General

  • Target

    2024-03-08_4e1af0891819929521ae3d70afcbddbf_revil

  • Size

    123KB

  • Sample

    240308-qsf4jsgb48

  • MD5

    4e1af0891819929521ae3d70afcbddbf

  • SHA1

    db49af0ef9a6e05c4cbe2c9edfaec3026ab26c8f

  • SHA256

    7c8055ed9d597c2abbfbb17e070e63fa3c8e337e9ea2169d0aaeb91b1fbd3bdc

  • SHA512

    3cb5f1c8923b2895d2df351eb566d778d952871d297e949108bed0aa82960b979093e419b1f0c3818e10c0a3ad57380b662284d85b6d582aab0ca3da3f9dce8a

  • SSDEEP

    1536:7DvcPmLThpshwVs5OE8yNcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxZ:r4SVhaNcYM8gnBR5uiV1UvQFOxZ

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy


Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice

    dbsnmp

    mydesktopservice

    outlook

    ocomm

    excel

    mydesktopqos

    isqlplussvc

    onenote

    tbirdconfig

    msaccess

    encsvc

    infopath

    steam

    thebat

    agntsvc

    sql

    visio

    wordpad

    winword

    dbeng50

    powerpnt

    firefox

    xfssvccon

    mspub

    oracle

    thunderbird

    ocssd

    synctime

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    veeam

    vss

Extracted

Path

C:\Users\t51o6cu44p-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension t51o6cu44p. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30324C849872A42C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/30324C849872A42C Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: [base64 key blob omitted] ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30324C849872A42C

http://decryptor.cc/30324C849872A42C

Extracted

Path

C:\Recovery\0901nzlih-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 0901nzlih. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D7E51D6BE68EFF13 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D7E51D6BE68EFF13 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: [base64 key blob omitted] ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D7E51D6BE68EFF13

http://decryptor.cc/D7E51D6BE68EFF13

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks