General

  • Target

    216a96d1df7735943a85398aa702a503432f72c8007299ccf3c0362f34fa3139

  • Size

    165KB

  • Sample

    220130-jtdlgshgb8

  • MD5

    58cdd67a2bf76df91f15d5dc89bf3ad7

  • SHA1

    a80562d1c23141058cf0fb7c170e53b8157aa331

  • SHA256

    216a96d1df7735943a85398aa702a503432f72c8007299ccf3c0362f34fa3139

  • SHA512

    b100899c1afd566da19d8aa723649bd9579b2c4bb0b27c92b69a31a651c50585066c7721f3682b33f5a8b8c13a44de04aac719bd643d79fb0f11c876a55a52ec

Malware Config

Extracted

Family

sodinokibi

Botnet

33

Campaign

1953

C2

Attributes
  • net

    true

  • pid

    33

  • prc

    visio

    tbirdconfig

    mydesktopservice

    agntsvc

    infopath

    xfssvccon

    dbsnmp

    outlook

    excel

    synctime

    sql

    isqlplussvc

    mydesktopqos

    ocautoupds

    mspub

    firefox

    ocomm

    msaccess

    dbeng50

    encsvc

    wordpa

    oracle

    sqbcoreservice

    winword

    onenote

    thebat

    ocssd

    powerpnt

    steam

    thunderbird

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1953

  • svc

    mepocs

    sql

    vss

    veeam

    svc$

    backup

    memtas

    sophos

Extracted

Path

C:\9a356w4-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 9a356w4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D3D81D5DD7DED066 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D3D81D5DD7DED066 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: JlpjrGbET1iqNph8C6NE7EwB7NZqN9CGlwtiDT4HNK3yjE5rZqloVGDqA27MpUSa otW9btHbiuOTSkvhzgHgIsZawshHWG5I3QNyW4a4dA/ummQMqOt6Z3UvjBiVXPI8 hCCiOttvOKfHMqKK4cMe9rkICNTl49TaFjeFH6rXDZxbCUabls1nv/69h8gxP7i4 2i7/nJQek4lLBhF41eLmxL2Tm1nwtM1MqiDgss3mzevE5TPTy1z/yXip1fr2x8lQ wkq/SPcNPO7Faj3Z6Qnj00zoj4b/P7yOceL5uGx2+yG3Xt4ZRke26TrVRptkbRBQ IcUdQhezpKZRyN4NpPZATX17AO9YNrvP9wr5xSclYluA+lUF7TqMUB8XUTgDuVvU Qd+v/2r33QKrCxQMzFMViJc2vGR/6/NfgkkxEJ1ZaabunDxbZfoNjRUTv0oX5hi6 xsXj0JqUZCWwWfSMdEE4L72k/8sOtNxgJ/ZZOSKeTAUOPFGKaqfcwEUiF62bUX66 pePeZ/QOVcdSOaZQPD0m+WakkhEreWyAc0ANC4ZWGNt0SRsNKOCWFB5F2dzbb15g Jm3SYoqweveTdaW+0Pt4TqByUqjE8JEG4inTcNeH/SdQ4GiD/jYvLaJ2xemuQN8Y yZ1dibEVbDkWivX6HTsMbHNPiJUBWgMJRNQBtCxtqfThQxF+nsJHjcJ0Vz7JQEz7 X39ZueUkNerqpxeUn6FbzEQExxc+Q+FjWoEpookABcr19tyCEZpgHiaObMW2BvF6 ogERLd8pCHs0O05vh2ZHOyLu5prA+JHbleBy4dg07wXeoUtLMOF7sukbBgcuFPW2 cch6guN9LIZgOUl+BJj3mxVuW0Oj86ktKBPYsxvU2XGbP/Oa+d2TSqvFX9Z7pAmH T9wMBcqx+mpEiVodS2JQtnHTa9Xi4Sgezz40NrI37VVllw4COVorFMmox5S1iMVs R+7BiHYk1/o/w9Vsehupr3MyYsZ7I4tAvS/IElESU5XJ0bSsJUb+q4yzgPmhw06u 76FUvi+Al7PFscs0EanZXUj7JYlz53oATJkqY6I4mgcA8GugplFVM3AiArAIkLs5 rtS/2jQ5gCwwZkawUGIccp7NoigrkQpLxabK+pieXV75D2PUWllURLOJstDbWFgX TSt4XORo Extension name: 9a356w4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D3D81D5DD7DED066

