General

  • Target

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe

  • Size

    115KB

  • Sample

    240715-mp7kjsscpk

  • MD5

    7e18b037a068c56417fb8e56aa7e49e8

  • SHA1

    f6739569a24358c8c060d7131be70712f70f36e0

  • SHA256

    81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed

  • SHA512

    d6188e5536b6e0b5c49d572e35155d633c11fd30bc8d4bf4ea87fea7196ae2f67bca364a0afaeed8209e5d4b2be0b98d81c49293d3fed95c70c8388b8387899d

  • SSDEEP

    1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKwTNA28V5/Ogsck:mlnXEXyk7yvh4NKwTNF8V8v

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$PRliCdjvILpWha0dXt26COEfG3S.LFJG/H9fqsY0uepzhaO43cC36

Campaign

3665

Decoy


Attributes
  • net

    false

  • pid

    $2a$10$PRliCdjvILpWha0dXt26COEfG3S.LFJG/H9fqsY0uepzhaO43cC36

  • prc

    visio

    CagService

    VeeamTransportSvc

    dbsnmp

    msaccess

    bedbh

    DellSystemDetect

    encsvc

    VeeamDeploymentSvc

    steam

    mydesktopqos

    sqbcoreservice

    dbeng50

    mydesktopservice

    firefox

    outlook

    tbirdconfig

    raw_agent_svc

    ocomm

    pvlsvr

    isqlplussvc

    sql

    ocautoupds

    thunderbird

    excel

    synctime

    EnterpriseClient

    wordpad

    bengien

    vsnapvss

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome Massive Prints. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3665

  • svc

    MSSQL

    VeeamTransportSvc

    CAARCUpdateSvc

    AcrSch2Svc

    bedbg

    stc_raw_agent

    sophos

    BackupExecDiveciMediaService

    BackupExecVSSProvider

    VeeamNFSSvc

    CASAD2DWebSvc

    BackupExecAgentAccelerator

    veeam

    vss

    MSSQL$

    MSExchange

    sql

    PDVFSService

    VSNAPVSS

    MVarmor64

    AcronisAgent

    ARSM

    BackupExecRPCService

    VeeamDeploymentService

    svc$

    BackupExecAgentBrowser

    MVArmor

    MSExchange$

    BackupExecJobEngine

    mepocs

Extracted

Path

C:\Users\j029m1-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Massive Prints. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension j029m1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F5255242D62A802D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F5255242D62A802D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: kew0l0lsXRQKBqmIClo3E5MHu5Qcj3vnC1lVoRrZx8njmlqf9Yq015aZNgxXvFFf MGvQm+c9XMJQb2P8pe1uIQ540qjwx2uxHDZgc9JkDs0myNLLdQ/PNujiEmRe+ofL SYSpLb2WVW9fBZkGvjiUni9Vs92gNFnltUZWDvWPsWdFzKsK8V2UpnQ3XwUyA0Ni SLmd1d/6wYIu+/MjNJ2sm7UIw/Lvi8CHULYhLz8nf0acpoHIQ09FhK67oM9GqB8w HmbH1LLtSIM4SUrlMVXWoGoT37DZUeKXfn4Oi9CMm53e585KzKi5fdAsrPEwUeUS 98flAactqHCA3xVyQt6+J1yATb1vKwB5a6neP3Ne1EKm8BF2blktIovvqofFLX1E NVpALXnOlRyO+zMxzGDAVgBGRiA1ttXlwBl6ieFPu5y/jlqLEsow+SOqfTqJjFRK KoWmD9mekTWGXYlmFqrpBt/FC3E3l7WJmOS65ofGeiaVSolgsuQ7bTHXrzGUFuqW KCFxvq66FoGOueuvfdPjU7EVknAid0vNfrKfpyh2eBYm4ENKIp10vC0mEeVibPTV iHTbcCBzDVj/c1V/PEd47I9y19Du2i8vYhXCGUcWe1OQB7EeHqiU47ywv/viH1Ei 5/YPM8G5U/JjkzAHK9hVoLKRie+oEYRe7hxwHFGv8SHE8I2WTceAvORFlLWVJxEK 8Q0Kskc0mfagXqESEqICTbwGSEgYq3HPWe02eXL2+GUKvrdLhWbFuxZ8ijLOSN3Y zcB0jqIyZ06VlwC+uvL92C81HwKfAd9sDeV2xuGahF8lLLJrEVm6Depa/B7S3Z5Q VUUn1CO2DwMuaIPVZFPe/Up3s8I2upjERTzv23TlkFm2xzA4nq7TjV3bfuuOYlU8 Z4OCJzPJiTDun8fMIb/Q/jlth8ExgvbmHNG4FeZoNFPGD1jdOwQbtjBZihktGzkI aj5VTIkGstjcHarhqmBMGMZjQZ3SkKtFp+9jlxadp7B64kXxbvejCmUw5idx5QGA +u6ILV/ImL/2yWjABFLiOJKTqomvkpe4FCL/kn+8c/6XFZ2TgYW3bG8XY7ECipQW Aw6klOrl9OI2ayHQDTV1om1JJy16vCUl1xymOZ6L6Bt7A1P4aQzPMJkbZRJKymB7 1T7DX5J7KfUfC7dKtKSXMEemlt4LfJ1wanpiQ2mO1z+Xx3y+6Vze8I0XgPzKxD/x KERfl/NwySwACY9kzbDpulkklmXZs5fjZPTtfkr69NaGRwCVl59cAVMpe4Qj2Ypt UC4YyWVaAPJq19kH0KOpR5MicUD1GzEAbcoBOBFak8LwWrjE4veQOaF+hi/QWaKm tMTTBSLpyctMwjFdPS46ceArOf9G4PzL3U4gCQkxbtw= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F5255242D62A802D

