General

  • Target

    2024-04-22_440a6103023ba31583001b05b883769d_revil

  • Size

    123KB

  • Sample

    240422-pxaxnabe81

  • MD5

    440a6103023ba31583001b05b883769d

  • SHA1

    433668dfa874077d807f16a2fd344b08dfeac102

  • SHA256

    69d549207931f4451e78c40db31e61a62ac547db28b297108da450d2506f6c3a

  • SHA512

    b92f1d51806aa06e59b223690dae78c9e85942204f458a0dd62c049c3b067c2740bab3946c839c4c3d6d5b8c8764d23a80a1a26f56d58e50b0da867620198b53

  • SSDEEP

    1536:7DvcP3LThpshwVs5OE81NcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxr:y4SVhtNcYM8gnBR5uiV1UvQFOxr

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

Campaign

4085

Decoy

sandd.nl

digivod.de

southeasternacademyofprosthodontics.org

resortmtn.com

mdk-mediadesign.de

tetinfo.in

fayrecreations.com

ecpmedia.vn

physiofischer.de

highlinesouthasc.com

antenanavi.com

blog.solutionsarchitect.guru

deepsouthclothingcompany.com

coursio.com

quickyfunds.com

atmos-show.com

pawsuppetlovers.com

hokagestore.com

midmohandyman.com

mmgdouai.fr

Attributes
  • net

    true

  • pid

    $2a$10$CtL6MpBCOZZcR.aRU3GXp.pcFtg0joF6uPmmrKY0hC0o.x.alLtZ.

  • prc

    sqbcoreservice

    dbsnmp

    mydesktopservice

    outlook

    ocomm

    excel

    mydesktopqos

    isqlplussvc

    onenote

    tbirdconfig

    msaccess

    encsvc

    infopath

    steam

    thebat

    agntsvc

    sql

    visio

    wordpad

    winword

    dbeng50

    powerpnt

    firefox

    xfssvccon

    mspub

    oracle

    thunderbird

    ocssd

    synctime

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4085

  • svc

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    veeam

    vss
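
The prc and svc lists above are the process and service names the sample terminates and stops before it encrypts, which is the loudest pre-encryption signal a host produces. The detection logic below is an added example written for this page, not tooling from the sandbox or code from the malware. It assumes telemetry shaped like Sysmon Event ID 10 (ProcessAccess: source image, target image, granted-access mask) and System Event ID 7036 (service entered the stopped state); the records are constructed dictionaries with assumed field names, and the 60-second window and the thresholds are assumptions. Because the report lists `sql` and `svc$`, which only make sense as substrings, the example matches names by substring rather than exactly, which is also an assumption about the sample.

```python
"""Flag a process that opens many of the listed targets with PROCESS_TERMINATE
while listed services are being stopped on the same host.  Added example for
this report; event schema, window and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
import ntpath

# Process-name tokens from the report's "prc" attribute.
KILL_PROCS = {
    "sqbcoreservice", "dbsnmp", "mydesktopservice", "outlook", "ocomm", "excel",
    "mydesktopqos", "isqlplussvc", "onenote", "tbirdconfig", "msaccess", "encsvc",
    "infopath", "steam", "thebat", "agntsvc", "sql", "visio", "wordpad", "winword",
    "dbeng50", "powerpnt", "firefox", "xfssvccon", "mspub", "oracle", "thunderbird",
    "ocssd", "synctime", "ocautoupds",
}
# Service-name tokens from the report's "svc" attribute.
KILL_SVCS = {"memtas", "mepocs", "backup", "sophos", "sql", "svc$", "veeam", "vss"}

PROCESS_TERMINATE = 0x0001  # access right TerminateProcess() needs


@dataclass
class Alert:
    host: str
    source_image: str
    killed: set = field(default_factory=set)   # listed process names opened for kill
    stopped: set = field(default_factory=set)  # listed services that stopped


def _base(image: str) -> str:
    """'C:\\...\\OUTLOOK.EXE' -> 'outlook'."""
    name = ntpath.basename(image).lower()
    return name[:-4] if name.endswith(".exe") else name


def proc_matches(image: str) -> bool:
    # Substring match (assumption): 'sql' is meant to hit sqlservr, sqlwriter, ...
    base = _base(image)
    return any(tok in base for tok in KILL_PROCS)


def svc_matches(service: str) -> bool:
    # Substring match (assumption): 'veeam' hits VeeamBackupSvc etc.
    s = service.lower()
    return any(tok in s for tok in KILL_SVCS)


def detect_kill_burst(events, window=60, min_procs=3, min_svcs=1):
    """One Alert per (host, source image) that, inside `window` seconds, opened
    at least `min_procs` distinct listed processes with PROCESS_TERMINATE while
    at least `min_svcs` listed services stopped on that host."""
    events = sorted(events, key=lambda e: e["ts"])  # tolerate unordered input
    svc_stops = defaultdict(list)                    # host -> [(ts, service)]
    opens = defaultdict(list)                        # (host, source) -> [(ts, target)]
    for e in events:
        if e["event"] == "service_stopped" and svc_matches(e["service"]):
            svc_stops[e["host"]].append((e["ts"], e["service"]))
        elif (e["event"] == "process_access"
              and e["granted_access"] & PROCESS_TERMINATE
              and proc_matches(e["target_image"])):
            opens[(e["host"], e["source_image"])].append((e["ts"], _base(e["target_image"])))

    alerts = []
    for (host, src), hits in opens.items():
        for i, (t0, _) in enumerate(hits):          # slide the window over the kills
            killed = {n for t, n in hits[i:] if t - t0 <= window}
            stopped = {s for t, s in svc_stops[host] if abs(t - t0) <= window}
            if len(killed) >= min_procs and len(stopped) >= min_svcs:
                alerts.append(Alert(host, src, killed, stopped))
                break                               # one alert per source is enough
    return alerts


# Constructed sample telemetry, not real logs: an unsigned binary in a user
# directory stops VSS/Veeam and then opens Office and SQL processes for kill.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS01", "event": "service_stopped", "service": "VSS"},
    {"ts": 101, "host": "WS01", "event": "service_stopped", "service": "VeeamBackupSvc"},
    {"ts": 102, "host": "WS01", "event": "process_access", "source_image": r"C:\Users\Public\x.exe",
     "target_image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "granted_access": 0x1},
    {"ts": 103, "host": "WS01", "event": "process_access", "source_image": r"C:\Users\Public\x.exe",
     "target_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "granted_access": 0x1FFFFF},
    {"ts": 104, "host": "WS01", "event": "process_access", "source_image": r"C:\Users\Public\x.exe",
     "target_image": r"C:\Program Files\Microsoft SQL Server\sqlservr.exe", "granted_access": 0x1},
]
# Constructed benign activity: a query-only open and a single Task Manager kill.
BENIGN_EVENTS = [
    {"ts": 150, "host": "WS01", "event": "process_access", "source_image": r"C:\Windows\explorer.exe",
     "target_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "granted_access": 0x1000},
    {"ts": 200, "host": "WS01", "event": "process_access", "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "granted_access": 0x1},
]

if __name__ == "__main__":
    for a in detect_kill_burst(SAMPLE_EVENTS):
        print(f"{a.host}: {a.source_image} killed {sorted(a.killed)} while {sorted(a.stopped)} stopped")
```

The service-stop check is anchored to the same host rather than to the source image because Windows does not attribute a 7036 event to the process that issued the stop; correlating on host and time is the practical substitute.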

Extracted

Path

C:\Users\b27ns-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension b27ns. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DA8B44942BB1C484 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/DA8B44942BB1C484 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ybHIly5+e4z++7VphxA7E/Zq41AD1m36Bx+3WhpzFEOCYsyXpB7OU/GUEVB3oZy7 nJFVNEmkYkgn3bJhQiwYCGCI+dmxwq3xLUqxpk0raSKLvP13yLP3F+CgjeOhOWic 2XrH3HqYbON+2lkYwdUtJHM/dLeCKMEdlQZGof+mqdFpUQGFZ24+9te0wDtdxJ3q 5JV9iTf0zrI4roT2H9+INe1+GAuxgAsqiftie/PUYgXavlR4g7RRntRuFLO7MVG/ nP86RCFQN6rmw1GPAgxVKegyejJNb0u4tXUBBAf1aP32N7241A4YZPRxXHApzunz MqkR4Ru65LCldNuAtJW1zw6NWLYtpSGK1fQ5YSvMu5zbtxeU/oZEK2/guB6/Flgf ySWAmcN489vN1PD3HlHdiAKFN/6Gxhke5wuwpa78Pa41g6Qd4SI62nAVqpgaRbQv NfMCQKKVcUd+h8FyrHZ9uKgTMrv4sz7vD/6g1yXwBmbj+BiWc3Xh5amr25ZeANv2 scq+ydzyH00BcIPRfQEo+f+YU9RjsRQzpsx+zqaKXODq36iHDEJC2Ai5/XV4y1Gc uDX6CcI9rlQWLctQbY73TM2WhUCV2fOyZXAHNbpUf2TTaxjm/bA4XckZpnAB0Olf 6gsmGgqI3h+kx5OdhVOTyxRVbzWsR6VhaCHC/QN0OFwvHl71yoo2s1piTu/Het4X wW3kGZD6pqZJ8ZMHvejleEaLv+u0s4n3MyYp+hYWQHNVGx6/UUL7yTFNRP4txz09 2O9Q2lvMGF0tPhjzZ4MpC/j9d3i9XXkRo88euDIoSQ3RjViU83qXQefMaSSz0F3X if5yCbC9ufAHadiTkdtLEgP4VEq6dyh3I1sudKm9Sv6o/uhHr580yuaR+94s9NY2 FaqmUqWxo+Q3n0Hc/Jrrbeurt/G/YgofrBywmBL8aZdI9SOGbEXILwm81ZabGN3W HpO/bj5S5mndEjxCraE8UtCegoFJIhiDm8I5qDk+LFbUF8EbJk0fB6sbkv5Wm5Z9 xDdpyaKZspIDbPXsmYASnJLT3Ya72/wruSnjcTkiwqDFV8fGdQ7Ar7gqjMVXuoWi x3Kxz5Pa6eFvLRmIDUknaTRLxq4/ShN+A+vddl+LnV8M0zl8eRf5rEPhLf0zcI5n yZQgrf8kp4oQDgYLObEu4aRcGXP5fSvP1VZMTOzUKYEyn+nZk+fWYGg0Do9rXzlw 2E6U0DpYpe4ALsmsDf5hzgjcyDyC+qRvrgkYJj661d7GV8d21W/pbqvsQhPx3j36 1dQpUi6k/6aUmyLhzE6R+yay/3sgffTJkGlWjTemBVWoQEyhQJB+qQxtWLATbpsT +uhr9CRWZLBnelaNxlXeYbNXsIdHFHLb9cbcPjtt ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DA8B44942BB1C484

http://decryptor.cc/DA8B44942BB1C484

Extracted

Path

C:\Users\hlwp6or0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension hlwp6or0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5F1D45334BAF872B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5F1D45334BAF872B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: CMCAaY/cJ0clwmJTJAyuufaJf9laBBqGpSCK36n9wupuCX8ifJDhQKx7qVpmagXP LPbRY57TZZaawUWmFem5FfDDO6/pUOMR3Bn/bErv+CUPbrk2QuDA/ikNsIzv9Wec K0QNxkSCfG3l7XRP6kMB+dMNQ/Bp2UZ1faUGG1YULx9wTDdBFj7RG2DNdn8F3R4x tKIA6rpZaCbDyIMsBy4s/srljyat1I1N0ZM+MpNw/5rgoohD/G4sVZkK7A1EUflu BYbHkbmQRpf8kbZsBs54OCYYPxRKEDq5wB3+RaO06iv27MqSOntZQyrirXVK7ZUp AwJkx2yZcKdZ/hodwwHQDnOqXLnkipeVGqYOvGs/StbZM1YZ5IAP43j8bgcTRW5u 9SiIvJrqvQNSk7pUWWVhvhtNCgHrfXgZ/vNKBvDGetn1exyptaJwW5a646PnIcuH Bt9wgmEmH4QYYghofK3Gj7v+jjLn/mSXbZZBsmoA0FjXVW2KEyTS9gLJbr2EuSdM AOnvIiw04qsv5BXnSqqTj0ful04gg1D+3IOQVnGylQDBEcHdsywiTOpiGe9UhB4m KveeSg/h36fBzOCrV1Thbfk42kqnnk1C7bzZ1HdD+Kyt9yxlIqgOWw17e+U6bjrp k1HOPu2FBNEAZHFOmyMr8+YpWDZBT0KSvnv13O6P2DhtQQkkWn/ufr0AzQkKZmJG MT3keHtT8DC0KK52edSiM0mnFTi/Zn2eA28fW9jEV08QBsZ8Lbt3iKNRWRAIBw79 m1Mfrv1/5U58okSTXyeg3woEfBxtJf1McU73OC3jfaoeNF9YnVOBJCnpcqwybmiE MjolJfOpDZvDVMOEmxCstiJmQXaEAMll8Uf6cCzmvSNXJOHfBjEbG1+rY8D41CN6 jVUpQMlCiKVHPLAY8v18urelce+TuE8PJYTjT9JGKlNu4fdtH1i4Hb6FoT6FRG/W FyodNnY1JdwbL3Mu+5AkGbJ2avhapROLUYxce8HS5cOUxPEiN4q6oayBswr1HdPq nc55+09RNQ+v1bwpMoUq9kucuW3CWOWe7gfI63p39ZkGBsQCqWcVHjISP6Ygb4qg JpOUlIOMMpjMsURvdd7Ua7LsdhlMc1wyKlF529hBCx4rDY//WgXOuraueI3kinRE frCFzSJGq168rdEjQYL0EB5CfriRtmnRjZCyp6PWyjPyH9KMpdhsx7hZhFu3Woc9 EzfauheXQMP3LbPTYWAItd9te+d5POMsdTgn3fVHUCX9eB8+W6WPaNUnbzPdNDJx K9gLzz//DDU6svD9exQviHWEIHh7HhjqS4HWWIqPd9fgVnRDcoMcyQS+9v6W1iCy DPP1WqKoBy2JENy98HSHEcGpqHojckmCqSlwNjFhBc1JnLdXRtyhfaJy ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5F1D45334BAF872B

http://decryptor.cc/5F1D45334BAF872B
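
Both notes above follow the {EXT}-readme.txt naming from the template, and each carries the victim extension, a per-victim UID in the .onion and decryptor.cc URLs, and a key blob. The parser below is an added example for triage, not code from the report or from the malware. The sample note is constructed from the template with the first note's extension and UID and a truncated key; the length bounds on the extension in the file-name pattern are an assumption.

```python
"""Locate REvil-style notes by file name, pull the indicators out of the body,
and check that name and body agree.  Added example; not report tooling."""
import re
from pathlib import Path

# "<ext>-readme.txt": the per-victim extension (b27ns, hlwp6or0 in this run)
# prefixes the note name.  4..10 alphanumerics is an assumed bound.
NOTE_NAME = re.compile(r"^(?P<ext>[a-z0-9]{4,10})-readme\.txt$", re.I)
EXT_RE = re.compile(r"has extension (?P<ext>[A-Za-z0-9]+)")
URL_RE = re.compile(r"https?://(?:[\w-]+\.onion|decryptor\.cc)/[A-F0-9]+")
UID_RE = re.compile(r"\.onion/(?P<uid>[A-F0-9]{16})")
# Key blob: base64 characters with embedded spaces, terminated by the dash rule.
KEY_RE = re.compile(r"Key:\s*(?P<key>[A-Za-z0-9+/=\s]+?)\s*-{5,}")


def is_note_name(name: str) -> bool:
    return NOTE_NAME.match(name) is not None


def parse_note(text: str) -> dict:
    """Return ext, uid, urls and the whitespace-stripped key from a note body."""
    ext = EXT_RE.search(text)
    uid = UID_RE.search(text)
    key = KEY_RE.search(text)
    return {
        "ext": ext.group("ext") if ext else None,
        "uid": uid.group("uid") if uid else None,
        "urls": sorted(set(URL_RE.findall(text))),
        "key": "".join(key.group("key").split()) if key else None,
    }


def consistency_check(file_name: str, parsed: dict) -> bool:
    """Name and body must carry the same extension; a mismatch means the note
    was copied from another host or edited, so it is not this host's note."""
    m = NOTE_NAME.match(file_name)
    return bool(m and parsed["ext"] and m.group("ext").lower() == parsed["ext"].lower())


def find_notes(root: Path):
    """Yield (path, parsed) for every note under root, e.g. find_notes(Path('C:/Users'))."""
    for p in root.rglob("*-readme.txt"):
        if p.is_file() and is_note_name(p.name):
            yield p, parse_note(p.read_text(encoding="utf-8", errors="replace"))


# Constructed from the template: same structure, first note's ext/UID,
# "[...]" marks elided text and the key is cut to its first two lines.
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension b27ns. [...] a) Download and install TOR browser from this site: "
    "https://torproject.org/ b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DA8B44942BB1C484 "
    "2) If TOR blocked in your country, try to use VPN! [...] b) Open our secondary "
    "website: http://decryptor.cc/DA8B44942BB1C484 Warning: secondary website can be "
    "blocked [...] When you open our website, put the following data in the input form: "
    "Key: ybHIly5+e4z++7VphxA7E/Zq41AD1m36Bx+3WhpzFEOCYsyXpB7OU/GUEVB3oZy7 "
    "nJFVNEmkYkgn3bJhQiwYCGCI+dmxwq3xLUqxpk0raSKLvP13yLP3F+CgjeOhOWic "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! DONT try to change files by yourself [...]"
)

if __name__ == "__main__":
    parsed = parse_note(SAMPLE_NOTE)
    print(parsed["ext"], parsed["uid"], parsed["urls"], consistency_check("b27ns-readme.txt", parsed))
```

The UID is the value to pivot on across hosts: every note from one run of the sample carries the same UID in both URLs, so two hosts with different UIDs (DA8B44942BB1C484 and 5F1D45334BAF872B above) were hit by separate executions, not one lateral spread of a single process.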

Targets

    • Target

      2024-04-22_440a6103023ba31583001b05b883769d_revil

    • Size

      123KB

    • MD5

      440a6103023ba31583001b05b883769d

    • SHA1

      433668dfa874077d807f16a2fd344b08dfeac102

    • SHA256

      69d549207931f4451e78c40db31e61a62ac547db28b297108da450d2506f6c3a

    • SHA512

      b92f1d51806aa06e59b223690dae78c9e85942204f458a0dd62c049c3b067c2740bab3946c839c4c3d6d5b8c8764d23a80a1a26f56d58e50b0da867620198b53

    • SSDEEP

      1536:7DvcP3LThpshwVs5OE81NcYQp+2ZZICS4AIjnBR561lQVMr3IgmffEbjQFOxr:y4SVhtNcYM8gnBR5uiV1UvQFOxr

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

  Tactic                Technique                             Count  ID
  Persistence           Boot or Logon Autostart Execution     1      T1547
  Persistence           Registry Run Keys / Startup Folder    1      T1547.001
  Privilege Escalation  Boot or Logon Autostart Execution     1      T1547
  Privilege Escalation  Registry Run Keys / Startup Folder    1      T1547.001
  Defense Evasion       Modify Registry                       3      T1112
  Defense Evasion       Subvert Trust Controls                1      T1553
  Defense Evasion       Install Root Certificate              1      T1553.004
  Discovery             Query Registry                        1      T1012
  Discovery             Peripheral Device Discovery           1      T1120
  Discovery             System Information Discovery          1      T1082
  Impact                Defacement                            1      T1491

Tasks