General

  • Target

    2024-03-08_8be4b3f41ef22c97f04eeb68d490dd5b_revil

  • Size

    123KB

  • Sample

    240308-qv6rzsgc29

  • MD5

    8be4b3f41ef22c97f04eeb68d490dd5b

  • SHA1

    e94debf303e6b83194e45659a7cb8f26b7ad8519

  • SHA256

    3a592e04fc7c4991dbc972a6e742814156d1a9505b7bc83fcef8c99f96c8b22c

  • SHA512

    926102a46daf75c877f07870f0e0d298518f5699f453d525f946b8eaa9fed3934603cdd6e6f5e6e7c3be8825ebd3cf1a055f119bb7d862a3cfa7ff48cd436617

  • SSDEEP

    1536:7DvcP30ThpshwVs5OE8yNcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxN:yrSVhaNcYM8gnBR5uiV1UvQFOxN

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy


Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice, dbsnmp, mydesktopservice, outlook, ocomm, excel, mydesktopqos, isqlplussvc, onenote, tbirdconfig, msaccess, encsvc, infopath, steam, thebat, agntsvc, sql, visio, wordpad, winword, dbeng50, powerpnt, firefox, xfssvccon, mspub, oracle, thunderbird, ocssd, synctime, ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas, mepocs, backup, sophos, sql, svc$, veeam, vss

Extracted

Path

C:\Users\8l8n326464-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8l8n326464. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ED36E0599C455637 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/ED36E0599C455637 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: S/n4SXWLFmqXfiUwz5n48En64dqFNgLxcA0H1PIbkNf8AUbrUCgTyjqpg9TcqQVA E/OkZgyUnj9HzCB96dyZosuEtRyafLBBgU/6jRRWufJGejo+HpE8oPabIFsiArHo vg14pqqnDSfY/d1GELwcYVzvOol+ovypd1hrRPEwMIY++WL5oI/3rSn+neY0kH7B rJqkV6AU/R40ozENGd52sKiI3mYWvl71oGCTjCnMUL09X21EQEiZBbrbTNeztMM7 ctEfDecFbLytJylS/mGXO4kjUdQ15Ob789bV+hQIqmX1wZpyfvd/4laP2NQOAlzF 6skqivwGgMeGS2byBfTbgiXOfwHVMpQ7dF4sWqLkjtw39pnbqZfmnaRws+aaCd/v 2NfMSjqTF9hKBxNYNqMmiZd0YaqB+Qvk49v5qAWWG4+cBn0vY1D95YPrmGMvpdgS Pyr+/nwD10TbDzVR9hh23pADU4wEecOSGhtAOK2Ix7FVuTOzmdefYrVxIYEn1v/Z u0vY5QwZR9ZeM/li8wTxp7dvc12tR4874MjnxwZE5FB777NJJ9mC6c/cHC6A1I8B bzyvXbIxuAzFBKEqthIhmQ6+4b6ScCVEHWO/C6o8Su8f3jPm6FQuUtlQ9HM9No/x oufxSTkKNQuhTtxuBk9H7cVw1NyK0IXP15g3SXY6Cmp2x/WJfK/PIvoHR1biW+pm GGWsDyv5ttpmpweXttfeF9+t/LJR8QVBjIVtuP+VVJieq5Jhy/hMbHn38564x8PQ rmpyflWwM7ubcv8Hk9FrRf5l17QkHbk/SfNM3x/0Nm+7E/GxMwHuuUIz6pe2sIY7 Uk3bnZ57yxv0jiydzrF2asfAjH5D0XuhvVQilaCqNyRPPB2xyoQaa0JTTdljBYon kSs0fvBVuYi1K0wh5950/yZduPp6tPlHZgfnx0mmw8LYnHCxuBbilwVZoP1CghUJ LcUmU5cfFERgcRm3bPz1UGfx1A16yv+wASGsI9aUohwspNmz6USgp+Xj5WSKUlqI dDvcjPTNoBilQufz/tYfMBWSjZ4ct6sfayA05/P9W9jg2+yJkqN+rWtW3d9zypkp 90ftYai183h9qCCN9V0W4yehanY+6MvFKcSAkHrsP6vSkiYR0LC9BZqJzFdHusAA QF1A5jGGNlDEvrf98gE/fIAyZyFF/WPWgYG2Xlg5pACyg7SQLSiL5t6m1PCBPWDL wQn6hTP/mWp+luF1h8f55C7ED7eIelAVPdkQQeVxU/BPdyHhLmZ5lqveJ64eVCAQ P/HuPlqQA8V4zqIDraHsedTREyK/shriTA/VZ/PQgVQj29lGeTMs7UPIJcw2Fque xeQ0SYf2AsQUYIlomKPlt+E+1RjJXkiJRnB7/fziOw7m8+Fharj5Eg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ED36E0599C455637