http://decryptor.cc/F5255242D62A802D

Extracted

Path

C:\Users\2er64-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Massive Prints. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2er64. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FAC260F1451E1E82 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/FAC260F1451E1E82 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Hx0yCKRxh9IXpnwYhXZc1ItSTeDA/t59ZItrSspVNYBOD5Djx9E32EWxQVe+kAIj RRe0PE31r8Fbx9ow6Tm8I72UYyiSaOjOJUGSYgAdfQuDGJwKMUhMd1e8kxVVkNTz sPnc/xu+nR7BnEx9y7oScNpH2oiGG9mIXrQGA2oGVKA6ZpygYjn6YCEomSDqSjaR esf9zyP9YFjCqU4B1CsXu3t2/lCmBbfWtoZWYO7bLHkb1IiIC76IUxsV/IyPDUPs GM5EZnSqhyVvaE0kpz+K6xuX1xhcFXqOyNoOYzPtPZP35MONvwvLO0vrNmVZWbVg WH3J6GGnwdlqdQTLNKvALbwyWUM7QmKa2NDWbgqdR8zLmGZpBil81KNrL8i3bgWa 1Cvg3h2K9V4gtb1zAEXCjTen4qI0bDuPlkKm73zCPEn0zZsHxGI600/JMcy74g0w 6WvuFDpUYPUIIznLJlZMxiejx53i/zdzfNnhxQen1Vvdq+2zWRoRpcfRk0MqAsCm zVKv+VpNPrezzlytcbpTSJAB50uSh+lxWYcVNWgWif+ErgMDHyGGT2+QHkWDA00d vV6wwDVPXsU6qV9CWOeQ58JpprS+wRsd7aDFCPkvgAiOdCOyLbhL5fmv2M96/+q1 THKAESWDRI4vDDHX9xmy23suEfyCHJTlo1H2EfftfDGDzvKouBn0yCwQDgFSzuxk Df4Mp5gTlu7wkFeb76W+p3kRMi6/VqjT4C0fVhcj/jcl8hLOSdUN8/WXlHQLT+Wu wiGXAQ3SCb91+K2MG0FJ9NK9qC6Ow7UCVBgPVCG1q5XjN2YXZQNnQKiqmq8Zyyil BF3NQ37RkLg/T/sM/gBkwL0mGm+p3xk5S8VwjPV0Sb3SwbiO88oz/JvLIsEJD3u5 m5Qpv3Iy9mqf3scKIodh3yt0hjYjzuAb8Db0vJMi9TTN5s2H2fGiXk/GFaXoxSEr JzFLYO/TARM+URyNrUttnzqAMl9O3WwlGTZwGQHo5+uhxqc9wIkfaAe3njypvN1o q8kvnTzIhoGXUr3nFp3G7F/+PJYmcPxHF/YvzUQejWWkQYrdQHvPSYCPkLArp/nv hF3oJJi+DlQT3WyiA3U/NTqB0pLjYMrdHPjCMR0b2XNEEYwmBxdf3BqiKaNui9NZ 3U9J3hYahk/Ka3LLXCU/2heO9EIOZu/hw+mGfM3z7DMWkAWyixwHqJBaj+qixX6a dhpSzYzOxP6CrB1Y4bdew6sCmPbxQNZUDjzZUt8f0Br+mIW2mksKo/OpRa0SGnAi Yqb0tDvPRIFat7dpiiWPTy8xehbfhQW1FWhMT1ufelyrqeghtdVaCOmJRl/Azl2L Gxs+GidrDRXfutqdFiv2M9pIJ0X0xZuQD0GSgdBafgwsSt8Q ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FAC260F1451E1E82

http://decryptor.cc/FAC260F1451E1E82

Targets

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic             Technique                       Count  ID
Defense Evasion    Modify Registry                 1      T1112
Discovery          Query Registry                  1      T1012
Discovery          Peripheral Device Discovery     1      T1120
Discovery          System Information Discovery    1      T1082
Impact             Defacement                      1      T1491

Tasks