General

  • Target

    2d6d522c78364dc29ab849fe45e77b703c574566ddc475c2f9df9b6ccfa6fed7

  • Size

    129KB

  • Sample

    220130-jrrqbshael

  • MD5

    5775a592ed670a6693c66c3aa2d83282

  • SHA1

    6025477114a546e4f946c7d506c53e9211beb1eb

  • SHA256

    2d6d522c78364dc29ab849fe45e77b703c574566ddc475c2f9df9b6ccfa6fed7

  • SHA512

    0e3424cee19b18e95db590b886d25612f9c9062a24df405c868704287d119f8f2d1d4743ac516abd3667dd0216f2382354058db7ea8dc4b2ede49e98d01f7300

Malware Config

Extracted

Path

C:\1v442h6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 1v442h6.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D2276B873D229741

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/D2276B873D229741

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
92RB3CPSRcUCEtTbfYCW0BHbkb3hsie7122pQXgXtAiGtfCWyqTajCcdAJNLrbjk qgwcx1l7RXl2/CR6LI13HBqljIaFgUgSGtd69kiowYsJr00KUjKsBpnKywQUDs1C eXlUJ1FiRzbbj6YMOaLuH40k0mWgiT/JYdbPHuASR9BefZCMnS/yDRpR7ltxWTep 75xSQ45zHI6tHKcEX/YUXeBkb9MkkHISVxidJKsTBJdR1yRMXD053dCZ53PeksWo zrItkQi+x0WCt+4TpmikOb2sDyMzTGi73WJ7T13XCjRDuqK4zuJUSykMS999dUCx Tu9YH/sXfZ3/9MqexNUtUHN+PQTVCbAzaczbNIL4NR3j6PM7qjnEqiP+UzR/s3Dn zI9E0cS3PT6oc3OZ4UYuHzSXZQu2dh3AOPcQ086hxKVhc8jtUsYDujzVNvUfsSDY 6O49nRiFnXktkT3KYADDGKPmJi6sHA/6WU/ceh18OpRuQknKNmhMqkPKCLw1hOxb LCDso82hWfvyleu4otsxQS+0sxc3P9a+jYfzRAjytSxIAdvKfRxlSKN+XQPmRMwf 9UCeozpZs4jckXCtWR5+kRD3IjaH/g3SeHOVit71BTLuqnqGxI5FsCZHxz4+iFQ6 p5STO3z+77+Nt3iQGKwqkgM8Ale73SJ6/aVrrNs6r1R3q8hWnXS9HXFllVPSfhI6 hzk58jDRXsKKNMlzi3bNkIZHtO0lpIUlsUeYkJMM7CpaRdmpl7vn43mvx87Wvtvx G5OgGcOiDScOo3uxFrqzGgvgnieJIWqoy+N/IpOpO9KXK7RM479ZJMeIgf/PEjGA Kj2aNaLmNvqbirHuluZWsGW2Ffm3y2BkICkMLKJpDrnZzMQsRKaaowLaNDwUDqQy hzqNYM1Vz+WQDtnUUrM1D4OC5PI2k01Zs3WV6vbpQ1s7f7AvSqv/AAOR8+v5D/FD 1B4nhi2dW9fTOnzxw/nCE0qdfMCkCxPtb3rhHB+MVJ48sCrytsoEQd/ET2yDaxxU IHz2jcrcSfepcmGuXdQVM/SBhtMD0zS2o8pFxGYIDVlThZ2wREXblD5Z0IM3gST1 ec6Hk5jBeATXXRY52sgnCfuAWnzRzD9BqL6Losw5rMragN2w1yUL/6ky3MTHuzM7 I9XzWLOB8GWQKDlIHKvY5u0ShAjdbrkWSzVazc4wiYGh1OBR7vCxI6ffQcoPF7en Kv+wCIw2aTyYHUGTNQpXOz7g7i1DpB81Dm/ks+aZfHKF8b+3lX6SfALdit+9uVQ0 AhZJrfdF3AvZv38+SQ5f6OXNZe+T4rODp0c=
Extension name: 1v442h6

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D2276B873D229741

http://decryptor.cc/D2276B873D229741

Extracted

Family

sodinokibi

Botnet

$2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

Campaign

1428

C2


Attributes
  • net

    true

  • pid

    $2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

  • prc

    sqlservr

    excel

    sqbcoreservice

    powerpnt

    mydesktopservice

    dbsnmp

    msftesql

    steam

    sqlbrowser

    ocautoupds

    visio

    sqlagent

    thebat64

    outlook

    dbeng50

    mydesktopqos

    onenote

    sqlwriter

    tbirdconfig

    agntsvc

    infopath

    encsvc

    oracle

    synctime

    mysqld_nt

    thebat

    xfssvccon

    isqlplussvc

    wordpad

    mspub

    ocomm

    firefoxconfig

    msaccess

    winword

    mysqld

    mysqld_opt

    ocssd

    thunderbird

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key:
    {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1428

  • svc

    memtas

    veeam

    sophos

    vss

    svc$

    sql

    mepocs

    backup

Extracted

Path

C:\9281d7u1v-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 9281d7u1v.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7FB537244BD5D070

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/7FB537244BD5D070

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
hgF8hpmhCGnhTbOklR2Npji2YAXmTGGxGLdbkNV013Mw0RtOhb8m/0nNxYy66wXG CZy1fO7tZNDV0uyl5cz5DpYiz0EngcWPAhAHJhSJ2Y04uvEWD94H07HIWmf+SACH lKWrLEiyTmmUapXl+UD/4Zji+ox227EXQYNlWqxdj/uyLS/gtWYPzi0piLZFmge7 MSuCEbFXWYX6/2nKk1qZ4jlmR/BEiptBFvGKEVH3faUBpsMSP9G1ZnfTH9ufx+oM z78n82jkken9M/HQZZeew7gWGlQVz5c1/Vgz/Qa/8xiPDI+GbmeAjQrKWlHk9xVA C7kM6c23QGkwuCu0ggY6s8MLi7U1+C82MlmrTlGUKD7HVmYchJK59e7yUPqo94TA wYw6B2xaZm1SOQ5CprASmbyFJigKYL44xzMVENnMHvxerNy5ydQgzyDU5HkCUQ8R /v4mugNdAHqrOMgl37aCPStU7DvL+Rrpj/J1z3mQLWDOE/HMvtcB29cmWLOX33MP s8lqWEaFkNKyf5zGofxJH65HpcwdFgczfyKMOftVKFeTJnWEOyOxo/ewbzfzItpe /UPOBoKNIsuudgYzxr5xzv7k4i/Qh7OLEe2nQ7W1olR/5Xo+0eZrfU2AJy6g2ff0 CVRf2dqrQ7huU6Gx0QYTgL/J2CZACHnqL+Srs9GS+avhwRCh1IOew/Fz6MB4G4PT 72MvxQlq+bphBYzr3xkNBIyWzVoJ1mp8euz3602BRek9gYtLRVqBVmNO0uPqZt1w wzg356pGGK9dPC0NIzq/3wYwJQv+AUxGPNYHZL+v54MGIuyA7XwUAnt0qimWxDoS Y6boPT+yF2KusxWpaK1CPQcP2b5yQb0kfqjGlf7gnTtGe73CyRg2Z94wDLkZU1f4 WA7fMN8kZW2+hypGTYl2W9AMCsdgYi0Hp/iT9/fsZqrIUdnFs+ZwoDOeFYNrporZ rHlYvNtto2wiE2O+GErihY9oSlf3EbOcJgEt6EEjEkiiDA+2aQCoRwcCYftz8a9O wooti6Pn0gZuRfsKfHGF4Pb0vpln7DwAF4nLpelizZ8knnyLpoIwxWeTTlDSGbXF zAFk/HPUDYyX4Frsdg67vutmrNP4bvCx5YAyaurA69PMljO8WnDyUemUz6BxX88C M+DuRmSLhhYiVNa2OO9MgMBLM+K6M8ZvekHVm/u6msiJlXdgUxMqj2z+y4egnDT1 RX7mr0N01ppleSi9n/eVSlgcYatsRIY9gPAY8kwW9jjhMnSG4/3IXYrkhHSDzJlY BUCNXaewC5WBGemYudQ08skxypYAEg==
Extension name: 9281d7u1v

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7FB537244BD5D070

http://decryptor.cc/7FB537244BD5D070

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                            Count  ID
Persistence      Registry Run Keys / Startup Folder   1      T1060
Defense Evasion  Modify Registry                      3      T1112
Defense Evasion  Install Root Certificate             1      T1130
Discovery        Query Registry                       1      T1012
Discovery        Peripheral Device Discovery          1      T1120
Discovery        System Information Discovery         1      T1082
Impact           Defacement                           1      T1491

Tasks