General

  • Target

    692b0db3de579b4dc20697a949a4c6e8e930720ce48cea62042c0522442a403a

  • Size

    116KB

  • Sample

    220305-y8ffyshbf9

  • MD5

    dd3150ad746520d50ce61aa146b0fd4e

  • SHA1

    a90c355f8f751d1575e9be13ad12fddf009f71c6

  • SHA256

    692b0db3de579b4dc20697a949a4c6e8e930720ce48cea62042c0522442a403a

  • SHA512

    baf3507d71247d3c169dcafa0fd180c5f6abc2e753c34c19cea1684156cdab6e01b45e2defdbde567e527a47a73a21725e8283137a8b77236ceafa1dd2d77e0d

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$jrCq3cRqbd9IhxpDCsx0Yu14qCXhjvb1iQXeDmfE/Lb.t5q2kfN9G

Campaign

4461

C2

transliminaltribe.wordpress.com

sportiomsportfondsen.nl

ontrailsandboulevards.com

triactis.com

hairstylesnow.site

geoffreymeuli.com

love30-chanko.com

deprobatehelp.com

linnankellari.fi

wychowanieprzedszkolne.pl

antiaginghealthbenefits.com

mountsoul.de

hardinggroup.com

phantastyk.com

xn--fnsterputssollentuna-39b.se

aniblinova.wordpress.com

tampaallen.com

wien-mitte.co.at

miraclediet.fun

twohourswithlena.wordpress.com

Attributes

  • net

    true

  • pid

    $2a$10$jrCq3cRqbd9IhxpDCsx0Yu14qCXhjvb1iQXeDmfE/Lb.t5q2kfN9G

  • prc

    visio

    outlook

    sql

    dbsnmp

    excel

    ocautoupds

    synctime

    msaccess

    steam

    thunderbird

    tbirdconfig

    isqlplussvc

    sqbcoreservice

    mydesktopservice

    agntsvc

    firefox

    winword

    mspub

    dbeng50

    thebat

    oracle

    ocssd

    encsvc

    wordpad

    onenote

    infopath

    powerpnt

    xfssvccon

    mydesktopqos

    ocomm

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4461

  • svc

    veeam

    backup

    vss

    sql

    sophos

    memtas

    svc$

    mepocs

Extracted

Path

C:\jabwv5-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion jabwv5. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/495E77D584F0E6EB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/495E77D584F0E6EB Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: KNPCjDTXaUYCDhm6N/xayl39lDXqjQe2PNPof2djWRW1aVcqrUdFXuBwobKX18OD /z5Bna2oYYuqFqKGTVvr4nScbjaQieX4bohUfdCxbvdiI7yu/OTAmt68wVyjGM/x gUEZBkFP5z2C1NwEa/Wq+6bRE/C/GTuKPhGxwMUp1PGeSkoOmHj2HhV94o/DEL+U QVUDRxJ1G2oAkSKva9v2s4/mRlZVgJshhGLyPBWh1zAMaH7W10A00Mh+i7Cf/5QY 5lhPnT1jBQvi/90hKsDTbfpu1tP5eSfGEb8J4vOnvuj5KRo/OxHNVQbDZjjM4E3K 2lf//XAZ4r1TDTzibumCAIlKs9VG9tH+RG6xfZwftpoi6Q8YI4snYjdu1CwBcmhe ggz1rIgOjQRVJ2CVbAqu16n4XdHGabtocntesa9T72BaQ5chVRKzsO7sb0Kq+9mt lxYTta6XaLf/1JlK10+m8+slgb4mOZSMpTdLSRoTCsILlgTrGG5zevWZLmlYMCTR azEGhL0/A75eOSPgvPHWePJVJBRrD+hwUfhLCqj31W9py7DZEjABDvdf7pBtceAZ JPzsv0cEed92Uv82Dx/z78ZPzBJyeCVrDJMo1NqStiX2od3/Rm2wwKM7QfYYf+1l CGu8kgnQhShk9g8ZmuNjaDSAE3TK7BoDbuIPbZu4xWNUxGr0TG2eFohLYf1vyUWq vxcpOkkgVemKw0DF6J4KxvVAaMLNFLKGYa2nj4mX9uiAb5JK+H1kvYpVV8ZoaUAX dqtHhRKDQljUCTIHnmdCLfGn2FIDeRxZobIDYSARiwMxlixeM1/P3YD+k3HsB51m ox4sAHmvOIwqhHkfHgjkSYI3i5M/NHFtCn4vD+DZfesNYOAfLeReHnZ9/TwxcfU6 Xn25mTNXYm3Y841y1tMS8ymg3YN1kaVtnUtv3X7+PJD46dmQM3R3mpdZ4p7MQpOw VUW3VlfAAqzNRrXKWlu1ySF8ik1Bw4Fy+WKb1aoKDz50Z6UHgSOfMafSzdYHbu6v bApMg7/xzoViaNgM9TwkjkW+5kuwHsR7vM7iYyD+3mh4EpfFhMdJXcmq+j+9Qk5d J+BX55Fhq4bbyWSIs0LK01jzsZ0Gdp9ABR4OPfPOb8rGJH6FaBe0Imb9AiE1FB5t sjvTVPnP7FsZMm6CtfY5Nk5RnV1G0Siq0Z5o4iH68eyydZlEtUzSdM1DceKEXxXN w+k6GaNJg8Mgd/vL/sPQBAV3TUTCxXuPgJG0BHOOrWckHyqTY0G+f9w+SlPCoeWT +Ya+aWzUf8o5ohznjc9TOVO6/j5jkjOk Extension name: jabwv5 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/495E77D584F0E6EB

