5bb3b8b3b6c3515de56

  • SHA512

    808101dfe7ad5fe1439f5d398d4845efcf67c08e53eb70368cd294dde4dcb7b93c02555bddd92bdf58c9e99f3d6aaf50b3449e01bac29bfdcf8dd669f546a11a

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$vzRhQqNarfixQkUcwCGIyum7d7U4uuKwnsmnNiEq7Mtc7nDeVn.Xm

Campaign

1428

C2


Attributes

  • net

    true

  • pid

    $2a$10$vzRhQqNarfixQkUcwCGIyum7d7U4uuKwnsmnNiEq7Mtc7nDeVn.Xm

  • prc

    synctime

    encsvc

    sqlbrowser

    sqbcoreservice

    msftesql

    ocssd

    thunderbird

    thebat

    ocomm

    mysqld

    dbsnmp

    sqlwriter

    visio

    wordpad

    winword

    mydesktopqos

    ocautoupds

    agntsvc

    oracle

    infopath

    onenote

    dbeng50

    sqlservr

    sqlagent

    mydesktopservice

    thebat64

    firefoxconfig

    steam

    mspub

    powerpnt

    mysqld_nt

    mysqld_opt

    outlook

    msaccess

    tbirdconfig

    xfssvccon

    isqlplussvc

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    backup

    memtas

    mepocs

    sophos

    sql

    veeam

    svc$

    vss

Extracted

Path

C:\y6zb175v9c-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion y6zb175v9c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5C7ED4D345EFECCF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5C7ED4D345EFECCF Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: /1r/UdtD//3V6XE2AE5s5LuevRLgPVXMF3Q8hP+/IeW3J5J5/0mo8Lkm24wIrsSs 8fvDfHLv19xd7i2oOkKaZgervlQ1V0S5MdWgkKGNnAuml1PifO7iJ5QBc7GEaDPG YjVlavSMFhq6FWdLjGTiqx3OrxiMSWMxbw2tDvEKg/MG04zEo5OuoElqyhJMF7J6 bArJYcbREIB34s024kUJAfHFwHFr5l/iZXvJwWkjRB/FuNYiUFquc5DssHzjB4+b VZD4V7ieSrLo4s+h6QYULTMYItpbGhhIaRXEoDs0MUPKhTQosq3yqbpp6xN2D3x7 Tg5ZuBWjRjLG92GrjTWgzIfVxCEafPwbx3LonfVqR6wH7MMLBAsEsR7dsg+eGty2 4v5lg07/dMmUzin8+l8Tz1hzkQXAs3TCtjdWfNESdv5UjzW5lrs5Nh5zfbSlBMNd Nuip5nf7ecWHq86P3ibe831VyO+AbAQTNrMxP4DvsROTs+TUZE1jX8NcmNYWGdUW x4XXQUHcgQNczF4+qdbIL8OByuyObzLVvqfTs1SKNJ1QoZhwBnCm4PO/PDY/mNLi lPEpT+sFEJfOe4LpMqSjadvJFN+JCHg2Ts8mne+5q34cYav02jkqg1jKKvE2eQqr u7wXpw7avugUEsbW4XlD6pjhdds+Y48MfN94UQcR8tr+pj4MQalACsGUcxYnqFwW UEiF5gq/fmR0F4evyrtzi1FAXwzQ2OBwd0sK4udwB4Kk6gqoFEhF3D3CtwKElj3Y MEGBNwNTz0tcZFfxrK9DxrGll/ZStJQg7scLvsphKQIeLYjpOTKpHIri4otqP1W/ pVQd1zR9VsR5FbvNAIeOfE4D2DG6z9MZPwlVEn0rpKvpG1Eow020zDb2t+qUYi4V kFgagqp1v6NMI+Zzv+Lra63P8pIG2LClKvZ6qrhoDDwoBS7PESpl2NVvINz24rSn 0DEkeLXy2gOwmgB2Stn+ut+DKe/5lydhH/V8nIiXGC0hLUmfV/l67vom/EkFHq+p kM6YVvPSgcHYgRHj6AbEE6iI2JNHlHfekAXQslGy4l8DRX2I3XIW9j4rBXFiqewR JI8BOQM/1Zl/XzVLbYUgxkwJ5zQOzTSMIOXWPoMiDaO/KRMRa9FS8yv4OryWpXXN w9+EfHi3rto6zU1cURup8hFI5B6p3e/XBAsQ3HuqFGcM8qfmNUd5gFUru7zdzLv6 GB/RIkJkQ42RnmLnVj6kYFgWYIXvAwiJChegu5ZRRCDrc7zqnH8p4Zjp8H1WvwQk 7qVK/ndzWQJjd0NvO0616Hvq8BR4DQVqe5DXBZIXvjw= Extension name: y6zb175v9c ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5C7ED4D345EFECCF

