Resubmissions

14-09-2021 08:44

210914-knk9taadcq 10

08-09-2021 13:09

210908-qd156shfgk 10

General

  • Target

    fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample

  • Size

    122KB

  • Sample

    210914-knk9taadcq

  • MD5

    1df36997a8f9096272006b365a68a76d

  • SHA1

    2496712427d789d1bd804835e81d5a210fb5bff8

  • SHA256

    fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b

  • SHA512

    c2701d71d52854a08f1daacb0d523d12e40096c33feef161fc992a3dda2a16f58de997dfde33c66cb1128a3a61a6a8e1e5425a936bc0f2ba83b3ad6696bf9b3d

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

C2


Attributes

  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Extracted

Path

C:\nq7wr59-readme.txt

Ransom Note

The ransom_template above, rendered with {EXT} = nq7wr59, {UID} = FA46CC3BDC2A9E4E and a victim-specific base64 {KEY} blob.

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA46CC3BDC2A9E4E

http://decoder.re/FA46CC3BDC2A9E4E

Extracted

Path

C:\vzts0-readme.txt

Ransom Note

The ransom_template above, rendered with {EXT} = vzts0, {UID} = 75D30EC5588FDE81 and a victim-specific base64 {KEY} blob.

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/75D30EC5588FDE81

http://decoder.re/75D30EC5588FDE81

Targets

    Score
    10/10
    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
