General

  • Target

    cc0372ab1aba3269d4aab5a6ae0f0cb25138302dc7fa36db19fe7e1a9ad2e2d9

  • Size

    285KB

  • Sample

    220524-3t87yafhgm

  • MD5

    da703b96b936c71e749debec6818ec3c

  • SHA1

    49071ee38dfc9849e5a2607843ad3c3bcf7d3533

  • SHA256

    cc0372ab1aba3269d4aab5a6ae0f0cb25138302dc7fa36db19fe7e1a9ad2e2d9

  • SHA512

    aa5b8d721792b322c1a39972fddd1f5787c57ff984df32ece18b75fc8a6a0f02866931bc4aea5c11ab40e8e372f5c786ced379e42ba2f24d5873ce5756ef3050

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$nlAW1Qm0d9Fa/5fx95aGVO6ltOtgERLpct/4.B77IKNgWKXbYBJTa

Campaign

4233

C2


Attributes
  • net

    true

  • pid

    $2a$10$nlAW1Qm0d9Fa/5fx95aGVO6ltOtgERLpct/4.B77IKNgWKXbYBJTa

  • prc

    encsvc

    wordpad

    excel

    outlook

    onenote

    winword

    mydesktopservice

    isqlplussvc

    sql

    oracle

    thebat

    synctime

    mydesktopqos

    msaccess

    powerpnt

    ocssd

    xfssvccon

    dbsnmp

    agntsvc

    visio

    sqbcoreservice

    dbeng50

    ocomm

    infopath

    steam

    tbirdconfig

    mspub

    firefox

    thunderbird

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4233

  • svc

    memtas

    sophos

    sql

    mepocs

    vss

    backup

    veeam

    svc$

Extracted

Path

C:\2lg6m4g8dv-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2lg6m4g8dv. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4A45228D0D4E5D51 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/4A45228D0D4E5D51 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: NRzo6mJ1gLeJ0rI27MGv/tyrOVj7IiY6IxYEx6HDfec8AQGYVcvOOkfbxBKOom7x Wq1WxGBFbXHSP5PSJBhL/T3m05eOoja3Iux82nnfF9usnq6M6OUxBWifQHFbP9hA vw0QYBlNnYgl/EwxIrIxrZM8TgSRfjJFqh0LM2vv1VxpPBnvnbSssYh6TjmP1v8+ VLAS0CSzF3t0oKIPLYeMY+OuUyrymBBqLP7j0eBOmf/Fb4ZPXiFD/Wf4X/UBz/rv SXZESeTjpneZ3UhZNLb09VXaVZ5HvxEetKBEi5lkpMpHGeI4U2P5J3+r29j7yDot oqu87jdmtvObzC2mZ8MzgvMWry4MIKf8SVImXy2pB9W53LHAi7T2yg1ZnMTYZFiD mDact5Vx9jpgTJ+E8K1/B1VWlBzNapQltntX3fXjN1uexUim6Qzrhx+GeV+jtA9x 4gYSrkar9jvTk6TD7DxYsnvNF8LuDZv3kNnaAIN/zNZCc+YNWrIISnuLmISFmgBD u156SP+xad75GStcf9ziyOVpbnavH9egarF2iWBaM0UNjaWoOdbeQfV6dEhnFBg+ M6MGNWXgHdq7VSBYthDFAw0nSggdZ9l2+MavZW1onAYC7whNM/9g4+z7+8WUy6kS SWXmtykQSgG4Mo51LkMEuh7zm6s8p4KdLAzG0p4wBE6tuu9fKUaschR+rCSN8KgF HA+8xCba3E3r+D4AtVeoemc+R89RCrJL81BleuvAc2xRJ6umjsXoJPq1fP6ovnkD 6X0U0mQeSnwl2WmVAFQZ2k1ll4ZRk+HZaO0euEd+6ZbUT5FeW6zyfFVOJc73eQaC +FaoOootFAe6cX8w0Tj79bt5zU+VjY3/NYZkSbDaiIJGKZs0EX6qs3sJoQIo5K9m cOk5Sp63hIHzTnUSviy8fFsrrjNO5cphQoL4KsYYtuCpwV1w3o0/nmdHUcIVYD8H zyaWhAlskdJHcp9DQgxhefnG+bJQExCtKOzF2qfgdO59qZbVDhUNevAXDQ42isA3 K3F47X1/Qd/DxQCSsVOTMqYXCeDeyIkpN9CdeM4UYZvBks4g+T6lqyAod3J0P8wk 7jEhJKO2zYjjgexGFvB2kH0Pd3KO5BUfhrLCZ6F8Ipw1hr9QgJ8RGr/cCbg/mrHM e9FOX+0D2+lWMprLySrM7YBx8JjpAAX9hTvLpEyxt/YL/SEH6CDCvtgUVORO6uD5 Il5GCiSjpNgU5iQ5Ly5/oLRY+2sFLa87qntaAcBegRCXrIJtXdWguhWTJDfahHDi PtPXsEumKidip0isqXSuMqQevJW4FJJpetAdNmNeeetVQy1ZocE= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4A45228D0D4E5D51

http://decryptor.cc/4A45228D0D4E5D51

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Defacement (T1491): 1

Tasks