General

  • Target

    29ad3ad31948e4a58d4a6402b5dccdd5bfa384b996fb7ff94b7f4be29929b05e

  • Size

    166KB

  • Sample

    220124-ctx7kaacf3

  • MD5

    72e82c3418eefd708ef7887848278760

  • SHA1

    cda4b494105853375379ae9009152a274e8880b2

  • SHA256

    29ad3ad31948e4a58d4a6402b5dccdd5bfa384b996fb7ff94b7f4be29929b05e

  • SHA512

    5041aaf1e8246933a1df0b34bb8772b7d7573a6767c29f728addabb89c5800701e552f5794f3e109cb9fb7b95190e2f96c115bbc9dcb86942bfa7bd56d3b5e5c

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$EexBKJboSGx7rhv9nZHif.Mbiht5KcVBTHgjgLd4P5BsKEZrqEcK.

Campaign

1428

C2

architekturbuero-wagner.net

socialonemedia.com

nuzech.com

kafu.ch

mediaacademy-iraq.org

pocket-opera.de

katiekerr.co.uk

bodyforwife.com

commercialboatbuilding.com

naturalrapids.com

mapawood.com

fiscalsort.com

baylegacy.com

koko-nora.dk

markelbroch.com

hexcreatives.co

kamienny-dywan24.pl

shsthepapercut.com

destinationclients.fr

shonacox.com

Attributes

  • net

    true

  • pid

    $2a$10$EexBKJboSGx7rhv9nZHif.Mbiht5KcVBTHgjgLd4P5BsKEZrqEcK.

  • prc

    mydesktopqos

    thebat64

    encsvc

    powerpnt

    thebat

    mydesktopservice

    outlook

    msaccess

    ocautoupds

    excel

    msftesql

    infopath

    xfssvccon

    thunderbird

    visio

    steam

    winword

    mysqld_opt

    sqlagent

    sqbcoreservice

    firefoxconfig

    tbirdconfig

    wordpad

    mysqld_nt

    mspub

    ocssd

    onenote

    dbeng50

    dbsnmp

    sqlservr

    sqlwriter

    oracle

    sqlbrowser

    synctime

    agntsvc

    isqlplussvc

    ocomm

    mysqld

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    svc$

    sophos

    memtas

    backup

    veeam

    vss

    mepocs

    sql

Extracted

Path

C:\lnwst6-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion lnwst6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3ED1820CDD37FF1C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3ED1820CDD37FF1C Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: xheWJiSKVTXVoNygG+Pt1f5+FJcHMal334wrSyzWndmPTbhU0t+9jos4gt9+K/zG Tkkg08QS0KE1+u+aI3bXP1QE4LqK4PACEddEhiWuWZhM78r7vaMa7V8/VRyI5kSm YjMGKJ2ALeWjLkQ1YHKRGXkVN85cLcztUouJritCBZ7lhtUXY8cpFXy68yrr3a9E +Bh85PyqHT3McLiR1CvYIZ3ZsbI3tRgMl5/w3tRBLubmNYDcwNFot1SYJjzw3J/0 JGN2zBLpAOSj6/kpq0mpsUgAfGRqaLvZ10ePin2Whyuw15M8kzZrxbbu48d8gdyk hUttNlHRm8mhk3HbkIbNZqZwB0fI4ARSveX+6qNEu+bWtVOHIDmLYz+lRIr+Nkh/ 8h/7JH1oikfEqhriskwahHMuFZbFoAsEdx0srsBAHlijutukpiDY3EuKzifsIvqr gzSfXbh3ibUPWVrBSbIAbTlmXhlQO8y6Y75MsU2Y90KVTsuS0bUctMA9VY9Hk24s 2+cQ5mUASN6LLhwJ0qGIC0y46kYPK7PNRJbIELhNSaP0P5R6DnvuZvPVRFUNWAwr zEaECfPoIrHA66Y9VUAY/uM3yXgXfNh4Gbqp1L7LTAmwaPGS4JCx0oKCxxZ//t6p 4wQVLL7OrkkzyzsewLwI+L7e/POatIAopEd/mqj4dkl+0OPV2ZJARMm5ZaXdWhNg fB3XG4nwnpcjPtcwFqq2DRpjnw5wRMQsvG7uh6ZcMvJYivjNZ4xeKErw4ZAFABqt cAsiZZtMF08cQcC4jSL6FYXKZLt3Ji/npLvcHV3YgBjEBBWFm5hiFtxWytLmYREY ONcXPyngkIz5LNZzwEt/cwZHXOkLshwhld7O8l6QtvQKvK4+rrSBQVbHrPxPq/Wn In1hMEDuMw9f8RD7+joe7Uqw9Hc6nMc9C6gah44rc1SYi3ZSmEVuGzzQNh0oyaPg nn6iBZCyIc7Ich3e3Xkyq0nwhLtJNENd1vuwsdrhaCva3Lg+M6ruL27H/w2Ypop+ J32ZufPIIkHAMS5upIb1gw++s/BbP/nu8ql2/25moIgzOZcPCtVGw+VYBVC9hRQ0 BubJgyPmi60s5GTB6qudqKdmwTHhyXxQMuf1aSZH1+kuSDqLSIXQdomE5LMvkwIT PpRs+I/fci5c37ZgWifMkv4YYE+mD/djiOb8H5p0RopHt8Dj5Dm8U8U1pC7QbMM7 jto3dXiYFyCl+EVWmlcBT9XzGtsx2yi+EFrH2k4bYTAZXckPKyVTy0j0f8fAwahQ 9s4tPeFrBvW7Es9zOSXDAkTAgLv/PUy+ Extension name: lnwst6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3ED1820CDD37FF1C

