General

  • Target

    2793b9a4cfa9d05d63db4cdf0f4ad64b48a02468de5b30769459bd7d3cb6f17c

  • Size

    182KB

  • Sample

    220124-cvasnaachr

  • MD5

    1a17d38237b1becd68c4cd246e39b124

  • SHA1

    deea18fbb1cdc4e03fe069db2e85d458c1d017f9

  • SHA256

    2793b9a4cfa9d05d63db4cdf0f4ad64b48a02468de5b30769459bd7d3cb6f17c

  • SHA512

    f78b6adea3ae41ab3acb265de9957514a6175990f01e2a1af44dcd805205802c257e3555c9c0d61877fc40f80bfb56d7d997755312cdadfddcf73abc3fb4b467

Malware Config

Extracted

Family

sodinokibi

Botnet

36

Campaign

3099

C2

beautychance.se

crediacces.com

lubetkinmediacompanies.com

almosthomedogrescue.dog

adultgamezone.com

hotelzentral.at

hebkft.hu

ki-lowroermond.nl

blacksirius.de

baylegacy.com

glennroberts.co.nz

profectis.de

klimt2012.info

ladelirante.fr

oldschoolfun.net

schmalhorst.de

partnertaxi.sk

brevitempore.net

ihr-news.jp

offroadbeasts.com

Attributes

  • net

    true

  • pid

    36

  • prc

    isqlplussvc

    xfssvccon

    steam

    wordpad

    mydesktopqos

    ocssd

    agntsvc

    thunderbird

    outlook

    synctime

    dbsnmp

    mydesktopservice

    firefox

    sqbcoreservice

    dbeng50

    encsvc

    thebat

    msaccess

    tbirdconfig

    mspub

    visio

    excel

    sql

    oracle

    ocautoupds

    infopath

    ocomm

    powerpnt

    winword

    onenote

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3099

  • svc

    svc$

    sql

    mepocs

    vss

    memtas

    veeam

    backup

    sophos

Extracted

Path

C:\03ivla8-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 03ivla8. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E4D70F800FA15AC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/9E4D70F800FA15AC Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: eycFzvyILvmi0qgFc+c6ZSgB4pofR13/xo25EaEvBRin44E4wbhi7BZc/lPQoHY5 IARDo52Axs0yeAPzK9HjUwi3bFeBgNkeHayMIv405lgPmSSEl2gH/ikT2lIK1uYk 5jwNtlDN9E9fMALFFAL9xygQGKgu7M6ZH8dpdMyed8iLZVDYPNWoVLPWwfqTRd+S v6gb1gA528uIIbZYdiqG8zzXCiREUC7LZRK9wIQ5AudFagJxVWs18uRzgXdhIz5G xkF9HjotkTXFnwVEKig3Lhpgzt3lnZWutFmnvUy7L6Peeybt9UCCUzD8nDlCF8TK IDlg6DzK+Q1IAfzNCqQ6g56Cp7fZTZ701wUVwT2KSLOuAbtENWEA+g+O+AYV4dHN 1GEL+aySWln8TlgJNJsJjOnzcEo+mDiM3osZDrUL9HczWrCiHLyuAIxGfS7yHihf Gt5qCs9Rkb0SdxqMUqpX9iJ4d6MQty90Pl9R9yr0fmd02rhXgv1JFDj6TdLU5c2t kQhmeMGTsQOLu6LCdR6HLvQ10H9QEczwIGw9xq+/S7jWfwU6cbKTbp1ciXmOiXI5 OoKAp0qwOmIV16Nr+DvpwNCxzpoLx1PEpT/N/oMCT+mch8GnbvgtxSPUCJX97puN W+HzH3Z0sd2tQ6fJ5bVPYyfsdpKPrljNP1dSQMtnuY87iSkmpUphY/660TNkfb3v hS2+crLB+cRVepRNabPBaARjdR6diCoEGUxec5DPfkWkd/UP0SPQNAlgmebnDx3o QxyDi7ea/OPdWv9JZuwbYf844l9Ol0GbFzsoDY0IlkT3BC8KF5aFuh8PbMVHzh5l aYxcoirJwGMNgvMCHdRzeXEPGTcUvgDxzYZ5gGPwj4Ahvg5IdxOOgO0VBkjSrZQa pzfn4acW9Nz6YlcYYuWiaFmbw+aOm2tBblDfuV3SjectPZAVay1wrqMGjch8704M Bli4eBtnyf9cUwd/oNe2gDpnkIm61IMYQYKVRzFOb69+N8ONoAfzamYlL8OPpAaF d2NHCg3KHR6GRSdu9ig6Q14rfEr2jq6OAmcNkyElBzvb5Ynd7XCEmC4blIAfHQmm KEZp/hAnzn6sIRGcXThP3woheCVQSmWhPJOdXiJ7qOtrPjShFCvsp15Ry6hpZF5p qnLA+PR9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E4D70F800FA15AC