http://decryptor.top/D3D81D5DD7DED066

Extracted

Path

C:\83mk8ff-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 83mk8ff. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5D42FE16C8447155 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/5D42FE16C8447155 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: cGO5zsOXE34eWIEN63Qa8YPEthbL32KR3Ise17uHSM0SqMouTmB7RhN9/mfih+aF Kp6IpyRRL7pvwSkY5uUGml7nb2UPbe2peSBa9YME1uS4Yag8IJ9ODU+N2xaCFHmD 50ciunxkKmKIYE/coksCW8bEAy/fUjQ/HbIQpjdAt8Q2hOmJd0/WK6Hpvmmqt4mo /F3UMCvWOY/yR8bBaGBNhH/MSeSZyZmGr0sOhsCuYsat2nNirW/m7RK7octBw4hE d0Zfcl2Y5rWM9dr/gGIbG+R6i1eYjHQ4/HeSxggbmiy9VHgOx3Tx5nBxds8n7UD9 ZaQ6amH9RTOQUEBtUFeGDAu6++5CXPdMfDh60UFRNhVUQzbGg18ZBqUqhmzrDly8 fDtmGxIltgEq2TwvfKcZajGbRQyAhFcfyBdRtg6Gv3HMGWmeEKp9Dz+1kqvXVJfl nlqq/MpPwm834J37jq189XcDCHlTvAxlV2cBpCwa6knJPec+Gospc9yFJeLnDSmy UKmcTsgAtouzXnWFNNI9Sywquusu443IPOZygzjJd+CjbsRTWkv9vyAdFvn5lR9I 6v8uqmORwZlDvUO9qV7zpxq1YiAwc8jD818Htds4ufinoQJFxrUThZ+Us/CgbhiE nhwHfZe0cNgF0Jytf8HlBGSK/zf/eTOKsKquYm00qB3mtUgdt1nlZ5lFyQC5t+1c 8HAAoNOge2hDd/RvSfqqa4FWOyKJ8z7ekB5hjpvwbLl5s4xCgRxLXD0I5ufgrsvz Z/hkFDlvsLcEZwh4RHiY3j28XrIB0CF7vvPxmRuBStIAW8pEPuq2HtRw1mfUdaOI 4jRHburISihdYWFoA7IN0YkUCu+P2OpuUMNKiZv4sp6Ci9vab40n49AeOHXG0ROu ixK8kdjDeVAfFlu+W+NFB+YzxfWvHoTdJuhTJqbdwuYiF7IYem8hCAwal2jy6m+W j7EDDipez69cFQIcBSfUx42ixXnbcbS6xQIuBZwRVTCACr09pP59VeA2wf+zrfn5 8y63A/uDMHXu0jCBoOFz8+ybWhJrF0NsLoa8xa/HiJh5RD6hHwWEXDo/XULF59MM gfRGD/PeWyMmCA8XcJ33/YQnwnG5h48ABUc4t/Pl305TzmS++A2lgKOozaMCRQ== Extension name: 83mk8ff ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5D42FE16C8447155

http://decryptor.top/5D42FE16C8447155

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                      Count  ID
Defense Evasion    Modify Registry                2      T1112
Defense Evasion    Install Root Certificate       1      T1130
Discovery          Query Registry                 1      T1012
Discovery          Peripheral Device Discovery    1      T1120
Discovery          System Information Discovery   1      T1082
Impact             Defacement                     1      T1491