http://decryptor.cc/3ED1820CDD37FF1C

Extracted

Path

C:\d43a4-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion d43a4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7A474367F3126EC3 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/7A474367F3126EC3 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: gOAX8lhahutZEGL75k4tiSnRoLt0sCMrD5ZU91wQq4VWsBrw+o4LMvkGh9f90rJM lCwAV+tvH5gBirKM/BzY8mQNecPIWjs7woe1HnmuRgvE6wMuJC6q+Jx1+zz/qAt4 xq7RnoVN+xPQN2+WPgSro6GUy4iU0HpJxvGH5BrNEoV+vZEHO16P3O7wpddTYy/z lnU0K16nj+yaSAZOJ9zMytPouGBXp34S2bijx56V/S+YmuNc1EnrSxwTYogDgcIA Z74KOr9Lkp9KrTpiwKDJmvQmuh/BS1IZ4OVDiW+tcZxeEuLlj6B7BYOfgWKB5NkY 492MjjDNBHRB+sg2icpOWoQB7VHKbtVtFdR4f8kinamHIrIKEwQukaC/g5a0DKy3 GOvPDYYTKD7PYjEI73LNsBWSlX2l9Kq+nexowdf/M5DhoHQUcBlrE9pkqnDhFyNc bRjvJn1bbQZtUCq3t6oOshgaM7+BYfG63N1EIFT+CHvz33Lq4dyXGLggZ6EqR5Mn CqPsqdGUEA14fKI0vtZXMlY6WxY5P5Rw3aqmHu5pPLqhmnfi3f8csj6VFaTF++ha VE4RFiz4xEiX4diiEnP49e06zOHjDURE9jVd9cOPanV4JzVtY29w09c7scZfGJyV pCMHBd7H5RifrQFGrghaJw/pTpWdqiWE0K/QpUGGgxc4lP2qPZ9BqwX7hrxjEuPk PE1bBVQTmcxRmWKcmhj+jt9hZYoDX9KCHPZy0mPI2t1BkjS6Q0VEPWxkBBgUQkpq 2wO9lZEWWJFowFpydUqO8+yuePamm1ByiU6gK+2l+wZj86zc1ypcLQL1wQAB44m4 9DaWVaZrXgNjxDr70KrDh3xWtowTAKItk5x6mEjdL7Mn6scWe6JUTb4PCqmX8twV a88S6VWXdJQOq2yeitt/jeuymh9ZdxDY1g7QnUSW1XU4p2OTO//VIHnek/8gWQa1 q1zWtNomLL5UuACzKu1PDwX0UN1SP1yI7G3/O7hKLI6JtfR1xT7MN9nncu05WT/i hSZt1E9kI55AchKb8qB3EUQVpSYgdqUfPKCP1OHVGLCyqkkaEMS22Ao+jbc5Q1gj 2pPO5FXj7LEvshdaj8haYYq5X92SH4huSOUtdnBtUAV67+Q9R/aaMt29qJqR8daI kSdWUKPebFtjg5gH/wOl32Vtz8Ua3fxZxSwXLIxEW8Qu+2BwIVxK7VnwSHj6LsAc HRcmyCDqb+SOtWCoYq5EggACS5aeeLY/5v+Dkwx45ahBsfRjSFDAAOlezw6UcdEe X/uqIO1hbtly2/e31g4= Extension name: d43a4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7A474367F3126EC3

http://decryptor.cc/7A474367F3126EC3

Targets

    • Target

      29ad3ad31948e4a58d4a6402b5dccdd5bfa384b996fb7ff94b7f4be29929b05e

    • Size

      166KB

    • MD5

      72e82c3418eefd708ef7887848278760

    • SHA1

      cda4b494105853375379ae9009152a274e8880b2

    • SHA256

      29ad3ad31948e4a58d4a6402b5dccdd5bfa384b996fb7ff94b7f4be29929b05e

    • SHA512

      5041aaf1e8246933a1df0b34bb8772b7d7573a6767c29f728addabb89c5800701e552f5794f3e109cb9fb7b95190e2f96c115bbc9dcb86942bfa7bd56d3b5e5c

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Impact

  • Defacement (T1491): 1

Tasks