General

  • Target

    6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.zip

  • Size

    123KB

  • Sample

    240402-q7g96acd83

  • MD5

    f98f88105972ce58c3a37f0893e5504d

  • SHA1

    11d064fe11bf4de9ae6ef58ad2d54bf5ebb6f212

  • SHA256

    1940a078ab222070848746aca53e44ed65d453551831fa1243912f6d9098c72a

  • SHA512

    348d10a4c7b7ea11560423cb8075e95b8a22262862f7c39a2db6e329fb981dd74d76263b82c849c58631b6e4454ac27d97a4af11f8405edef1967b4e62f66b7f

  • SSDEEP

    3072:z+8c2fF12nl7y+yz7SGBe0uIiC5DzVMPHPJEbkZB+GEy2w:Hdclu+gn7iMDzC/xEbMxP

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$fva76xkUX4MoDJONImPZ/OtsZkdWOv42SsOrVCPbhHubkM1Qg6S0i

Campaign

467

Decoy


Attributes
  • net

    false

  • pid

    $2a$10$fva76xkUX4MoDJONImPZ/OtsZkdWOv42SsOrVCPbhHubkM1Qg6S0i

  • prc

    isqlplussvc

    msftesql

    firefoxconfig

    mysqld

    sqlbrowser

    ocomm

    thunderbird

    infopath

    mspub

    outlook

    sqbcoreservice

    encsvc

    tbirdconfig

    onenote

    mydesktopservice

    oracle

    xfssvccon

    ocautoupds

    sqlservr

    powerpnt

    wordpad

    agntsvc

    steam

    thebat

    dbeng50

    mydesktopqos

    synctime

    mysqld_opt

    thebat64

    sqlwriter

    mysqld_nt

    dbsnmp

    winword

    excel

    msaccess

    ocssd

    visio

    sqlagent

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
       a) Download and install TOR browser from this site: https://torproject.org/
       b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
       a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
       b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    467

  • svc

    backup

    sql

    mepocs

    veeam

    memtas

    sophos

    svc$

    vss

Extracted

Path

C:\Users\t54je3m-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion t54je3m. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FF33C9C38B668BDC

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.cc/FF33C9C38B668BDC

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: usfaHcTTWdT+/AfXPHfTEi78/ojTYD0peq43LZO6pgyO+fjvfpXmhZlhhg1mayO1 kf3o67fV7KjGqaLb8weYY9lVMvkzUU32vcgxuVuAy50Jt+2QKvSTdNR4EiLVHpw3 coOcgdOtMEyaNiifQJRTPi+jVANIRSEr1ag/RXfFd8AyzsudioXqpeIeDCVa56dN 4feBAs2KjR7a7Z0UvOVM/oIYJKxarNcxuKlDcINCFmrJA7WEaOcxXTfEKgMj+xQI VLQltSiQd2ZEBq815nSDLJ2OKhBJLcLl/JH3QLKSVTCqkk2IgdMBMh3IAFirOb/M rAnVTnoQ1gMNgFzYwqA204S1HtDLj9EQVeyaTEAcCFlyju74UDS4qp7VPtTtEw8B GqlJsrW4aYer4o3ja+4UTYzJ13BAwKdW6UrpoPwsPpirBN4vSW4s/fDyKuWPFv3o MHndZLiuT/80t8x2+kvX29y/Qc32sOHY1GXNikxj54NQxQ8CkS5gj2r1Hc3T7Bgl 1vKkzUTMJK8sxakzxg6M67hjJWubE46B9xZJRnCBZedlCgTDXx71UqqI+Uk30md1 VkUxzrV8GbJiqK62fmoUrwhva5DlKNIBNDRlWQKHpfOdbBCENY+b3Pdtdfm3R5Oo SRlWcyEMCxfyKSaObhLm1iqqXkVtmHLm1Sg02dujqJjayQ4eWG3AeqpfHpHRmynW j6bKtBuBAG8XtIaoHt60XwAmsYVN8uOVG/PLGX0oGbWRcZiwtbyBvrTZRVqu64Sr TTlKbwMfkll5N1dw3tQQ5jRaqmD+reDKWbRwYwstphvXh6mxbdjt9Ra8X8cRVDBo ZaEKG6eflYqVAL2y2UHf35QJJ7bBQ0e1tK1PN8IMK8N1cMqoOCTsAL1g/bsjUDEA 1AVNEtu7+0Thwi9ZHxElZadRkFyF9RVek/1bxj3apuVbLy8zWpEXBZ/rZFU9PAH/ 3oi/98r9QIBnAKy7ljQUraF4DY+IXMCPdRSL4GGUmkuJwX6SE3JCV1OurmPCTv6Z EnYZveFml4UsXABcv5S2Dy/c2X2NzTSq7uMvXhKRk0CN22YSHLOYvYKhtxorgF1K XF6V7ZlBemjqOhklUFmbUvvowyqAemtQPB7okj4AvadHeha0d8a/KI2KNeUGmXaf fQdc0jgfTCYo4xqrUYbc5GxvGlAwBl+21x6aozInhOBGyo5EuhsXv5mjD3a8YdEr GtSvaWGDbLtysGKcNaMP3qEKsQ56Mrw1Y0PSm0rbBvuXGSZ9J2CUUUckv4W07pWk uyCe1DSfT576y5rprbtw28c8zLMo0/GQacTIhAe3pwX3H+xTFhI7MNuQUVwGI/cq YmKbScSjMrY6+sYUM04HPQFwP9h9Yp81xoSC4WbuTW0=
Extension name: t54je3m

