General

  • Target

    9b7cc74fcbfffd50a080590723e27f086d9a23e4c3d0c2292ac60bd2cc792440

  • Size

    223KB

  • Sample

    230129-v3yhssha3t

  • MD5

    9b018a9440a9334aeda9213fa4371e64

  • SHA1

    ffc9fc56d82635b6e670486d83a5d226a61fab97

  • SHA256

    9b7cc74fcbfffd50a080590723e27f086d9a23e4c3d0c2292ac60bd2cc792440

  • SHA512

    95f84391098e7815390d7ef6f885fd5fe056930a6c7cdc78dd98a84113f517a2c4c6ab9bd8b1e1e9ce27f47079261da251930b540651f082cc008a12533ccbfe

  • SSDEEP

    3072:P4Rcps1J/uBWxQ3aZKK3zeQYi83baZa+07APyzj/fuKvYsAM:P4RcpEm4JKK6Q/5DHA/fln

Malware Config

Extracted

  • Family

    sodinokibi

  • Botnet

    $2a$10$BqxuXHQ/KLnbsjWnllagN.9hwa2Bun7ie9KYXYVa7n6dm66QOYBqm

  • Campaign

    6772

  • Decoy

    sachnendoc.com

    adultgamezone.com

    rumahminangberdaya.com

    gratispresent.se

    schoellhammer.com

    ctrler.cn

    exenberger.at

    fatfreezingmachines.com

    admos-gleitlager.de

    fiscalsort.com

    acomprarseguidores.com

    urclan.net

    streamerzradio1.site

    oncarrot.com

    plantag.de

    bouncingbonanza.com

    eglectonk.online

    cleliaekiko.online

    renergysolution.com

    kaminscy.com
Attributes
  • net

    false

  • pid

    $2a$10$BqxuXHQ/KLnbsjWnllagN.9hwa2Bun7ie9KYXYVa7n6dm66QOYBqm

  • prc

    NSCTOP

    dlomaintsvcu

    Smc

    encsvc

    powerpnt

    kavfsscs

    kavfswp

    AmitiAvSrv

    lmibackupvssservice

    outlook

    oracle

    Microsoft.exchange.store.worker.exe

    avgadmsv

    dbeng50

    Rtvscan

    thunderbird

    wordpad

    mspub

    synctime

    sqbcoreservice

    xfssvccon

    BackupUpdater

    kavfs

    steam

    Sage.NA.AT_AU.SysTray

    ccSetMgr

    ccSvcHst

    onenote

    thebat

    SPBBCSvc

    dbsnmp

    ocssd

    tbirdconfig

    ocomm

    sql

    ShadowProtectSvc

    mydesktopqos

    msaccess

    visio

    mydesktopservice

    agntsvc

    LogmeInBackupService

    firefox

    isqlplussvc

    ocautoupds

    BackupExtender

    BackupMaint

    TSSchBkpService

    klnagent

    infopath

    BackupAgent

    DLOAdminSvcu

    CarboniteUI

    winword

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    6772

  • svc

    msseces

    DsSvc

    sppsvc

    macmnsvc

    ViprePPLSvc

    TMBMServer

    Microsoft.exchange.store.worker.exe

    VeeamMountSvc

    "Sage 100c Advanced 2017 (9917)"

    "Sophos Endpoint Defense Service"

    Altaro.SubAgent.N2.exe

    "Sophos System Protection Service"

    "Sophos Clean Service"

    ds_notifier

    AzureADConnectAuthenticationAgent

    VeeamTransportSvc

    AzureADConnectHealthSyncMonitor

    masvc

    "StorageCraft Raw Agent"

    MSSQLFDLauncher$TESTBACKUP02DEV

    AltiBack

    svcGenericHost

    ADSync

    "ofcservice"

    HuntressAgent

    AltiPhoneServ

    "SQLServer Reporting Services (MSSQLSERVER)"

    mfemms

    psqlWGE

    AzureADConnectHealthSyncInsights

    ReportServer

    MSSQLFDLauncher

    "Sophos Web Control Service"

