General

  • Target

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe

  • Size

    115KB

  • Sample

    231120-21nn5sbd6v

  • MD5

    7e18b037a068c56417fb8e56aa7e49e8

  • SHA1

    f6739569a24358c8c060d7131be70712f70f36e0

  • SHA256

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed

  • SHA512

    d6188e5536b6e0b5c49d572e35155d633c11fd30bc8d4bf4ea87fea7196ae2f67bca364a0afaeed8209e5d4b2be0b98d81c49293d3fed95c70c8388b8387899d

  • SSDEEP

    1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKwTNA28V5/Ogsck:mlnXEXyk7yvh4NKwTNF8V8v

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$PRliCdjvILpWha0dXt26COEfG3S.LFJG/H9fqsY0uepzhaO43cC36

Campaign

3665

Decoy

Attributes
  • net

    false

  • pid

    $2a$10$PRliCdjvILpWha0dXt26COEfG3S.LFJG/H9fqsY0uepzhaO43cC36

  • prc

    visio

    CagService

    VeeamTransportSvc

    dbsnmp

    msaccess

    bedbh

    DellSystemDetect

    encsvc

    VeeamDeploymentSvc

    steam

    mydesktopqos

    sqbcoreservice

    dbeng50

    mydesktopservice

    firefox

    outlook

    tbirdconfig

    raw_agent_svc

    ocomm

    pvlsvr

    isqlplussvc

    sql

    ocautoupds

    thunderbird

    excel

    synctime

    EnterpriseClient

    wordpad

    bengien

    vsnapvss

    benetns

    vxmon

    oracle

    VeeamNFSSvc

    onenote

    xfssvccon

    winword

    beserver

    ocssd

    mspub

    infopath

    thebat

    powerpnt

    agntsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome Massive Prints. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:
    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key:
    {KEY}

    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    3665

  • svc

    MSSQL

    VeeamTransportSvc

    CAARCUpdateSvc

    AcrSch2Svc

    bedbg

    stc_raw_agent

    sophos

    BackupExecDiveciMediaService

    BackupExecVSSProvider

    VeeamNFSSvc

    CASAD2DWebSvc

    BackupExecAgentAccelerator

    veeam

    vss

    MSSQL$

    MSExchange

    sql

    PDVFSService

    VSNAPVSS

    MVarmor64

    AcronisAgent

    ARSM

    BackupExecRPCService

    VeeamDeploymentService

    svc$

    BackupExecAgentBrowser

    MVArmor

    MSExchange$

    BackupExecJobEngine

    mepocs

    BackupExecManagementService

    memtas

    backup

    WSBExchange

Extracted

Path

C:\Users\bgopoa-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Massive Prints. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension bgopoa.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F000715E99199B02
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/F000715E99199B02
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F000715E99199B02

http://decryptor.cc/F000715E99199B02

Extracted

Path

C:\Recovery\1793ouh-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Massive Prints. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1793ouh.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B249DB43754DE2CA
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/B249DB43754DE2CA
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B249DB43754DE2CA

http://decryptor.cc/B249DB43754DE2CA

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Impact

  • Defacement (T1491): 1

Tasks