General
-
Target
e8cf5d5825e19d3a92a8d81cc86eb03d2eebb18d333dcec743b04769257071a2
-
Size
119KB
-
Sample
220305-zr49eshcb8
-
MD5
53665ee039f02304c7c3d74b75feb9cc
-
SHA1
1762e80d5e968fd75f66936fcc1037ab47daa3b1
-
SHA256
e8cf5d5825e19d3a92a8d81cc86eb03d2eebb18d333dcec743b04769257071a2
-
SHA512
76987b1367051047009b371374052a6f313aa7eca0861bf4335d2523d22322bb342197f429d5b3f6906d93521f7bd8a3f6e98c3d4221172bc36a9939594b497d
Static task
static1
Behavioral task
behavioral1
Sample
e8cf5d5825e19d3a92a8d81cc86eb03d2eebb18d333dcec743b04769257071a2.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
e8cf5d5825e19d3a92a8d81cc86eb03d2eebb18d333dcec743b04769257071a2.exe
Resource
win10v2004-en-20220112
Malware Config
Extracted
C:\q3j199dp-README.txt
http://2xultdmexzfolaylojzgucu53aynvs6d7igkgeky3diw5rml3w6plpid.onion/post/51b8300fae856b17786a1ca7aa7a7654b6ca2e74941d8f5369b54147fed32000
http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion
Extracted
sodinokibi
$2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6
67
-
net
false
-
pid
$2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6
-
prc
vsnapvss
EnterpriseClient
firefox
infopath
cvd
tv_x64.exe
VeeamTransportSvc
steam
encsvc
mydesktopservice
outlook
synctime
ocssd
SAP
cvfwd
bengien
vxmon
bedbh
ocomm
ocautoupds
raw_agent_svc
oracle
disk+work
powerpnt
saposcol
sqbcoreservice
sapstartsrv
beserver
saphostexec
dbeng50
isqlplussvc
CVODS
DellSystemDetect
CVMountd
TeamViewer.exe
dbsnmp
thunderbird
mspub
wordpad
visio
benetns
QBCFMonitorService
TeamViewer_Service.exe
tv_w32.exe
QBIDPService
winword
thebat
VeeamDeploymentSvc
avagent
QBDBMgrN
mydesktopqos
xfssvccon
sql
tbirdconfig
CagService
pvlsvr
avscc
VeeamNFSSvc
onenote
excel
msaccess
agntsvc
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-README.txt and follow instuctions
-
ransom_template
Hello, Grenergy! [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have {EXT} extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. If you decline to pay, your files will be published in our blog http://2xultdmexzfolaylojzgucu53aynvs6d7igkgeky3diw5rml3w6plpid.onion/post/51b8300fae856b17786a1ca7aa7a7654b6ca2e74941d8f5369b54147fed32000 [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion When you visit our website, put the following data into the input form: Key: {KEY} !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!
-
sub
67
-
svc
QBCFMonitorService
thebat
dbeng50
winword
dbsnmp
VeeamTransportSvc
disk+work
TeamViewer_Service.exe
firefox
QBIDPService
steam
onenote
CVMountd
cvd
VeeamDeploymentSvc
VeeamNFSSvc
bedbh
mydesktopqos
avscc
infopath
cvfwd
excel
beserver
powerpnt
mspub
synctime
QBDBMgrN
tv_w32.exe
EnterpriseClient
msaccess
ocssd
mydesktopservice
sqbcoreservice
CVODS
DellSystemDetect
oracle
ocautoupds
wordpad
visio
SAP
bengien
TeamViewer.exe
agntsvc
CagService
avagent
ocomm
outlook
saposcol
xfssvccon
isqlplussvc
pvlsvr
sql
tbirdconfig
vxmon
benetns
tv_x64.exe
encsvc
sapstartsrv
vsnapvss
raw_agent_svc
thunderbird
saphostexec
Extracted
C:\s5mrh81-README.txt
http://2xultdmexzfolaylojzgucu53aynvs6d7igkgeky3diw5rml3w6plpid.onion/post/51b8300fae856b17786a1ca7aa7a7654b6ca2e74941d8f5369b54147fed32000
http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion
Targets
-
-
Target
e8cf5d5825e19d3a92a8d81cc86eb03d2eebb18d333dcec743b04769257071a2
-
Size
119KB
-
MD5
53665ee039f02304c7c3d74b75feb9cc
-
SHA1
1762e80d5e968fd75f66936fcc1037ab47daa3b1
-
SHA256
e8cf5d5825e19d3a92a8d81cc86eb03d2eebb18d333dcec743b04769257071a2
-
SHA512
76987b1367051047009b371374052a6f313aa7eca0861bf4335d2523d22322bb342197f429d5b3f6906d93521f7bd8a3f6e98c3d4221172bc36a9939594b497d
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-