General

  • Target

    f15a676fff5bbe1e42d153dd272961376c9348b0876842014f97d3640d5bf40a

  • Size

    71KB

  • Sample

    240417-p6f52agb48

  • MD5

    eefd5afd58ae023abf172abab78a818c

  • SHA1

    71d0bfc93f6bf793ede56e3c076e91f85f5bf82d

  • SHA256

    f15a676fff5bbe1e42d153dd272961376c9348b0876842014f97d3640d5bf40a

  • SHA512

    b3e3e4ce84d6fc7e629ed76f3afa94be78e63f081d756d136f85c6f8ca9a5b13e0c150d8db2fd302f19ac9da26479f2d3e48289aae8fc82a7ca48c19448ee90f

  • SSDEEP

    1536:elJ/tfDfRMKfpt0nehWNMCm3wrZFvZpFShGp:MVc2YnsCmArZFh+q

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$PRliCdjvILpWha0dXt26COEfG3S.LFJG/H9fqsY0uepzhaO43cC36

Campaign

3665

Decoy

Attributes

  • net

    false

  • pid

    $2a$10$PRliCdjvILpWha0dXt26COEfG3S.LFJG/H9fqsY0uepzhaO43cC36

  • prc

    visio

    CagService

    VeeamTransportSvc

    dbsnmp

    msaccess

    bedbh

    DellSystemDetect

    encsvc

    VeeamDeploymentSvc

    steam

    mydesktopqos

    sqbcoreservice

    dbeng50

    mydesktopservice

    firefox

    outlook

    tbirdconfig

    raw_agent_svc

    ocomm

    pvlsvr

    isqlplussvc

    sql

    ocautoupds

    thunderbird

    excel

    synctime

    EnterpriseClient

    wordpad

    bengien

    vsnapvss

    benetns

    vxmon

    oracle

    VeeamNFSSvc

    onenote

    xfssvccon

    winword

    beserver

    ocssd

    mspub

    infopath

    thebat

    powerpnt

    agntsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome Massive Prints. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3665

  • svc

    MSSQL

    VeeamTransportSvc

    CAARCUpdateSvc

    AcrSch2Svc

    bedbg

    stc_raw_agent

    sophos

    BackupExecDiveciMediaService

    BackupExecVSSProvider

    VeeamNFSSvc

    CASAD2DWebSvc

    BackupExecAgentAccelerator

    veeam

    vss

    MSSQL$

    MSExchange

    sql

    PDVFSService

    VSNAPVSS

    MVarmor64

    AcronisAgent

    ARSM

    BackupExecRPCService

    VeeamDeploymentService

    svc$

    BackupExecAgentBrowser

    MVArmor

    MSExchange$

    BackupExecJobEngine

    mepocs

    BackupExecManagementService

    memtas

    backup

    WSBExchange

Extracted

Path

C:\Users\3bd23139wd-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome Massive Prints. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3bd23139wd. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DDEE73DC44BDDFB2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/DDEE73DC44BDDFB2 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 3BratXcZFWZvNrJ8WojbHfX2qo4LLKc7rtv+I6eMt778i4R5BU4vLkDsTNC1Osp/ u8AkPXOXGfK3EQq83H1ck8oWiZZG7B4N33Rae0R+8kbUIw8ohMG7UxBQax/o/yng eL4H5ERXQr7p/yufP1v6wQG8pZfiK719Kae5TuKYScpmXQMuBYm2/Qqbnqm9r28u QMyKoB+LjFBYKFKx7Rhmq5ytgRCWaD8JQtzW8KCYmPQNwRPJ1hUEhr+8DYtPeoFm Ye7+0RwqJdCMe+tUkXaZmO5K6yAVzB1XTaD/5jISYFoGVOSuI5J4DBGbVgHp6c8i +UFFnZSsH7Fn7E5FtwHLrZcT1OneunResmdx1KnN6oHp4BExAyT4quuOlVw6k1O4 9XeTylpjqJdPLDnxm2JmUMsP1Uo81vT29dlkFoj3iC1wGjzrBJ+ZBkn88Cngmy1y gBbL9YP+ji79J6zXbG308QwXEwepp99PG72S0BhIFUXq1HzX5ziKcyrwwWVYhZmw oV2t7xPFz8G+RSqhHlWycetBS7tTjXYj1HvR8Q/A4syLxX48VYelrgeCLua9tKhY 1SSiREPD8q5xjgf4y7AwZaJJLAGAlBToKKJQpDWH/+9DiGzjEPIPTT+ajCD7w5o4 g0zx5zDk9gEy0kdufIbNLCEx3mFt05xhIQs0GsuqOksR1E4MJUxZ969qE0BSDQqL XX7AXLgg76TyhQBfXYgbPmXOkk1hRqvm+I4cOOOs8lcnQAUMBgbUYEiyD4ZRpGpi GYVpbEEybECn2e+ULf/g2DFJax/Xkii+oYuza7VO23OAPptpnypn0ggSETZzct8U vf1h/kVkGnqVzfEYCXUkRk/LeMFQn9eFdYOl8o/uC7FJ1v7WvohwVstbnwnagAR0 zUslmLMI6sUkKLG5goOo+6YQTfIKJG437VRuBkrvLWXermKaFguFqBoO5W5iC0Nh l/OQyfF2KghbQQnHaim4MGqKVznlW8Ymr6uV3pUakZRm2yM5oWY02ggQtLN2wv29 owFKqEsYjQRgQSbhYI1l3CSLCb59UOvvxkBgxH1nwsOstc300woV3mEHEkAimoQr DmDBK/GwmGexRi0hY1q7zMwUJ48rqdSznG81R0od+Tzj5ludXvVk0eqWQ4Eg5CpQ NpRWfQS2oe8VkycrQL0GjTc0l6H1GnDgZnQ0dkve5YKi88mWlf34gg1GpGk49gNC XME0yxjizb8J+yQYvqjvtualHXcYNyqFZjDrTnc2Y7Bs+YzZIrvAXrrWiExoVugi MdxqKsyrGlCeqDMnIXcYIcXPY0t7/0SJHICiIC14wjbtowg+OZ7P6Xb2wIUDkqWb 5v7QVskhY8uShbwPZHVLYa7ydBx0K5mB199h8z1ywZpmoLbXWXshGw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DDEE73DC44BDDFB2

