General

  • Target

    69de11ed75d212a04e1f03206929f339d8a3f20dec5b8047adf5bb4d9e1b27c3

  • Size

    123KB

  • Sample

    240417-p6e8qsgb47

  • MD5

    8474c41d0f20477974c9bcec65b0727c

  • SHA1

    9ce171a6680d7abc07f87397a41de2091f2e0d4a

  • SHA256

    69de11ed75d212a04e1f03206929f339d8a3f20dec5b8047adf5bb4d9e1b27c3

  • SHA512

    0a467e191f083bcb9c93df5cfae0d7f652983a534244e2fa38391eb0abfee5da97effc8b6184757ecc19d6431b2ca772d764c7071bbf804d63157e1ba9e1a82b

  • SSDEEP

    3072:kWnBhS4cV2HZGyJ2IzkHULlZxRTlUIXBO48L:9IfIzkHIZxRTlUIxOjL

Malware Config

Extracted

Family: sodinokibi

Botnet: 19

Campaign: 3134

Decoy

[list of 20 decoy domains omitted]

Attributes
  • net

    true

  • pid

    19

  • prc

    visio, ocautoupds, synctime, dbeng50, infopath, tbirdconfig, oracle, winword, firefox, dbsnmp, mydesktopservice, msaccess, xfssvccon, sqbcoreservice, mydesktopqos, sql, onenote, outlook, ocomm, steam, excel, ocssd, thebat, agntsvc, powerpnt, thunderbird, mspub, isqlplussvc, encsvc, wordpad

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}

    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    3134

  • svc

    vss, sophos, mepocs, veeam, sql, backup, svc$, memtas

Extracted

Path: C:\Users\r4q0uh0xs-readme.txt

Family: sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension r4q0uh0xs.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF30FD8927E801DA

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/DF30FD8927E801DA

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: [base64 key blob omitted]

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF30FD8927E801DA

http://decryptor.cc/DF30FD8927E801DA

Extracted

Path: C:\Users\bm02qgl-readme.txt

Family: sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension bm02qgl.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0422D02648DD265F

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/0422D02648DD265F

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: [base64 key blob omitted]

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0422D02648DD265F

http://decryptor.cc/0422D02648DD265F

Targets

    • Target

      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe

    • Size

      166KB

    • MD5

      43e9093ffc8dd69985a9ae65b26f5551

    • SHA1

      7b268ff84e824ddcd8b7df3cf9993be012489d01

    • SHA256

      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d

    • SHA512

      118d879750d0456f5b2e31818815ef9465fb40eac24f4784236c626d2a2e753b5a85ec5b2c66a755b10855c9caaf77bd85b6b3d1fc7003fb029cb703ead9037c

    • SSDEEP

      3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QG9BEJfMt0H:ZJ0BXScFy2RsQJ8zgG9jt0

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  Modify Registry (T1112): 3
  Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1

Discovery
  Query Registry (T1012): 1
  Peripheral Device Discovery (T1120): 1
  System Information Discovery (T1082): 1

Impact
  Defacement (T1491): 1