http://decryptor.cc/5C7ED4D345EFECCF

Extracted

Path

C:\hy27m07e-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion hy27m07e. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/825AB5C860FD87E4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/825AB5C860FD87E4 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: W+tT1bRoouldcFDtcEYGgK7Fn8H6ru3D2UmrBxPe+UBHWoz1zKjc+2PNqTFW8I1i 72nakTeBsuVjqD6y0tAuWY/QCZABM1f83xH6NC2oiQtPBu8VHI5pScafuoI6sI/s aM44cPVWVkPFBlF1gmb8ZkrPUl9tryowMEMJeMZlOBUrnxDkrua4eisSb1viuN7E ZV/xJIQTfFELUGF33iVa6FwrNG3dNLt0N37HQuYRlh8jxumU/LwaysBa5Wb/Xh6P rwQcyIKCjJLXchSXIdz/uZBteyK4G0zhEc9inQzUDnCDqrkjfwpCbc5Sh3mQQnsd dLUsj44rkfSqMTTuz60IS3YJXW/e/4G1UYWtbODlJsm71ACe74zIpBHx7dH1d10a Ewyp7gOV+wSQEn9GEovocdoWLf2CkCCfNA0FAbhtOiwvs4KflfPZB15CkuYPhcFW SjwN+iWZvZgIUX/3Vp910oGJ9L3tnQjme4Dr9fgRXd2+JYjT//P+TAfBd9jfVgV2 SukqV3OOamUqpnFG8VzUh+GVo4D88L8Pu+LVUTszYFkPs7p4AGPVBQbDU6eDtl6x IqZ+11dOKVucrptTBKse1zvdj0H9ek27Dc/wjp+AlJVTSuroktsKKvQ7yRFj+Ndo A7xbwfm1cDZRyTfC8bX51XbzPVNjKiiqpQ2VVhVWh3/MLKgY00tW2KU6ScnYj1io 0zOZg3TvMKcg+eceApy7Xu/8XeBP+Ia8cz2QhedVv40R2nghRdBBjDwxhc9TVQ+K 73C8Js3WCRw7nOlG0c251P9MvLtKVOcowzC8MSmeWZsIGYgiyfduuatZZrAzuW/j t9UckEgNk6+1UkG8au99y5MHprWoLVRSU+yhNYnor3SYNg252wzhJBPPt1O9acaD ya1J2FCXbiWnwJZe0St4zRAWniWHKGMxlpKGoam0XWUjxj+iWUNyUTO5rp32Lfp1 nqKIQmwfp3kwff//xkWVRrJDIjgKzdZNDanAwd8wZwO/SteJT1nUeHDpAnjEPD68 WFI3xGKktxA5yGEOuGo4YC9LTyGLZDyEwrD7IP3DulR9yWcm5ALCY/9UGZY9xApx 98ajY5Zq2H6Cq8ffQmVRtyZHWHT+X7aeh2MDiefOIx0Q/1lkZCL1RaVp7IHn5DPw CmHyU5OwVxHYMQbZXnJfjebABIzDCX3VsaL8TBQsW49xMqjIO/ANohgc5ZoD1iup OSctzlfHPUhyaYVfw4zOI2glX5gSgSTCpYjuulsJQL5pVDNzfSWDACu+YKJEyB97 TeuyzYbaAMfvoGbOOnaRn8gn9Wg= Extension name: hy27m07e ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/825AB5C860FD87E4

http://decryptor.cc/825AB5C860FD87E4

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder: T1060 (1)

Defense Evasion

  • Modify Registry: T1112 (3)

  • Install Root Certificate: T1130 (1)

Discovery

  • Query Registry: T1012 (1)

  • Peripheral Device Discovery: T1120 (1)

  • System Information Discovery: T1082 (1)

Impact

  • Defacement: T1491 (1)

Tasks