    Code42Service

    "Sophos Safestore Service"

    "TeamViewer"

    ThreadLocker

    "Sophos File Scanner Service"

    "SQLServer Integration Services 12.0"

    SQLTELEMETRY$MSGPMR

    SQLSERVERAGENT

    "ds_notifier"

    MsDtsServer120

    Telemetryserver

    sqlservr

    KaseyaAgent

    Amsp

    MSSQLFDLauncher$SQLEXPRESS

    SQLTELEMETRY

    KaseyaAgentEndpoint

    AltiCTProxy

    ds_agent

    LTSvcMon

    SQLWriter

    AUService

    MSSQLSERVER

    ofcservice

    Altaro.UI.Service.exe

    "Amsp"

    SQLTELEMETRY$SQLEXPRESS

    MSSQLServerADHelper100

    klnagent

    SSISTELEMETRY130

    KAENDCHIPS906995744173948

    VeeamNFSSvc

    MSSQLLaunchpad$SQLEXPRESS

    HuntressUpdater

    LTService

    "ds_agent"

    Altaro.Agent.exe

    "ProtectedStorage"

    KACHIPS906995744173948

    MySQL

    VeeamHvIntegrationSvc

    "StorageCraft Shadow Copy Provider"

    MSSQLServerOLAPService

    SBAMSvc

    "SophosFIM"

    MSSQL$QM

    "Sophos AutoUpdate Service"

    "SAVService"

    McAfeeFramework

    SQLBrowser

    MSSQL$SQLEXPRESS

    BackupExecAgentAccelerator

    "swi_service"

    SQLEXPRESSADV

    "Sophos MCS Client"

    MSSQL$HPWJA

    MSSQL$MSGPMR

    AltiFTPUploader

    AzureADConnectAgentUpdater

    "SAVAdminService"

    mfevtp

    VeeamDeploySvc

    MBAMService

    ProtectedStorage

    "SntpService"

    SSASTELEMETRY

    Altaro.OffsiteServer.UI.Service.exe

    VeeamDeploymentService

    MsDtsServer130

    sophossps

    tmlisten

    mfewc

    KAVFS

    Altaro.SubAgent.exe

    mysqld

    "Sophos MCS Agent"

    "Sophos Health Service"

    VipreAAPSvc

    SQLAgent$MSGPMR

    "Sage.NA.AT_AU.Service"

    "Sage 100cloud Advanced 2020 (9920)"

    VSS

    Altaro.OffsiteServer.Service.exe

    TeamViewer

    TmCCSF

    "ThreadLocker"

    bedbg

    ALTIVRM

    ntrtscan

    VeeamEndpointBackupSvc

    Altaro.DedupService.exe

    "SQLServer Analysis Services (MSSQLSERVER)"

    "StorageCraft ImageReady"

    ds_monitor

    "ds_monitor"

    kavfsscs

    Altaro.HyperV.WAN.RemoteService.exe

    MsDtsServer110

    "swi_filter"

    MSSQLTESTBACKUP02DEV

    MSSQL$SQLEXPRESSADV

    "Sophos Device Control Service"

