Resubmissions

Date              Sample ID            Score
11-04-2024 17:53  240411-wgrc2agf82    10
11-04-2024 17:50  240411-weydkagf52    10
07-03-2024 21:32  240307-1d2rtafd3x    10
05-03-2024 03:22  240305-dw4ykadb7x    10
26-02-2024 08:40  240226-klbmlahd92    10
25-01-2024 23:42  240125-3p3jlaagej    10
10-10-2023 00:01  231010-aaxetahb7s    10
14-07-2023 13:07  230714-qc385seh7w    10
11-07-2023 13:35  230711-qv314aad81    10

General

  • Target

    v2.bin(1).zip

  • Size

    73KB

  • Sample

    240307-1d2rtafd3x

  • MD5

    620fd461cab821f478f7cce1bf06d1ac

  • SHA1

    a083516b5a275a2e9141f68a99ab4878632c5552

  • SHA256

    f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554

  • SHA512

    9ad7d4f17e156e21885c89b242430a06652ea8bdc45b22dc64f23efe8c2f6391ac5556c5e2bd14cf46d5bd8cb8dbb89f714466eef348dcb19ad16f3175dd3117

  • SSDEEP

    1536:yJrdZ1PgFel3BJmc11f0MPxwX5o2CfFGm8SXZRObA:yJJZ1cKxJm+bZGCfFjpRObA

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$lTqvWf.cQvh9W5jZkAk9LO0hMLnifWtUFoBJ86Ge.hLZGVClg6xhW

Campaign

7563

Decoy

commercialboatbuilding.com

parkstreetauto.net

longislandelderlaw.com

lbcframingelectrical.com

assurancesalextrespaille.fr

smale-opticiens.nl

naturavetal.hr

global-kids.info

kaotikkustomz.com

klusbeter.nl

socstrp.org

stefanpasch.me

jandaonline.com

beyondmarcomdotcom.wordpress.com

nmiec.com

sabel-bf.com

edv-live.de

zewatchers.com

controldekk.com

berlin-bamboo-bikes.org

Attributes

  Field meanings, as documented in public Sodinokibi/REvil configuration analyses: net is the flag that enables beacons to the domains listed under Decoy; pid is the affiliate identifier (the value shown above as Botnet); sub is the sub-campaign identifier (shown above as Campaign); prc lists process names terminated before encryption so that files they hold open can be overwritten; svc lists service names stopped before encryption, chosen to disable backups (veeam, backup, vss), databases (sql) and security products (sophos); ransom_oneliner is the text written onto the desktop wallpaper and ransom_template is the note body, with {EXT}, {UID} and {KEY} filled in per victim.

  • net

    true

  • pid

    $2a$12$lTqvWf.cQvh9W5jZkAk9LO0hMLnifWtUFoBJ86Ge.hLZGVClg6xhW

  • prc

    oracle

    excel

    ocomm

    onenote

    mspub

    powerpnt

    synctime

    agntsvc

    dbeng50

    isqlplussvc

    firefox

    mydesktopservice

    steam

    winword

    dbsnmp

    ocautoupds

    thunderbird

    sqbcoreservice

    ocssd

    encsvc

    xfssvccon

    tbirdconfig

    wordpad

    infopath

    visio

    outlook

    msaccess

    sql

    mydesktopqos

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decoder.re/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key:

    {KEY}

    -----------------------------------------------------------------------------------------

    We will use the data gathered from your systems in future campaigns in 14 days

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    7563

  • svc

    veeam

    svc$

    memtas

    sophos

    sql

    vss

    backup

    mepocs
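
Two checks built from the prc and svc lists above, added here as an example (not code from the sandbox or from the malware): which processes and services on a host fall on the kill lists, and a detection that fires when several listed services stop within a short window, which is the step the payload performs right before encrypting. The matching rules (exact, case-insensitive match on the process file stem; case-insensitive substring match on service names) and the telemetry line format are assumptions made for the example and were not verified against this sample; the tasklist output, service names and event lines are constructed.

```python
"""Apply the prc/svc kill lists from the extracted config to host data.

Added example for this page, not code from the sandbox or the malware.
Matching rules are assumptions for illustration, not verified on the sample:
exact case-insensitive match on the process file stem, case-insensitive
substring match on service names. All host data below is constructed.
"""
from __future__ import annotations

import csv
import io
import re
from datetime import datetime, timedelta
from typing import Iterable

# Kill lists copied from the 'prc' and 'svc' fields of the extracted config.
PRC = {
    "oracle", "excel", "ocomm", "onenote", "mspub", "powerpnt", "synctime",
    "agntsvc", "dbeng50", "isqlplussvc", "firefox", "mydesktopservice",
    "steam", "winword", "dbsnmp", "ocautoupds", "thunderbird",
    "sqbcoreservice", "ocssd", "encsvc", "xfssvccon", "tbirdconfig",
    "wordpad", "infopath", "visio", "outlook", "msaccess", "sql",
    "mydesktopqos", "thebat",
}
SVC = {"veeam", "svc$", "memtas", "sophos", "sql", "vss", "backup", "mepocs"}

# Constructed `tasklist /fo csv` output.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","812","Services","0","12,000 K"
"EXCEL.EXE","4120","Console","1","90,000 K"
"sqlservr.exe","1604","Services","0","400,000 K"
"outlook.exe","5008","Console","1","150,000 K"
"""
# Constructed service key names as `sc query` or Get-Service would list them.
SAMPLE_SERVICES = ["MSSQLSERVER", "VeeamBackupSvc", "Spooler", "VSS",
                   "SophosHealth", "wuauserv"]
# Constructed telemetry lines: "<timestamp> service_stopped <ServiceName>".
# The line format is assumed; map your own service-stop events onto it.
SAMPLE_EVENTS = """\
2024-03-07 21:32:09 service_started wuauserv
2024-03-07 21:32:10 service_stopped Spooler
2024-03-07 21:32:11 service_stopped VeeamBackupSvc
2024-03-07 21:32:11 service_stopped MSSQLSERVER
2024-03-07 21:32:12 service_stopped VSS
2024-03-07 21:40:00 service_stopped wuauserv
"""
STOP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) service_stopped (?P<name>\S+)$"
)


def processes_at_risk(tasklist_csv: str) -> list[str]:
    """Image names whose stem is on PRC (sqlservr.exe is not: 'sqlservr' != 'sql')."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image = row["Image Name"]
        if image.rsplit(".", 1)[0].lower() in PRC:
            hits.append(image)
    return hits


def services_at_risk(service_names: Iterable[str]) -> list[str]:
    """Service names containing any SVC entry, so 'sql' covers MSSQLSERVER."""
    return [n for n in service_names if any(k in n.lower() for k in SVC)]


def first_kill_burst(lines: Iterable[str], window_seconds: int = 60,
                     threshold: int = 3) -> list[str] | None:
    """Distinct kill-list services stopped within one window, or None.

    Several of these services stopping within seconds of each other is the
    pre-encryption step of this family; a single stop is normal admin noise.
    """
    stops = []
    for line in lines:
        m = STOP_RE.match(line.strip())
        if m and services_at_risk([m["name"]]):
            stops.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["name"]))
    stops.sort()
    window = timedelta(seconds=window_seconds)
    for i, (start, _) in enumerate(stops):
        names = sorted({n for ts, n in stops[i:] if ts - start <= window})
        if len(names) >= threshold:
            return names
    return None


if __name__ == "__main__":
    print("processes:", processes_at_risk(SAMPLE_TASKLIST))
    print("services:", services_at_risk(SAMPLE_SERVICES))
    print("burst:", first_kill_burst(SAMPLE_EVENTS.splitlines()))
```

The substring rule is why such a short svc list reaches so many real services; the threshold in first_kill_burst is what separates a backup agent restarting from the mass stop this sample performs.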

Extracted

Path

C:\Recovery\5v15b-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5v15b.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3EA1A4E36040776B

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/3EA1A4E36040776B

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

gwXal7U5lDi3uQVetSkS3Y+yTlTlZcwYE15z/FUPZ3x311x8ZrV2ip3Er9+Ha+2h
tMmOc+YvDpMa8i3RqUdG5VDbDZgq9gwAZ0iJMgy9L7Fd0Hb8SDvd7vuTkfui+mlR
FziwUqJZy2JcoWSvwzFWUQzFiLxH8bp0CuJmhlHku9eLKuE7YNvgETJOdW/JSqhH
lcHpG8sPsqu+djDIEwxb8hqBOjTsMlQUtba6NWNMBrIBVpEZKmPExzqq4S1iZWUp
KbvZTDiGcM6HE50g3GZn1lTILEaOd8Dw8j7jYHtNBFwEnwfZQCf7T7LkuQudTBG5
hXBOeq4osRJEzqB4eMxHekRfyBX5bqWOWiUGziRf09LxC5G2KFhsELRbxkSXHbtW
ijjX77OiUAsLMNQDS06gsu8EwNLxbkERA076RTLtNfdREyj2RfyEuAhPW7M888Vf
97Y3XlLgswhtLUULcforpj9Z4z8Bo7pS5L4HiBlv83sDvHx57nZJ8lqqScKRCUME
qh6hrMz03AvPcor/TNtGYt7VbCM1rW/8C5nwnicMCFT4t4yjYvLr8vjtaSe1RO13
V99FnEn9Pmng5f3x5WfyDd2AxnuvVVHZaoZIzlv/f4xaY60d8Vj0LAD1uHyii+oW
A07FevVz+RIW7rAfs2Mb19jLpuc2SYTOlJHXdDqbhMZ6SmSrQeMdvbsLjEPjC84A
L/UJeb2A+m2kOjjp4P+h20NKha+ajSbvXwGwOY0U6dbWjo0qNeKgipO4R+Zn5pS+
rsVLbFyiXuVNYsAVh0CitlF3nrHi3ZZJGG3OCNOcLChhnsr99A9p3vQNcYLgX/wC
DGHL9HQXywqYGSNH6WgwAXU47vNifaelc6onay1WMIHqQOvdSAI2wIftV4L41Y0G
Y0Dwae0APvbezeqLUxYjl1MwcqOmYixkw/k13RPn5GJbnbWaycZ6iFIEDylOav23
vLk47lE10FOHuKm1JQpP+qyRaBul3iqIVgyBX1Xwn2VHCaCMDhOo1EWmS2fO3WSY
Rn6Dd+zTGD7+ZJhwOfqu49hK+ZCIxeHBXp7gn7yrGsqpgU1ltuhDK0ccgDc4wgqQ
U9CP6MJJOes1561NvuQNIM6cck1nIbYMto0FQG+AjsuK90RS/HmxQ8SSvbOtmSMu
cYHTmZM6pcRqBX4ITA2CTmMNMp+FiGidFO2jToeZQ83KPdoXGq2NVXnn0NU4F7By
nNr+cDILxS4LW4uPzgmO74A9KQzHRlV1xtqCUK6mbNJZj+GLZ36PjbYr4vj7IES7
7hHEiLs23tEliHUDfHET42YXsAnmQg7S5Mpu5ZdTQev+ryuwW9RU/HHOiVR6yLoh
3d/YxPPCqPeaXtrvPssI/5GMynY=

-----------------------------------------------------------------------------------------

We will use the data gathered from your systems in future campaigns in 14 days

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3EA1A4E36040776B

http://decoder.re/3EA1A4E36040776B

Extracted

Path

C:\ProgramData\oitd618-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension oitd618.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/66EFD50C7CD78C48

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/66EFD50C7CD78C48

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

UaGiRjW4GJrpFEKKjV69WOpG39uqXwKwLUp6IPRZu7mwHrsYg58KCm7BcylvhiMG
WdhBqRppHjXd+yWmHXDV44mdERwelGd+Z6Jp3cF3hy54OsYMvjTsh+abPN0dTaH3
bXXFbkM9jC190A3Wr7MpBgKH5wx+rllweOGZlnoORdxm0NpfuP0M37dgNr/BDTVS
yS45Ng7cvPJrJBP1QgftxaU6rOMHpU4mwWfzLS2a1p8zGOlxPnv0TcRtfKuaZFbR
gX0XJG4xqMnDllgQqMEGrESxEoUErjn+UVcs8UfbvMUGpKiW1WRTZYhTK/tNqi6w
CDreyxZQcstgY8/jqOaZEUcKcVsKTC1wBcHcasTvHEsYhY/tn7WN8JsOdLyE69uV
aQvgLBOUoZQ6UYaDxfboMX1KYY0lsMjtXHMTYBjqq3zo4eDZH3qEcBbgzryOSz9U
t30qQNDKN3zt0v+VHPk4FxuMpfF3f8XqWvfB1HSR3tl9NUiR4Cvi7v3R4UlRxFuz
/seTRkZPuzTlCa3E+wARPdOTNIbQF8+yOdV4flkhtQv3PyxB5M+9c/JRPw6nFCW7
cLyIaX5W+majzXlkE3nhLci70kUi2nWssuiLXw+kxhTZb/JnS+5gxGLvIvsnQETL
OWOZoiGPaP4J/LAs7mE7VfHeQcysL0Tr6infpAHY+IgmkMyMqDLlft9XxE7gNekc
XKZkq2GGg9960senqiaYrMp1EAEQlGVkSMKL2xdbabQEYAPMepBvpNC9p9BE/0zV
WT8PNDc6RzhhmOIHQVJwEbvcahgd5WxDer9mYQ1wW558J38wEfmgiSX1FCF1o752
NIz/mSA6QhYYoqS1resB9CUyOQS8VS1qA1xX0ppxDOy0zSIcVmPBy5s1PdkbBmWa
Csa/OK91zFjdg0kO929HiqZxMuxBeQVrJ1hmfcxP6ihKGq7lQpNgcAtIbV4AbkiQ
PWcUuS4s56MjX1V9kiRyOQv6Qbk+BPQbcK+AYP3uabETKZJJ2CcnQaEVYL2GGjzG
yfvd3hnaaKnQKw4wPaZuEG5r6lDJMjnuCEjcI3jsjjgfy99VoZD1mCi9pbyMPzA5
Ak2hnLDltrPZXOoiXA4xEZ0NjjBPZHKvew4hS5yDOYph9I1upjBH6QxpeiAITfKg
+qzaj6ukw5UAg7NVB/wDitZi10Bjqxe2/YWeSHE1+DJlOccRwD4GGXN7p2/fKEgo
Qv+H5U8V27FimFrRO2xN/zopZ+bOgxMnHAuYcAkgYog73DTyhZAW4HiiBvmmVp3l
wbBMb62u4GlA0q61TCxPiObOwogjZDOGvVrxgdjnLnLJhqJVM8HD4pW7ULXRf0jI
F55juZhTf4QAW3zs2wez9Sr9005MUImxTZ+u//3k

-----------------------------------------------------------------------------------------

We will use the data gathered from your systems in future campaigns in 14 days

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/66EFD50C7CD78C48

http://decoder.re/66EFD50C7CD78C48
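
The two dropped notes above differ only in the per-victim extension, UID and key, which is what makes them worth parsing rather than reading. The following is an added example (not part of the sandbox report, and not the malware's code) that turns a Sodinokibi note into checkable indicators: the extension, the victim UID, both contact URLs, the key blob, and the note file name the template implies, with a consistency check that the onion and clearnet URLs carry the same UID. The sample input is an excerpt of the first note on this page with the key cut to its first two base64 lines; the regular expressions are the example's own assumptions about the template layout.

```python
"""Pull machine-usable indicators out of a Sodinokibi/REvil ransom note.

Added example for this page; not the sandbox's or the malware's code.
The regexes encode the note layout seen above and are assumptions.
"""
from __future__ import annotations

import base64
import re

# Excerpt of the note dropped at C:\Recovery\5v15b-readme.txt on this page,
# with the key blob cut to its first two base64 lines (constructed sample).
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are "
    "encrypted, and currently unavailable. You can check it: all files on "
    "your system has extension 5v15b. By the way, everything is possible to "
    "recover (restore), but you need to follow our instructions. "
    "[+] How to get access on website? [+] 1) [Recommended] Using a TOR "
    "browser! b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbx"
    "br6wketf56nf6aq2nmyoyd.onion/3EA1A4E36040776B 2) b) Open our secondary "
    "website: http://decoder.re/3EA1A4E36040776B When you open our website, "
    "put the following data in the input form: Key: "
    "gwXal7U5lDi3uQVetSkS3Y+yTlTlZcwYE15z/FUPZ3x311x8ZrV2ip3Er9+Ha+2h "
    "tMmOc+YvDpMa8i3RqUdG5VDbDZgq9gwAZ0iJMgy9L7Fd0Hb8SDvd7vuTkfui+mlR "
    "----------------------------------------------------------------------"
    " We will use the data gathered from your systems in future campaigns"
)

EXT_RE = re.compile(r"has extension (\S+?)\.\s")
# v3 onion host: 56 base32 characters; victim UID: 16 upper-case hex digits.
ONION_RE = re.compile(r"(?P<url>http://[a-z2-7]{56}\.onion/(?P<uid>[0-9A-F]{16}))")
CLEAR_RE = re.compile(r"(?P<url>http://decoder\.re/(?P<uid>[0-9A-F]{16}))")
# Key blob runs from "Key:" to the dashed separator; it may be wrapped.
KEY_RE = re.compile(r"Key:\s*(.+?)\s*-{20,}", re.DOTALL)


def note_iocs(text: str) -> dict:
    """Return the indicators a note carries.

    Raises ValueError when a field is missing or the two URLs disagree on the
    UID, which means the text is not an intact note from this template.
    """
    ext, onion, clear, key = (r.search(text) for r in (EXT_RE, ONION_RE, CLEAR_RE, KEY_RE))
    if not (ext and onion and clear and key):
        raise ValueError("note does not match the Sodinokibi template")
    if onion["uid"] != clear["uid"]:
        raise ValueError("UID mismatch between onion and clearnet URL")
    key_b64 = re.sub(r"\s+", "", key.group(1))
    key_bytes = base64.b64decode(key_b64, validate=True)  # rejects a mangled blob
    return {
        "ext": ext.group(1),
        "uid": onion["uid"],
        "urls": [onion["url"], clear["url"]],
        "note_name": f"{ext.group(1)}-readme.txt",  # the nname pattern {EXT}-readme.txt
        "key_b64": key_b64,
        "key_len": len(key_bytes),
    }


def note_matches_path(iocs: dict, path: str) -> bool:
    """True if a dropped-file path ends in the note name the extension implies."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() == iocs["note_name"].lower()


if __name__ == "__main__":
    found = note_iocs(SAMPLE_NOTE)
    print({k: v for k, v in found.items() if k != "key_b64"})
    print(note_matches_path(found, r"C:\Recovery\5v15b-readme.txt"))
```

The UID is the value to pivot on across hosts: every note written by one run carries the same UID, so a second UID inside one network means a second infection rather than lateral spread of the first.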

Targets

    • Target

      v2.bin

    • Size

      121KB

    • MD5

      944ed18066724dc6ca3fb3d72e4b9bdf

    • SHA1

      1a19c8793cd783a5bb89777f5bc09e580f97ce29

    • SHA256

      74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f

    • SHA512

      a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3

    • SSDEEP

      1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13; the number in parentheses is the report's hit count for that technique)

Defense Evasion
  • Modify Registry, T1112 (2)
  • Subvert Trust Controls, T1553 (1)
  • Install Root Certificate, T1553.004 (1)

Credential Access
  • Unsecured Credentials, T1552 (1)
  • Credentials In Files, T1552.001 (1)

Discovery
  • Query Registry, T1012 (1)
  • Peripheral Device Discovery, T1120 (1)
  • System Information Discovery, T1082 (2)

Collection
  • Data from Local System, T1005 (1)

Impact
  • Defacement, T1491 (1)

Tasks