General

  • Target

    2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi

  • Size

    156KB

  • Sample

    240613-lx4yysxfqm

  • MD5

    ade8979d58960b5214d80e5a723e2779

  • SHA1

    b49e6fa430d3fcc559236a440abbb99b6efd003f

  • SHA256

    388d21a5e711ac53519656a0fce9cbd8d381300c0877b4978bc0792d233bec7f

  • SHA512

    3e76e9fc2048d7d835746d4452f72602c852018fb5db7eb271a74cabf391c3fdfcef3ed8c6ee377c040f1de0ab05021163888598d3a18ecb3832fed3fef55537

  • SSDEEP

    3072:Ui8Iy8EytSLbi4eTMlwDCnuZ3O8VN96b:d8IUykbnWJZ3O8V+b

Malware Config

Extracted

Path

C:\Users\Default\jdpr3.info.txt

Family

sodinokibi

Ransom Note

    Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got jdpr3 extension.

    Instructions into the TOR network
    -----------------------------
    Install TOR browser from https://torproject.org/
    Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7257CF149BCE8973

    Instructions into WWW (The following link can not be in work state, if true, use TOR above):
    -----------------------------
    Visit the following link: http://decryptor.top/7257CF149BCE8973

    Page will ask you for the key, here it is:
    0u2UQz7V0h7SEDRW7IYBgSxRiS+9/onhiqMjokGDZo8LKD9G1E+PIuepR+NJ3IHw JVZfWnMb9gi61UqRm02AXny/6pDTYqefOoLeAx9+w/NTpr91IBPGNohqamqUVVlq UUj/Rx/8IxjfxlKeYHqS33pIVLpZMUKndHzvq+VrbF9bFQY2JiJM4nNEjwdTg69I ZRPaV2HBoV0o9LgFpegGh/W37ulbP/LeRxnZxsxDOGbg+PIcJMl2SWv0cyq3IDmg FpLNjTWEJ+yvYmLVdrVzJhJxrBu98lDcE+tKsVEp9TY1P0XOLTYeo0EKJq2mD3ev jsUl9LmOv+i5Aexecaqj2ZLiUfEGXKvrz8giP66aYkMscfPgq0WOG4bHFyZQkaFs e2MbU+P2uAnO/EReMCnx9DunQRTRJGIMmBn5qCu9gtA/aO72eHMIkuLen59bV8kL 08pOf4kuPvsOhytRK0Ce/bxtmbjQVRYmLokwyTScWnew+uIJ7plAhHjWk1ubCG28 44NUgdj7YedEswPb+d7jCAkB8R/UFUO33TRHxI6MfuElBkoyI80pv1JSLTn9xzqA WeD1XSmyxKqANA0vmkpBkXHo/TFITaKb4jWH/DS8R8E66X5ESvL+TSUUZqW/EjkM t9H9WtZVcfAqhztuPzOKjivbU7OezchUvEfUMlQZihp+NEBXJzcrCL+B/cpopSJc Ljuut6elorO8kr9gBd9MO+jmt+GeVAXJzKHRDAzn8ROy+TAnfwNi8zO3n1R04SyT WzL07wi5fWyzlJ2Rt8sJTylOZII8D7kuQ0ZUrTYaiCBzEYCIkSRXxFYI69yv+aP+ QI6IlDtF1kfr9E/JZnHLmpsraM3P7jZq1lC49nYOfE7u/4byPJeax/R3on3B5D1K fkXIefAO8Ye89+s1cfcDZDVMMUDkts7u7zhG+B8Lf02qMWvEVnLWm3llvHU7UA3z Dp/ZBU9anOSNJU5cibdGwZo6CN7APDfavM31TfADEli7+DenHBGatmEM0MSbx3kN 8ng8VgukboWe3mLTOBpEj+9vmLS5HuPZ1Z4V++7ST1KVQotULp8D1vMM0BWZO2Hx KPVD+z/ncmjb1eLRI4UrzUMHVX8UmnJnB/6+RDoN5G/lPsM+nefnL1I4CXqS1veK jJaQixmyTdHlOoUTStLkS/85egUy5qMrGqBWqli+
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7257CF149BCE8973

http://decryptor.top/7257CF149BCE8973

Targets

    • Target

      2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi


    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Renames multiple (148) files with added filename extension

      This suggests ransomware activity: encrypting files across the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

    Tactic             Technique                      Count  ID
    Defense Evasion    Modify Registry                1      T1112
    Credential Access  Unsecured Credentials          1      T1552
    Credential Access  Credentials In Files           1      T1552.001
    Discovery          Query Registry                 2      T1012
    Discovery          System Information Discovery   3      T1082
    Discovery          Peripheral Device Discovery    1      T1120
    Collection         Data from Local System         1      T1005
    Impact             Defacement                     1      T1491