    SQLAgent$SQLEXPRESS

Extracted

  • Path

    C:\xm1mobm1s-readme.txt

  • Family

    sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension xm1mobm1s. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A15C929A93F59510 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/A15C929A93F59510 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Vycu1yteiK23ayojTTFn8Ofjitq/QPMOO2k1Ik9k1fLMuNtoHPjEqdcc4Apc2Esg E7dof+Xah7n+m7lddzApZmSt+l7Har/kwim70aM6PCECTnEabQ3IenDb5Nt+Mn+2 tHD2UxaNSWQLdGaorBIj0nGFldV4AqMILaCDriZqywkycQdp2XD/srFl15tSfghe YuCR26zGG1Xu6GLCZ6YONMztV+ZBz4ZPnmbab5mn+ODcCpCQ3yGdrdTQ+gRxhSsz pZfX6Rmvb8GTrzWBlZ29jtxBtkIzYyfm4w7lPEgDf5EEYY3SdtGWnX1wz2RnQU00 gWlanp7eazuCVJ0ls1Stc8DOdNiisP5a/Yf7/HivhznFRIy42SvOLClxXSxsxApl KK11/IAhyN356XrYYRqiLB76eDXqS9lz6rM9bfZ+2p4lr7++gS3peNadi0WnJc3B zTqqUjaAvib+RNnAh0kwtta+wsG7lmoBWyGP81eN6oUgMEn4QiNUmW7sUXf8sovh GU3a36P39M4eRq9EPVMWhXaBe3NPQeKSRdZiYEXYuTlhoJmNJWENYtx+unLqzVx9 ammpmBxcuvuVqwFWNCADLPKOSJJ3Zp8Tf5xpOsBLfrZJ2QA+PDAfWg+MLbXGlbbt AVT2CXMIKkNP87FlfSQhMZkZq9Fig6Q3MSVGFRI7Tyt0nPu2aRUTRZB/FJDfTrvU zKfxh7g9cIkAKuiNoz/6s+QPvOisOTQ4+m68laNLrAVpIHdu8fS0A7lQ3uzjN6Rn h9nBFhWzNkv1dSzUROTkdPWX92LQ1LU6idCuqF5/i6qvDFpd395e5Bkrh+Enxx8P znwsVoSCfHlG8N/Pr/Gbg+glP/GQySGCASjKHZZaclsv2l9ksg4jVHn3YMTP+m/I KX5scDRLv+Z9m8krueh43vhjlD+ITgYVqAHUq/+sBQ95MWRrjF3fwpKbgVk/0ohf WbbcKpUpF50g32+QjaOqx3WT70SELRwnFQuQoAkgO9yKWk1yANADTu5UcEDicFaM kf/tEkY7IUlP/XEbLBfbI4HVGerc79j2IqAM8QFjl1sBCLvcHKKbew4tn+MzKIG1 ANRJduLYGG+RBNlhBPsy6TOJgLnn92C8gZtKxfUK2PJVo2hS1dGlX2icy2ChXH+O qMZA0brf7HdZQNjIYYBa1W8TXEY3qmz2vmIZey6sjgTehp8lyUb7oUYDABW1duT0 YCeQRPWwBDINtUPZK8fm64BmcYvQ1rvKZ+1BBm2FOSwmu4s1DUc17wKmpmK2vurx kYOkgYcVvUp+o7eRLSRjb/iZBR0ncFML6ZOZaq1mz04GL4oU =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A15C929A93F59510

    http://decoder.re/A15C929A93F59510

Targets

    • Target

      9b7cc74fcbfffd50a080590723e27f086d9a23e4c3d0c2292ac60bd2cc792440

    • Size

      223KB

    • MD5

      9b018a9440a9334aeda9213fa4371e64

    • SHA1

      ffc9fc56d82635b6e670486d83a5d226a61fab97

    • SHA256

      9b7cc74fcbfffd50a080590723e27f086d9a23e4c3d0c2292ac60bd2cc792440

    • SHA512

      95f84391098e7815390d7ef6f885fd5fe056930a6c7cdc78dd98a84113f517a2c4c6ab9bd8b1e1e9ce27f47079261da251930b540651f082cc008a12533ccbfe

    • SSDEEP

      3072:P4Rcps1J/uBWxQ3aZKK3zeQYi83baZa+07APyzj/fuKvYsAM:P4RcpEm4JKK6Q/5DHA/fln

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry: T1112 (1)

  • Discovery

    Query Registry: T1012 (1)

    Peripheral Device Discovery: T1120 (1)

    System Information Discovery: T1082 (1)

  • Impact

    Defacement: T1491 (1)

Tasks