General

  • Target

    86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b.exe

  • Size

    174KB

  • Sample

    230201-f9e8gaca68

  • MD5

    4b4c98ac8f04680f7c529956cfe8519b

  • SHA1

    e6dccf4b1fc5ab116b6bc1321346b35dbf42f387

  • SHA256

    86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b

  • SHA512

    59aa35ec0d7ac93c2b824a9f0dfb97dce3a042c584309af32d62ef6e767cbbd780af3f977c7d0cc32416e507b7c104cb504b582e37c2a896d3cb0de56d0443c7

  • SSDEEP

    3072:DYjClDhQlDvrcnVbOZh8gjVCMDSgpFnS+bKECYt+ei/Bx+GCokRwmpwegaZzTsfn:DDOYwhdlFbfEeOBx+GGwelWfCEoKMQ

Malware Config

Extracted

  • Family

    sodinokibi

  • Botnet

    $2a$10$qQ5kF6JmNztrQdZQ4EZ/reZ9TdKVES4AMEX9dQ.5V6UwJq4WsyZky

  • Campaign

    3537

  • Decoy

Attributes

  • net

    true

  • pid

    $2a$10$qQ5kF6JmNztrQdZQ4EZ/reZ9TdKVES4AMEX9dQ.5V6UwJq4WsyZky

  • prc

    steam

    CagService

    outlook

    MsDtsSrvr

    vxmon

    mydesktopqos

    ssms

    bengien

    isqlplussvc

    VeeamTransportSvc

    msosync

    sqlagent

    dbsnmp

    DellSystemDetect

    Slsvc

    mspub

    sqbcoreservice

    mydesktopservice

    devent

    xfssvccon

    visio

    EnterpriseClient

    bedbh

    thunderbird

    sqlservr

    ocautoupds

    vsnapvss

    pvlsvr

    sqlwriter

    VeeamDeploymentSvc

    dbeng50

    msoidsvcm

    ocssd

    powerpnt

    fdhost

    encsvc

    thebat

    msoidsvc

    infopath

    oracle

    beserver

    VeeamNFSSvc

    wordpad

    tbirdconfig

    agntsvc

    msaccess

    firefox

    sql

    bpnetd

    raw_agent_svc

    fdlauncher

    benetns

    winword

    onenote

    excel

    ocomm

    synctime

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Hello! ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We also download more then 1 TB of your data. You can see proof in our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/17?s=1548e2a273f97cb11d313e2e4176dfba Right now this post is unpublished. You can see it only with this link. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3537

  • svc

    MSSQL$

    MVArmor

    sql

    MSExchange$

    svc$

    MSSQL

    VeeamNFSSvc

    BackupExecVSSProvider

    VSNAPVSS

    BackupExecAgentAccelerator

    BackupExecAgentBrowser

    AcronisAgent

    CASAD2DWebSvc

    BackupExecDiveciMediaService

    VeeamDeploymentService

    vss

    AcrSch2Svc

    veeam

    BackupExecJobEngine

    VeeamTransportSvc

    mepocs

    CAARCUpdateSvc

    memtas

    MSExchange

    backup

    MVarmor64

    stc_raw_agent

    sophos

    BackupExecRPCService

    PDVFSService

    bedbg

    WSBExchange

    ARSM

    BackupExecManagementService

Extracted

  • Path

    C:\df5b6-readme.txt

  • Ransom Note

---=== Hello! ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension df5b6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We also download more then 1 TB of your data. You can see proof in our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/17?s=1548e2a273f97cb11d313e2e4176dfba Right now this post is unpublished. You can see it only with this link. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/65EE2880226C8EF8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/65EE2880226C8EF8 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: cw2cTK+8cm5LEKZTWbkZgZB2tLzKQtHi1IKo+UQsjaRa0MPdVf/KTPTm4HLLFuhE AOmRDcGGf5Ay2zpg58pMuOAnh4CCMpSudcpOW0J+gn1NgShUAVWe05MCamn1tu6W 35ujttitXamu/mzm4DgMOFLPxjunWkjOFZCietNzsto8grxQB7uGicAtYaVopyup QsKomfrgz7AU4R6X3GrKjSP/K51fcOyeusoumZRtmY4Dh+SY5vqjU0JliBl7oom8 WVGgAYx1Z34ahWPXS52WQbb+yAnKJBXIitMyQdJH1H7GmJ4KYDwLurXPD7f7Ux7g /+/BsedLYrlZBQotJJGEKhExEo1p0n0sx6EJtx/8gUpUG14C28279fd6cXxz1mPq Yd6PRzwscaoVkDLCX2zUfeKvof5UsRJijGG/jGwDFgLOGhEJdFTMYltPp40ZtENm gAllp76kzw5h6sFboji28rBKQwj9kcGKyKU/4ahqC99nGqDBBZVquwi3gujWhLAN cYlSeP8PUGHU+QBXi/r+nsTdzXpSuCHUHLj79OIPDAJetQJnJlVP2eVZ7UHpPrW0 VkFtkZZ6mhK4nRhlDmAhS6vJmiXAjXfjz0Uxg6puW1r7Kr08cKqB2htB6mAdiRuy HrLzpFzqOTe6K14sa8fGWTfdFFCiwFsslTgsMAIztajUgrybw4ar9FjPxI2X2WJs HCK2P3z6ouVRpgjqTSPtx0TPI788IYsqR0UZZsaSCnStmF5efRERbidAVUB/7uN4 PLz7l2OfEujGn9WEBWC4vycUkscF0uir4XhRwTe5vIkDnmjh4BWmcuCPjvhzXa8j vg2JsHuzcIj21Kn6tfWrSiy4HAXy1+e7dQPNCcf7jWvECwRIjs3Z+9t9yJ7kBgbK so1Kz3vj/fY9lVHYynW8/Rn0oBtL6U3d6ovsp6jG1S7YVSdsWfCv5u01ytgci6vL WsC9/4Zi80S3CAMq0x7X89N7TJYZYEaETM95+KSdMaQIgXFlx4sY4c8w4kxeQ75p /NFWFCAfGUpM8CeRfarmPbab7xrq/iXgyPE21PJ6TMGYsuwvl2kzkbh5Zrl1B7OK W7H+VcfsQYkYa8EpZV4vSAhPLwCQ4IRq1SVCDMCOZkOg6fYk8e1cytlSJImv+G2G 4NyrW8qQ89UEw9/l3NAFVg6nlxnw0F9epcteZ9kMsE7iKGycjEO+TDQHmBA8qn3D klRRHQphMCsroqd5GZAPsZEw5NEfPeL2oMrBWU8fYKh/ocjfvPybuRMBLtui0shV WXn4k7XrFG7W3AM5Ro3n1yhjDwd6mRA96i/U0A== Extension name: df5b6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • URLs

    http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/17?s=1548e2a273f97cb11d313e2e4176dfba

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/65EE2880226C8EF8

    http://decryptor.cc/65EE2880226C8EF8

Targets

    • Target

      86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b.exe

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Discovery

    Query Registry, T1012 (1)

    Peripheral Device Discovery, T1120 (1)

    System Information Discovery, T1082 (2)

  • Impact

    Defacement, T1491 (1)