http://decryptor.cc/ED36E0599C455637

Extracted

Path

C:\Recovery\b0xt169071-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension b0xt169071. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0ED6789EC4EB1F5 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D0ED6789EC4EB1F5 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: t7wO5RB8D69S5gsbnjyucNfZXZE1XC9UHDmIetSMvZm/xkm33D8uC4iMglM+pCPX CIxKmxBmms0dRPSXKjDuznOa8hBewuYxHUU/OKmR47pRVdphjWL0ENEqWYfLAqFi cGFeTX12/JZtWJWGvBCKoQu1mamOCvD675FmiX6Pqq77oVivwfElGVIxGsSFekBo dEmf8eTjGedT/cz2U09aSTOOJRRTwbLS7aBUaPp4Dmfvk285987iDT21y42s62Us tw2VvP/xM2DjKP+SG1FZNY6Afv7JBAdscq8GhKiSkU4JNrugScJCkAXSM+n7OcGN zNAlyfbvrEk3sR7ZJ3LbiV3X5cTPt1YxCjsrzA6J1wiDoJX3c7p0z0zFbf5uN5Gh E1PSzTE6sPvGfMfTsppgAR0gyYwoH6VphMUnQgBmUDGnUPMzXoZ2tHsFtD3n+tcE r5ygnHgcZyJQl1AUB33Vjhy2Trg3u1xJg31iRazhyDlsvJY3GkgSpO3Vb6U9DJYs sDSi/TQJqRe69foltrKNb9keFG0/olMIfEZ9U5njqlmLFwvy7g5ZdcV1+DuSSJ79 jk16PcMo3vxvi7UF/iXC16hnGW5wm6PFsuspv6uvXztnTmWPMdQNdTkPzu65NnWk CYN1wCZtFsgcllJNY4oXkKvadzpS+EhwUxC3UWAeZ6fdTMvuejU4/WDUqIiiAz1O WnC2saK56w59PA2mJWmuQO76NFAmt7PLWbOY1UTElhyPNavpu1OFc1b+sr3Lft2t jiMy/gzEgrZ3aUMAAsCtwWcLDAuNmj9F5+Ky+F2kYiuoA6nxMxSLX7PBrSGzqNZ0 Unr/dFVwdzFSQkpTXiLJx1IBE1DfllKCC1teHgeFeLsrTZLHY5mmtpYbFwMxB3ov Bu43IvzaE2ifXCXVJ2rhY6NY/k9tDd63t/8HHJeF6d3hMwhb02RXoXYrVwM4LlZB wnaQhd4LKpp16DuklG+I2+0PmEz1RVoMWrF19f0fFfxJzZvO87MNKqNEhd0U8qAE rX/ZtisBipzYN0n7/Jrw5KdAJreCt73XTwAn6nThwK4h3EI5hKiSr/I8/+e4e5Fq ZEknOzzF4FbOSLI+Oxvr770m3w/lrrS/Z4EJ7W9c2N8e+iGX46EXkgI7xy24u0wY aLRxt7M6PNwsS1xGhnXBJ+MSaDFvPEfqkxFQYe5xV6qJ1RUzYOnC1hVyZDMm2uU5 m1E6HFvg/f5ecZyhIjnDl0xoe5aHMkiuVGXgZzT/rs3CexydDxRxw/7/gRbjbp6M nz+YgCw7lqIS86PzdiG2wr2gDObxWDe8ofhSa/PFCFfI9L9GCuU+XqedZrXpXyxC 3aOTl9QUQLGa7lTzoSOU5cnI32nk72YgWRZhycqo5HIMVmRndqSARqnu9edRgA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0ED6789EC4EB1F5

http://decryptor.cc/D0ED6789EC4EB1F5

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

  Tactic                Technique                            ID         Count
  Persistence           Boot or Logon Autostart Execution    T1547      1
  Persistence           Registry Run Keys / Startup Folder   T1547.001  1
  Privilege Escalation  Boot or Logon Autostart Execution    T1547      1
  Privilege Escalation  Registry Run Keys / Startup Folder   T1547.001  1
  Defense Evasion       Modify Registry                      T1112      3
  Defense Evasion       Subvert Trust Controls               T1553      1
  Defense Evasion       Install Root Certificate             T1553.004  1
  Discovery             Query Registry                       T1012      1
  Discovery             Peripheral Device Discovery          T1120      1
  Discovery             System Information Discovery         T1082      1
  Impact                Defacement                           T1491      1

Tasks