General

  • Target

    133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

  • Size

    114KB

  • Sample

    231116-3vkkzabh58

  • MD5

    77be32b91561d1ac5e36464766b7b0a7

  • SHA1

    9c72fe9c8e24b5c0bde50c71d74fb2586c4201ce

  • SHA256

    133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de

  • SHA512

    c8d0d6d15322172631b184acf5df86851dff7d8f15fde9cee7d0b7e4919433ec5b096f4079b5acba78d27dcfc42bfc2bcd3f184cb0a54c13b71aeb40f8ea4152

  • SSDEEP

    1536:FApx/1k2jbVnO3c+FpR5Q9JzY02pTmZ0ICS4AtebOMZzqFTj5vel1KkK3I:ck2X8M+Fp4vY06A2roFTj5vYc

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$xdRGohAYigx9tD2UUlFVu./KzqHpE6XtxVJxJi5bkv/BRYCNLN7i6

Campaign

3472

Decoy

simpliza.com

quickyfunds.com

gasbarre.com

fiscalsort.com

analiticapublica.es

global-kids.info

irinaverwer.com

dw-css.de

pier40forall.org

crowd-patch.co.uk

psnacademy.in

triggi.de

narcert.com

hkr-reise.de

gastsicht.de

xn--fnsterputssollentuna-39b.se

mardenherefordshire-pc.gov.uk

bauertree.com

selfoutlet.com

antiaginghealthbenefits.com

Attributes

  • net

    true

  • pid

    $2a$10$xdRGohAYigx9tD2UUlFVu./KzqHpE6XtxVJxJi5bkv/BRYCNLN7i6

  • prc

    dbeng50

    onenote

    firefox

    tbirdconfig

    synctime

    infopath

    thebat

    sqbcoreservice

    outlook

    powerpnt

    isqlplussvc

    mydesktopservice

    msaccess

    oracle

    steam

    mspub

    winword

    ocautoupds

    ocomm

    agntsvc

    thunderbird

    excel

    dbsnmp

    ocssd

    visio

    wordpad

    mydesktopqos

    encsvc

    xfssvccon

    sql

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3472

  • svc

    backup

    sophos

    memtas

    svc$

    mepocs

    vss

    sql

    veeam
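The prc and svc lists above are the process names the sample terminates and the service names it stops before it starts encrypting, so that open database, mail and Office files do not block encryption and backup and shadow-copy agents (vss, veeam, backup) cannot undo it. The entries are fragments rather than full names (sql, svc$, backup), so any matching has to be a case-insensitive substring check. The Python below is an added example, not code from this page or from any analysis tool: it reads a constructed flat log (a simplified rendering of System event 7036, service entered the stopped state, and Security event 4689, process has exited; not real Windows log output), matches names against the two lists, and alerts when several distinct config entries are hit on one host inside a short window. The 120-second window and threshold of three are assumptions to tune, not values from the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Copied from the sample's extracted config: services it stops (svc) and
# processes it kills (prc). Entries are fragments, so matching is substring-based.
SVC = ["backup", "sophos", "memtas", "svc$", "mepocs", "vss", "sql", "veeam"]
PRC = [
    "dbeng50", "onenote", "firefox", "tbirdconfig", "synctime", "infopath",
    "thebat", "sqbcoreservice", "outlook", "powerpnt", "isqlplussvc",
    "mydesktopservice", "msaccess", "oracle", "steam", "mspub", "winword",
    "ocautoupds", "ocomm", "agntsvc", "thunderbird", "excel", "dbsnmp",
    "ocssd", "visio", "wordpad", "mydesktopqos", "encsvc", "xfssvccon", "sql",
]

# Constructed sample events (not real Windows log output): a flat key=value
# rendering of System event 7036 (service entered the stopped state) and
# Security event 4689 (a process has exited). WS01 shows the burst pattern.
SAMPLE_LOG = """\
2023-11-16T03:41:02Z host=WS01 event=7036 name=VSS
2023-11-16T03:41:03Z host=WS01 event=7036 name=VeeamBackupSvc
2023-11-16T03:41:03Z host=WS01 event=7036 name=MSSQLSERVER
2023-11-16T03:41:04Z host=WS01 event=7036 name=SQLAgent$SQLEXPRESS
2023-11-16T03:41:05Z host=WS01 event=4689 name=outlook.exe
2023-11-16T03:41:05Z host=WS01 event=4689 name=winword.exe
2023-11-16T03:55:10Z host=WS02 event=7036 name=Spooler
2023-11-16T04:10:00Z host=WS02 event=7036 name=VSS
"""


def config_match(name, fragments):
    """Return the first config fragment contained in `name` (case-insensitive), else None."""
    lowered = name.lower()
    for frag in fragments:
        if frag in lowered:
            return frag
    return None


def parse_events(log):
    """Parse the flat log into (timestamp, host, event_id, name) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
                       fields["host"], fields["event"], fields["name"]))
    return sorted(events)


def pre_encryption_bursts(events, window=timedelta(seconds=120), threshold=3):
    """Per host, find the first window in which at least `threshold` distinct
    config entries are hit (a service in SVC stopped or a process in PRC exited).
    Window and threshold are assumptions to tune, not values from the sample."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        for i, (start, _, _, _) in enumerate(evs):
            matched = set()
            for stamp, _, event_id, name in evs[i:]:
                if stamp - start > window:
                    break
                if event_id == "7036":
                    frag = config_match(name, SVC)
                    if frag:
                        matched.add("svc:" + frag)
                elif event_id == "4689":
                    frag = config_match(name, PRC)
                    if frag:
                        matched.add("prc:" + frag)
            if len(matched) >= threshold:
                alerts[host] = (start, sorted(matched))
                break
    return alerts


if __name__ == "__main__":
    for host, (start, hits) in pre_encryption_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: {len(hits)} config entries hit from {start.isoformat()}Z: {', '.join(hits)}")
```

On the constructed log only WS01 fires: VSS, VeeamBackupSvc and the two SQL services stop within three seconds and outlook.exe and winword.exe exit in the same window, while WS02 only ever shows one matching entry. Counting distinct config entries rather than raw events keeps a single service restart from tripping the rule.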

Extracted

Path

C:\Users\q430a17337-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension q430a17337. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F237A879899AA854 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F237A879899AA854 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: SyAzL/b291azsu+bGIyRZbl/PJzLqItZWpVlhtq25hFTPRNVkhdDYnwPGnCrNnrg xeow1Q8Xy4CZbezDt2IzPYEg9GJrWRemso4JqOFKqAvxN7Y/ljDKwjPo+gDncj6m Q7VHi0rfJm+pXR7zk/YUiV06SxVaJLXxye16xRpu7z9Ju5NsDTAQAPF7r2lzUrwS 0QLNotvBeyl8fZSYEnxuji2pZVtM4VbtH2e/8gWdkNyS5gk+SKmu5hv7qIQtn2fQ qW3HK5fzb93GkHn08bNQl7MlCPqoKinkCoylTpgSYtaA/i/x8utHhwJ9fFv2TN7T jLcrM51TNajMcXoWyJ1QFTmgqrH8dPfkxQZ24yqAeUeL/O7p4NzRKr6UE5Dvi2vR 4QHj64gE9Fif/5Ua9udi3rU3s7Z5KzrJ8ipg14UYPZ1Rv+pBBkBoe49NpJJzTDdl 9y/mMRgb3u0mIFZS0ADFBmgRwGb/Pg9Vs19dGvwaBIsKS9FKiz2ALZmkmrI0l5Tw TyA+71qm/iSVpEhE+YtDm87nKV5rTKlwqRhKCaMyZWEPoPnQ3rUDEyYG9O59HolS tGr8ucBnxo4qV1XuViV30FV2o2tG0NiZErXUZLU0k8d0kLSeI7WQ7a17rIcdzhby A5QK9Zozlay6qG6PyOQRVDxfddMtqU8h3JjvomBoZrNP7Bok1fSzvQN1RJ7/P+n3 QdqJu40CkOgg6fYzdlqSk/6lWyQ6runLqH50C9RK/IinvxoiXOiiemubqHzNT4zs s2AxD/fTFduvpn4B3/Rv6slzvexN/MTKBIYXozZv1D2D6HjRFAaC3ewSucqgG5W9 WtTqudYN+EJb4HJt5gYDfL4eA2BBMgbLo+J9FbIRMlArvSdymsBjBKlySz5jJKAT jYaEnN4fKsX985GpMU5PxArTqgIrwp3jV1TX7xfLEPFIfotwxMAEzhe5093ugjMw UTAda+ajIm7jBaIfKEo1PqR8qFQPcOERdQtqXDxMwG6Bt1DG0djVc17wXfG6gChg mNWG0Ehs+kRJ5PHK0f8cz2WbttDqdalTumYxAQLZhKs0ENO8FlNw0pviQ/q67reZ VIGBTMXXa+A15Oct9pikFcn8Os7aUwChXCriAit6svPYY2vgXWtgfcVRJX0kVArr U8HJTkIxVNWMNTsoeP4sfNAwXqDWg9lOWfZ6jp2szFBQJIL8rGABPrZQ8aQmztUh fYUr2UGFTox5jEjwahwwmw+n1Pe3NqTgKRI1UNh5VldmSCRzDJmsTXTqUp5sbHVt VmDwSa3rBctbXNHiDDdQNAU6rYdxNhoJc5dHrdpwo+pN2UijphLsE84rIY7EB0bw FgEwztTrnGuzUPEMXjf0QchRjCoOx6g/s1sqURCAtZWzbB1yow8ORw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F237A879899AA854

http://decryptor.cc/F237A879899AA854

Extracted

Path

C:\Recovery\04umsm-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 04umsm. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6EF327E2F29499A3 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/6EF327E2F29499A3 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: kxewLe/4IYKSkBLK/tB3J3ktfNxN/i8tdqS5pEi00dsYTdDoSVOxLAD0UmWDo2vY id0OwKSVunP+GMhHsWfKxyinHhkDkjvnV2Hnfj/5qmg3iRCKY9gBpvkEwvOKamaz yziZB+24nrEBq0FQ8AmCIkZliJEtt7RozRo2G5woF6XEYcSvkeOSBwIdLCnV8LW6 nSso3+hjRRXr7G+okZNqffZmnoxSdqaabZ1/5XqhwCWd/yTPO9eUrCpmDnOVxBBX D48R4mzqd3kgHjSydm06STPvTGDNzNhWIhuXSdZouYXA7oQxUlAYiZM+jQvFA7Yy /zbvJnCvMlJ6XOQF172c1r0YkuKtzNDxkzs8gBeGJKhlCFrQ05cWpE7YlTF1EHnJ NEs1tWH4JJ0URKsl5mq9ANtZ1qxvFocVPQcobVVP5uE9WVtwzlNGF9+GhUBMKqZx asnw2I+hEO+DSYb/cXuxcBXWcQ3QzfuEzRDpib3TglSh6hffc1QbtZZvZufa2Gq6 TUpkhUx4PvfkSEZuIFslvKlq7J5VRJSgptGpHYb9dgfEPUxDr9snXf4BZSbNsSuP qM+PbLHde0DXUQKs+w0oo8Fu0KZg6lXJYV6AaLrHQIn81RzqdXdWCxHWeyyjBh18 wOpL1yhVDiayCViS9KLqHzZP8WVtwsebm93bNBXXiAVfBu4saLzu9DahF1+qW5MW 6s/QCiJ7MCgykAeE3O5jw0RYGsDv925yp389n0qNbzu10EE+u9LfzbcUResSLMQd 6kgH7qwXTV/VsTJR34zJEwqBpK3jus5R7d473BNcCBt4eAJp1BO/qbFa3iVV+FGh 55zXSAvhImFme9/dU/pEcJxzhaGhGl+40THJg1EbZlb6eE6wy2qelonDWD8tOacL nofSr3yWnCXvPJI0cIG57kN64/EjGu1GpHjQzk7eb6v1rvybT7yWhSvM11XAKMTo 6FFU3q4X8UpG9YRpDx6k21jfBoXOctU9xSKO3CJXnMxlS+bHMzJ6+oH4iLf7t7RM W+nzVwYFlmNPb350ZnV4xzejvZ4DbNazfm0RpbioGWPcHWK9sJs+7S3q9eZI4qT9 wJVOVEhXT0LpmNoD/xAwNBcLNqdBOY+VLBPnLRmk+sn0j6yL8Ag0GBe/Atf0G/5q uBymoy3UuTPFOXSaCQB7CQ2iVg7X+jiih14pNNoLE5gLQ8H9ch8mwwqKj3ibLevL u2HyvCknIXI8pKMR+wFI1uhdfRj1TH8omd+MLNTl37CY2es+6UPRsBXvehRnVCfg Z89igzfhicLF5GstA27n5wIDiK6Osgy17YXLyVUuUzNGshANGwZzR6bfeo3ZLXhA EIvoFp3nS7pAGhKO6PsFPGVd75r1Rbfyz35ZFHDnXdzTasI2S9c= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6EF327E2F29499A3

http://decryptor.cc/6EF327E2F29499A3
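The config's ransom_template is rendered into {EXT}-readme.txt with three per-victim values: {EXT}, the extension appended to encrypted files (q430a17337 and 04umsm in the two notes above), {UID}, the victim id appended to both the .onion and the decryptor.cc portal URL, and {KEY}, the base64 blob the victim is told to paste into the portal. The two notes dropped in this run carry different extensions and ids. The Python below is an added example, not code from this page or from any analysis tool: it renders the template the way the sample does and parses a dropped note back into those fields, checking that both portal URLs carry the same id. The template is an abbreviated copy of the page's value, the key used in the demo is a constructed stand-in, and the regular expressions are assumptions fitted to the note text shown above.

```python
import re

# Abbreviated copy of the sample's ransom_template: only the sentences carrying
# placeholders are kept and the filler between them is elided as "...".
TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension {EXT}. ... b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "... b) Open our secondary website: http://decryptor.cc/{UID} ... "
    "When you open our website, put the following data in the input form: "
    "Key: {KEY} ---------------------------------------- !!! DANGER !!! ..."
)
# Note filename pattern, as stated in ransom_oneliner and seen in both dropped paths.
NOTE_NAME = "{EXT}-readme.txt"

# Regexes fitted to the note text above (assumptions, not from the sample).
_EXT = re.compile(r"has extension (\S+?)\.")
_ONION = re.compile(r"\.onion/([0-9A-Fa-f]+)")
_CLEAR = re.compile(r"decryptor\.cc/([0-9A-Fa-f]+)")
_KEY = re.compile(r"Key: (.+?) -{5,}")
_PORTAL = re.compile(r"http://\S*?(?:\.onion|decryptor\.cc)/[0-9A-Fa-f]+")


def render_note(ext, uid, key, template=TEMPLATE):
    """Instantiate the template the way the sample does when it drops its note."""
    return template.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", key)


def note_filename(ext):
    """Name of the note file for a given per-victim extension."""
    return NOTE_NAME.replace("{EXT}", ext)


def parse_note(text):
    """Extract the per-victim IOCs from a dropped note (None where a field is absent)."""
    ext = _EXT.search(text)
    onion = _ONION.search(text)
    clear = _CLEAR.search(text)
    key = _KEY.search(text)
    uid = onion.group(1) if onion else None
    clear_uid = clear.group(1) if clear else None
    return {
        "ext": ext.group(1) if ext else None,
        "note_file": note_filename(ext.group(1)) if ext else None,
        "uid": uid,
        "clearnet_uid": clear_uid,
        # Both portals carry the same victim id; a mismatch means an edited or mis-parsed note.
        "uid_consistent": uid is not None and uid == clear_uid,
        # The key blob is space-wrapped in the note; strip the wrapping to get the raw base64.
        "key": "".join(key.group(1).split()) if key else None,
        "urls": _PORTAL.findall(text),
    }


if __name__ == "__main__":
    # Extension and id from the first dropped note above; the key is a constructed stand-in.
    note = render_note("q430a17337", "F237A879899AA854", "AAAA BBBB CCCC==")
    for field, value in parse_note(note).items():
        print(f"{field}: {value}")
```

The parsed ext, uid and urls are the values worth recording per affected host: the extension identifies the encrypted files, and the id is what ties a note to a specific victim entry on the portal.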

Targets

    • Target

      133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

    • Size

      114KB

    • MD5

      77be32b91561d1ac5e36464766b7b0a7

    • SHA1

      9c72fe9c8e24b5c0bde50c71d74fb2586c4201ce

    • SHA256

      133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de

    • SHA512

      c8d0d6d15322172631b184acf5df86851dff7d8f15fde9cee7d0b7e4919433ec5b096f4079b5acba78d27dcfc42bfc2bcd3f184cb0a54c13b71aeb40f8ea4152

    • SSDEEP

      1536:FApx/1k2jbVnO3c+FpR5Q9JzY02pTmZ0ICS4AtebOMZzqFTj5vel1KkK3I:ck2X8M+Fp4vY06A2roFTj5vYc

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15
