General

  • Target

    10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6

  • Size

    166KB

  • Sample

    220130-jxn7dshgg4

  • MD5

    a975fcb157f5d3cb1f18931d529098c4

  • SHA1

    b33ca444868e3864144b1ac5a1b62644cbd70270

  • SHA256

    10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6

  • SHA512

    6982cc58f43e49cd50a8796bdf0cabe74b4411e010224e5a7baa63cd5080bb3b3800b6418ee7a4e0e762fd75f40ebe4e27b3af6e3e86ff5febde34310e139c86

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$FJeSPSzEbvMRrQRLeIV62OTz3bUbs9W8p5vSpDFyu0g7iSozxVlpi

Campaign

4174

C2

asteriag.com

enovos.de

sipstroysochi.ru

tanzschule-kieber.de

delawarecorporatelaw.com

wellplast.se

dpo-as-a-service.com

limassoldriving.com

eaglemeetstiger.de

consultaractadenacimiento.com

cuspdental.com

gadgetedges.com

sanyue119.com

boulderwelt-muenchen-west.de

patrickfoundation.net

olejack.ru

ncs-graphic-studio.com

spargel-kochen.de

werkkring.nl

femxarxa.cat

Attributes
  • net

    true

  • pid

    $2a$10$FJeSPSzEbvMRrQRLeIV62OTz3bUbs9W8p5vSpDFyu0g7iSozxVlpi

  • prc

    ocomm

    isqlplussvc

    sql

    visio

    mydesktopservice

    sqbcoreservice

    dbsnmp

    tbirdconfig

    thunderbird

    thebat

    onenote

    ocautoupds

    wordpad

    dbeng50

    msaccess

    oracle

    firefox

    ocssd

    powerpnt

    infopath

    synctime

    steam

    excel

    mspub

    mydesktopqos

    outlook

    encsvc

    agntsvc

    winword

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4174

  • svc

    vss

    svc$

    sql

    memtas

    mepocs

    sophos

    veeam

    backup
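The prc and svc attributes above are the name fragments this configuration carries for processes to terminate and services to stop ahead of encryption: database, mail and office applications that would otherwise hold files open, plus VSS and backup agents that would ease recovery. The following is an added example written for this page, not code from the report or from the sample: it applies the two lists to a constructed process and service inventory and then looks for a burst of list-covered service stops in a constructed event stream. It assumes case-insensitive substring matching, which public write-ups on this family describe but which this page does not verify against this sample; the inventory, timestamps and event format are all constructed.

```python
from datetime import datetime, timedelta

# Name fragments from the prc and svc attributes of the configuration
# extracted on this page.
PRC = [
    "ocomm", "isqlplussvc", "sql", "visio", "mydesktopservice",
    "sqbcoreservice", "dbsnmp", "tbirdconfig", "thunderbird", "thebat",
    "onenote", "ocautoupds", "wordpad", "dbeng50", "msaccess", "oracle",
    "firefox", "ocssd", "powerpnt", "infopath", "synctime", "steam",
    "excel", "mspub", "mydesktopqos", "outlook", "encsvc", "agntsvc",
    "winword", "xfssvccon",
]
SVC = ["vss", "svc$", "sql", "memtas", "mepocs", "sophos", "veeam", "backup"]


def matching_fragments(name, fragments):
    """Config entries that cover a process or service name.

    Assumption, in line with public write-ups on this family but not
    re-verified against this sample here: the comparison is a
    case-insensitive substring test, so 'sql' covers sqlservr.exe and
    mysqld.exe alike and 'backup' covers any service with that word in
    its name. Entries are literal text: the '$' in 'svc$' is not a
    regex anchor."""
    lowered = name.lower()
    return [f for f in fragments if f.lower() in lowered]


def covered(names, fragments):
    """Map each name that would be hit to the fragments responsible."""
    hits = {}
    for name in names:
        frags = matching_fragments(name, fragments)
        if frags:
            hits[name] = frags
    return hits


def find_service_stop_burst(events, window_seconds=30, min_services=3):
    """First burst of svc-covered services stopping close together.

    events: (timestamp, service_name, new_state) tuples, as a collector
    could derive from Service Control Manager state-change records.
    Public analyses describe the list being worked through in quick
    succession before encryption, so the stops land within seconds of
    each other; a burst is at least min_services distinct covered
    services stopped inside window_seconds. Returns (start_time,
    sorted names) or None."""
    stops = sorted(
        (ts, name) for ts, name, state in events
        if state == "stopped" and matching_fragments(name, SVC)
    )
    window = timedelta(seconds=window_seconds)
    for i, (start, _) in enumerate(stops):
        names = {name for ts, name in stops[i:] if ts - start <= window}
        if len(names) >= min_services:
            return start, sorted(names)
    return None


# Constructed inventory and event stream for a fictional database host;
# none of it comes from the sandbox run documented on this page.
SAMPLE_PROCESSES = ["sqlservr.exe", "mysqld.exe", "OUTLOOK.EXE",
                    "explorer.exe", "VeeamAgent.exe", "firefox.exe", "csrss.exe"]
SAMPLE_SERVICES = ["VSS", "MSSQLSERVER", "SQLWriter", "VeeamBackupSvc",
                   "Spooler", "wuauserv"]
T0 = datetime(2022, 1, 30, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "Spooler", "stopped"),                          # not on the list
    (T0 + timedelta(seconds=5), "VSS", "stopped"),
    (T0 + timedelta(seconds=6), "MSSQLSERVER", "stopped"),
    (T0 + timedelta(seconds=6), "SQLWriter", "stopped"),
    (T0 + timedelta(seconds=8), "VeeamBackupSvc", "stopped"),
    (T0 + timedelta(minutes=5), "VSS", "running"),
]

if __name__ == "__main__":
    print(covered(SAMPLE_PROCESSES, PRC))
    print(covered(SAMPLE_SERVICES, SVC))
    print(find_service_stop_burst(SAMPLE_EVENTS))
```

The substring semantics are what make the lists broader than they look: "sql" reaches every SQL Server and MySQL process, and "backup" reaches any third-party backup agent, so an allow-list built from literal names will miss hits. The burst check is deliberately narrow (covered services only, short window) so that routine patching, which stops services minutes apart, does not trip it.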

Extracted

Path

C:\w4yms4w-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension w4yms4w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F98B1C4B943C62B4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F98B1C4B943C62B4 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: M0ANP8SpPnE4SjJaiFRCZYOx96M5IWX7nHBYSSSy0O0ha1jlWD7w6T4rL1nSNXJb yC6Yz2cJFpP7adPsVeRUy9Q9vipZpTemiediUJd3+vKBaLzG07ho8HgdHF2MHVXI vfBGKnnTm3BaqNPhmyxR7Y7NhzVS0+qJumtYMdsp2b/uogx9T8mOCCRHkWyW+mg0 yoCIuJw5KSyuzmxTyX3196nR1GSyY0i+nBqHuyZmyCpF4BR3EM0SQQJr5ZxbwkQE UR1y3BRcgs375aFrhLA7hceujEkXPvdZAsmfo9mzyM8oFbjinbbqLAMxhaYzqMyA zI+fMvoP9WK+CVMCnd1rCXsKR8DHhV+tgdCZnl7t/iNwU56HlueRd7gbgMUDktyn ANUQLSHNJKuEQJVtQjTPla4mdZuOoJbyEyWGveblDj9qGXddTLYToUtINzPFU8CX Inv0dhQUtKhf7hQMEMzHTPSJn52AIuTk7b8++ejChFisgj6Jnz6/tKC9BWGAKgui qQDjfd2gdT4nUPmYEUAIiMvV0YUW2RUjWLV1+NaVlQGOuibHZXZ37Pd1tU1j9dra aoq/yyUB2JwZzulcjEjMwCDPe2WNFKgFtQxhAXLHf1PDwzmHKlKTf+8vanbDxiTi cfETaWgxuLZgt4Sf3eceY33gRRJ5boeNHlfvgFj1Jtk65R/JL445f7UJN9hsuG4b oWFpmL1QfAq8B7xo6N51Y9ohMxOszsoOYNWPEGwyT8zUMrux7FANydp2Menmq+pW 8+wzSAh/utnjBqVMkTvjfBLFuX4eyOr/lbcG7jNG0O0Pc1Vqv0OYBGHRIUc25Qb8 1Wafwup5PgvQY6O8Nva9/XYQ7OswTVgxvymHJN/wSZTFY06mNMCGBiu7ZogI7D++ +1UocYfjYtMEX7COeY0lWnKO307Z5k71w1ZLU/hkjATfQHa1eQQ8z3WeBVMsmpwG zPSAmksY6VTasIyXpzqJ71gSpfv8LNRM+oLYv3SzJuMjiWmjaXEWXIajo1IvGdjs d9XTeLJkHmxNTMPC8CniiWjus48YZwkRZnKkp+DNeNMFwpPQFfsoI+2i9NcoYqTH Ymd3A5iuOcXQP38MPhl46G5MhUxP4PmtGCkLbSyXxUrK4W511yKGYTiWH9kcw520 Yys6jmn0mOahj3+1eS2HoBVrlP14B5Ux7/HDIHnyX7y/Z/WZOUeqK4BnTyTgrGvf MFlwy0x177cXxJqM8qEwWb6TocWFASPkunFeBoOy/w0t6VD3GHsHl6jHRtZbYUFc +OZmROhrPGg+jQRboULK34p/TzGiLbACq5M= Extension name: w4yms4w ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F98B1C4B943C62B4

http://decryptor.cc/F98B1C4B943C62B4

Extracted

Path

C:\18b0emv794-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 18b0emv794. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6873B39384F96572 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/6873B39384F96572 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: X7C0ssU8FGM3hr7u62Li1LO8knlPhiVnh0PPTcgmwI5LmMpu3Gq7hB5R6wF2vQ4O VwGoagQJt55905t0UejXl8Gfpyk0elJRxHdGSpTh+RI0cgEAyKNBoLRyhH0eOchs Lb5Xcl4TmxYkzCvB69WajDBdryoqkYlbHReYdGddtmoyWH+BxgvU8HJYZG/w5b9j bz2nrJvUzhLVOPEjz+DqZYNox0yx1FTMMZrkAUk9LntbxzvKK7u6llk8/PC4SZDR EEgNPEEaLjxnxF2k6itmqeZqTntYTAAxZbIBfFTKzwY9BPZ3NST4h3msBccIiH76 T4Qu8BQRfKFaANHFCNS0MZhU2h1/+u3Q8PyFiIvbo8VBK9xL3v6fe0m4sGDzUKXh tmMO3T7PwDWsMKeiumVxIGwYoNGjlMgODxACc/zwz896kaCj+KfKvWiksw291Vd9 ii6a4G5dpYQknTaf9Docv8xU+F9pNbtFep5YUkr/TmVbfb7vheSipwwENZIymuLG oxluB8x18o0Mvcdf75mLvF0FRfMNdZZEUdHhQ5NrMqXJarMs9GRhsH9MG3hoq13N xy77h/jzF1HfaQA4VvBaSEKlVriRn05POYCM0plKF6wPEgS8jnvPRRNQRGXYYC5e sJZmddPf2dleGe4nn1uT2BewgYSKjpM3xL3nWLqJ8UeCGKN0fROWwYQKvKA+TTdQ Ka7Kf+b14qXkN75ipqpKJari4YQF1y8x7uuIwCcdxHTJFnyAWmutKy4exeIzqO90 zuROHK8/qIFTckFxCvET9eB7NO+zaIre46ooCQHdh6uqJG0Eofvhf3RS6Vp3Bzbp g2g2jK9hx2GbfGnC16v+k8INvUm7RpJNlh4rdZT1UxZiNkhEBiQ2xitv7OA9jQF/ XVKEykTL8w7V1CZdWFDPmdNAnWOOf1kJWyUzw2mzKPR23Xfl55+ZoNKXgxhfhbfT bhwT7Z7+AecoS2GZuY/bCMlyIK6jIKYywVykYKU32PAzpguZr5b6DdtGcb42bO7Y QkarhM8NCJ8atMCHvRGnSD+jAKd1y43765zWBeyXj7mRMfCk2o4O1VWlWqJTiPBU bQ2KYb1Wa8beV3B14lmYbFY4UVjGoo6kOY5JsbzM8yIDHpwVNd7yjvjq4jI6HQt/ wDxnP/MVojrXvOl7WQhhUI5T8yYGa54LdBTggGCOGo9Z/ghuDMsxVGGpDdlwKrlq ms3Lt1GIFze6OdoVdDIO1GNVQJXidMIZ72zzOgmYh78NnSsgg2JN/CE3Bte6mWs4 TP4yP1adxhuVq1k9z0pZKFYCUiFhvIti Extension name: 18b0emv794 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6873B39384F96572

http://decryptor.cc/6873B39384F96572
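The two dropped notes above are instances of the ransom_template from the configuration with {EXT}, {UID} and {KEY} filled in: the note is written as {EXT}-readme.txt, and the same UID appears in both the Tor and the clearnet URL. The following is an added example written for this page, not code from the report or from the sample: it compiles the template into a regex that tolerates the re-wrapping a dropped note undergoes, pulls the extension, victim ID, key and URLs out of a note, and recovers the extension from a note path. The sample note it runs on is constructed by filling the template: the extension and UID are the ones recorded for the first note above, but the key lines are stand-ins, not the real key.

```python
import re
import textwrap

# ransom_template from the configuration extracted on this page; {EXT},
# {UID} and {KEY} are the placeholders the sample fills in per victim.
TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension {EXT}. By the way, everything is possible to recover (restore), but "
    "you need to follow our instructions. Otherwise, you cant return your data "
    "(NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not "
    "care about you and your deals, except getting benefits. If we do not do our "
    "work and liabilities - nobody will not cooperate with us. Its not in our "
    "interests. To check the ability of returning files, You should go to our "
    "website. There you can decrypt one file for free. That is our guarantee. If "
    "you will not cooperate with our service - for us, its does not matter. But "
    "you will lose your time and data, cause just we have the private key. In "
    "practise - time is much more valuable than money. [+] How to get access on "
    "website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) "
    "Download and install TOR browser from this site: https://torproject.org/ b) "
    "Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "2) If TOR blocked in your country, try to use VPN! But you can use our "
    "secondary website. For this: a) Open your any browser (Chrome, Firefox, "
    "Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} "
    "Warning: secondary website can be blocked, thats why first variant much "
    "better and more available. When you open our website, put the following "
    "data in the input form: Key: {KEY} Extension name: {EXT} "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! DONT try to change files by yourself, DONT use any third "
    "party software for restoring your data or antivirus solutions - its may "
    "entail damge of the private key and, as result, The Loss all data. !!! !!! "
    "!!! ONE MORE TIME: Its in your interests to get your files back. From our "
    "side, we (the best specialists) make everything for restoring, but please "
    "should not interfere. !!! !!! !!!"
)

PLACEHOLDER = re.compile(r"\{(EXT|UID|KEY)\}")
GROUP_RE = {  # what each placeholder may contain
    "EXT": r"[A-Za-z0-9]+",
    "UID": r"[0-9A-Fa-f]+",
    "KEY": r"[A-Za-z0-9+/=\s]+?",  # base64, wrapped over several lines
}


def template_to_regex(template):
    """Compile the note template into a regex.

    Literal text is matched token by token with any whitespace in between,
    so a note re-wrapped at another column width still matches, and a rule
    made only of dashes matches at any length. The first occurrence of a
    placeholder becomes a named group and later ones a back-reference, which
    forces the extension and UID to agree everywhere they appear."""
    parts, seen = [], set()
    for i, piece in enumerate(PLACEHOLDER.split(template)):
        if i % 2:  # odd entries are placeholder names
            parts.append(r"(?P=%s)" % piece if piece in seen
                         else r"(?P<%s>%s)" % (piece, GROUP_RE[piece]))
            seen.add(piece)
        elif piece.split():
            parts.append(r"\s+".join(
                "-+" if set(t) == {"-"} else re.escape(t) for t in piece.split()))
    return re.compile(r"\s*".join(parts))


NOTE_RE = template_to_regex(TEMPLATE)
NOTE_NAME_RE = re.compile(r"(?P<ext>[A-Za-z0-9]+)-readme\.txt$")


def parse_note(text):
    """Extract EXT, UID, the unwrapped key and the victim URLs from a note,
    or return None if the text does not match the template."""
    m = NOTE_RE.search(text)
    if not m:
        return None
    ext, uid = m.group("EXT"), m.group("UID")
    urls = [u for u in re.findall(r"https?://\S+", m.group(0))
            if u.endswith("/" + uid)]
    return {"ext": ext, "uid": uid, "key": "".join(m.group("KEY").split()),
            "note_filename": ext + "-readme.txt", "urls": urls}


def ext_from_note_path(path):
    """Recover EXT from a dropped note path such as C:\\w4yms4w-readme.txt."""
    m = NOTE_NAME_RE.search(path.replace("\\", "/").rsplit("/", 1)[-1])
    return m.group("ext") if m else None


def build_sample_note(ext, uid, key_lines, width=64):
    """Constructed note: fill the template and re-wrap it the way a dropped
    note is laid out (long tokens such as the URLs are kept intact)."""
    filled = (TEMPLATE.replace("{EXT}", ext).replace("{UID}", uid)
              .replace("{KEY}", " ".join(key_lines)))
    return textwrap.fill(filled, width=width, break_long_words=False,
                         break_on_hyphens=False)


# Constructed sample: extension and UID are the ones recorded for the first
# dropped note on this page; the key lines are stand-ins, not the real key.
SAMPLE_KEY_LINES = ["QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamts",
                    "bW5vcHFyc3R1dnd4eXo="]
SAMPLE_NOTE = build_sample_note("w4yms4w", "F98B1C4B943C62B4", SAMPLE_KEY_LINES)

if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
    print(ext_from_note_path(r"C:\18b0emv794-readme.txt"))
```

Because the second UID is a back-reference, a note whose two URLs carry different IDs does not parse at all, which is the behaviour you want when triaging notes from many hosts: the UID is the per-victim handle the operators key on, and a mismatch means the note was edited or belongs to a different template version. The note filename check is the cheap host-side indicator; the extension it yields is the same one the encrypted files carry.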

Targets

    • Target

      10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6

    • Size

      166KB

    • MD5

      a975fcb157f5d3cb1f18931d529098c4

    • SHA1

      b33ca444868e3864144b1ac5a1b62644cbd70270

    • SHA256

      10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6

    • SHA512

      6982cc58f43e49cd50a8796bdf0cabe74b4411e010224e5a7baa63cd5080bb3b3800b6418ee7a4e0e762fd75f40ebe4e27b3af6e3e86ff5febde34310e139c86

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