http://decryptor.cc/9E4D70F800FA15AC

Extracted

Path

C:\742mey458-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 742mey458. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7B6AFAA1BFE4A2AC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/7B6AFAA1BFE4A2AC Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Ne946PbMdxcQ5pn30zsMYlZNKaRbHcAJ+Ssc0RsWK9IbhEaGSCkcFMk4olJuUSuG pDCc+rXzPvk7AW9J3Cc6Az/RAQxQ9KGiRBb/ggl/tZHX8dV2OAbHuN9garf4glPF gKrT8MfLEnmCTxRDSf70442IqDxtMUuLTmk6VmMVO/SYQioLsSNZUV7xTyc4ShGU weQSiEIzD79N4V2RklBA0urd8Y1RiZ1N/Ig3+Vy3MN7WdOPnq4h2c4Rh0LCzKLm1 vXIgoZKUneCE8kdbMyc7U2yn/hNPghCcv5YCqoEBZNzR1ls+wScRj4XSAtRo7ZSP u20TI6eHCUXl56hbEUE9evaa7OJxMiouij3Qqmmwq/iRqC3fbIYLFssXlS+vcJil OvT0yrxYdZJVcJQ+cPPL2dRQk7C/MlrkZGwI9LKEzTxWRMk2Bj1RiaAyhLgYmP5R rpkFy05kyLX2GBFDjH+xuUSzDXc/M3lajpkXDAqWgFZtm18ONFt58b4lVIfeV8qO h8nBXE9GtOfzkypqx0w7ddkf2/obUKRK2siXUMlRUkA9EtsA8RTzyvIvDRl9bb1p eOcaso0r7hare/PFZH5ipqUHUYM4cvKIUWW/WTtBB2UQdJawiywYmoIi8ZqNadAi 8anKvNI5Iw7ugoGJMY9enBZxQxxdhHzcosGqhXOzroGEpHoeYkVSPQdGA8O+F8jc iro6r7r8LNNN5BU3t69qFSHeiUjWBUgou1VXS/7WmPTGIdMDxOkiPTlH+o+oplZ3 8kM7156Wfvx7pHFrfw5ZyvJK9swrV800Dkj+LU+vw0KL2Wc+mW62bQF2xwzoViEo QoMFbpxzhRFbc6ANU96dID/RHQKNiaxF7/umDaaPuvlsr6NTiJvrRwoWcOyc/VwZ mEo1tQaju6AYMTgMJFVQqgbpSIy1D9NkX+AJ0cJuTPxZuw1SQ0BjfVX9dpTwiHr+ X/oATlxlJPv23L1U0JT1EkPZfG6lC2vR6VbpZmYDKbsbsGlCTL+Ynkc9G30zYTiX Ff9eDo9nVu3HYFbfF2UQJln/tp1s0QwQib4hS8R8y7MSbOGt2OlWF6kkIrlYmcR+ S/oxpBxoXGDEmo49ecWjkC5+ReJfSIYdehltQlNDC04Z7eoqfhc1O9uTpg6wXO9v HE0= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7B6AFAA1BFE4A2AC

http://decryptor.cc/7B6AFAA1BFE4A2AC

Targets

    • Target

      2793b9a4cfa9d05d63db4cdf0f4ad64b48a02468de5b30769459bd7d3cb6f17c

    • Size

      182KB

    • MD5

      1a17d38237b1becd68c4cd246e39b124

    • SHA1

      deea18fbb1cdc4e03fe069db2e85d458c1d017f9

    • SHA256

      2793b9a4cfa9d05d63db4cdf0f4ad64b48a02468de5b30769459bd7d3cb6f17c

    • SHA512

      f78b6adea3ae41ab3acb265de9957514a6175990f01e2a1af44dcd805205802c257e3555c9c0d61877fc40f80bfb56d7d997755312cdadfddcf73abc3fb4b467

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                            Count  ID
Persistence      Registry Run Keys / Startup Folder   1      T1060
Defense Evasion  Modify Registry                      2      T1112
Discovery        Query Registry                       1      T1012
Discovery        Peripheral Device Discovery          1      T1120
Discovery        System Information Discovery         1      T1082
Impact           Defacement                           1      T1491
