General

  • Target

    02eb081ad7f6fc0026701a3ff81ff75e45b9a9d094ea5cb779e62525e4b20c6e

  • Size

    164KB

  • Sample

    220528-cq6pjahbfk

  • MD5

    523fff481929310d1e00a6a3d5ece4e5

  • SHA1

    938cecf83fb00723f05ee5f828f85a82d7369daf

  • SHA256

    02eb081ad7f6fc0026701a3ff81ff75e45b9a9d094ea5cb779e62525e4b20c6e

  • SHA512

    6f8b702aeb04341aeb7a5a27170ac3fdafb0275dc2dbe81ea798555b485baada65d72db05dd09da3f2d0b28dc22c1177b53ae380425163842074c646f483df2d

Malware Config

Extracted

Family

sodinokibi

Botnet

25

Campaign

1300

C2

lapponiasafaris.com

epicjapanart.com

linearete.com

elitkeramika-shop.com.ua

kafkacare.com

animalfood-online.de

nvisionsigns.com

rhino-turf.com

internestdigital.com

innovationgames-brabant.nl

smartworkplaza.com

oscommunity.de

matthieupetel.fr

n-newmedia.de

haard-totaal.nl

sbit.ag

stagefxinc.com

jeanmonti.com

trivselsguide.dk

zwemofficial.nl

Attributes

  • net

    true

  • pid

    25

  • prc

    sqbcoreservice

    mspub

    firefox

    ocssd

    mydesktopservice

    outlook

    winword

    encsvc

    powerpnt

    onenote

    steam

    thebat

    thunderbird

    oracle

    sql

    agntsvc

    xfssvccon

    synctime

    mydesktopqos

    excel

    dbeng50

    msaccess

    visio

    wordpa

    ocautoupds

    tbirdconfig

    ocomm

    isqlplussvc

    dbsnmp

    infopath

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1300

  • svc

    sophos

    backup

    vss

    veeam

    svc$

    memtas

    sql

    mepocs
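The extracted config above is directly usable for hunting: the C2 domain list, the prc/svc kill lists and the `{EXT}-readme.txt` pattern in ransom_oneliner each map to a check over ordinary host or DNS telemetry. The following Python is an added example, not code from the sandbox, the report, or the malware. The constants are copied from the config on this page (ransom_template is reproduced only in its placeholder-bearing fragments); the event shape, the substring/case-insensitive matching, the extension charset in the note-name regex, and the constructed sample events are assumptions for illustration.

```python
"""Hunting checks derived from the Sodinokibi config extracted above.

Added example (not sandbox or malware code). Config values are copied from
the report; the matching rules and the event shape are assumptions.
"""
import ntpath
import re

# --- values copied from the extracted config on this page -------------------
C2_DOMAINS = {
    "lapponiasafaris.com", "epicjapanart.com", "linearete.com",
    "elitkeramika-shop.com.ua", "kafkacare.com", "animalfood-online.de",
    "nvisionsigns.com", "rhino-turf.com", "internestdigital.com",
    "innovationgames-brabant.nl", "smartworkplaza.com", "oscommunity.de",
    "matthieupetel.fr", "n-newmedia.de", "haard-totaal.nl", "sbit.ag",
    "stagefxinc.com", "jeanmonti.com", "trivselsguide.dk", "zwemofficial.nl",
}
KILL_PROCESSES = {  # "prc"
    "sqbcoreservice", "mspub", "firefox", "ocssd", "mydesktopservice",
    "outlook", "winword", "encsvc", "powerpnt", "onenote", "steam", "thebat",
    "thunderbird", "oracle", "sql", "agntsvc", "xfssvccon", "synctime",
    "mydesktopqos", "excel", "dbeng50", "msaccess", "visio", "wordpa",
    "ocautoupds", "tbirdconfig", "ocomm", "isqlplussvc", "dbsnmp", "infopath",
}
KILL_SERVICES = {"sophos", "backup", "vss", "veeam", "svc$", "memtas", "sql", "mepocs"}  # "svc"
RANSOM_ONELINER = "All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions"
# Only the placeholder-bearing fragments of ransom_template, joined with " ... ".
RANSOM_TEMPLATE_FRAGMENTS = (
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}"
    " ... b) Open our secondary website: http://decryptor.top/{UID}"
    " ... Key: {KEY} Extension name: {EXT}"
)


def render_note(template: str, ext: str, uid: str, key: str) -> str:
    """Fill {EXT}/{UID}/{KEY} the way the dropped note on this page was filled."""
    return template.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", key)


# Note filename comes from "{EXT}-readme.txt" in ransom_oneliner. The charset and
# length bounds are an assumption wide enough for the observed "90kj2rp1".
NOTE_NAME_RE = re.compile(r"^[0-9a-z]{4,12}-readme\.txt$", re.IGNORECASE)


def is_ransom_note_path(path: str) -> bool:
    return NOTE_NAME_RE.match(ntpath.basename(path)) is not None


def _image_stem(image_path: str) -> str:
    name = ntpath.basename(image_path).lower()
    return name[:-4] if name.endswith(".exe") else name


def process_hits(image_path: str) -> list:
    """prc entries contained in the image name. Substring matching is an
    assumption chosen for hunting breadth (so "sql" also catches sqlservr.exe)."""
    stem = _image_stem(image_path)
    return sorted(k for k in KILL_PROCESSES if k in stem)


def service_hits(service_name: str) -> list:
    """svc entries contained in the service name (same substring assumption)."""
    name = service_name.lower()
    return sorted(k for k in KILL_SERVICES if k in name)


def is_c2_domain(query: str) -> bool:
    """Exact or subdomain match against the config's domain list."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def scan_events(events) -> list:
    """Apply the checks to simple event dicts. Event shape is an assumption:
    {"type": "dns"|"process_terminated"|"service_stop"|"file_create", "value": str}."""
    hits = []
    for ev in events:
        kind, value = ev["type"], ev["value"]
        if kind == "dns" and is_c2_domain(value):
            hits.append(("c2_domain", value))
        elif kind == "process_terminated" and process_hits(value):
            hits.append(("kill_list_process", value))
        elif kind == "service_stop" and service_hits(value):
            hits.append(("kill_list_service", value))
        elif kind == "file_create" and is_ransom_note_path(value):
            hits.append(("ransom_note", value))
    return hits


# Constructed sample telemetry (not from the sandbox run).
SAMPLE_EVENTS = [
    {"type": "dns", "value": "www.lapponiasafaris.com"},
    {"type": "dns", "value": "update.microsoft.com"},
    {"type": "process_terminated", "value": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"type": "service_stop", "value": "VeeamBackupSvc"},
    {"type": "file_create", "value": r"C:\90kj2rp1-readme.txt"},
    {"type": "file_create", "value": r"C:\Users\alice\readme.txt"},
]

if __name__ == "__main__":
    for rule, value in scan_events(SAMPLE_EVENTS):
        print(f"{rule:18s} {value}")
```

Rendering the fragments with the values visible in the dropped note (extension 90kj2rp1, UID 0540B2583A3108FA) reproduces the two URLs listed under URLs below and the `C:\90kj2rp1-readme.txt` path, which is the check that the template and the note came from the same run. Single kill-list hits are noisy on their own (sqlservr.exe stops during maintenance too); the useful signal is a burst of terminations across this list, or stops of vss/veeam/backup services, shortly before a readme matching NOTE_NAME_RE appears.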

Extracted

Path

C:\90kj2rp1-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 90kj2rp1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0540B2583A3108FA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0540B2583A3108FA Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ZRrVN+imEjXN3LE1YaQIusuDy5sFNuNM1Uk541MRupJeQk1wHo2TpAVGNpVzVJBn DvD1+i103De2PktO+/sTSTUHAf6sLFGIQd71Nf33gUISEjr176KqcSXtQCrrONvd kEUuyfAldBu/9xssBnNvKSeLfmwUul5QeY14OnslJsbYrb2NB+sQwmxwevn0wh3a aZh9o87XaE/lWTNaG0RcT9S2bj12EaSJhAZP+7C0feMP7QiqORn7aWw30GIEb5mK MC6wre9TNtJCXMIMNvlk+dZyNqWS+jq8qUOrKCGHftCp0FOqiCmFpjIrMzonC3v8 97T3Sm5Z29OIcuMI5Zacx/hcc4TqWCZsFaw8yVSayQxWPpTbE2s4pxkIKt0bblKW yOWu7GdILPBjqSGu4jyfOrnQX5NPIQgrVSTQlZHfWEMWzbGA3cfUJtPM/teyRTnU aw4ES0hLgfaem+JQPAYvHdjoI5jxQEeTjH5QcmOQ8wu7z1NdOdYxIsRhHjQkx4PZ 9NO0FJKhK7PpP/XMGGRHjchpbGmx4BStUnRXPvEZp/D2MQjlWSqDH3ARScVV3kkM l7TEAnIMbn9esEv2u8+UwdHyzuYpKjUVgFv0Fe6+s9daFfcBhOQGgHexXYjU065o 5c2Lm37MiclCkgknjaiHRHoKN/WaFxNXE7k3VEURb4ym6LcJ35+6JGfxP9bXHIDM Xsk15MwvnYGFYJPJ+vdlSwm1MeELVnrA0fljHWcRMUz5JT3IIC+7Es1FbHnB3ENY Vv2wAgtB3manlKew1vPBK0DXs0mou/tin2a0N83n4XaThRNFmig5X+wtxSzeJhPi 0eS85DsnUHtCcl1a5mvvRQnff2ApjcP094wjStCynWuzSx5Trm/uJkgQvJrNXq+s vHclQSghTGTuvR6qg0G8kmd+m0EKPnLSBxeXfIa0qmoPEss5Qz7NQLsVX43N8fGs ecWx4KPu/3WeiIdUX2voBcpOgkzZbB137vCCCHDT6Nk63IaXBu/VDfnGDLkHubUJ dgaiuBB/OIEH5JbK/GpTqJUKxC8y0tNT9iRb0/ETwJGfKIU7zyFrEJlRx3DhCQV1 zl371xOWN8vxSTJTSOnNdqn/qvKe6rGUu8mq2/KHGnsHXFqUMwP04dgg0p0eBHRF Hx8mrV7hYRcOn7CYfK8= Extension name: 90kj2rp1 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0540B2583A3108FA

http://decryptor.top/0540B2583A3108FA

Targets

    • Target

      02eb081ad7f6fc0026701a3ff81ff75e45b9a9d094ea5cb779e62525e4b20c6e

    • Size

      164KB

    • MD5

      523fff481929310d1e00a6a3d5ece4e5

    • SHA1

      938cecf83fb00723f05ee5f828f85a82d7369daf

    • SHA256

      02eb081ad7f6fc0026701a3ff81ff75e45b9a9d094ea5cb779e62525e4b20c6e

    • SHA512

      6f8b702aeb04341aeb7a5a27170ac3fdafb0275dc2dbe81ea798555b485baada65d72db05dd09da3f2d0b28dc22c1177b53ae380425163842074c646f483df2d

    Score

    10/10

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
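The "Modifies extensions of user files" signature fires on the sandbox's own file monitoring; the same idea works on endpoint telemetry. The Python below is an added example, not code from the sandbox or the signature engine: it flags a process that renames many files to one extension that has not been seen as a source extension in the same telemetry, which separates encryption from ordinary save-as between known formats. The event tuple shape, the window and count thresholds, the novelty heuristic and the constructed rename events are assumptions.

```python
"""Burst-of-renames detector for the 'Modifies extensions of user files' behaviour.

Added example (not sandbox or signature-engine code). Event shape, thresholds and
the sample telemetry are assumptions.
"""
from collections import defaultdict
import ntpath


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def detect_extension_bursts(rename_events, window_s=60.0, min_files=20) -> list:
    """rename_events: iterable of (timestamp_s, process_image, old_path, new_path).

    Returns [(process_image, new_ext, max_files_in_window), ...] for every
    (process, new extension) pair that renamed >= min_files files inside any
    window_s-second window, where new_ext never occurs as an old extension in
    the same telemetry (assumed heuristic: a freshly invented extension is the
    ransomware case, a save-as between known formats is not).
    """
    seen_old_ext = set()
    per_key = defaultdict(list)  # (process, new_ext) -> [timestamps]
    for ts, proc, old_path, new_path in rename_events:
        old_ext, new_ext = _ext(old_path), _ext(new_path)
        seen_old_ext.add(old_ext)
        if new_ext and new_ext != old_ext:
            per_key[(proc, new_ext)].append(float(ts))

    alerts = []
    for (proc, ext), times in per_key.items():
        if ext in seen_old_ext:
            continue
        times.sort()
        # Sliding window: largest number of renames whose timestamps span <= window_s.
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_files:
            alerts.append((proc, ext, best))
    return alerts


def constructed_renames() -> list:
    """Constructed telemetry (not from the sandbox run): one process renames 25
    documents to the observed extension within ~10 s, plus two benign saves."""
    evil = r"C:\Users\alice\AppData\Local\Temp\sample.exe"
    events = [
        (1000.0 + i * 0.4, evil,
         rf"C:\Users\alice\Documents\doc{i}.docx",
         rf"C:\Users\alice\Documents\doc{i}.docx.90kj2rp1")
        for i in range(25)
    ]
    events += [
        (1003.0, "WINWORD.EXE", r"C:\Users\alice\Documents\~WRD0001.tmp",
         r"C:\Users\alice\Documents\report.docx"),
        (1004.0, "WINWORD.EXE", r"C:\Users\alice\Documents\~WRD0002.tmp",
         r"C:\Users\alice\Documents\notes.docx"),
    ]
    return events


if __name__ == "__main__":
    for proc, ext, count in detect_extension_bursts(constructed_renames()):
        print(f"{proc} renamed {count} files to {ext}")
```

Tune window_s and min_files to the host's normal rename rate; backup agents and build tools can rename in bulk but do so to extensions the telemetry has already seen, which is what the novelty check filters out.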

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Tasks