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FF33C9C38B668BDC

http://decryptor.cc/FF33C9C38B668BDC

Extracted

Path

C:\Recovery\8uw4u5-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8uw4u5. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C8FC38AE12BE9790

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.cc/C8FC38AE12BE9790

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: RPR/7SX0x9kJOAW8sbZ0sqeWKep67sQ20xaaXfkcDpZNEE/oerABZIDTqYGZZxMy pmnvlc0y4EZJQyibD8mf2FxfJV9odKnV+HDdmF03KC+OjdQ3dGqj8F8QZ4sm1UJ+ WXKGOT57MUoF5++eblCdNCV+DXXQilqGX5y9484YEi2MsZ6dIuAVsjo8p3Uuna/8 uKTMwXmqUTssOjlXkYMpYfD7BpJgFPOaYjAUwscy7V9/1h29Rbo8ioqVgLjRa3Re HLmzOPSN4ykzSUq0muCALgudiC6FhvzGm/XsJabwkZZ9cNyH/IZo2Y+JA3lAlwAF ZzFEK+MP//uPJyHJeFTzw8pIEw98W9dPWRs+NvThS3pQHfx5mhNphjFaaIqD3DJB 31scBkHnYNixRQbnUg4F0vgu9sMVHY9LJcaUhZGipieptgptIOjzUfmf7CzeSwUo DHE5GFlWTXDEz1cTrrGHdVKhFRQ4LAd8xEFLShqp8KMc/PWagMKPg2Ag4eipcImP Q6VMQWPTCE02xkg55321GRSJ+bb57/xaUj+U04RlMPTc4/lNAGJn8oaoqsXc63Ax uFlw6ROp1q8S6R/hpBV6btVfH5iTrh0K9xy+Hg/fV7lpZWQ3t42aRCH82t34SdZb All1MjcRcty4uPPJUDlVBnxUS8Ga92s73hdxxEdPNqzPjyH7eMevXMMXHd1rut9+ rCIG3TQ+X1fya8GkIW6E/Cqs1pn/m7Eg5hX9qK7R1dTCWD+UiAJHydqcLtE92J+s R+qcyPH3qFLcqFQIvgiCWpV+3dorsf9/RIH4f3nc7g8uZfAlPigJeQK+sD7AMPER 3U/zLJ+IELgF/tal7JEQYG9GbOHcuKhhV3iAs7h9vnOdJxG7xNdiqCv8d/s6aeEq sFmBSsq/Fgy2XuwXg0R/epzX73ExHVKiRXOHkJ9lBMu2YP89yBb8eB7Bew/UacOj 1udL5sJVkdvWJVI87AEqg7LErg8y1uQnKXlGmnwgzXPXDSyiFLJeM0GU5uHc3GFS nmwgyYk7Yn2tq1QpKDGxSPTKfbjOMhBmt2sWDbR0JNUATCzIu/IocqCBFIIvBpLK zdzv38hdnkgjmhOKbU6amYXim9zG/x/g3eviKjYQ7EHdr9gj0ELqTsVwcaeWaH1+ XGCOj3kM5+5enRrpWL3AOlI0zsWhGEzFhlDbpUL25SmpuD3OFQUW1oW7JGtPgAC7 0Vd3H3J/MnW4nwmPyZJEWJnyyISUBaY0rQcoVvo5o27+Hk00rODphhKv5veIu33A aZ0AI6StM0J5VyH/bS9Xzo3bll3FYzeEyvD+AK2agw541KAWB0aysxh3h6yLOMRa ObgrgG647pxUWX8ApjMqfGT3g3L86e9RPblp++8ebq79sMTv
Extension name: 8uw4u5

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C8FC38AE12BE9790

http://decryptor.cc/C8FC38AE12BE9790

Targets

    • Target

      6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe

    • Size

      166KB

    • MD5

      44c753ed1faec948b0d98bc9ba047469

    • SHA1

      1aa2d575752dcfa73ea8bd2fa666e18588be353c

    • SHA256

      6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01

    • SHA512

      f7d4c3988f82839264e83c1a17024c695bd8ff31a224eba3cfc9e3712758be5450521c1e52c246b02dad0849bdf381ad40d77e9b5bab6f8135f07219c13047e0

    • SSDEEP

      3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QoIeXt5KCn16:ZJ0BXScFy2RsQJ8zg9edTn1

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

    Tactic           | Technique                     | ID     | Count
    -----------------|-------------------------------|--------|------
    Defense Evasion  | Modify Registry               | T1112  | 1
    Discovery        | Query Registry                | T1012  | 1
    Discovery        | Peripheral Device Discovery   | T1120  | 1
    Discovery        | System Information Discovery  | T1082  | 1
    Impact           | Defacement                    | T1491  | 1

Tasks