General

  • Target: svchost.bin.zip
  • Size: 121KB
  • Sample: 231013-dapazsbd3s
  • MD5: 29c4b46f59c38e81caa4e89fb075dff5
  • SHA1: 5b1c24a1ba27a2cec31b0696db2db3591325acfb
  • SHA256: 3f2198870df4c4d85119f93bbc803d4abc24925e336462168384f285b5855187
  • SHA512: 5b4bf75691fb5022b14683343d33f923d18ec5d546d3743df526c18189c76fcd5195dc8010d5aa7d14affbdb22ee11a41387bb50b41b369b220b24a0e92fe6c2
  • SSDEEP: 3072:k+0Te+E9seHB6yWm0XOW+l1gLkFqQnKTi9yrAG+3k00xyVf:UelHB69rGSJwAigWhpV

Malware Config

Extracted

  • Family: sodinokibi
  • Botnet: $2a$10$QgeMRYnA0vYY4iIP7dvCVeoO8XNiMVn5P6JF9FCirGcxXz4UfY2wi
  • Campaign: 3908

Decoy

Attributes

  • net: true
  • pid: $2a$10$QgeMRYnA0vYY4iIP7dvCVeoO8XNiMVn5P6JF9FCirGcxXz4UfY2wi
  • prc: onenote, dbsnmp, sqbcoreservice, oracle, excel, msaccess, dbeng50, infopath, winword, wordpad, sql, mydesktopservice, thunderbird, mspub, xfssvccon, outlook, visio, isqlplussvc, firefox, ocomm, agntsvc, steam, ocautoupds, powerpnt, synctime, tbirdconfig, encsvc, mydesktopqos, ocssd, thebat
  • ransom_oneliner: All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
  • ransom_template:

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub: 3908
  • svc: veeam, sql, svc$, mepocs, memtas, vss, backup, sophos

Extracted

Path: C:\Users\459cz5g750-readme.txt

Family: sodinokibi

Ransom Note:

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 459cz5g750.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FC4123773DEB86BF

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/FC4123773DEB86BF

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
Extension name: 459cz5g750

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs:

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FC4123773DEB86BF

http://decryptor.cc/FC4123773DEB86BF

Extracted

Path: C:\Recovery\68yy5-readme.txt

Family: sodinokibi

Ransom Note:

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 68yy5.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/934C656C3C09B918

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/934C656C3C09B918

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
Extension name: 68yy5

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs:

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/934C656C3C09B918

http://decryptor.cc/934C656C3C09B918

Targets

    • Target: svchost.bin
    • Size: 166KB
    • MD5: 5bab7e6528a56bd5d3a76d01ec3ab45f
    • SHA1: 4b9495fc06c67e4419a0cf3d70b6285e9808afc4
    • SHA256: 1dc818f51827d89a545493921f8648299f3eb367c1e0354969ccaa9df7ce77b5
    • SHA512: 7c59fca6ffa7d1fd55f7c2268c22193d48c4082277f95c882b1e7df93f011a86c036f569c5bb8dc0a83aebe9bf44df9e7f11aac99ea0c33f917e63e80c2b07c4
    • SSDEEP: 3072:EJMawtnGqtWoKeZC62aoNUSncs0whq2aWc54aF:+w9vteQJYUocfWLK

    • Sodin,Sodinokibi,REvil: Ransomware with advanced anti-analysis and privilege escalation functionality.
    • Adds Run key to start application
    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