http://decryptor.cc/495E77D584F0E6EB

Extracted

Path

C:\777xi64w7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 777xi64w7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D937E6E5D89D41C4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D937E6E5D89D41C4 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: SyebsTrtuJl0aWOTrB/LAR4Gh0ypxCxwRb0FP5Q/BlvRoA4EhB3YZ1RkeJh10AJL 4jWGH47JG/2XbWkUSYfW9fRcfrlXfcIbhKEFEtxG9fwEgJJxK1CCOFy2WVvzmZ8T KTyVEPKiu6Oxuj9JP6iztqMU38cT6vzqJ24j8T0MoAoIhyI/WsahLG8cswmln5xl EK7vweTsSgqrFmBiJ6z6pM1eMHs0tdP2u0geXM0voxaP8wgMck5ZQdgnTIPR5e0G mqqX67lHCuVRSD9Pg1cNpReGWLSlPABYjqXgbQpZwQWYkGwudwSSeI6FLPAkD/T1 3nwCO7KbMnZdswhkZHof9LH4Yqj54e72hwt2z9eJwb9jf/Pmn7D4OAaJK2L2JldX RNgbNJzQgHdzrec/yrIeSv1HcZ4oU/i3J1yMebNvLHiCfTTd8TqrL2pg1yEpCL2m eIMjRv/JXjIzxJO3XV5WiXhuRbcvy/mUuzx7Ea1YqCIyk6EGunyFHEfP1njOeCkN ZgamL/98NTFgdwk/LYOHEIRuiZgCH/UxVCVXSrAjZ0wk2DdHe52DY+qi8mgUJNsi jNc29zizZaapB64DXH42BW6sbw1NNY3uW+1AeM+mv/Fl0IzmO71dsoEYxOGMrEsA yscnYvZt8kYRlvg+/gxrOwBFHnno93EMZp2iAgWL/utUjA6hRrzMFFO1mPc1K2tl Gnj+yIut9+Dmo5HhNwvQItmk4Y3cR2YpvpLewlMoQ8E4Qp49UfU1/b6C+jp3P30I vi+hCuKg0Y9JIXoAlOcY2FvwOQCiLTV/qJWD6efk7CtC2xUruvfYlzNDSIXlL5S1 FFnmvFnfOJwRAlNBWgCT2dlRAXiGTE8f7sxx8hQ1rJUPH653ptaeCUy3MdKeEdeS NtGO1XObLM5cvsVpgSmpYMhMsOBXQAwnV9TPGbdV8WuGT4ckrUyRyF74qDl3xWSz xAX4SqMToiIYwvB/3vZgzREth1r4bxEh5Z4GvOVjGI6rySu+BAtAK9xZE95Y9CNy spxOWVUprm2EgKvRx17bXeCI9fLG66WSzvMy4I3Xg5rFV+A5c1FPsU1kwnsN/AdS pMcSMi3XBtGMUCDSGiUdFNNY3ZmWkutW7zNXSj2KcRrgdd22KaSte3gun9NeqCHQ QxfuhTtuQ3ntBuwTai2a5rnN4Y9bgvsTstauqhSs8w26xzK75n2DTXYGJ458CJPO UxuXO4bIZRRGjY1nAOkLjqXwvWU6fr7i5h5gl37m89EeH3ZjpY5gtumN1fnoGcZ/ uxUoXdfCQpYVFX0XFyhvRwUwvhuzhl8PF9EZHEeANv/p7MJt Extension name: 777xi64w7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D937E6E5D89D41C4

http://decryptor.cc/D937E6E5D89D41C4

Targets

    • Target

      692b0db3de579b4dc20697a949a4c6e8e930720ce48cea62042c0522442a403a

    • Size

      116KB

    • MD5

      dd3150ad746520d50ce61aa146b0fd4e

    • SHA1

      a90c355f8f751d1575e9be13ad12fddf009f71c6

    • SHA256

      692b0db3de579b4dc20697a949a4c6e8e930720ce48cea62042c0522442a403a

    • SHA512

      baf3507d71247d3c169dcafa0fd180c5f6abc2e753c34c19cea1684156cdab6e01b45e2defdbde567e527a47a73a21725e8283137a8b77236ceafa1dd2d77e0d

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks