General

  • Target: 3177896e5f53f34670557dfa351e4c73d77a178bc1aa62030dd995d335a9a981
  • Size: 164KB
  • Sample: 220620-2g7ynscbdm
  • MD5: d5e42a58e793d9b488f46d77b38f92af
  • SHA1: 433b8d938d3778b07c36b998eff618892e83236e
  • SHA256: 3177896e5f53f34670557dfa351e4c73d77a178bc1aa62030dd995d335a9a981
  • SHA512: 6de37ca575a7859051ca4db0a8691843a11a437bd0e592ca1da04ddc5380103baea1d0cdc95e3e2f3ac345f35b2479bc6aad1ac81929a45b8219f5931c870b27

Malware Config

Extracted

  • Family: sodinokibi
  • Botnet: 28
  • Campaign: 1819

C2
Attributes

  • net: true
  • pid: 28
  • prc: encsvc, infopath, msaccess, thunderbird, agntsvc, ocomm, ocautoupds, oracle, sql, xfssvccon, outlook, excel, thebat, steam, powerpnt, mspub, dbeng50, winword, mydesktopqos, synctime, visio, firefox, onenote, wordpa, ocssd, tbirdconfig, isqlplussvc, dbsnmp, sqbcoreservice, mydesktopservice
  • ransom_oneliner: All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
  • ransom_template:

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub: 1819
  • svc: svc$, backup, mepocs, sophos, veeam, sql, vss, memtas

Extracted

  • Path: C:\u0o56tez4x-readme.txt
  • Family: sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension u0o56tez4x. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9F0AC63999EFF22F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/9F0AC63999EFF22F Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: s60aL/PV6IBFhLjAdTMpueOd0ey818lKb/5wepMjBYi70W4aXVgM1fiZQa1hUcn8 7W2qLhC80pp4pi8PftUcTefUmSxNEhHEU7D74KUvsQLeo8Ehu4DVG7f+TxPQM0Th fn7AXljMc7wv19a3oB9XHv6TnAslIMpHK27Cn9k4L9KJ0XPtecxsQUeLybZCf0wM xerRiIMN2oqeQDU3NcRDRRkGd7ZI54Q5Q/mOerRioYvt4y+r6dAA0VlCnwC0pQ7D n8RJBA1vuKRUhtur7jqJO42jrsvcw38JO8V9TiY2Ec1sC50QPOMeuDmyv+eHIxaB IicKm0NjKEspKxCr1z5Na8kTYqRo+RzlH58ZmtYMwxgMqTGvfOdwMPgR0j1rgd6/ mEJ75n4T/eoG8PbGG7U7JDYXRwk4eXaHzPpiS2JtCCzbtvjgNiRx5PnfON6OsB2O WAJwp50Lmt96ewx93A7rbTbAEFSbWYSoWFmBfnQs0WLSYRQecMI25NQxsIx9bGA7 h8aNry9Cnfg+AeryVHJWXzUzziEztmOE0Vivw8XVzLrIs1wxqbGpD1bCXHLo2p5a OdjKBdAVAZJ34j96B8FNrdWSlu59obzHRNFVARvHdV66T5aB2gISUYGP/4QMuf2F SYwHLCB/A16TkFBFZBuSc1flw77HPdNU4rKWq1fM8HE8+gXw+dfSMWOQUvPXwLgZ l647EQ9smkNh+/YI68raltXvmxPShTGTTp/2aVJ++2Aleevvt1XaN0g1ab5dTpSK l0w1DTiA0eBXq2FAspU9oabODil4xxfYQp20U5hfOI693W83bd51so3S3nSjSbYJ /Ifi6fH6K9fzxk+XZys7gJHMH3RDR5fanMUCO6ds/0oNUggAzH5ziJlLg3+CbHXz p1priaw29sxcc4XAx3KRvwyFBCDY5OOv6f6ZV5KSoqOY2zp36LlDAKo0KfSclGej VgJKbqmFt/MmCwkw1MHp9DHnFJS/eQnU2PEPyLKsoE6Leqaghp+Z2+p+8qFc71SZ D3L02YM7wXQCOVE2Yze6ZqTdSmtVB3MOAUQ6Cq1inoz7FyPjA3BhXKXMxAw14QFb uNOn45l/OeyIEt+yhAoFewEMjAUAEneP9WnUcPdxhtFmq8mt8/eppNt7RIMpImq8 ePLPyCW+mbT8hw+M7/BUV8pM Extension name: u0o56tez4x ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9F0AC63999EFF22F

http://decryptor.cc/9F0AC63999EFF22F

Targets

    Score: 10/10

    • Sodin, Sodinokibi, REvil: Ransomware with advanced anti-analysis and privilege escalation functionality.
    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1