General

  • Target

    1940a078ab222070848746aca53e44ed65d453551831fa1243912f6d9098c72a

  • Size

    123KB

  • Sample

    240417-p6g3bshf5s

  • MD5

    f98f88105972ce58c3a37f0893e5504d

  • SHA1

    11d064fe11bf4de9ae6ef58ad2d54bf5ebb6f212

  • SHA256

    1940a078ab222070848746aca53e44ed65d453551831fa1243912f6d9098c72a

  • SHA512

    348d10a4c7b7ea11560423cb8075e95b8a22262862f7c39a2db6e329fb981dd74d76263b82c849c58631b6e4454ac27d97a4af11f8405edef1967b4e62f66b7f

  • SSDEEP

    3072:z+8c2fF12nl7y+yz7SGBe0uIiC5DzVMPHPJEbkZB+GEy2w:Hdclu+gn7iMDzC/xEbMxP

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$fva76xkUX4MoDJONImPZ/OtsZkdWOv42SsOrVCPbhHubkM1Qg6S0i

Campaign

467

Decoy

hoteledenpadova.it

thedad.com

creamery201.com

songunceliptv.com

icpcnj.org

ogdenvision.com

craigvalentineacademy.com

bockamp.com

naswrrg.org

pelorus.group

fotoideaymedia.es

wurmpower.at

gaiam.nl

wasmachtmeinfonds.at

pasvenska.se

jeanlouissibomana.com

kaotikkustomz.com

id-et-d.fr

kevinjodea.com

bestbet.com

Attributes

  • net

    false

  • pid

    $2a$10$fva76xkUX4MoDJONImPZ/OtsZkdWOv42SsOrVCPbhHubkM1Qg6S0i

  • prc

    isqlplussvc

    msftesql

    firefoxconfig

    mysqld

    sqlbrowser

    ocomm

    thunderbird

    infopath

    mspub

    outlook

    sqbcoreservice

    encsvc

    tbirdconfig

    onenote

    mydesktopservice

    oracle

    xfssvccon

    ocautoupds

    sqlservr

    powerpnt

    wordpad

    agntsvc

    steam

    thebat

    dbeng50

    mydesktopqos

    synctime

    mysqld_opt

    thebat64

    sqlwriter

    mysqld_nt

    dbsnmp

    winword

    excel

    msaccess

    ocssd

    visio

    sqlagent

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    467

  • svc

    backup

    sql

    mepocs

    veeam

    memtas

    sophos

    svc$

    vss
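The attributes above are the knobs an affiliate sets in the Sodinokibi/REvil config: `prc` is the list of process names the sample terminates before encrypting (database, mail and Office processes that hold files open), `svc` the services it stops (backup agents, SQL, VSS, AV), `pid` the affiliate identifier and `sub` the campaign number, and `dmn` the domain list shown under "Decoy". Because `net` is false in this build, the sample never contacts those domains, so they are context for analysts rather than C2 indicators to block. The script below is an added example, not code from the sandbox report or the malware author. It embeds the values from this page and runs them against a constructed process and service snapshot; the matching rules (exact image name for `prc`, case-insensitive substring for `svc`) and the extension-length range in the note-name regex are assumptions, since the report does not state them.

```python
"""Added example, not code from the sandbox report or the malware author:
turns the extracted Sodinokibi/REvil attributes into a host exposure check
and an IOC list.

Assumed matching semantics (the report does not state them):
  - `prc` entries are compared to process image names exactly,
    case-insensitively and without the ".exe" suffix;
  - `svc` entries are compared as case-insensitive substrings of service names;
  - `net` = false means the sample never posts to the `dmn` ("Decoy") domains,
    so they are reported as context only, not as blockable C2.
The process and service snapshots at the bottom are constructed sample data.
"""
import re

# Values copied from the Attributes section of this report.
CONFIG = {
    "net": False,
    "sub": "467",
    "prc": [
        "isqlplussvc", "msftesql", "firefoxconfig", "mysqld", "sqlbrowser",
        "ocomm", "thunderbird", "infopath", "mspub", "outlook", "sqbcoreservice",
        "encsvc", "tbirdconfig", "onenote", "mydesktopservice", "oracle",
        "xfssvccon", "ocautoupds", "sqlservr", "powerpnt", "wordpad", "agntsvc",
        "steam", "thebat", "dbeng50", "mydesktopqos", "synctime", "mysqld_opt",
        "thebat64", "sqlwriter", "mysqld_nt", "dbsnmp", "winword", "excel",
        "msaccess", "ocssd", "visio", "sqlagent",
    ],
    "svc": ["backup", "sql", "mepocs", "veeam", "memtas", "sophos", "svc$", "vss"],
    "dmn": [
        "hoteledenpadova.it", "thedad.com", "creamery201.com", "songunceliptv.com",
        "icpcnj.org", "ogdenvision.com", "craigvalentineacademy.com", "bockamp.com",
        "naswrrg.org", "pelorus.group", "fotoideaymedia.es", "wurmpower.at",
        "gaiam.nl", "wasmachtmeinfonds.at", "pasvenska.se", "jeanlouissibomana.com",
        "kaotikkustomz.com", "id-et-d.fr", "kevinjodea.com", "bestbet.com",
    ],
}

# Note file name is "<extension>-readme.txt" (the ransom_oneliner says {EXT}-readme.txt).
# The 4-10 character range is an assumption based on the two notes on this page.
NOTE_NAME_RE = re.compile(r"(?i)(?:^|[\\/])([a-z0-9]{4,10})-readme\.txt$")


def _image_base(name):
    """'C:\\x\\SQLSERVR.EXE' -> 'sqlservr' (the form the prc list is compared against)."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def targeted_processes(config, image_names):
    """Running images the prc list would terminate before encryption starts."""
    kill = set(config["prc"])
    return sorted({n for n in image_names if _image_base(n) in kill})


def targeted_services(config, service_names):
    """Map service name -> svc substrings it matches (services the sample stops)."""
    hits = {}
    for svc in service_names:
        low = svc.lower()
        matched = [s for s in config["svc"] if s in low]
        if matched:
            hits[svc] = matched
    return hits


def network_iocs(config):
    """Domains worth blocking. With net=false the dmn list is never contacted,
    so it is a decoy list (analyst context), not a set of C2 indicators."""
    return list(config["dmn"]) if config["net"] else []


def note_extension(path):
    """Victim-file extension recovered from a ransom-note path, or None."""
    m = NOTE_NAME_RE.search(path)
    return m.group(1).lower() if m else None


# Constructed snapshot, as tasklist / sc query would list it on an infected host.
SAMPLE_PROCESSES = ["SQLSERVR.EXE", "OUTLOOK.EXE", "notepad.exe", "chrome.exe",
                    "C:\\Program Files\\Mozilla\\thunderbird.exe", "explorer.exe"]
SAMPLE_SERVICES = ["MSSQLSERVER", "MSSQL$SQLEXPRESS", "VeeamBackupSvc", "Spooler",
                   "SophosAgent", "VSS", "wuauserv"]

if __name__ == "__main__":
    print("processes that would be killed:", targeted_processes(CONFIG, SAMPLE_PROCESSES))
    print("services that would be stopped:", targeted_services(CONFIG, SAMPLE_SERVICES))
    print("network IOCs:", network_iocs(CONFIG))
    print("extension from note path:", note_extension(r"C:\Users\elkl8r-readme.txt"))
```

Feeding a real `tasklist` or `Get-Service` export into `targeted_processes` / `targeted_services` shows which applications on a host would have had their files force-closed and which backup and shadow-copy services would have been stopped, which is the first question in scoping recovery. `network_iocs` returns an empty list for this build on purpose: blocking the `dmn` domains would only add noise, since they are legitimate sites the sample was configured not to contact.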

Extracted

Path

C:\Users\elkl8r-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion elkl8r. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4502784476E21C0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B4502784476E21C0 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: pjPn/MmzlxCI6TLT5m4Q6GBoI3A98lcrII1VEcAnmj3f185he7t0KHgIlmMK3VpU W87Mr5GWmBH6fGlvf286flCi0Kh7eg586mCza12n1osJh9Qy6yNp3GiHlnai1XkW 3Br14pVVzoJ0a+5u2Mpa+YIqM/+CKiiU/9mo5aFrP5kyOrAdyZLcWx5xfACZhzeN mm4xuMB61SnnP2bKglnCKILO2kz978kL4FJqUmR5GtQa5ehpgkgBKHXTQGt3bUvO DYjX/uzEu4Fm2+aIPyz/xmVGOUZ3hv8U6Ki0yxP6fAW1+xKyvb46ASSCiCLu73i6 LAxrvOb6B5GD6AHIJBL5vl6PsolRHqdDWLi+uBpTfeUhzmXnVJzpfPMLAil/9JKe e3Z2vIzHWyBNXLiz8N3rlERk4GL76yYhQidq59H7J368YV80w0TLyK0JsuFT1g/O lijk4Aw7gBo1Sq2mWZ5y0IB/+nuv5YZc70n5aQgRPKR7kUB+829MO0WA5Bfy1Q5S O+RdSn3GnmwLwg19NaNG4MvZ9WsKglBKz+1NSyKqQpfMx1XQcE0Xzlb1Xwf+r8BA 7OACR/R07r8hCN+StMO6meVeRw9RStnUUGFOpVaxjGxCngXETsQhSkHWxsTLn1Rr 9DlGm7scOwKVZ6z15tVnWe811//XYVdXKcYmYLT6Xa2yHwkHfuW8qpXnxaglLf4z cnBmEZB2VMSl5A8ayi+pDFh8UCNsQc1qvgS8IoeEBwyIjiRA9knRmf4Ql/XHUglD 7s32sETWJNjkV0KFSOw9a01Qk1KWQQjwNEnS9lUKkiV/3RBU3LdZojtkVmYVM75w G0fgKzDE1Ua2nXY0BhuCCGLJ+cC0BKrD0yZc1v9wbzrlRy3wdpku8SdIJsoLQcmE HCOXMOWVMz909v6TG4uVIP8tbHEawmDZcqmS+Rz1Yt42kzkOCQIKhpDjZGqAui0T PaMb+5qQ4Dh3fWRj8SR+szkigMpnU2f7y4wXbBSktaqrr/nUDK+z6KdINQmwMkJJ dfNtghzseVJWvbD98wqiQt6s0HIp6JbhPG5vI6Z/b6tlpVdLSQGD0qiC0Tlwo6+F NRVL05ml06leR4EtvjiV9BWetTlQIkYsKomGn6g9YCJ/CDKmGXQazbuz6MqjOWVx G6deCwHx7s2VbEgEBTfCW71BttTcgqHyDCOiIU5EuGmyVGy1qayFEhWkLk8QZt1h VEeeSIWHXK4e3fPpjb/65HRZl0rdcPCOWdpmX0rwroKTHG4LCh3J35Y5x6Gj7nfe u1ajLC87ySARtT7ptbeCvJb9Ie4SpS0xRp28gwEdYyTjL6J2BR4EptlyFXxW1Vln vOwftW9qzwjpEVpOwzwzeVZO2qVGvYdwOm9fBTOx Extension name: elkl8r ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4502784476E21C0

http://decryptor.cc/B4502784476E21C0

Extracted

Path

C:\Recovery\1uz5e1y6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 1uz5e1y6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CB40CAC4FE8B2D80 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/CB40CAC4FE8B2D80 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: VPH2U0QbA/htCQjYHzm/LK3LbSHO2G0KVR9q4MeDpZd7UH/xlS//po1u7D6M3yF6 xoqntP+Kv9fr11O5r+78T0TjkhrUiFnmuJLZUO5970jpObTClUzHOqjsbOedbQ1S re0si82n61OFRfZYreioamaWpyY10zGxIyTmb0uo8qsUHIbEX6McGhik9h9pRIZU dI/l+fhYUXX/OcstYEhMwtgAkqEaOIEdsNBzIld6McJ1Ut8bpaQsb0KQWUUC48S2 A8iiuRBcfQ51J1GOzPPFTQIVHYY0WZMocRai3Yz7fiCQn0QOEldXF6Hsc6ya7oqd acBYgF/mx6rL8/oE3APpSm0hd/78IXPYHoI4UDdUHRinMIsnR7LLVLzo+aEOHFgl S5plaHJD8Z2ocbEuVWYgzC7fGTlcGioVVb4NPYtZNGpArukZycr7U04NV6nZ4fR5 gPl0Qn8t+3+kjfE/aS5f//EHJa41lcrSGx2zaY6xGcuZrCwT1nsQrEUODpgmNQXs ML3QkS1MwPXJPWWGx/+8YCWia84jhgzZzZUY+l9uM/fP3VwQSFuyQrcNAF45yvdy j7ZkDiadMG8dcMxf/UkypFO5y46Rdi94brgwzKL+eE6MjlxMy9WSr4Xp0fP02+Ur xcTNBoae3Ud4pA6JmVQlWc4oGRLyhjw78nfm+Aroehhyt9Wi7b+zH+0z67kBqMob KTOr6qCeRdqgMZxIYDaWS4h1RvZ8QlSh8uj8eX9v49kxZXEaG9oWOnpcN/DwWVLg w+Xe9zldbMS4aiLz8zN1LNZKHg/GUGY5vh6r2tyK6Nc6Zht9w6AyMfwA/nMICsUY mf7m+t4OiBOGInt5JEa6l4nswHgET6ScKIwzBTNLYv57yeSk4iHORedMjOMB+3Rl erbmhhsxUomStklV+5kpuRUqfZtnDI/9I6kE9tO/hFgjJJsn1MRQGj45iICu9k7d mDvRRCdAuyzQjtSNUOhzH80I3nRBY4l933U01EmX4zJ316KRg1Dc49vnjollqHyO 3vPVji2Rswwq4tSZcKR+I36VNLA503YoUFK1n28s7dGwt+p6wXimWSyp4NTp2Rly UtqGujDCjyeUFB8oRlOa74L3AZ636Jj9u5XKyFIoTMAsjXCGkAeWdfCs9Uq2mtUL Chjy1vAF2DA1raX/FlqxHrPbvpT9ilg0eukrhLU7Xx2ivSfqqUk5cGuZh4ekeOJm yY3nkOHBt0jTfJBHKL+daOjS3OLBDtREp9A/xS8ao41Ic/auOsAybtz0H7AzP04U 1Bm0TtU0bIiELlS6FbsFQiTESHc04aYdUYhgx8eVsn7zp97ysVOb189ob6YQ73kG x1UtsWTAa2BIBpQBjwIDLXKcHCt6y6TW8xnAMpgYLtMCOyitywE+Mw== Extension name: 1uz5e1y6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. 
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CB40CAC4FE8B2D80

http://decryptor.cc/CB40CAC4FE8B2D80
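Each "Extracted" block above is the ransom_template with three per-victim values filled in: the random extension appended to encrypted files (also the prefix of the note's file name), the 16-hex-digit victim UID that both portal URLs end in, and the base64 "Key" blob (the victim's encrypted session data, wrapped at 64 columns) that the portal asks for. The parser below is an added example, not code from the sandbox report, showing how those fields are pulled out of a note and cross-checked. The note it parses is constructed: the report's template with the placeholders filled with made-up values and most of the boilerplate elided, and a constructed 96-byte key.

```python
"""Added example, not code from the sandbox report: recover the per-victim
fields from a Sodinokibi/REvil ransom note the way the "Extracted" blocks
present them (extension, victim UID, the two portals, the key blob).

The note parsed at the bottom is constructed: the report's ransom_template
with {EXT}, {UID} and {KEY} filled with made-up values and most boilerplate
elided. The key is a constructed 96-byte blob, base64-encoded and wrapped at
64 columns as in real notes (line breaks flattened to spaces, as on this page).
"""
import base64
import re

ONION_HOST = "aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion"
CLEARNET_HOST = "decryptor.cc"

UID_RE = re.compile(r"/([0-9A-F]{16})(?![0-9A-Za-z])")
EXT_RE = re.compile(r"Extension name:\s*([A-Za-z0-9]+)")
EXPANSION_RE = re.compile(r"has expansion ([A-Za-z0-9]+)\.")
KEY_RE = re.compile(r"Key:\s*(.*?)\s*Extension name:", re.S)


def parse_note(text):
    """Return the fields an analyst records from one note, plus consistency checks."""
    ext = EXT_RE.search(text)
    exp = EXPANSION_RE.search(text)
    key = KEY_RE.search(text)
    if not (ext and exp and key):
        raise ValueError("not a Sodinokibi/REvil-style note")
    # The key is wrapped at 64 columns; drop all whitespace before decoding.
    key_b64 = re.sub(r"\s+", "", key.group(1))
    key_bytes = base64.b64decode(key_b64, validate=True)

    # Portal URLs: every http(s) URL in the note except the Tor Browser download link.
    urls = [u for u in re.findall(r"https?://\S+", text) if "torproject.org" not in u]
    uids = sorted({m.group(1) for u in urls for m in [UID_RE.search(u)] if m})
    hosts = sorted({re.match(r"https?://([^/]+)", u).group(1) for u in urls})
    return {
        "ext": ext.group(1),
        # The extension is named twice in the note; both mentions must agree.
        "ext_consistent": ext.group(1) == exp.group(1),
        # None when the onion and clearnet portals carry different UIDs.
        "uid": uids[0] if len(uids) == 1 else None,
        "urls": urls,
        "hosts": hosts,
        "expected_note_name": f"{ext.group(1)}-readme.txt",
        "key_b64": key_b64,
        "key_len": len(key_bytes),
    }


def make_note(ext, uid, key_b64):
    """Abbreviated form of the ransom_template with the placeholders filled (constructed)."""
    wrapped = " ".join(key_b64[i:i + 64] for i in range(0, len(key_b64), 64))
    return (
        "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
        "and currently unavailable. You can check it: all files on you computer has "
        f"expansion {ext}. [+] How to get access on website? [+] You have two ways: "
        "1) [Recommended] Using a TOR browser! a) Download and install TOR browser from "
        "this site: https://torproject.org/ "
        f"b) Open our website: http://{ONION_HOST}/{uid} 2) If TOR blocked in your "
        "country, try to use VPN! But you can use our secondary website. For this: "
        f"b) Open our secondary website: http://{CLEARNET_HOST}/{uid} "
        "When you open our website, put the following data in the input form: "
        f"Key: {wrapped} Extension name: {ext} "
        "----------------------------------------------------------------------------------------- !!! DANGER !!!"
    )


SAMPLE_KEY = base64.b64encode(bytes(range(96))).decode()   # constructed, 128 base64 chars
SAMPLE_NOTE = make_note("ab12cd", "0123456789ABCDEF", SAMPLE_KEY)

if __name__ == "__main__":
    for k, v in parse_note(SAMPLE_NOTE).items():
        print(f"{k}: {v if k != 'key_b64' else v[:32] + '...'}")
```

Run against the two notes on this page, the parser yields `elkl8r` / `B4502784476E21C0` and `1uz5e1y6` / `CB40CAC4FE8B2D80`, matching the "Extracted" blocks. The `uid` and `ext_consistent` checks catch notes that were edited or truncated before they reached the analyst; `key_len` is a sanity check that the blob decodes cleanly, not a statement about its contents, which only the operator's private key can open.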

Targets

    • Target

      6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01.exe

    • Size

      166KB

    • MD5

      44c753ed1faec948b0d98bc9ba047469

    • SHA1

      1aa2d575752dcfa73ea8bd2fa666e18588be353c

    • SHA256

      6628de7ffbbe168a4fa9ff0a1a29b54e88a32e5963db0dd1aea4b80102c8ce01

    • SHA512

      f7d4c3988f82839264e83c1a17024c695bd8ff31a224eba3cfc9e3712758be5450521c1e52c246b02dad0849bdf381ad40d77e9b5bab6f8135f07219c13047e0

    • SSDEEP

      3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QoIeXt5KCn16:ZJ0BXScFy2RsQJ8zg9edTn1

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic           Technique                      ID      Count
  Defense Evasion  Modify Registry                T1112   1
  Discovery        Query Registry                 T1012   1
  Discovery        Peripheral Device Discovery    T1120   1
  Discovery        System Information Discovery   T1082   1
  Impact           Defacement                     T1491   1
