General

  • Target

    5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe

  • Size

    164KB

  • Sample

    231116-3nvglabg25

  • MD5

    17d54fde8f0dca439f4c32a02598e382

  • SHA1

    5eb54861db41b62e9fa296f703f06b8e52d1941d

  • SHA256

    5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c

  • SHA512

    09473f8ad9cd0d614d4a6fed4f7c34bba89f4a3e8cd0a350870e716b1f499d0d99f25ea436b13512094bf2f56178d5f9ffa8c74ad125c4c61e6aaba7b2a814b5

  • SSDEEP

    3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOVFI0kmit3:ffYWAw9fcUdmwIXo+M9VQHDlZmit

Malware Config

Extracted

Family

sodinokibi

Botnet

38

Campaign

379

Decoy


Attributes
  • net

    false

  • pid

    38

  • prc

    winword

    ocssd

    mydesktopservice

    sqlagent

    sqlwriter

    ocomm

    thebat64

    dbsnmp

    msftesql

    mysqld_nt

    sqbcoreservice

    visio

    encsvc

    steam

    sqlbrowser

    tbirdconfig

    mysqld_opt

    mspub

    sqlservr

    ocautoupds

    synctime

    outlook

    agntsvc

    mydesktopqos

    xfssvccon

    onenote

    thunderbird

    powerpnt

    mysqld

    isqlplussvc

    firefoxconfig

    infopath

    wordpad

    excel

    msaccess

    thebat

    dbeng50

    oracle

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    379

  • svc

    svc$

    veeam

    memtas

    mepocs

    backup

    sophos

    sql

    vss

Extracted

Path

C:\Users\491t4m39-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 491t4m39. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/325EDC4FB02950E1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/325EDC4FB02950E1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Ffolu1/q89t99PEqIu7YMG9JmvPDuYzuGjKDuIYxV0i89YBD5mMymZFxUjGCABYs WfLEpPUUyaX2oEstkxTG1e+Y+6poYNhAMey1s4kgdRojwk7vQy0kLcLKUlo47C0F 0b2wT7kLAb6XRBVrpt+OLOipW3Vf78r6zeM0jpGROHHBSFGO1rm0lnkpKl3q6KsM N90JTOruT1ieBF+T2fTOfJPKgRowqk67ZHu0buOWIoJj0AyzdJjxYQ/ynIij8zhQ gDsuZB7JvNI+dhaDmyNom49pA5fr5FtxuAo836glee+c+ct28RCvl8b320tPdmCD 6d9H0Z0ADig2gJexY1AbDldxZ//zH2T26OW4/STWCSw3oiAwW6QR5FflYQFSne6K 9aJYcBDIwRg84iRMolNRdaDaAJTC/CEMEKDuUeIhEmWhQ2/JOC+uRvLwQZJ8+PIE 6PL/59QkbBOh/0MBISX2WV++DyTmBcdw80p4vTRu+DskHWtrGMk7mvWDGFq0kmT5 v93v7ZlwNLXh3gTwGjdrqQWp5apaIhHYsJlAKjU0Izcv1SeHXnI5nV8bpZD7+ETf KAWqlJKAVWxW0OPhq2muNzYK4ojNu0WRrlrBxjMaUxsNGOWxbg0KIAyGyFyvnZWq gggwIjSNmpqJOMgUuY1VUqTBjNrnv78U5JuPHsB3O3H41yMls+JW3EWTRaNZyg4F MWxXasDAL96kgMOdupbN+bhYgX7ojO34iYuSFxZmZzKI0G/QI/trXnUpp6Tomvu+ Q7eKKpewaaDO4pbliOlm4KTeb1gpEuybx//tFF88YXE4M6xYbGRXTmFgtBmEqYgL ZFz5wWmBaS+a4qXKP265ODY8fPScmMT02zLsfpj809Zq2H/F1gAU8jM2J+acnEfO 27rQhCZRAbnf7JC21fOXxn5cOMoFdoUNcrVzrkYpazwpxrChrsLctxKKm7JtzNwE E6IXpMODFV56Ql5GurBN0bapkJFrMCFQQRWn16eIMCZje2vbEljt/Xrh3VLOvcOs 8StHRAPhwJw7YmBgWhaS54hQVWakRiyeWDIsB/5VsZaiJzhyhpPIkSxoqhC2ALiw ZpnnLaM2bqVGmvTeEUOGVV9de3dftq305VvIrwEJkrgPS8WHYV6oR+YFs1n3hliq CAWW9vePEgG9LZHNIQbATZ7Dhoq2TNyyQ/DoKYeF1AjHAxl7Ei1bqZo+s8veNQoz ZKNHoNcSk+5gbDbwB9A= Extension name: 491t4m39 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/325EDC4FB02950E1

http://decryptor.top/325EDC4FB02950E1

Extracted

Path

C:\Recovery\j7npc-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion j7npc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/53DCF9ED77C4CB4D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/53DCF9ED77C4CB4D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: iLg3vqs4QuNnaUOc2r5t7qf5GWaIO0rBYWsINBTnnknubOV3WlToC3lJ6ww7s+yb pvVtSH7i6d1kOciHiPkZNajsQWrPLdXQp/u8XppNBiiSz+FquP9J9v28o4qRZTzU 7w0HM/yePH7CO3pwIj9OasWGjxkfp+eNcjMP+GWIW8k0sNy66NLbUagGl5IkhHcc JE6r1I7o9a5ZnskdOM96V0OvyarKog6y8QJg1qPhWiEJEolS5XM0d19xHMIhgcFa kjd4dnIS+AXSglYtO0E4W0cr93f9tKGYvk6uiOr8WtTUkp5rZM2kK+H/BWPyuu3h lVMMGOvlJWPwLY6KjvH0WJ8mpC07rqMNfnpSctFGk+UuGer9XXLCLAw1fmlm7elj e3Dl5ybgc+vj784do7jquEmMeXjuqjFCKs7ET93i3MeJjfVomIN1vLL4zOzdOBpQ dux/z3KdOlQIWQJlGnsFZRTRF9Fcc+lZiP/RJhdxpsAxhMhaFSfXGCQXc2ZiNFsS A1ZdLDzB3EZYMkOa2/bE3NdRnACn+7gm3nVOCsPSwGnXHvk8HIB71lL55SDSfucT MUL52IV/seUibhYBp9imR3jc1+Q9smZI/7/RfkVPpKjYFx53IsR/dlSPCY8QZZFI yLy1nGfSiBMmSjn+3x+gMvoiD5RazshIhx95YqGufW5g9hc8zGu/tiyV+0JqnRJ0 V5MzYaoAjAM0KT0j2EmimifLBz/2GtBHPd/5YuCJrV6upiBqHCw5iO7vPALDZZuM /3oCNiLEL82McEuFEiDOc9HgjA65oWMhxCWWbjYjw8kO9MncnXZm9UvJCthZV7cF yho7rGR8RwBj5XidGe7GxS5vhJrgt42yVdoo1gWE0qQk79fG4XudnhqqsOHBeYeX 9Beo9Jz/lR0pINtk8z6fKjei16yJD4Au0cbvp/icit0cqHIyklqCus1RwMPf7+Pn dDgLtlqjQYxNOtmqR0v8mf0Ex1nmBOh9iLcMQGuhHlwCqp5h3jtXUImATgWzqSnN zcGa5p62nnTh2yBFvNDOAw/88bUkgAMVd33ufTGvZPb0IuVlg5jRc15ISjUuPYdD S7FFn6/JhHqJwiUs2+qoQ8mprrg0b0fbIlHhoRYMaimpsYEyKqlt2QP9jOLxqiFO IBIEbmr5b1tzeiGZxbK60V2TKFFMbtDdatUVZRgK8ogP3wZ+ItgjyOZ1Fv7Vd8q6 lYotYsFT1qzCBCC5CwA= Extension name: j7npc ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/53DCF9ED77C4CB4D

http://decryptor.top/53DCF9ED77C4CB4D

Targets

    • Target

      5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion: Modify Registry (T1112), 1 detection
  • Discovery: Query Registry (T1012), 1 detection; Peripheral Device Discovery (T1120), 1 detection; System Information Discovery (T1082), 1 detection
  • Impact: Defacement (T1491), 1 detection

Tasks