http://decryptor.cc/DDEE73DC44BDDFB2

Extracted

Path

C:\Users\id59788s-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome Massive Prints. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension id59788s. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ADB48A4231798669 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/ADB48A4231798669 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: BrIWfUZMVjoAKG/uPHxcdxLdu2DWFNRvq8X/igzsJDLXQ9O6gwjpq2124zwSK5tG i0TpRuQuY+Hb5OexN0R3wvV0OyZvTerykSzrs+GyZGpWHfBWV+d8o7srbWKxg3bX M2MzlUc56+czhwQ74mE7s4CgyykzoMdrAHe5vO01ZzEhx/J/wgXZB48qC6JGQXH5 YcsZOZNZFpn8UThXm2g4KwoM+o3CDLmHU/l1Ubg/1HbZIt9ej4hy8RrbmgO/n1Yo lP6dcov5Gd8KFUaWpGvz80/i4SRFXv2iqfq+BTNe6UCA5NU+OIhqNzjW/TME4dxp bDBn8diQw2rsc+H3McnUnpz/VUjrHyXwF76Zf1oHG2/7f6dRqoo1oLY+yE1NGu99 EAp8M06XLxyb+8122gyVlYmhRprfsa+b3eHsLyOZhLr0V5lkLYnnke0p4ntxjtpV lG8qyiM0faIh8kaK67zVvGdy8y6PsIvDQ/dlBgHhOpS+kmCdwRx7uNJVh21bufIO z0sP58Wu55Gw7osqNDHcp017YOTlka1rOxSvjj3tmOWM9ibxh1GEnNnK26Yn+znq 2W9BN6nmnwH23+WHMOv52DRVag8OcxV+QNCzd7ek5zOxp0nrO6VX9bgXx1OzUKI/ uxWAjhY5wtLpm2I15lJkFIq1wxm7wr0yTOurefq6zNEs4yvt5EQm79yjoZNTY4Gm Tjy5YQHnDIylUIK5IzeoRxPj0zb6ZGWxA9xAJcUqwFyHEZs+eB5n6VMcBmjBpaqK FnzPKY5dH/eyrHwUjDztsgxREc/dT6siOgtY9Hmo8sHsrGc9nJHHKQWojSgk+qTn 0N6rwXGHWGZUdZArun2hVBOpQipj0UwfM3qYaGKJyTYu41yr4aywIJl2DF3HOC0V GIL5K3IKyWeJqDPu5dniXwtkSSNjwFH1LUge8Fma8WCJbAYgzXgrZe47qp5I4uMM Ys4kkXGshtxmgc5FFtpQN2Q3ki+hGwhIokulZGFoRwVAA+XeDbs2ptjwgc1sPs8k Nq1YDfuVZJtMk4371GDnrATWwEyfxlFB4tuvelyjMXht0g9fXV0ZsvgvEIV1NhbF 1tp6kOXPZPaDDMPSn32NrPi22h2I6xu/NEf1Ch4Qu4eBLAjiylcR5fvcLWatN7gT GGatBcLhx8iGvCppxk8Uk5/63hlDUFxOqstlKyVs89ebOQy1Hl95ucz8B1KWXFWD 3cj1SRfk4Sj8FZSm8m/A9kFzh1tLibxVFJ6MkdbXNHnMnF06BXUiBk9GMWpzofEN c3eIC11f2f0H8FoBOWKBd77+HRubirbXOTvukzlqwkojrqLR/Pivcb8yBGrtMXYZ KaeAWXH71sG1papFKlJqgiMPkQciFCzcruEAk4T1O76gKdx22tPZZFSc ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ADB48A4231798669

http://decryptor.cc/ADB48A4231798669

Targets

    • Target

      81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe

    • Size

      115KB

    • MD5

      7e18b037a068c56417fb8e56aa7e49e8

    • SHA1

      f6739569a24358c8c060d7131be70712f70f36e0

    • SHA256

      81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed

    • SHA512

      d6188e5536b6e0b5c49d572e35155d633c11fd30bc8d4bf4ea87fea7196ae2f67bca364a0afaeed8209e5d4b2be0b98d81c49293d3fed95c70c8388b8387899d

    • SSDEEP

      1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKwTNA28V5/Ogsck:mlnXEXyk7yvh4NKwTNF8V8v

    Score: 10/10

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (1)

    T1120 Peripheral Device Discovery (1)

    T1082 System Information Discovery (1)

  • Impact

    T1491 Defacement (1)
