General

  • Target

    1bf0a4e28bf8d9858900da8597b04f91f36473f003a4a5a1f6b271a40c883901

  • Size

    164KB

  • Sample

    220124-cxv7daadej

  • MD5

    b9275a192419e6615f3c1ffb91155ea2

  • SHA1

    21ddab364fe4be701625cc2a61dd116738e2f4e3

  • SHA256

    1bf0a4e28bf8d9858900da8597b04f91f36473f003a4a5a1f6b271a40c883901

  • SHA512

    82452d52a84f3ad149cf80ee2343bdae896e70bd0686f585cc4333a9243183eaff8fd06b222aeb007cab5a50cfc019f65d8ec6907ee7713d3c1fa64936182209

Malware Config

Extracted

Family

sodinokibi

Botnet

13

Campaign

981

C2

Attributes
  • net

    true

  • pid

    13

  • prc

    visio

    agntsvc

    steam

    ocautoupds

    dbeng50

    oracle

    excel

    ocssd

    msaccess

    ocomm

    isqlplussvc

    infopath

    wordpa

    synctime

    sqbcoreservice

    xfssvccon

    mydesktopqos

    winword

    mspub

    thunderbird

    powerpnt

    onenote

    tbirdconfig

    dbsnmp

    mydesktopservice

    thebat

    sql

    firefox

    outlook

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    981

  • svc

    veeam

    sql

    svc$

    backup

    memtas

    sophos

    vss

    mepocs

Extracted

Path

C:\5744i7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 5744i7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/743C80815C1ED9B2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/743C80815C1ED9B2 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: oeYmsEVVZARAnp3kBpP7sYpqFaKPb/tM51gcCXIht/i0X4b642SGTnjoR7SxTgME Lzo9ND3sCiZHUrpgKKd2hKwJuPW03sb9u+LcCgOiukMaXP5bD2Mchc8y8J1Ye1be VTW4xx6o1E/2ikgWosyQLHLo5RwKstbkkG28xBnbMk+3H7mUUDR5jLZJReyzOfyP n5Bl6mdz1W1eONncfqefwg1vKg//mUOIuoF5LmrztJUPktxBhXqSAb2XlZCwle3+ E0k6xVNlml5/ag0rjykZ3t0Ocr2QQ0niIBhRPTKQnMiHRUn2LSoAV5ezO91whEB9 YOTcZbs4H1uEhjMr3i8hz2LEqS9pOOje8+QVWdv2ZkjYnfLE+DYvx00AFbvA936p YleYbyaAiwolQdcCSZyS3AYE8cGMMYzNm/rjx671//kyxDhQbwrdN1E1PoXXdMHp uDGpFCOB9RFmTjBMtjtD62AIZgI14has/GGMv6ZKLZXKSvodr+1SO5eCvzP3lyQm KIkOGkmF60oil4v7iLEp2anQI9LzHTlJNAFOkZtyiC2VejpLrlAnhirnFZ68ttkU oP+wwD9dPot8PNGKRe0XHKLvAVzqROQaMzXYEZA4jWrzXbkhbYb5VddehuKAIMGW 5wQzf+kru++esdIvGJW2CAd0fjVX6NBacKWU72p3L0+95rUInTjzFIQoSOXKnpZt zmIYWXpQ+B8+tqUXaW2Ri0ZXw80Kd7T3SRrn9cnGNA9EOYT4QrZJCLH97pTam24g LCuhMeBrZs88cRslJzLWTcqEx8rCxkPTa0XrkxBBBK6eLJsPPsrpPXWoRdkJrA4h u2MDz4Bky0V+Gn1DJNtypK1PGhQIDz2nRUpwWlTGcKKHxQJ7EK/OkQ0u6G1+abCo ZYBe9e8JtaaOPRkHZxabYFSXFDlvX/QXcuOJu9R+HmouhfS0q5mAdYlY/nQf6fG6 YnLNF9G7pXYk4+5VlJOCTM+6pWcwLxEEKFvAS97UME2Ynj4KcSBhqOWJ5nlZeVUm qcYJCmk84FdUbc2tf2BZ0MF4jCSAF3qAsK4xzbwkgc9ZVA4T+qkUt85cRGiOohDt 5jGzIQ5qo4TRzFdsnxUrzA3MAWeoBfEUJjlrYsktD6gXcYRy1Avmukvwmlqr0cTt EFU= Extension name: 5744i7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/743C80815C1ED9B2

