General

  • Target

    13cf8b085916c4760c4fc1b98cb6600a39b2de25a629af27cf3341b9d07dd563

  • Size

    139KB

  • Sample

    220130-jw1h2ahbdj

  • MD5

    e9d41045b50546a687f3e0e331fa3926

  • SHA1

    42ef8ac2ab613e22ae7cbc55a74599233b7db550

  • SHA256

    13cf8b085916c4760c4fc1b98cb6600a39b2de25a629af27cf3341b9d07dd563

  • SHA512

    0090689731a3dda7caf23194584e90d7fb85bc6b8000c33845612ce1ae46924468f45b9406eac4286b4567823c5c84eda1f9ff0b4c2a1a0836a324f6bc1c2513

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

Campaign

1428

C2

ecpmedia.vn

triactis.com

promalaga.es

siliconbeach-realestate.com

bigbaguettes.eu

web.ion.ag

spacecitysisters.org

abogadosaccidentetraficosevilla.es

blacksirius.de

sipstroysochi.ru

foryourhealth.live

schraven.de

mardenherefordshire-pc.gov.uk

pubweb.carnet.hr

joyeriaorindia.com

makeflowers.ru

seevilla-dr-sturm.at

podsosnami.ru

stupbratt.no

jsfg.com

Attributes
  • net

    true

  • pid

    $2a$10$i4Qf7geFCZ7lWOdqqwWhheHJ42u0kNQeWmIjHYGkdN1NhIwuCa2va

  • prc

    sqlservr

    excel

    sqbcoreservice

    powerpnt

    mydesktopservice

    dbsnmp

    msftesql

    steam

    sqlbrowser

    ocautoupds

    visio

    sqlagent

    thebat64

    outlook

    dbeng50

    mydesktopqos

    onenote

    sqlwriter

    tbirdconfig

    agntsvc

    infopath

    encsvc

    oracle

    synctime

    mysqld_nt

    thebat

    xfssvccon

    isqlplussvc

    wordpad

    mspub

    ocomm

    firefoxconfig

    msaccess

    winword

    mysqld

    mysqld_opt

    ocssd

    thunderbird

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    memtas

    veeam

    sophos

    vss

    svc$

    sql

    mepocs

    backup
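The prc and svc attributes above are the sample's kill lists: processes it terminates so that open database and Office files can be encrypted, and services (backup, VSS, AV, SQL) it stops. The script below is an added example, not code from the report or from the malware; it copies the two lists from the extracted config and checks a constructed inventory of running processes and services against them, which is a useful pre-incident question to ask of a host ("what on this box would this config have killed?"). The comparison semantics are assumptions: prc is treated as a case-insensitive exact match on the image base name without extension, and svc as a case-insensitive substring of the service name, because entries such as sql and backup only make sense as substrings.

```python
"""Which running processes/services would this Sodinokibi config kill or stop?

Added example; the PRC/SVC lists are copied from the extracted config on this
page, the "running" inventories are constructed, and the matching rules are
assumptions about the malware's behaviour, not verified from the binary.
"""
import os

# Copied verbatim from the prc attribute of the extracted config.
PRC = [
    "sqlservr", "excel", "sqbcoreservice", "powerpnt", "mydesktopservice",
    "dbsnmp", "msftesql", "steam", "sqlbrowser", "ocautoupds", "visio",
    "sqlagent", "thebat64", "outlook", "dbeng50", "mydesktopqos", "onenote",
    "sqlwriter", "tbirdconfig", "agntsvc", "infopath", "encsvc", "oracle",
    "synctime", "mysqld_nt", "thebat", "xfssvccon", "isqlplussvc", "wordpad",
    "mspub", "ocomm", "firefoxconfig", "msaccess", "winword", "mysqld",
    "mysqld_opt", "ocssd", "thunderbird",
]
# Copied verbatim from the svc attribute of the extracted config.
SVC = ["memtas", "veeam", "sophos", "vss", "svc$", "sql", "mepocs", "backup"]

# Constructed inventory, as you might get from `tasklist` / `Get-Process` and
# `sc query` / `Get-Service` on a host you are assessing.
RUNNING_PROCESSES = [
    r"C:\Program Files\Microsoft SQL Server\MSSQL15\Binn\sqlservr.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    "mysqld_opt.exe",
]
RUNNING_SERVICES = [
    "MSSQLSERVER", "SQLWriter", "VSS", "VeeamBackupSvc", "wuauserv",
    "Sophos Endpoint Defense Service", "Spooler",
]


def image_base(name: str) -> str:
    """Reduce a path or image name to its lower-cased base name without extension,
    e.g. r'C:\\x\\SQLSERVR.EXE' -> 'sqlservr'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(base)[0].lower()


def processes_hit(running, prc=PRC):
    """Assumption: prc entries are compared case-insensitively against the image
    base name without its extension (exact match, not substring)."""
    targets = set(prc)
    return sorted(p for p in running if image_base(p) in targets)


def services_hit(running, svc=SVC):
    """Assumption: svc entries are case-insensitive substrings of the service
    name ('sql' hits MSSQLSERVER, 'backup' hits VeeamBackupSvc).
    Returns {service_name: [matching entries]} for every service that would be stopped."""
    hits = {}
    for name in running:
        matched = [pat for pat in svc if pat in name.lower()]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    for p in processes_hit(RUNNING_PROCESSES):
        print("would terminate:", p)
    for s, why in services_hit(RUNNING_SERVICES).items():
        print(f"would stop: {s} (matched {', '.join(why)})")
```

Note that the lists are a blind spot as much as a hit list: explorer.exe and chrome.exe are untouched, and a service whose name contains none of the eight substrings keeps its file handles, so encryption of files it holds open simply fails rather than being forced.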

Extracted

Path

C:\qqy01ck5b-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion qqy01ck5b. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/115A8C2EBD9FAB71 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/115A8C2EBD9FAB71 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: HUS5IGYY6KnidB8d6knzSc2Cc2eg+k2EAD2UF8hVAndsh7qJmg6HZ/Xzm+DOpOTU YLUWvviwTM/WxaF3QnFEGq1mkBfnI2zK7jo2Gcv77J/KxmGLtW97SHQo7YZcreLu 0bIVtR4PHG7IPbYs20a5hs0pB3jpSZJfwlmDD6/2ygsB2sSPt+9pZb7PyhbQ9oBg 9/5pcVe5HR4XvWH6bcXaKyX+VpbYLU+Vef/jqyw3ol58RBWNqusntz/mCGyAIjQ5 X9aXSF1RT7FE/e7UV5my6sJJieH03QGzxqvPH/U9G+T+mMs7WPuTO1YlcT/1nBAY hsS+YWlgtBZSPKiIhXso3x5U2S4+dlglRbThDq2xwmQFKB9Yq1dyQIQvU1UxZPNJ zwSwQ4RifZvO6CUhmwn5jMEjOdCEpgB0bIsGiZbSNUL0vSb78ow5QHm0zVNSRfr4 vA9TiN2EMdY24mlvyQc8x5aZ4rFDHmeNfCKv8EOjhdcLPKgtiOHhQnb2fSR0oG3m iApK6mP3qShmJh51VXYAFOV8DfDp0t6yjnbCAv66GVjQxHw6g96DKZfE0H3wZwAR oWfkBJA7XueJSVunxr1/KcfnyUlzQ8Qj/kSnDbbvjXSsbY8oIYoUOM7hdCOSaZAw LjYIc70I3j/7iQGN6lIs4V4AAFvQwykgsVCuRmd1BAY4YAdaTwbZDM5GccI3kypP sMniUC+S+bgEsMbxcBxxjSh1atYh9goHrMx1uG0NmwdhNV38pnbTTWsHQq6U6sWl 9BwzptvI/2bSnyH6x1ndodPQ79Fw/JyWG0QQXFW3VZz4yPb1w746ujglqLbVd10H MZakrpO2OIVCa/TYyRriuyC7SPVGPbGPYipOFbbdntLp3XmrW+SSdgbFAXsOWWuL pNBwBhiiOsdwArcr3C3WaFzpeRfnPSmG6wTj3T/9m5kctv6U2gs8m+26YBd3L6DJ vvn0N5tfKdILh5DPpmFY6qFiW0gYlCmtrYutytWgeeNNEwB9Wa7LFzFWWOen8BUl I1bz5eHZLUJsOcTXuoY67U89/X8A2lMRFk6hOXwi6fyG6laL6N5n/JszM/Dr3nLg C403u4U+gqSo+jZdZuq5cB2jrJzdLuWZhARJgIfcI2yrAmQk6nllirscwpn+xFLm 6Nh2CkL3DeQ79gQ5IIKvXw7ZfjVdcEfNHO3HCCkA6sCqRapMVKG32KGWBAj30z9F XlibJ5OP0bb/Nx3MFAUYvl7swt2dLwsmgxks/gJhiHxY4fEc55Gw2rJ3PkkDYkPQ cEv9nVLy6cMoGOqt+HPMo8HclVjfZTKgfMrGEGjE Extension name: qqy01ck5b ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/115A8C2EBD9FAB71

http://decryptor.cc/115A8C2EBD9FAB71

Extracted

Path

C:\v7z7t99-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion v7z7t99. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/17416E5B9CB897D1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/17416E5B9CB897D1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: IJW46CuDPkFQTAcfCm59S14lObudrUVAiobNwxFDCyk9/n5tY4NquV2AA82g0Sag tbl1PVWtC5WQYOzFljvrkQtKOjTd4+QwHTULXM5Z2OQ5LuqOB4BioHrqg7YR8oDp 61llE/dQEpGM/ANGe6XjKpNYOJJCBGmwpThX/1MDXcDLAWoi2CBo3x1Vp4KYMSeM cyTYvBbskht7Be1WL3czu9L2+t/+l8FLqA9nqBqay+eblCxFlY9/uXYMD++GUMdg NTzPuJjb2MACLG5jghU0aYDd9RY5B5p+S32kL30xu/pzxMN33UvEajER0getJuJc LuB+RLAip2ly2gRA7fWtTel67uQ+u0LKEFbqMcLDH3tUzrLHwT4La6SGL8OU8sl1 9G/mS2XQTTWOefqSDrZY2k0TSGB+yXrG07NjCVLsTbaIyNBwEEQWBeO4Pb4Vonn1 m61GO5MO56jKGX/a3eLrRGpvd3F4Ct+pTfOk2XF9hGlTLBmGDnktAfzTwkpHJxp3 VN55Bnz/5FBTPIEbNcFou142whSKTTQjIRvKRRGV23S7hWx8S7nWa591bx/AAQkm 0t+2XPQgach5wm4Qh/LUUxeOMRhxFS674/bO+5mhBkT2JuuQFDr6ZyLVVCGk5+lH lwa4f8PEa7nvPbMqVHHAQFtJlwiceKozc2/RfG8+rfIpCmTX8V3t3e4/TGDzZhdd a1YcdcRiwZDfZmZT8rs73W3DmLOlPVcNmtqBfhQ3oYRrwoR9/kNcJwhpgUF9AkAh v7EfP2uHkgaB1lfHyzGyR6pQOwuS96RA6WkJ8mCDmd5p2oxxf8iuFi6QQisae881 zwJco3zOWTLhTznystRqQACptJEMeJ17agJ2dEw6x7mRKpb6+XjRICEWDvlKGZeq DP5ItGv9r1l6oeilm9eFuUyiU5GnCX+wYvoIqBpfBpBe+DOc9PoQZ2FjMQ/uxbZt RJqI6/zuuzgGB796Wt/0WoaPB0hi2dm2kNe5MkNHJHGg8nE1UXE/XnkZeo0bVwJO egZnIIfnb79tmQSDiahLoDjkDklMSSGne7LVeizQ/zXvXIJAhOQUflTFdsnTXXOe zBaXp/OXhxxdOarJqgd5w4/Yo5iU4UmeQqhIUkhaWrCCuzZPWZArZLCZwVRIS/7a SZhbAgo0nTyhJ81ndirs7UtFzzLm248/bPv4lq6b9zTi0BaY2w54hAJoFirswmd3 YP4cJN7O+QN0JlC5SFvNgG+mUGPHX1L3U0KOjkfPGabLgi01uMc8ynE7OYI0Zv0s Acg2+lRiwLOgUW0f1eSNle5k Extension name: v7z7t99 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/17416E5B9CB897D1

http://decryptor.cc/17416E5B9CB897D1
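The ransom_template in the extracted config and the two dropped notes above are the same text with {EXT}, {UID} and {KEY} filled in, which is what lets a triage script attribute a note to this configuration and pull the victim-specific IOCs (extension, victim ID, both payment URLs, the readme filename) out of it. The code below is an added example, not part of the report: it compiles the template into a regular expression in which a repeated placeholder becomes a backreference, so a note only matches if its extension and UID are used consistently. Both the template and the two notes are abridged identically from the page (the paragraphs between the opening, the URLs and the Key/Extension lines are omitted, and each key is cut to its first two lines); everything else, including the onion and clearnet hosts, the UIDs and the extensions, is copied from the report.

```python
"""Match dropped Sodinokibi notes against the config's ransom_template and
extract EXT / UID / KEY plus the derived IOCs.

Added example, not from the report. TEMPLATE and NOTES are abridged copies
of the page's ransom_template and the two extracted notes (middle paragraphs
dropped from both, keys truncated to two lines); the matching is my own.
"""
import re

ONION = "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/"
CLEARNET = "http://decryptor.cc/"
RULE = "-" * 89  # separator line that precedes the "!!! DANGER !!!" block

# Abridged ransom_template (see the Attributes section of the extracted config).
TEMPLATE = " ".join([
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted,",
    "and currently unavailable. You can check it: all files on you computer has",
    "expansion {EXT}.",
    "b) Open our website: " + ONION + "{UID}",
    "b) Open our secondary website: " + CLEARNET + "{UID}",
    "Key: {KEY} Extension name: {EXT}",
    RULE,
])

# The two dropped notes, abridged the same way. The line break inside each
# key reproduces the wrapping of the real note.
NOTES = {
    r"C:\qqy01ck5b-readme.txt": " ".join([
        "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted,",
        "and currently unavailable. You can check it: all files on you computer has",
        "expansion qqy01ck5b.",
        "b) Open our website: " + ONION + "115A8C2EBD9FAB71",
        "b) Open our secondary website: " + CLEARNET + "115A8C2EBD9FAB71",
        "Key: HUS5IGYY6KnidB8d6knzSc2Cc2eg+k2EAD2UF8hVAndsh7qJmg6HZ/Xzm+DOpOTU\n"
        "YLUWvviwTM/WxaF3QnFEGq1mkBfnI2zK7jo2Gcv77J/KxmGLtW97SHQo7YZcreLu"
        " Extension name: qqy01ck5b",
        RULE,
    ]),
    r"C:\v7z7t99-readme.txt": " ".join([
        "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted,",
        "and currently unavailable. You can check it: all files on you computer has",
        "expansion v7z7t99.",
        "b) Open our website: " + ONION + "17416E5B9CB897D1",
        "b) Open our secondary website: " + CLEARNET + "17416E5B9CB897D1",
        "Key: IJW46CuDPkFQTAcfCm59S14lObudrUVAiobNwxFDCyk9/n5tY4NquV2AA82g0Sag\n"
        "tbl1PVWtC5WQYOzFljvrkQtKOjTd4+QwHTULXM5Z2OQ5LuqOB4BioHrqg7YR8oDp"
        " Extension name: v7z7t99",
        RULE,
    ]),
}

# What each placeholder may contain; the values on this page are alphanumeric
# extensions, upper-case hex UIDs and a base64 key that wraps across lines.
FIELD_PATTERNS = {"EXT": r"[A-Za-z0-9]+", "UID": r"[0-9A-Fa-f]+", "KEY": r".+?"}


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Escape the whitespace-normalised template and turn each {NAME} into a
    named group; a placeholder seen before becomes a backreference, so a note
    whose two UIDs (or three EXTs) disagree does not match."""
    escaped = re.escape(" ".join(template.split()))
    seen = set()

    def placeholder(m):
        name = m.group(1)
        if name in seen:
            return f"(?P={name})"
        seen.add(name)
        return f"(?P<{name}>{FIELD_PATTERNS[name]})"

    # re.escape renders "{EXT}" as "\{EXT\}"; undo that for the placeholders only.
    return re.compile(re.sub(r"\\\{([A-Z]+)\\\}", placeholder, escaped))


def parse_note(template: str, note: str):
    """Return {'EXT', 'UID', 'KEY'} if the note was produced from template, else None.
    Whitespace is collapsed first so the line-wrapped key still matches."""
    m = template_to_regex(template).search(" ".join(note.split()))
    return m.groupdict() if m else None


def iocs(fields: dict) -> dict:
    """Derive the per-victim indicators from the parsed fields. The readme name
    follows the config's ransom_oneliner ('Find {EXT}-readme.txt')."""
    ext, uid = fields["EXT"], fields["UID"]
    return {
        "readme": f"{ext}-readme.txt",
        "onion": ONION + uid,
        "clearnet": CLEARNET + uid,
        "key": fields["KEY"].replace(" ", ""),
    }


if __name__ == "__main__":
    for path, note in NOTES.items():
        fields = parse_note(TEMPLATE, note)
        print(path, iocs(fields) if fields else "does not match this config's template")
```

The backreference is the part worth keeping: the UID appears in both URLs and the extension three times, so a note that has been edited, truncated or belongs to a different build fails the match instead of yielding a half-right IOC set.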

Targets

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 3

    Install Root Certificate (T1130): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks