General

  • Target

    1c72875191a80e6e69d6e6c2edda738ad206767979851cfbb18dc0398ea191e4

  • Size

    136KB

  • Sample

    240514-et34xsad3z

  • MD5

    ce1eefe48010f4946cf45ffd6c4bebfa

  • SHA1

    18522badae740c53c22b0b05f58a233d390caab6

  • SHA256

    1c72875191a80e6e69d6e6c2edda738ad206767979851cfbb18dc0398ea191e4

  • SHA512

    9c021178294d28a5cb83732a99c5d8bc5dc375c716895ef1aa53df24af45b01bb221029fede634e72ca2e3c3711d5f992f181820c35a80fa315db4231ddb4ff8

  • SSDEEP

    1536:Nxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GC:NtchTojrZxtMhiiZHjUyWr4X5FTDU

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

Decoy

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au

Attributes

  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Extracted

Path

C:\Users\oreh4i-readme.txt

Ransom Note

---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension oreh4i. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DE9B6522CECF0BF4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/DE9B6522CECF0BF4 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ml0wH1SsdFBZfJ5SVWzvskOpGky84/5ATYnAyq2x0QinSlZx9ziHosqI3ZinE8XY GIS86AKGLMZPAsTgLoNZk1WxTXyD25xcs+WGxpZYNf47N2bMjJoFIBTeiHPfoPIz kaTtxh/dn8Z5NG3Y8GogTp3b7zkN3A23lX/ey7fZOTGumTCinfedFEHg0v3691LI uZk21eVaL7DYQpGyM1VdwxCIjdceokH2nWv6w0kFp74PCqUyP0qjZfhHKOP1papn uNGaJ/RrTVhthZIKqTphelIYjDPomVMxGLWaLsmfPBfkSeJ2U4bHuXs4j6rSMlkB +B0kWHiIjtchSiEiywZ9iiYnEE4ZeLfqZo7rQomM4f7T3G02b+XWO6n0NvQV6z+y n78y7EK6Sm1B4mIrZai5+qHCsZXM5KZV+Wbw/eqfmIZ/JHESo0K5/LHEzN1a/eNE WXuM0N6vf77I0mVg+PfvdLwswK5aGtTEqOVey6n/xD1meyavvTuHhrVhI3VWJzZp sdlACF6nlCmdXTtojdIsJUObKnJniN4C/ZCyqiW2ThVPQ4ow9luv4LaY1B+SNVTW ljvSadGztBLfXF5xbqKaNPuh8ch9oEmcIC2IyBqR3Etl81V2l9GS9PCF+fjCKlwe 9Lx6fzyqr1HfcNuMVIAYhSk3c9mJra8+M+OyEWHG4xJbDPBHpEAYuGEi4GPUXycE L6PGG4bHIPxUwB3z+qtDJl9psqGqR6pjlVRmh1aG7FoxG5hSEN5jtuR9i+HnYc35 gK6FQDmY/AWAWw6hdyJf0Ka5CA3CWHeAlc5UdPV3TWlrSQoGPLSNI5INvtxbadIP Ndz88XD728tAPAE40k03KbxC+Ec+PAfh15KfHzSn9TN5PDlqeIQiyMIkZnkXKsJV Wd5Kbfkv9OlNSwBc/DmumztNzTzDlIQM+foz2Whw1Et+IugETP2lQ3iGe2tF+08m IJeZjKdtl0/gWK6+mUUIz+RIsE5EInTpn2eYNFa9YJDyCTYqm4XmCmFaXu5LsDL8 k3UeSYULIYltDpQVsOtt8P8RSBwDqQ+XI3D/S6rPmybcAqzAPxIc8SgK8CDCJ7r7 hohYqXwB5ecQUeM+ouBDuhIOBaDnUxeIuy81i7iawCIAsNJeKZDC6liTx27rSewm QeNrFd4o+cmH0GIjNt9YugKfFl4kRtKWsGIC1eYnG7MVthxIcQQt/vgOb8zhG0ds 6nv3u3QxlN3zvK7KCQOtpqBKjc3uJnI1cHo060tYhaCoZuqqE7mgedz0LpDYpBcG rI+YBAXkExGd3JMJ1U41uvwcgKBDW5og9aeWT4WBKKxWwk4EjQBsDdK0FuxZJyc+ LzOHIakqyFPW6UJ4E/IzrlYtoFWa6w== ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DE9B6522CECF0BF4