http://decryptor.top/743C80815C1ED9B2

Extracted

Path

C:\5r7h7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 5r7h7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B71B5F72EB872451 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B71B5F72EB872451 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: B+qqEVF6cpfS0BWKYbH4fDHBYhdaErU4zP60SY592VVRKGtOz8djxnvzh9S5WV5B aIYNpKgRmKhtTtWPFZTX1b5OiLBi6R2SXWSs30MyvkiPIr5V1gqC92Vj/Rq5MjRQ 1a531BrX5yDQAKb2e5odz7m1wXRdpAUxTBP53x2tjgTANCZfDntA6FLveMA5xKuG L2+PyaCoUnavmkOVhTe97ZhThAHEMOXQ2SMBfWfBeq8hKE0kPYomp8o6L6llfNE+ aKsTdac5+FlUj5KLC32cFxRxWUO5jeUo+FcJSM4l+T526vb9uXEdxxPGPLyqgdDV QmC/KcDU/zjVVwtSbvPDXGm/7t5VclM/TLPdi3rdM5NC2yDPVPfLmct5ml1r+oiL bBVd/1kw08OapJ7YPLcFzPgX5ACuL1ca/AP6Qo8eTisZw2oz72ui4eW2cEvAShcl jtzN30aJ8XQLM4xyydz88xIhT9uv7lKQU3RPwHMU9tPh2JeBzyhMt0uBS6zHqC2q 6Gs/djtuCw3pDuJWdtzgXkc+HpFOrDrjDDT649X9iLpswRH3UL4ZqO7PMQD4wO// /rqXsPv/uck4rhcpVOp5R8YjX8aKwOYYIithp80cpHy/44P+1EY2izhGaRoommp6 b3x7xz/Tsr0lIIY8PBvkLPrnZXCMZIV5a0Yhtx63ln0jLWrvJVYqGzG/XYBmy2Nq P+BOOp+2aKO7Nb56TubL9EtpNMEDPgB9tgo9nuwEEEYp3/ZCAZXkm3VqXOkWhWC7 xS5r6HuTSj6Had66jWWgzbGLZDWkApOhAoqrUF/HLIxrhAoEKXoxITgHok/5lPuU IWD6slBdRt7lraCH1yDP3rf2e1H8VkTUuiYIVtkrTYgs9QE7K8CG0NsFZOyLoLjx V3SAD24n6MazcQBVi/v2lX4dUrzV2NKdbr/RtuHVJHrCBl2izZVFucjTBSTOnE2J 0MGHn/523tNTohytbrwzAG+mm3iTC1qCozJTjBoWtDC95d8dcsgqJV8dZP41PJHE Yf+dAJzKGxbYj73WGWVQocC8ALKRhHLIvdyQ0sXYXgrguh0cKKocuMk8jU4J70Ai vEdWR4vXRlWj6jTzUnvsF99yz0L0QmkX0ubitg3qK158pWacFpGnmA== Extension name: 5r7h7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B71B5F72EB872451

http://decryptor.top/B71B5F72EB872451

Targets

    Score: 10/10

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic          | Technique                   | ID    | Count
----------------|-----------------------------|-------|------
Defense Evasion | Modify Registry             | T1112 | 2
Defense Evasion | Install Root Certificate    | T1130 | 1
Discovery       | Query Registry              | T1012 | 1
Discovery       | Peripheral Device Discovery | T1120 | 1
Discovery       | System Information Discovery| T1082 | 1
Impact          | Defacement                  | T1491 | 1
