General

  • Target

    aa10d34cd25ef3f00f049ed7d02fbd8b7461d847a0763426e63fc85336482f2d

  • Size

    206KB

  • Sample

    220124-bq5a2ahdej

  • MD5

    c5fbdd3c69a5e7e499952dbb1343799b

  • SHA1

    a4940b3abdbd80b05872b735bf97ec14e7fc6047

  • SHA256

    aa10d34cd25ef3f00f049ed7d02fbd8b7461d847a0763426e63fc85336482f2d

  • SHA512

    2ed14db992b4c7300b6c50a2ce0ac002282b5702120feabada9177a2558f163fc8b7f2a26eb0b9ca31fc6c1a8ff91ee26005e983b10b9c1107610ed42e3a7ae6

Malware Config

Extracted

Path

C:\2lc014-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2lc014. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/459DFFCC649C0432 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/459DFFCC649C0432 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Rw13KDwkCo0dFZ/GovTQZ5oW56jyutFzxo3h7uJKxCD1pRNsFEVRBEuFI2sKZBke 9AJOYRhw8DmJhIxB4xUufh73RuoRQRO9Hgb39OE4YU05JSmFne7xWR4ASgd+Ar9f 324aE+z42aCIGZ0Plwa02DNJ2NFWT4ap754nCA/4sf/O1FI3veVKuP2XA01MDqrh zWkoScs7XyIkWrU9vYEjincB9rADzaO0uiEfCwvPnKaswkztAt3xZZBldNcrlzV3 6hSDqWhXUOQMAqydVjvffK3GqQdAHRLUKy8QpgbYMSll4R4AqSn+VkX8OKKBnbpN yh/CrokGvwSjH3P/PaCL6ZTXAADFZhAgIGcK4zZRYB0GBRHj2q9t7A9x5UtOwmzK FRFheZYK/EhSFJ4Lkxb7OvRcxhmcP7Fku/a6B2qZN5JvHoV4UM3tQFizMDOyvP9J J1Gm2Dx57oS0ktX+6L3POArYHEKO36D8uRTX/+I8ICz5VRtFxONU6MUiRfqVoh5+ b9fy6gmcb9EqaanBc2Pc4T9c9Qpz/rQpADUO6p6TkagRwi3tGLbYGHN3RBVdghNx brFK2yGxVKjjOBT0x5LM1O2U7Cbr+qgaF5moIlq+qTG+gw3lFAHIJGlaIJMfSQ4I 17+Hv6eBSyrp7FOLZm0gWkFqFTuIv1Kiz26uGsK2bWVr7rR3R8u4ydDhcCandQPu xushCAuga1CWmvjz3MnZwt7EjlIN6le1PeNzvR4bVnnwGnzlzh17033nMYRTaflD gKhm7Ag++NC3onl1jtgj+921KmG6tT3ii66SkcZqgkoOTGpudwtv2Di7oWO1QwBr QZanq2fSwT31f8heUDxwYU7VUgrvMVCFM2vR3kSDRllA/7EoPk9ytrwU/OV1C9Fm MAiBEVyzbGC0CdmeBnL4YTHukBqoolJCGeU7WqO3Azpq4/IWlFOewDYdd7NqB8vO umUqCnVeMnRB20yA34V+17oRh4YynIpuydieH5cgtkDnxopeHUdQNkr92UVPFONL 9BO6kmC8Oef7oINyv6CBUAUoNONn4/pZiJTX8vxgWRqSyf4QN75WHzmUOd2f39Wa AruFGjgjnEXohBTQNeT0gHks9fkBYT0+CQimoe++pDD67HhprSqnOl46yXFXxnwR Do7u2A== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/459DFFCC649C0432

http://decryptor.cc/459DFFCC649C0432

Extracted

Family

sodinokibi

Botnet

19

Campaign

2970

C2

precisetemp.com

pvandambv.nl

kryddersnapsen.dk

jag.me

aidanpublishing.co.uk

fi-institutionalfunds.com

haard-totaal.nl

handyman-silkeborg.dk

salonlamar.nl

broccolisoep.nl

greatofficespaces.net

kvetymichalovce.sk

brinkdoepke.eu

pedmanson.com

noda.com.ua

ciga-france.fr

babysitting-hk.helpergo.co

publicompserver.de

jobkiwi.com.ng

photographycreativity.co.uk

Attributes

  • net

    true

  • pid

    19

  • prc

    tbirdconfig

    agntsvc

    oracle

    mydesktopservice

    firefox

    dbeng50

    msaccess

    mspub

    winword

    infopath

    synctime

    encsvc

    steam

    onenote

    dbsnmp

    outlook

    powerpnt

    thebat

    thunderbird

    isqlplussvc

    xfssvccon

    sql

    excel

    ocomm

    mydesktopqos

    visio

    wordpad

    ocautoupds

    sqbcoreservice

    ocssd

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2970

  • svc

    sql

    veeam

    sophos

    mepocs

    vss

    backup

    memtas

    svc$
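
The svc and prc lists above are the service and process names the sample looks for and shuts down before encrypting, so that backups, databases and office applications release their file handles. The following added example (not part of the sandbox report) turns them into a simple hunting check over Windows event lines: it treats each entry as a case-insensitive substring of a service or process name (an assumption of this example, as is the constructed log format) and alerts when several distinct kill-list entries are hit within a short window.

```python
"""Hunting helper (added example, not part of the sandbox report): match the
svc/prc kill lists extracted from this sample against Windows event lines.
Substring matching and the log line format are assumptions of this example."""
import re
from datetime import datetime, timedelta

# Copied from the extracted config above. "svc$" is taken literally, as printed.
SVC_KILL_LIST = ["sql", "veeam", "sophos", "mepocs", "vss", "backup", "memtas", "svc$"]
PRC_KILL_LIST = ["tbirdconfig", "agntsvc", "oracle", "mydesktopservice", "firefox",
                 "dbeng50", "msaccess", "mspub", "winword", "infopath", "synctime",
                 "encsvc", "steam", "onenote", "dbsnmp", "outlook", "powerpnt",
                 "thebat", "thunderbird", "isqlplussvc", "xfssvccon", "sql", "excel",
                 "ocomm", "mydesktopqos", "visio", "wordpad", "ocautoupds",
                 "sqbcoreservice", "ocssd"]


def kill_list_hit(name, kill_list):
    """Return the first kill-list entry contained in `name` (case-insensitive), else None."""
    lowered = name.lower()
    for entry in kill_list:
        if entry in lowered:
            return entry
    return None


# Constructed line format: "<ISO timestamp> <event id> <message>".
# 7036 = Service Control Manager state change (System log, carries the display name).
# 5    = Sysmon "Process terminated", whose message carries "Image: <path>".
SVC_STOP_RE = re.compile(r"^(\S+) 7036 The (.+?) service entered the stopped state")
PROC_TERM_RE = re.compile(r"^(\S+) 5 .*Image: (?:.*\\)?([^\\\s]+?)(?:\.exe)?$", re.IGNORECASE)


def scan(lines, window=timedelta(seconds=60), threshold=3):
    """Return (alert, hits); hits is a list of (timestamp, kind, name, kill_list_entry).

    alert is True when at least `threshold` distinct kill-list entries are hit
    within `window`, which is the burst a pre-encryption shutdown produces.
    """
    hits = []
    for line in lines:
        m = SVC_STOP_RE.match(line)
        if m:
            entry = kill_list_hit(m.group(2), SVC_KILL_LIST)
            if entry:
                hits.append((datetime.fromisoformat(m.group(1)), "service", m.group(2), entry))
            continue
        m = PROC_TERM_RE.match(line)
        if m:
            entry = kill_list_hit(m.group(2), PRC_KILL_LIST)
            if entry:
                hits.append((datetime.fromisoformat(m.group(1)), "process", m.group(2), entry))
    hits.sort()
    # Sliding window over the time-ordered hits: count distinct entries per window.
    for i, (t0, *_) in enumerate(hits):
        distinct = {h[3] for h in hits[i:] if h[0] - t0 <= window}
        if len(distinct) >= threshold:
            return True, hits
    return False, hits


# Constructed sample events: three kill-list services stop and Outlook is
# terminated within a few seconds; Windows Update and notepad are noise.
SAMPLE_LOG = [
    "2022-01-24T10:01:03 7036 The Veeam Backup Service service entered the stopped state.",
    "2022-01-24T10:01:04 7036 The Sophos Anti-Virus service entered the stopped state.",
    "2022-01-24T10:01:05 7036 The Windows Update service entered the stopped state.",
    "2022-01-24T10:01:06 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.",
    "2022-01-24T10:01:07 5 Process terminated Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
    "2022-01-24T10:01:08 5 Process terminated Image: C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    alert, hits = scan(SAMPLE_LOG)
    print("ALERT" if alert else "no alert", [h[3] for h in hits])
```

Event 7036 records a service's display name, so an entry such as vss does not match "Volume Shadow Copy" here even though it matches the short name VSS; a production rule should join in the short service name. The threshold and window are tunable assumptions; the per-entry substring check is the part worth reusing.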

Extracted

Path

C:\rc55b8e-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension rc55b8e. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D45BB03998EA6DAB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D45BB03998EA6DAB Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: KN6jRyvOsvDePoS7AgBg5hYNWAm6eHW9hGe8MGDtUWopUUDTTYXWwd0Th2lbxDIA TKwaetVcqaTz3L3wuWoM9Jfy9yz64M3x0ujXJi5FXdHTCbaIgdbiP3yzv/qF4j1J iZBIaXCR5FaHrtb8ZqpFCrpRcEU2gEcoUN+JJ0SkZcWVLsQI4MuvjiWYuj/9ojAN j9iBaq4GkE0zpwbGQHQjv1wwOsp75Bv+kvdv/u9jeZ7KuGIgpZ9zhUBY8IiJ+Mf/ jvDkkUvboiSPr1yviuZkTj1vLqNLVi53L/NsidFCnpISTPU3AIMA5FOfOXp4cN3T gNCFu5/qcCyz5i7Cf3OFKplEsQ7+u4bXk85zU/m6kURVSOn2d1NXwckP6VnyiYhW 8y2n0VQJJhIHwGGlDXd+rZts6iBmQxso2cnpicaf7n+zFeMKMUNCF5D78hWn5lBF KChNskgKV7D/DRJMcmTSiu+TQoqLAnP5381FPyII24J22I+QUMxZwBM2G/eQgjTU JSQUUV2BO6+lHOF1hGDert8WT36yoEK7zNyv5zPXgNkHCnoKTMc4narUtvwm8pLb qU+f/Jd3feFVepyQw0IGSdy3YbONNZfHoeS6ter0C6rR7DIfBCH+sBrwFnJIzXa5 PUiPA8KQBFP1hp2QklOsOQufqtWrhMdPdYGtq16KhAPtqH9i5/tfch0j3U2r6pgK HO1ovt88tc3/50KpdS6kCkivOXItBnZqRQTAWO+AMmM459PcDELZrRlGFmZGCcDs hfFtSc18uUOg++UFCmr+OpSgJsql6WKZImPxY0SGAZBd1HLl4CIqT/uzxyIHBJBY FwBnyb/0iwAuIojKSzOtOATUlca/XAy004hnsX3ig06L9vZ1ILP/PdCfa6boqQEN w6ARSsWsCLuKx+37JRV9R5lrb+zT34GZR6Y7gM4B81h5b8UZHzFAx1dDC5qUH4cQ cQehtb1dg8Cqt0zVbaY+FkoTK3OHdW7wpH6NFEXNoJ2fGN2JqCgQoefnlKuG7GOV ICZI2R/Ad3yEJfN81Mk0/U/yMnYnY3FSi4yUecEuhqU9T05pILJB3CILO4xF/GrN GmYNcw0mzM6mlVVIomk5TDsUZAvFGCLkJHcHiOwu6WnUDdxlqL0qUOeMKVE50A== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D45BB03998EA6DAB

http://decryptor.cc/D45BB03998EA6DAB
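
Both notes above follow the ransom_template, with {EXT}, {UID} and {KEY} filled in per victim, and the note is dropped as {EXT}-readme.txt. The following added example (not part of the sandbox report) parses a note in that format, recovers those three fields for triage, and checks that the Tor and clearnet URLs name the same victim ID. The sample note is constructed from the template wording with the rc55b8e extension and D45BB03998EA6DAB UID seen above and a synthetic key; the field patterns are derived from the template text.

```python
"""Triage helper (added example, not part of the sandbox report): pull the
per-victim fields out of a Sodinokibi/REvil ransom note that follows the
ransom_template shown above, with {EXT}, {UID} and {KEY} filled in."""
import base64
import re

# Patterns derived from the template: "...has extension {EXT}.",
# ".onion/{UID}", "decryptor.cc/{UID}" and "Key: {KEY} -----...".
EXT_RE = re.compile(r"has extension ([0-9a-z]+)\.")
UID_RE = re.compile(r"\.onion/([0-9A-Fa-f]{16})")
CLEARNET_UID_RE = re.compile(r"decryptor\.cc/([0-9A-Fa-f]{16})")
KEY_RE = re.compile(r"Key:\s*(.+?)\s*-{20,}", re.DOTALL)


def parse_note(text):
    """Return ext, uid, expected note filename and decoded key length.

    Raises ValueError when the note does not match the template or when the
    Tor and clearnet URLs carry different UIDs (a sign of a tampered note).
    """
    ext = EXT_RE.search(text)
    uid = UID_RE.search(text)
    uid2 = CLEARNET_UID_RE.search(text)
    key = KEY_RE.search(text)
    if not (ext and uid and key):
        raise ValueError("note does not match the Sodinokibi template")
    if uid2 and uid2.group(1).upper() != uid.group(1).upper():
        raise ValueError("Tor and clearnet UIDs disagree")
    # The key is printed as space-separated base64 lines; drop the whitespace
    # before decoding so a note copied out of a text editor still parses.
    key_b64 = "".join(key.group(1).split())
    key_bytes = base64.b64decode(key_b64, validate=True)
    return {
        "ext": ext.group(1),
        "uid": uid.group(1).upper(),
        # Matches the ransom_oneliner: "Find {EXT}-readme.txt ..."
        "note_name": f"{ext.group(1)}-readme.txt",
        "key_len": len(key_bytes),
    }


# Constructed sample: template wording, the rc55b8e / D45BB03998EA6DAB values
# from the report, and a synthetic 48-byte key laid out in 16-char groups.
_KEY_B64 = base64.b64encode(bytes(range(48))).decode()
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are "
    "encrypted, and currently unavailable. You can check it: all files on "
    "your system has extension rc55b8e. By the way, everything is possible "
    "to recover (restore), but you need to follow our instructions. "
    "b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D45BB03998EA6DAB "
    "b) Open our secondary website: http://decryptor.cc/D45BB03998EA6DAB "
    "When you open our website, put the following data in the input form: "
    "Key: " + " ".join(_KEY_B64[i:i + 16] for i in range(0, len(_KEY_B64), 16)) + " "
    "------------------------------------------------------------ "
    "!!! DANGER !!! DONT try to change files by yourself"
)

if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
```

The same patterns apply unchanged to the two real notes above (extensions 2lc014 and rc55b8e, UIDs 459DFFCC649C0432 and D45BB03998EA6DAB); the UID is the value to pivot on across hosts, since it identifies the victim on the payment portal.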

Targets

    • Target

      aa10d34cd25ef3f00f049ed7d02fbd8b7461d847a0763426e63fc85336482f2d

    • Size

      206KB

    • MD5

      c5fbdd3c69a5e7e499952dbb1343799b

    • SHA1

      a4940b3abdbd80b05872b735bf97ec14e7fc6047

    • SHA256

      aa10d34cd25ef3f00f049ed7d02fbd8b7461d847a0763426e63fc85336482f2d

    • SHA512

      2ed14db992b4c7300b6c50a2ce0ac002282b5702120feabada9177a2558f163fc8b7f2a26eb0b9ca31fc6c1a8ff91ee26005e983b10b9c1107610ed42e3a7ae6

    • Modifies system executable filetype association

    • Neshta

      Neshta is a file infector: it writes its own code into other executable files so that running an infected program spreads it further, and it is known for changing the .exe file association so that its dropped copy runs first (see "Modifies system executable filetype association" above). When both families fire on one sample, as here, the usual explanation is a Sodinokibi binary that was itself infected by Neshta.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Stored browser data can include saved credentials and session cookies. This signature is generic: for a ransomware sample it can also fire simply because the encryptor walks the user profile, so treat it as a lead rather than proof of credential theft.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            Count  ID
  Persistence        Change Default File Association      1      T1042
  Persistence        Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion    Modify Registry                      4      T1112
  Defense Evasion    Install Root Certificate             1      T1130
  Credential Access  Credentials in Files                 1      T1081
  Discovery          Query Registry                       1      T1012
  Discovery          Peripheral Device Discovery          1      T1120
  Discovery          System Information Discovery         2      T1082
  Collection         Data from Local System               1      T1005
  Impact             Defacement                           1      T1491

Count is the number of matched signatures mapped to each technique. The IDs are ATT&CK v6; in current ATT&CK, T1042 is T1546.001, T1060 is T1547.001, T1081 is T1552.001 and T1130 is T1553.004.
