Analysis

  • max time kernel
    44s
  • max time network
    54s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-06-2022 18:20

General

  • Target

    353fb7a00f04bf34de0f9b9cb590900503fe491eb00e236e8201160d709b9eb3.exe

  • Size

    427KB

  • MD5

    5bd321ec41ca42647d6fbd40f73f72d6

  • SHA1

    797d0ae3a36d31e858ab55466ec3095708ff4fb8

  • SHA256

    353fb7a00f04bf34de0f9b9cb590900503fe491eb00e236e8201160d709b9eb3

  • SHA512

    453360625675ab2d1eaf577025e5c03f27bbb64ab2132e1287dec43c0becb0af3292e0746e4158d912e2abf8c8b436b2aed155508275a000a303969ad2e8f8f0

Malware Config

Extracted

Family

sodinokibi

Botnet

21

Campaign

707

C2

framemyballs.com

eatyoveges.com

animalfood-online.de

geoweb.software

dentallabor-luenen.de

goodboyscustom.com

pedmanson.com

selected-minds.de

blavait.fr

nginx.com

iexpert99.com

bruut.online

lattalvor.com

legundschiess.de

transifer.fr

dieetuniversiteit.nl

nicksrock.com

sppdstats.com

ludoil.it

otpusk.zp.ua

Attributes
  • net

    true

  • pid

    21

  • prc

    onenote

    msaccess

    agntsvc

    encsvc

    thunderbird

    wordpa

    winword

    ocautoupds

    powerpnt

    sql

    oracle

    ocssd

    sqbcoreservice

    firefox

    mydesktopqos

    thebat

    ocomm

    tbirdconfig

    synctime

    mspub

    dbeng50

    visio

    mydesktopservice

    excel

    steam

    outlook

    xfssvccon

    dbsnmp

    isqlplussvc

    infopath

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    707

  • svc

    svc$

    sql

    memtas

    mepocs

    veeam

    backup

    sophos

    vss

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

Processes

  • C:\Users\Admin\AppData\Local\Temp\353fb7a00f04bf34de0f9b9cb590900503fe491eb00e236e8201160d709b9eb3.exe
    "C:\Users\Admin\AppData\Local\Temp\353fb7a00f04bf34de0f9b9cb590900503fe491eb00e236e8201160d709b9eb3.exe"
    1⤵
      PID:548

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/548-54-0x0000000000645000-0x0000000000667000-memory.dmp

      Filesize

      136KB

    • memory/548-55-0x0000000076181000-0x0000000076183000-memory.dmp

      Filesize

      8KB

    • memory/548-56-0x0000000000645000-0x0000000000667000-memory.dmp

      Filesize

      136KB

    • memory/548-57-0x0000000000400000-0x0000000000517000-memory.dmp

      Filesize

      1.1MB