General

  • Target

    06c46067d0d0ea71dd5f8d6f2d4d050393db4d58c79dfcddfb1fbe2c51dabffa

  • Size

    330KB

  • Sample

    210504-hfaktxmzy2

  • MD5

    9339f5c37e23424fe4bc216b7eafe558

  • SHA1

    8215b514515f02c9355fea9062817fc95a641ff1

  • SHA256

    06c46067d0d0ea71dd5f8d6f2d4d050393db4d58c79dfcddfb1fbe2c51dabffa

  • SHA512

    73438c5e73920969b13b0a152da05fc936d6bd432b1ce9b8d7f211aedb8ae981f9dc25e68096fce7486daf6b106dc351379778592f134b841ea306d11320b024

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$t3DhTruaNQkuwj0ZThetBO76elGNsuZ6qHEDd9eLbWXl1fJiNkEUq

Campaign

3612

C2

Attributes

  • net

    true

  • pid

    $2a$10$t3DhTruaNQkuwj0ZThetBO76elGNsuZ6qHEDd9eLbWXl1fJiNkEUq

  • prc

    infopath

    sql

    mydesktopqos

    excel

    powerpnt

    xfssvccon

    msaccess

    encsvc

    wordpad

    firefox

    ocssd

    dbsnmp

    steam

    ocautoupds

    synctime

    dbeng50

    winword

    agntsvc

    oracle

    tbirdconfig

    thebat

    mspub

    ocomm

    sqbcoreservice

    outlook

    mydesktopservice

    onenote

    visio

    isqlplussvc

    thunderbird

  • ransom_oneliner

    ...ALL YOUR FILES ARE BLOCKED AND CAN BE LOST SOON... Urgently find: {EXT}-README.txt in folders or on your desktop! YOU HAVE A FEW DAYS OR A FILE WILL BE LOST FOREVER !!!

  • ransom_template

    Sorry, but your files are locked due to a critical error in your system. The extension of your files is now "{EXT}". If you yourself want to decrypt the files - you will lose them FOREVER. You have to pay get your file decoder. DO NOT TAKE TIME, you have SEVERAL DAYS to pay, otherwise the cost of the decoder will double. How to do it is written below. If you cannot do it yourself, then search the Internet for file recovery services in your country or city. Go to the page through the browser: http://decryptor.cc/{UID} If your site does not open, then download the TOR browser (https://torproject.org/). If you can’t access the download page of the TOR browser, then download the VPN! After you install the TOR browser on your computer go to the site: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} After going to the site, enter the following code: {KEY}

  • sub

    3612

  • svc

    sql

    sophos

    mepocs

    memtas

    backup

    vss

    veeam

    svc$

Extracted

Path

C:\561z7j9o-README.txt

Ransom Note
Sorry, but your files are locked due to a critical error in your system. The extension of your files is now "561z7j9o". If you yourself want to decrypt the files - you will lose them FOREVER. You have to pay get your file decoder. DO NOT TAKE TIME, you have SEVERAL DAYS to pay, otherwise the cost of the decoder will double. How to do it is written below. If you cannot do it yourself, then search the Internet for file recovery services in your country or city. Go to the page through the browser: http://decryptor.cc/F42768E394EB214D If your site does not open, then download the TOR browser (https://torproject.org/). If you can’t access the download page of the TOR browser, then download the VPN! After you install the TOR browser on your computer go to the site: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F42768E394EB214D After going to the site, enter the following code:

URLs

http://decryptor.cc/F42768E394EB214D

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F42768E394EB214D

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (3)

    T1130 Install Root Certificate (1)

  • Discovery

    T1012 Query Registry (1)

    T1120 Peripheral Device Discovery (1)

    T1082 System Information Discovery (1)

  • Impact

    T1491 Defacement (1)

Tasks