General

  • Target

    4b19fd633560e41d7a7a302e16d1648acf499764d037a512f82246d43bd0c067

  • Size

    123KB

  • Sample

    240417-p6qdpsgb64

  • MD5

    6c029ece836e7ae20d1fb555e930adfc

  • SHA1

    b495b65f2b44c8650eb68fd38262cfa02096d880

  • SHA256

    4b19fd633560e41d7a7a302e16d1648acf499764d037a512f82246d43bd0c067

  • SHA512

    4f531b7d5e9ba946d6f26eb031ecf74319bdb3b64f85760f25d78239e03f746999372c3f49738642563e889838350d5417145fb08ea3b6d553da3b0abe293e4a

  • SSDEEP

    1536:fmUuwmavTqgEs75maMEi5cfhIRuUyOl/q+G/B/0kFctMmtzg1SMClmpi3r9qi2Xv:fmUVzOibZUyj+4uM4zoSwQci2hkKz

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

Campaign

3385

Decoy

balticdermatology.lt

liveottelut.com

michaelsmeriglioracing.com

spsshomeworkhelp.com

campus2day.de

madinblack.com

tanciu.com

agence-referencement-naturel-geneve.net

jakekozmor.com

tinkoff-mobayl.ru

myhealth.net.au

maasreusel.nl

pmc-services.de

evergreen-fishing.com

noskierrenteria.com

galleryartfair.com

importardechina.info

trapiantofue.it

tux-espacios.com

ecoledansemulhouse.fr

Attributes
  • net

    true

  • pid

    $2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

  • prc

    thunderbird

    thebat

    msaccess

    mydesktopqos

    ocomm

    ocautoupds

    outlook

    xfssvccon

    wordpad

    encsvc

    excel

    agntsvc

    sql

    winword

    isqlplussvc

    powerpnt

    ocssd

    dbeng50

    synctime

    visio

    sqbcoreservice

    mspub

    tbirdconfig

    steam

    dbsnmp

    onenote

    oracle

    firefox

    infopath

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3385

  • svc

    veeam

    backup

    vss

    sql

    memtas

    svc$

    mepocs

    sophos

Extracted

Path

C:\Users\tx0estfw9-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension tx0estfw9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/66DCD5832B410684 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/66DCD5832B410684 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: jft1tPalR9Z5oZAVZyK0+pr5nT8Hik1bVeeWnutJow8tVhQ/ZLpK0h2yBIWX+w2g iLCBdysvtkBW18SLktOvi55eqKly6Vcvz23n5qKPTtyiG8Zbjdp0rOpjZ4Cr5YD+ 3qq/eQbKsO9uwPjWLWmcGB6P0Au/yBpmzfqwhWAt9V5ZzY+9ZW9Gljf2tAewrMou wW6W8FswXkb2fGrzwI1cPH8P3m66tORve3/Bdp/ewxcPxsv8Adn/3UFeCZYr3O9C IcUnMEQUHAzJAxEn22GmiWpimDiA8/Zgf6JjAjB+K8ixWnnleNrIf/tHJZUIU8I8 i5YG/5cL4fDwe3bN8nRkYGrs0OpROJMBrdZAedsL6m7jc2Eb1mw+qWbfdfsV6Coe l49zToEIEFc8+6iv9kuiLWGPMl5Cpc7djLV+O2P08Zqo9/oc4vk8eyj40K7xKIIz xgN+a8qIk/cPMd25hVVxFLdSZecf+3Ae3lbhiz+yRN+Lq1te1bXsdyLmcC0rwEj0 ys3mZhPGKPagEdbNit2MYVkQCQD19aNtCzm5qFhSzQ2aeAHOhTx79ImgUVem7cls AxPlz/jE2xQbjyNBHu6SaVcOOvc6YvFBZSGXLbZ2drMUHPo38Q1lCIcPaiyKPg7c rRQpUnrfwTcRXdmffwRJRWD2Zqd9yudysYS5oedDMzsXDK4z35EFtPezPsb/q+h5 epOW2j+haaO3DbXxcjfPJzRXiJ5ScjmT+wk+pNEfS867BKEZULgNyzMuMQDwKWO5 R2ZDKHZD2ge8iSLDSbD+1y8/fo5pjgTdmwXClev75LeqUgq76HLVkHz1u6T06sVE RSDVo+fvn1ozIFIHkAgdL1inkTp7PMUrItSHiiutNi3ttHsirP9GO3K2YdvRSGKR ihm8btxy5bW/C8In/HVdfTwe/mKPUGNZW1Kg+6WvG73gmEe0ri6sWeo8aLq9WIea EgFtX5cjfm+U5asoHlgZEg23vnRgaWO12za3BgZB2vwBUAlGNp6fSFpns7548WkG JFR/5HIwCvt+u9T1xG2d0ZWRKXJd4SgeVqLXdNck74U0k1rIGWcj+6dq0dUnBszN Hn2Syt3byZ3Il1sFizjClbwEoMITUezUiJMh1jOidCuYnOGskIFyvtI9ma7dfHp0 gCoBwVpDY9BYT6EAOYbi3X/f3ak00t1GEP67dgCu/CAKANPVVT3rHPuRhob2OJfd ytt3OohJQmCx3b52tGanBKvBRhvJUUd7IBvBhjdDzcInjxRrgKfeftod6T8o0TAL pyYROE2CwKo3ijJb5NsqC0KMJWJo99EimEZ6d+XTJ61tnFRRfU1qygnmaUPVvTMb Ro48snPpuAphZ4OVq0wLaxp3BQBmBeASDrgza1yWTTIyqH8YkZo= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/66DCD5832B410684

http://decryptor.cc/66DCD5832B410684

Extracted

Path

C:\Users\1eou15g-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1eou15g. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DAB72FA0C5017668 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/DAB72FA0C5017668 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 6z6EHIMOn5d9HdN6STJHJlpHXcV5o6chP357rLmQYzUML0UAdQuVbsc8iozZ6k44 kb3IgD1VOtce+68/LK2/3gDSsjsZ4q6jBRMf0KPPjSfkNWb+cOwtebMa4/y122AS URpGabIjWv5ozsVYwks8z2aRxnNVQaEnBtyz3QyIqPWrddJTjLg7ZM53XhMhe/ol zrre5V9gi2FBkPypK9eh1LOPrJsJL34DpUPZ55h18nOR0qvnDmA7OZMSducejg7m Puv80LxqoDQ4ByuFdZfFWa58GWYktJl02D5KFZxSFHPbWweHUJXXYJIAj3Ot/OtA EJgTM7PmGIZsl941QL4v8P4wXIIm783iBXQHZ+HP+mh0eetQI8h1OPKou1k3W6l4 HKKUKvgth/GjWxthtzk+UcL3gqFMyOCCyaOr7GQDzRGJd37bqPNLjwjnoshLAC6S JPPxEI32/CThSwJQ9fiS5Sxk8VpbWra/3YizelnA6+7OFH/aDDVRFK4aRSynL/1V 7Rg2k0mawcWgLMju1FirMxM2xzu7fPh9s96dT1cpGa05qa7Ie9sJe3ZyDzziPTzp PsA7aWCWA3bgjwyHbELGFD5DtgCgHK3Z/imHKW4boetn+o4/sh03mOjtErQWm/OG Nnj9i5/f3i4CkgOJrM/Jfb6+de1roKgzVlgaoVmK2CwwCqW+jJQRWGugsSPuaUcB WXEd/0FmSnzcYkOp8ybWg5lbD3piNaCfjNvw+E64uweiE9QYCR4HlB0QR9KpMrH/ UtwaruO9jbCLJHKFWbi/ZoFRVER2y8pc+2bHoHfY1dYpzCdzFPhI/mXnY9vKWHmY TX9+lZDtS4K+sj3AQgKPQFxtyYKx6ng7TaakdfrESrG+tM+oUVNOomvhKihiK87N qVeSLCrZ0GBhv4OxsTfeQjK7uXt8llPGHM4vgkyjiyed1ItiPmNKck8yyJi7hsIa wriNpG+bkYfhoA9f55m2ezc9xmWMOj9ZGUmyJY/R1qNa2fxMfdsITDunQkPMiZjO sqzsFMGoZ67qaYlWDRQ9vZLQbzBfDN65TARWm8XjojIp4o17enWdlCdq6R+RmMS5 Jm12sshl+QzDN9dsiXDERoqaz4djyO4RBiOM4m5fsVCYSR4daAVgJxyjCgbGVyZE B48oJap9P8oPjFo1uSZ6OKss4bFLYD5UYCMoOPomIdwiYFMikdXwWo6MhTXXghR9 YtEmomNUJx224Bhc28jpHGpDgTDPww85jUuJa6l7dbzi/0OtVkcuu1Yccstb2Ji8 RWC748cNqtcPr+yTYffnPXpV0YFqrb6Hvn7kwwY1pIcBbaIMjS4sMEWoeaKNeyIi HHmNap9rFwOHPd8e9lUPmtJzOQlmvOKk5L1bJOULaOMvmfE/99cUtg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DAB72FA0C5017668

http://decryptor.cc/DAB72FA0C5017668
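Added example, not part of the Triage report and not code from the sample: a short Python helper that turns the extracted configuration and the two ransom notes above into checks a responder can run mechanically. It parses a note laid out like the `ransom_template` (the `{EXT}` extension, the onion and decryptor.cc URLs with their `{UID}`, the base64 `Key:` blob), derives the expected `{EXT}-readme.txt` name from the `ransom_oneliner`, rejects a note whose two victim IDs disagree, and lists which running process or service names the `prc` and `svc` lists would select (in REvil configs `prc` is the kill list, `svc` the services to stop, `pid`/`sub` the affiliate and campaign identifiers). Assumptions not stated on the page: the sample compares names as case-insensitive substrings (so `sql` reaches sqlservr.exe); the `Key:` blob is base64 split into 64-character groups; the note text and key bytes below are constructed test data, not a real victim's note.

```python
"""Added example (not from the report or the malware): helpers for the
extracted Sodinokibi/REvil config above.

Assumptions (not stated on the page):
  * prc/svc entries are matched as case-insensitive substrings of the
    running process/service name (e.g. "sql" hitting sqlservr.exe);
  * the "Key:" blob is base64 split into 64-character groups by spaces;
  * the note and key bytes built below are constructed test data.
"""
import base64
import re

# Copied from the extracted config above.
PRC = ["thunderbird", "thebat", "msaccess", "mydesktopqos", "ocomm", "ocautoupds",
       "outlook", "xfssvccon", "wordpad", "encsvc", "excel", "agntsvc", "sql",
       "winword", "isqlplussvc", "powerpnt", "ocssd", "dbeng50", "synctime",
       "visio", "sqbcoreservice", "mspub", "tbirdconfig", "steam", "dbsnmp",
       "onenote", "oracle", "firefox", "infopath", "mydesktopservice"]
SVC = ["veeam", "backup", "vss", "sql", "memtas", "svc$", "mepocs", "sophos"]
ONION_HOST = "aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion"
README_PATTERN = "{EXT}-readme.txt"   # from ransom_oneliner

# Keys on the sentences of ransom_template that carry indicators. re.S lets
# ".*?" cross the line breaks a dumped note may contain.
NOTE_RE = re.compile(
    r"has extension (?P<ext>[0-9a-z]+)\."
    r".*?(?P<onion>http://[a-z2-7]{56}\.onion/(?P<uid>[0-9A-F]+))"
    r".*?(?P<clearnet>http://decryptor\.cc/(?P<uid2>[0-9A-F]+))"
    r".*?Key: (?P<key>[A-Za-z0-9+/= ]+?) -{5,}",
    re.S,
)


def parse_note(text):
    """Extract indicators from one note; raise ValueError if the two victim
    IDs disagree or the key is not valid base64 (a tampered/partial note)."""
    m = NOTE_RE.search(text)
    if not m:
        raise ValueError("not a Sodinokibi note in the expected layout")
    if m["uid"] != m["uid2"]:
        raise ValueError("onion and clearnet victim IDs differ")
    key = base64.b64decode(m["key"].replace(" ", ""), validate=True)
    return {
        "ext": m["ext"],
        "uid": m["uid"],
        "onion": m["onion"],
        "clearnet": m["clearnet"],
        "key_len": len(key),
        "readme": README_PATTERN.replace("{EXT}", m["ext"]),
    }


def targeted(names, config_list):
    """Map each running name to the config entries that would select it
    (substring comparison: an assumption, see module docstring)."""
    hits = {}
    for name in names:
        matched = [e for e in config_list if e.lower() in name.lower()]
        if matched:
            hits[name] = matched
    return hits


def build_note(ext, uid, key_b64):
    """Constructed, abbreviated note in the layout of ransom_template; only
    the sentences parse_note() keys on are kept."""
    groups = " ".join(key_b64[i:i + 64] for i in range(0, len(key_b64), 64))
    return (
        "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are "
        "encrypted, and currently unavailable. You can check it: all files on "
        f"your system has extension {ext}. By the way, everything is possible "
        "to recover (restore), but you need to follow our instructions. ... "
        f"b) Open our website: http://{ONION_HOST}/{uid} 2) If TOR blocked in "
        "your country, try to use VPN! ... b) Open our secondary website: "
        f"http://decryptor.cc/{uid} Warning: secondary website can be blocked. "
        "When you open our website, put the following data in the input form: "
        f"Key: {groups} "
        "----------------------------------------------------------------- "
        "!!! DANGER !!! DONT try to change files by yourself ..."
    )


# Constructed key material: 96 arbitrary bytes, NOT a real victim key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(96))).decode()
SAMPLE_NOTE = build_note("tx0estfw9", "66DCD5832B410684", SAMPLE_KEY_B64)

if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
    print(targeted(["sqlservr.exe", "outlook.exe", "notepad.exe"], PRC))
    print(targeted(["VeeamBackupSvc", "SophosHealth", "Spooler"], SVC))
```

Run against the two notes extracted above, `parse_note()` should return `tx0estfw9-readme.txt` and `1eou15g-readme.txt`, which is exactly what the dropped-file paths show, and the victim ID in the onion URL must equal the one in the decryptor.cc URL; a note where they differ has been edited or mixed from two infections. The `targeted()` output is the practical reading of `prc`/`svc`: backup agents (veeam, backup, vss), database engines (sql, oracle) and the endpoint product (sophos) are stopped first so their files are unlocked for encryption and restore points are gone.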

Targets

    • Target

      3cff33197edc918d47d08f44d6ddbdda157337f0ad58288d15746cf72c0e4c57.exe

    • Size

      166KB

    • MD5

      340b6f816bfdcfcb466cfc126c976844

    • SHA1

      e2e3adfcf621166a9f5bb7ee9795b7914cda2095

    • SHA256

      3cff33197edc918d47d08f44d6ddbdda157337f0ad58288d15746cf72c0e4c57

    • SHA512

      3e729878fe7ae2ea2f025d71d78226ddb5930b791143eb8c4ba4a7589d5944e5b0e37e8ffe1ea4983bbc66c71587e3a4b158b3e8a2b71ccbed2889c4778962f9

    • SSDEEP

      3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QLOoBB2W:ZJ0BXScFy2RsQJ8zgLOYB

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • Boot or Logon Autostart Execution, T1547 (1)
  • Registry Run Keys / Startup Folder, T1547.001 (1)

Privilege Escalation
  • Boot or Logon Autostart Execution, T1547 (1)
  • Registry Run Keys / Startup Folder, T1547.001 (1)

Defense Evasion
  • Modify Registry, T1112 (3)
  • Subvert Trust Controls, T1553 (1)
  • Install Root Certificate, T1553.004 (1)

Discovery
  • Query Registry, T1012 (1)
  • Peripheral Device Discovery, T1120 (1)
  • System Information Discovery, T1082 (1)

Impact
  • Defacement, T1491 (1)

Tasks