http://decoder.re/DE9B6522CECF0BF4

Extracted

Path

C:\Users\75807p12y-readme.txt

Ransom Note

---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 75807p12y. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6DD8DE497CDFB9D1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/6DD8DE497CDFB9D1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 7Vpl6ONLOjxmNf9Hk9FuBSWT2PYbw8zWx+9CwtY6UkvtxKCg4v0h1spb0Acc5Unq Fez86t1HEkI0qRgaGI/SXKqtu8sG40kBZwYpyjfi3XJ4y2BBzwib6FctuhyspyVQ Q3AOmNnnfOk1zY/KlYnI73EwpQ/bw3QLlBvxE8kk6lOQxb2ips61ya2IbF9ehfNK v2PqzVX4wsVyjekUnMplop5FBddnmyDSJiBh5aN7/Zz3YiCbJJsiJ7iKocgmOeYy 639Uqa62y/xVYovnsQqG/+tmYkcMq7QY4/jQIWTg9lYrhv0rLntadEajCOWxXyCC 1cLDLIjLZc8NsefgF1i2OIHBZs6hJ5q71NErQstJXToxAEL/p//5b9GweOQ5H90Z kcGbMxz1y3kw7852gF02Xz/L81rUBvwQeOzPcgeyTczqsEPpmqhkLuHbSsJrTB57 NDDxRygUJh4Xhr3605zNGGgYz/bPHGMBC+qNpV1GJysP88DMnWTTUrSi0iNC1/vv xuA5gax3AcI8XvQmViPPXcFEybTFauN0vPZ5cEFF+HOCL5JJOSX3GlrL4IYDK0VR rdyJ/F4vDA5i/OmoPiMY+pJL1INzGbqreKkEQTm+Zl53+nY2oUMdR066OKAQLAye ZLgASOhbZIOSwB3JlYES1NO9BRgXtOFGTr49S3f6aZD91INqRV27eVi/bfuvXP3Y SoUWJzFoPNLrooQq4tBOwJo7SLXM99JvDXjlBVi0Zmrd0hvfijzEwpazn7XDrtW+ l4wq6Ag5RuM8QLqoJ12tZwySlRLsapCI2meovfqbr6NpneUBV/q4RZJjxSreGKVN 5pvWDWQlj2TzR3BN2oPqciNxIG3iqS+hVkSUrk7/Y8Fjf+hCKv8VKyA+oKzAnaHP dOKoDk8oZJV6Sbk+xDdPDd4vX0V7FdPOy74KPyHtiu9dMmZAxpVOIt0oO84Pbkx7 ZVRrV2Kj2ZBYHD5D5qlvrWpHESCLe6Cls/4cPlB+7a6dwTnu4iPLqvm364Gdy8mN 1VG3mNA1aqPKDzipKO3ANrKDOvheluBs7U96g8rvJOZynjPivj0jQ9LzKYo7UMli h7+i6YQgdMJRaQBsnl8EVJwXKqFwHwGfglnZ6KDdAwFVXnzADpZ5N3tfqBtqeViJ o+uu4lH8Tjk0jRV0aYeUO52AUMNABMFNFUWfCBEbUoG8idPk+CoflSnMWwV7MYAL yb162H3KfZqf1nXhza2ZljeM4VTKivkSB2gSUyC+Ph0k/tOUsyQsZh7jrvex+vGR BdvZdoMDcK2Bx7Ct7gK1kqBSkd/WqqkR0JWNNEg2gJS6SK8br4QKirRgQux+O70U bME0bukHxIlgepqSPCVuok8cxFHUsHdYZPvUcZLVYQXBLg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6DD8DE497CDFB9D1

http://decoder.re/6DD8DE497CDFB9D1

Targets

    • Target

      1c72875191a80e6e69d6e6c2edda738ad206767979851cfbb18dc0398ea191e4

    • Size

      136KB

    • MD5

      ce1eefe48010f4946cf45ffd6c4bebfa

    • SHA1

      18522badae740c53c22b0b05f58a233d390caab6

    • SHA256

      1c72875191a80e6e69d6e6c2edda738ad206767979851cfbb18dc0398ea191e4

    • SHA512

      9c021178294d28a5cb83732a99c5d8bc5dc375c716895ef1aa53df24af45b01bb221029fede634e72ca2e3c3711d5f992f181820c35a80fa315db4231ddb4ff8

    • SSDEEP

      1536:Nxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GC:NtchTojrZxtMhiiZHjUyWr4X5FTDU

    Score

    10/10

    • Modifies Windows Firewall

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Create or Modify System Process (T1543): 1

  • Windows Service (T1543.003): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1

  • Windows Service (T1543.003): 1

Defense Evasion

  • Impair Defenses (T1562): 1

  • Disable or Modify System Firewall (T1562.004): 1

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 2

Impact

  • Defacement (T1491): 1
