General

  • Target

    36ee6c2c60a8b2027b12b173ed0f7af4e3bc36fee76147bab3dd9f8d7d0057d4

  • Size

    323KB

  • Sample

    240531-jjyhxabe8x

  • MD5

    6e2770b0d48c1aa2e840e4a53ff608be

  • SHA1

    6157fef4b433dcd4fe1763ef3db6496db4c0d6e5

  • SHA256

    36ee6c2c60a8b2027b12b173ed0f7af4e3bc36fee76147bab3dd9f8d7d0057d4

  • SHA512

    18dcd40e8a3a93e7cd414d8f6778e4334eed9ba8f5bfe52505e5a7647568c0bc5c2ac75bd2a5e4e434bfd6d60bc1f47b532e0fc8ce038d914d6dbbdafc7a7278

  • SSDEEP

    6144:k8NJ26tkKqJQSXDG43m4GIdR0WpEKMJHDfP74PPupgMmHfhQ3UVmDjJr:k8/tG+SXDIIdR0lRpbkupLK63UVm

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma

Campaign

7114

Decoy

withahmed.com

scenepublique.net

aglend.com.au

jyzdesign.com

nsec.se

cirugiauretra.es

gopackapp.com

tinyagency.com

crediacces.com

xn--rumung-bua.online

bowengroup.com.au

mastertechengineering.com

kmbshipping.co.uk

homng.net

fitnessingbyjessica.com

oldschoolfun.net

roygolden.com

sotsioloogia.ee

real-estate-experts.com

mir-na-iznanku.com

Attributes
  • net

    false

  • pid

    $2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma

  • prc

    oracle

    klnagent

    mydesktopqos

    infopath

    BackupExtender

    powerpnt

    outlook

    BackupAgent

    Smc

    sql

    ccSvcHst

    BackupUpdater

    Rtvscan

    winword

    kavfsscs

    ocssd

    isqlplussvc

    visio

    ShadowProtectSvc

    tbirdconfig

    TSSchBkpService

    dbeng50

    ccSetMgr

    agntsvc

    Sage.NA.AT_AU.SysTray

    dbsnmp

    thebat

    onenote

    AmitiAvSrv

    wordpad

    msaccess

    avgadmsv

    thunderbird

    BackupMaint

    Microsoft.exchange.store.worker.exe

    CarboniteUI

    excel

    SPBBCSvc

    LogmeInBackupService

    encsvc

    ocomm

    sqbcoreservice

    NSCTOP

    mydesktopservice

    kavfs

    kavfswp

    ocautoupds

    mspub

    xfssvccon

    DLOAdminSvcu

    synctime

    lmibackupvssservice

    firefox

    steam

    dlomaintsvcu

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7114

  • svc

    Telemetryserver

    "Sophos AutoUpdate Service"

    sophos

    Altaro.Agent.exe

    mysqld

    MSSQL$MSGPMR

    "SophosFIM"

    "Sophos Web Control Service"

    SQLWriter

    svcGenericHost

    AltiBack

    "SQLServer Analysis Services (MSSQLSERVER)"

    BackupExecAgentAccelerator

    "StorageCraft ImageReady"

    SQLTELEMETRY

    AzureADConnectAuthenticationAgent

    ntrtscan

    ds_notifier

    TeamViewer

    "StorageCraft Raw Agent"

    "StorageCraft Shadow Copy Provider"

    SQLTELEMETRY$SQLEXPRESS

    VeeamHvIntegrationSvc

    AltiCTProxy

    MsDtsServer130

    ViprePPLSvc

    McAfeeFramework

    MSSQL$QM

    "swi_service"

    "ThreadLocker"

    ofcservice

    AUService

    sophossps

    AzureADConnectHealthSyncMonitor

    Altaro.OffsiteServer.UI.Service.exe

    "SAVAdminService"

    ds_monitor

    ALTIVRM

    SSASTELEMETRY

    TmCCSF

    MsDtsServer110

    "Sophos MCS Client"

    TMBMServer

    SBAMSvc

    mfewc

    "Sophos System Protection Service"

    MSSQLFDLauncher$TESTBACKUP02DEV

    VeeamDeploymentService

    masvc

    backup

    MSSQL$SQLEXPRESS

    AltiPhoneServ

    MSSQLServerOLAPService

    SSISTELEMETRY130

    VeeamEndpointBackupSvc

    mepocs

    Altaro.UI.Service.exe

    "ds_agent"

    HuntressUpdater

    MSSQLFDLauncher

    "Sophos File Scanner Service"

    SQLAgent$MSGPMR

    ADSync

    KaseyaAgent

    ReportServer

    MSSQLFDLauncher$SQLEXPRESS

    MSSQL$HPWJA

    KaseyaAgentEndpoint

    VeeamTransportSvc

    "ds_monitor"

    mfevtp

    MSSQLTESTBACKUP02DEV

    SQLTELEMETRY$MSGPMR

    ThreadLocker

    MSSQLServerADHelper100

    veeam

    tmlisten

    AzureADConnectHealthSyncInsights

    "swi_filter"

    MsDtsServer120

    ProtectedStorage

    VeeamDeploySvc

    memtas

    ds_agent

    VeeamMountSvc

    HuntressAgent

    SQLAgent$SQLEXPRESS

    bedbg

    MSSQLSERVER

    "ofcservice"

    VipreAAPSvc

    "Sophos Endpoint Defense Service"

    KACHIPS906995744173948

    DsSvc

    MSSQLLaunchpad$SQLEXPRESS

    msseces

    macmnsvc

    LTService

    Code42Service

    Altaro.HyperV.WAN.RemoteService.exe

    LTSvcMon

    MSSQL$SQLEXPRESSADV

    "SAVService"

    Altaro.OffsiteServer.Service.exe

    "Sage 100cloud Advanced 2020 (9920)"

    Altaro.SubAgent.exe

    mfemms

    "TeamViewer"

    "SQLServer Reporting Services (MSSQLSERVER)"

    VSS

    sql

    Altaro.SubAgent.N2.exe

    "SQLServer Integration Services 12.0"

    SQLSERVERAGENT

    vss

    "Sophos Safestore Service"

    klnagent

    "Sage.NA.AT_AU.Service"

    MBAMService

    "Sophos Health Service"

    SQLBrowser

    MySQL

    "ProtectedStorage"

    "Sophos Clean Service"

    "Sage 100c Advanced 2017 (9917)"

    "SntpService"

    VeeamNFSSvc

    KAVFS

    SQLEXPRESSADV

    KAENDCHIPS906995744173948

    sppsvc

    Amsp

    psqlWGE

    Microsoft.exchange.store.worker.exe

    kavfsscs

    "Amsp"

    sqlservr

    Altaro.DedupService.exe

    svc$

    "ds_notifier"

    "Sophos Device Control Service"

    AzureADConnectAgentUpdater

    AltiFTPUploader

    "Sophos MCS Agent"
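The `prc` and `svc` lists above are the processes REvil terminates and the services it stops before it starts encrypting, so that database engines, backup agents and security products do not hold the files it wants to overwrite. A burst of stops of exactly these services is one of the few host signals that precedes the encryption itself. The following added example (written for this page; it is neither the sandbox's code nor the malware's) runs a sliding-window check over constructed service-state telemetry using an excerpt of this sample's `svc` list. It models REvil's matching as a case-insensitive substring test, which is an assumption of the example, and reports any 60-second window in which five or more distinct matching services stopped. The native System log event 7036 records only the service display name, so a production rule on that event needs a name-to-display-name mapping in front of this logic.

```python
"""Detect a REvil/Sodinokibi-style service-stop burst in service telemetry.

Added example for this report; not sandbox or malware code. The service
strings are an excerpt of this sample's extracted `svc` list, the telemetry
is constructed, and the matching rule is an assumption (see below).
"""
import csv
import io
from datetime import datetime, timedelta

# Excerpt of the `svc` list extracted from this sample (quotes dropped).
REVIL_SVC = [
    "vss", "sql", "veeam", "backup", "memtas", "mepocs", "sophos", "svc$",
    "MSSQLSERVER", "SQLWriter", "SQLBrowser", "SQLSERVERAGENT", "MBAMService",
    "HuntressAgent", "KaseyaAgent", "TeamViewer", "VeeamTransportSvc",
    "Sophos Endpoint Defense Service", "SAVService", "swi_service",
]

# Constructed sample telemetry (not a real log): service state changes with the
# short service name, as an EDR or SCM audit export would give them. The native
# System log event 7036 carries only the display name, so map first if you use it.
SAMPLE_SERVICE_EVENTS = """timestamp,service_name,display_name,state
2024-05-31T09:14:02,wuauserv,Windows Update,running
2024-05-31T09:41:10,VSS,Volume Shadow Copy,stopped
2024-05-31T09:41:10,MSSQLSERVER,SQL Server (MSSQLSERVER),stopped
2024-05-31T09:41:11,SQLSERVERAGENT,SQL Server Agent (MSSQLSERVER),stopped
2024-05-31T09:41:11,VeeamTransportSvc,Veeam Backup Transport,stopped
2024-05-31T09:41:12,Sophos Endpoint Defense Service,Sophos Endpoint Defense Service,stopped
2024-05-31T09:41:13,MBAMService,Malwarebytes Service,stopped
2024-05-31T09:41:13,SQLWriter,SQL Server VSS Writer,stopped
2024-05-31T10:02:55,Spooler,Print Spooler,stopped
2024-05-31T10:30:00,MSSQLSERVER,SQL Server (MSSQLSERVER),stopped
"""


def matches_revil_svc(service_name, patterns=REVIL_SVC):
    """Config entries that hit `service_name`.

    Modelled as a case-insensitive substring test (an assumption of this
    example); that is what lets short entries such as "sql" or "vss" cover
    every SQL Server instance and the VSS service.
    """
    name = service_name.lower()
    return [p for p in patterns if p.lower() in name]


def parse_events(csv_text):
    """CSV text -> list of (timestamp, service_name, state)."""
    return [
        (datetime.fromisoformat(r["timestamp"]), r["service_name"], r["state"])
        for r in csv.DictReader(io.StringIO(csv_text))
    ]


def find_stop_bursts(events, window_seconds=60, min_services=5):
    """Sliding window over stops of services that hit the kill list.

    Returns one (first_stop, last_stop, sorted service names) tuple per window
    in which at least `min_services` distinct matching services stopped.
    """
    stops = sorted(
        (ts, name) for ts, name, state in events
        if state == "stopped" and matches_revil_svc(name)
    )
    window = timedelta(seconds=window_seconds)
    bursts, i = [], 0
    while i < len(stops):
        j = i
        while j + 1 < len(stops) and stops[j + 1][0] - stops[i][0] <= window:
            j += 1
        names = sorted({name for _, name in stops[i:j + 1]})
        if len(names) >= min_services:
            bursts.append((stops[i][0], stops[j][0], names))
            i = j + 1  # consume the window; the next burst starts after it
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, end, names in find_stop_bursts(parse_events(SAMPLE_SERVICE_EVENTS)):
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S}: {len(names)} kill-list services "
              f"stopped: {', '.join(names)}")
```

On the constructed telemetry the seven stops between 09:41:10 and 09:41:13 form one burst, while the lone Print Spooler stop and the isolated SQL Server restart at 10:30 do not. Tune `min_services` to the host: a backup server legitimately runs many of these services, a workstation almost none.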

Extracted

Path

C:\Users\a9f2d8a54u-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension a9f2d8a54u. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D9D50C834EE04FEA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/D9D50C834EE04FEA Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: fJgT/31RMrfE5nHySBiqH9mynllzE0mB+rHzXFu7OH4OdpYqEj8D8D5P0TK4LXJD VGxnbaybfgHjmvjUBQ/OBtCbI+bcdDzmiOm6AQyxgTZ/AhDjPBZrCRDVVO+SxJNo j4WZkY+JFui4P5H/JhBMhI60CtFkGAFwiMLMkizdZQwe52Z6wk3oV3WtkKkhUZ8t uiBx3GS/9t0x0JYiwY0i1M37Si0ScZdkCPhFIXZKEPGQBR2XlHh9uoARFx+lDQw7 6ARlxVtAn1HYGxkWHAij/mx14jqlWI7DY1Txpra0pBt8A5QZ06s+suF5z2FljKuC k+cSLRsllB9dxqrXYpgZq+GIzJEqtqhts8HIYhAcUBNmy4TO5rXuXpFozBM7ruru HvmaLr804ssKST/jCAWRdWwd9uwOGUV5JMSGj3lwnadqpf6ejqLVr6+VytfdzdzO qbU19NW0KEoa2PxQqKraCWkQ8KBqETFZdDQ6TwmxWvvWZHCb8kKcZY7vdZ3cqvQ4 WGEBkuQ74l3jSC+fKsFyCpmvWHtD0H/rbSdV46I/9beiMx3391F6mUOU/1tMUaZu HMI61CiNQkVAVG/lKz55GftFgKbK24LFdM997ZEHUMrXJJceob1dLPVB8jWYXRdr jVOY07mugis2CNVT/GCikYstmfE1JNIBgvmJH1XlMmKUJwADXpRfU0h9wKqTQK4O mTMk+27ENLqW3LrPkffHr9EyGNKtzezHwcnEmqkfnE9RYn6KHe4B7BOV6cVj3vZ1 iWpFeYjiokkEeyrIqfrk5DPqlAB4J1sHRJdWdlrj/MrMDbg5WT021hrpXFxvmRPv e+zx/k/tQUg2ZF4wYMSu0TXr5xQdRCFNHflHhmkVLmzSG69f2ZxttrKkesud1iCG olodOyYtVMRWIIwKEAZqBgmLcip4HDZgMl16N1doW+VMzLBU2t4D9dQNTUyQDqbY ME5/LOIwJdrjKrK8jQMEiilOkM9pK91YeD9XUBCszmIO1VWuTInJW3j/tiOCUO5P lPWdy4V1aKNV0K5Rf7QQulpz0UK7WOHkOI0ZfhdW5Bst4R7EcZFDZSSvOPGxE0AB fdUQR0lil2JziT1NV80KChLj6wC1TI1VP6DEaNj14oBr5tvLm0YMGk9hphOdqwQE ghuJbXcgKz4JBhCslCQzN92yXTx/uxKwWTiLfLAuqcCr/w4hKFKU6JSJmuL56XNO S/MLB5kUhS/52rsOBrDfdnmL/4fjuBiE7h7Pj//D2SK/sUV6KcsBGaZ5YopfzBPu lEZuhry66qrIxV6jrdddSbXb+/FSilbyiJKEGxyCmy7tW0yPQB43QaGGOFtJX1Y/ VQ/hIkRj2kUkYVzf43eNidwNag46NROXI1eVxnOC ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D9D50C834EE04FEA

http://decoder.re/D9D50C834EE04FEA

Extracted

Path

C:\Users\6o101697-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 6o101697. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6B0CFA941CE3468B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/6B0CFA941CE3468B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Fph+TDhYsuR85jkI2L+CGm4EHsECioYy3hfhCAYwGyN2ajyqhMZfHwsYSY3GLbB/ j0LSXSt2y8T3aUT1T0q4f1CuOgidcUaUQgdNdDVRTmHVhcgU5MCYUXLayw3hjCGq OeUsD8kPF78qJ5jQkX6utK5vfVuy4P8DwNrcLhjLIBGNyomf/iTJMlbmAEJtPQA4 ZKPtD7ME8HrHxzVWVv6MdVhEGiBYB1v/ysrv5SY5tVofyFKE/fMaqGcKLowTr1PJ Z1roRcGf9s+dYp32MloO3BrsmAE1C2rnuW7y2B0HBddQSukQWAlFamMNZkQayEIc TbSC80Ioaz3pVt4W3h86JbApZvmXZWw1S2vsXId6VFI0AES8YnQffCYR65gSLKCf r5k3dA9FGeoIh4M2VOsIVcXq1sas23i4YN3EtoSFNcngvyV4XjnlyFHOtuziIQzx f9iTm0VdFZwZsZKUo8U4WGkvIdoGBvjTU4vHj/a+F1dOR+auyTFWoA2qFlVjxtJ0 XOdcSmP+DcbDcFTREq9MCQql6KOQgHmTZir+bpsTKE6jJZ+4jz7vMbiLz2gmwgQj /8bG0jVOIqPxmqnSFuL5bJCDuKN+UZZGiCNiaIHaYa+gxFbH+UtNVRwYm1GeSdWm zWWHg8121MevRZHjb5iWEvKyVqqDtYT0gHTJdVFhpYfSDJcpbgOsjhRS8kFFO3Mo fpP5fq4NRi2hFBUgQ6c9SXyN6FUJ9LWZR1E+4cYeZr5q4fc+LaM93kzFGF5LAdXK Y74CN0DfKjXlt7kBGbpwn4cRYUdeoCwgIm/NMQKlxc6GVxfkGaOzPCBY9f0yJgRk SpXGXWPJvLv6BDFCT62cbNzgimly5zQKQYSUZfCMwcAoNmqy9WsSVyOcuOj1Unia w2tFvKvK//iAhrk9lMYdSo6YnP8vvYRMlMTZN9WeIESePgazREDEoZZjMHe2tHsU lc37mxihnCe+jNAwiP8sxFsgz2trofDwfyz8FTwHqJN9rTbW7r4uzTfIJkYSQ42A 8K6RzOB9z7LpvhbFAxylSKbXpHsm2Iu2IkC2MmUNt06+nnUqilNhu0rxkRukVxh3 rZIZuV4+P3NV6MSjAzpHJBAuM1WlRfU2GN2bz1ugNvueLSjZM5hNUPMrJgvlAEQO vIyjRKUhiX25x5eC3tdCqX0yl/At2utw+6xILAk/wukRFdHytC7XPmSdWo144A8R WtGHgOz+sYL6LXURHkUVgphvrzbiv/9ckqigMuLgw2jsUPGsQeA30Il9aIxrw8Xo /q/Zt4cuMKuqM0a6iNeFNGdSjhDlXj2YFQCr4eZfxNK2TM8nvJuuly2cIFDHR+bh JEzXByOyHeAh/B9QdZFw5fR9Iysx81pcKDjz9xSqy3I= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6B0CFA941CE3468B

http://decoder.re/6B0CFA941CE3468B
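The ransom_template in the config and the two extracted notes above differ only in the {EXT}, {UID} and {KEY} fields, and those are what an analyst needs from a note found on a host: the extension identifies the run, the UID is the victim identifier on the attacker's portal, and the Key line is the base64 per-victim blob the portal asks for. The following added example (written for this page; not the sandbox's code and not the malware's) pulls those fields out of a note using the landmarks fixed by the template, cross-checks the UID between the .onion and decoder.re URLs, and verifies that the key blob decodes as base64. The sample input is this report's first extracted note, copied verbatim and only re-wrapped at spaces.

```python
"""Extract the per-victim fields from a REvil/Sodinokibi readme note.

Added example for this report; not sandbox or malware code. The landmarks
come from the ransom_template in this sample's config, and SAMPLE_NOTE is
this report's first extracted note copied verbatim (wrapped at spaces only).
"""
import base64
import re

# Placeholders in the template: {EXT} (file extension), {UID} (victim id on
# the portal, identical in both URLs) and {KEY} (base64 blob, wrapped at 64).
_EXT_RE = re.compile(r"all files on your system has extension (?P<ext>[0-9a-z]+)\.")
_ONION_RE = re.compile(r"(?P<url>http://[a-z2-7]{56}\.onion/(?P<uid>[0-9A-F]{16}))")
_CLEARNET_RE = re.compile(r"(?P<url>http://decoder\.re/(?P<uid>[0-9A-F]{16}))")
_KEY_RE = re.compile(r"Key:\s*(?P<key>[A-Za-z0-9+/=\s]+?)\s*-{10,}")


def parse_revil_note(text):
    """Return ext, note file name, UID, both portal URLs, key blob and decoded size.

    Raises ValueError if the note lacks the expected landmarks, if the UID
    differs between the two URLs, or if the key is not valid base64.
    """
    flat = " ".join(text.split())  # undo the note's line wrapping
    ext = _EXT_RE.search(flat)
    onion = _ONION_RE.search(flat)
    clear = _CLEARNET_RE.search(flat)
    key = _KEY_RE.search(flat)
    if not (ext and onion and key):
        raise ValueError("not a REvil note of the expected shape")
    uid = onion.group("uid")
    if clear and clear.group("uid") != uid:
        raise ValueError("UID differs between .onion and decoder.re URLs")
    key_b64 = re.sub(r"\s+", "", key.group("key"))
    try:
        key_bytes = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    return {
        "ext": ext.group("ext"),
        "note_name": f"{ext.group('ext')}-readme.txt",
        "uid": uid,
        "onion_url": onion.group("url"),
        "clearnet_url": clear.group("url") if clear else None,
        "key_b64": key_b64,
        "key_len": len(key_bytes),
    }


# First extracted note from this report (C:\Users\a9f2d8a54u-readme.txt).
SAMPLE_NOTE = """---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and
currently unavailable. You can check it: all files on your system has extension a9f2d8a54u.
By the way, everything is possible to recover (restore), but you need to follow our
instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!=========
Also your private data was downloaded. We will publish it in case you will not get in touch
with us asap. ============================== [+] What guarantees? [+] Its just a business.
We absolutely do not care about you and your deals, except getting benefits. If we do not do
our work and liabilities - nobody will not cooperate with us. Its not in our interests. To
check the ability of returning files, You should go to our website. There you can decrypt
one file for free. That is our guarantee. If you will not cooperate with our service - for
us, its does not matter. But you will lose your time and data, cause just we have the
private key. In practise - time is much more valuable than money. [+] How to get access on
website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and
install TOR browser from this site: https://torproject.org/ b) Open our website:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D9D50C834EE04FEA
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website.
For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary
website: http://decoder.re/D9D50C834EE04FEA Warning: secondary website can be blocked, thats
why first variant much better and more available. When you open our website, put the
following data in the input form: Key:
fJgT/31RMrfE5nHySBiqH9mynllzE0mB+rHzXFu7OH4OdpYqEj8D8D5P0TK4LXJD
VGxnbaybfgHjmvjUBQ/OBtCbI+bcdDzmiOm6AQyxgTZ/AhDjPBZrCRDVVO+SxJNo
j4WZkY+JFui4P5H/JhBMhI60CtFkGAFwiMLMkizdZQwe52Z6wk3oV3WtkKkhUZ8t
uiBx3GS/9t0x0JYiwY0i1M37Si0ScZdkCPhFIXZKEPGQBR2XlHh9uoARFx+lDQw7
6ARlxVtAn1HYGxkWHAij/mx14jqlWI7DY1Txpra0pBt8A5QZ06s+suF5z2FljKuC
k+cSLRsllB9dxqrXYpgZq+GIzJEqtqhts8HIYhAcUBNmy4TO5rXuXpFozBM7ruru
HvmaLr804ssKST/jCAWRdWwd9uwOGUV5JMSGj3lwnadqpf6ejqLVr6+VytfdzdzO
qbU19NW0KEoa2PxQqKraCWkQ8KBqETFZdDQ6TwmxWvvWZHCb8kKcZY7vdZ3cqvQ4
WGEBkuQ74l3jSC+fKsFyCpmvWHtD0H/rbSdV46I/9beiMx3391F6mUOU/1tMUaZu
HMI61CiNQkVAVG/lKz55GftFgKbK24LFdM997ZEHUMrXJJceob1dLPVB8jWYXRdr
jVOY07mugis2CNVT/GCikYstmfE1JNIBgvmJH1XlMmKUJwADXpRfU0h9wKqTQK4O
mTMk+27ENLqW3LrPkffHr9EyGNKtzezHwcnEmqkfnE9RYn6KHe4B7BOV6cVj3vZ1
iWpFeYjiokkEeyrIqfrk5DPqlAB4J1sHRJdWdlrj/MrMDbg5WT021hrpXFxvmRPv
e+zx/k/tQUg2ZF4wYMSu0TXr5xQdRCFNHflHhmkVLmzSG69f2ZxttrKkesud1iCG
olodOyYtVMRWIIwKEAZqBgmLcip4HDZgMl16N1doW+VMzLBU2t4D9dQNTUyQDqbY
ME5/LOIwJdrjKrK8jQMEiilOkM9pK91YeD9XUBCszmIO1VWuTInJW3j/tiOCUO5P
lPWdy4V1aKNV0K5Rf7QQulpz0UK7WOHkOI0ZfhdW5Bst4R7EcZFDZSSvOPGxE0AB
fdUQR0lil2JziT1NV80KChLj6wC1TI1VP6DEaNj14oBr5tvLm0YMGk9hphOdqwQE
ghuJbXcgKz4JBhCslCQzN92yXTx/uxKwWTiLfLAuqcCr/w4hKFKU6JSJmuL56XNO
S/MLB5kUhS/52rsOBrDfdnmL/4fjuBiE7h7Pj//D2SK/sUV6KcsBGaZ5YopfzBPu
lEZuhry66qrIxV6jrdddSbXb+/FSilbyiJKEGxyCmy7tW0yPQB43QaGGOFtJX1Y/
VQ/hIkRj2kUkYVzf43eNidwNag46NROXI1eVxnOC
-----------------------------------------------------------------------------------------
!!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for
restoring your data or antivirus solutions - its may entail damge of the private key and,
as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your
files back. From our side, we (the best specialists) make everything for restoring, but
please should not interfere. !!! !!! !!!"""


if __name__ == "__main__":
    fields = parse_revil_note(SAMPLE_NOTE)
    for k, v in fields.items():
        print(f"{k:13}: {v if k != 'key_b64' else v[:32] + '...'}")
```

The UID and key blob are what to record in the incident ticket and share with the negotiator or insurer, and the extension is what to grep for across hosts to scope the run; the note name `{EXT}-readme.txt` follows from the ransom_oneliner in the config. Matching on the template's fixed phrases rather than on the whole note keeps the parser working across the small wording changes between REvil builds.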

Targets

    • Target

      36ee6c2c60a8b2027b12b173ed0f7af4e3bc36fee76147bab3dd9f8d7d0057d4


    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic / Technique (ID): matched signatures

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 2

Credential Access
  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery
  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Collection
  • Data from Local System (T1005): 1

Impact
  • Defacement (T1491): 1
