General

  • Target

    malware_005D0000.bin

  • Size

    164KB

  • Sample

    241213-zjezkaznfp

  • MD5

    890a58f200dfff23165df9e1b088e58f

  • SHA1

    74e3d82f7ee81109e150dc41112cf95b3a4b5307

  • SHA256

    5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

  • SHA512

    2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d

  • SSDEEP

    3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9

Malware Config

Extracted

Family

sodinokibi

Botnet

5

Campaign

367

Decoy

Attributes

  • net

    true

  • pid

    5

  • prc

    wordpad.exe

    outlook.exe

    tbirdconfig.exe

    agntsvc.exe

    thebat.exe

    mydesktopservice.exe

    sqbcoreservice.exe

    thunderbird.exe

    ocomm.exe

    excel.exe

    thebat64.exe

    steam.exe

    xfssvccon.exe

    firefoxconfig.exe

    sqlagent.exe

    ocssd.exe

    mydesktopqos.exe

    msaccess.exe

    isqlplussvc.exe

    mspub.exe

    winword.exe

    sqlbrowser.exe

    dbeng50.exe

    sqlservr.exe

    oracle.exe

    encsvc.exe

    powerpnt.exe

    dbsnmp.exe

    infopath.exe

    ocautoupds.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    367

Extracted

Path

C:\Users\lnb2t8g7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion lnb2t8g7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FDE6B0E0A31A5F84 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/FDE6B0E0A31A5F84 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: DxL1fVICf9+GWBiOpUXlthcpNsiHtnaspK7U3KU0ggsSpFreST1MG8KJRoAohXBG /QRuPMiqNiT5rXFCckJxrdQ7/4vKewSwtKsKfiAwFZHsmmRfF5eTrGlFdSzcyCN6 dCeqr6KjchRDCdHs0kV8sSqh19BEBByit5Uh4wJ5LaQhxISscqrXiCH/u4Hs1Pab Qnd1eFOrL+R7sPLB2rS2GAo5fX8P2aX4aDS48r9PDL8P9GQYRwIgAdlDHlUYokhT zkqTeqK79DrABUbHeDaXNM/ouRPgP8l9mW1PEJy89NA90ptt/nt3SyuiAWtwnFyV V70vij8qoEsXvTN5y7Kaj+aMc3AR72k5e5i01muIcWGZU8DxTIzjWCKEviR9mHW1 SVVLTPxFTCT47IzZIKWBa1eAT/Q1tgFWucMgTbBOgB+XzbHb71CT++XWX4VEh+jc +hToYt94yShChgIgxuuVkhrxBGvdfdT+q5Panr0LhXL9KCFLTi8pmzRD2EQa1EXR UjczQ0jEH94z5tqo56FiXE62RLgRJR+sb7SDTO/3nEMgpzCJrICzQbHRxdVdtgKY piqvtxdN2w1NMHHlJSnYvbgPBn+yqIWo32sP8J8jT0lJiy02jWcPyX3ThXL7c6yZ Gw0zaX7wLSejOnxrCEhMSMrsVCyl/R+mkPQDYdvn2V7R6QpjBoLj6WaxHpUUIiu4 SbtLM/MWRSuQxMuNkRd+6QCRv7tYRA+1vpQ1aiIhYJb0bLvNRPo4IzXW5VuKLmif fmnidU8iriLxw/pf9vigTAsSm0neWfY5ZLFVj8g6tB4o+a5SJtXsxPmRG7aAxVuC rLHrd7GI8VI9dO3vmy5Ob5RhvhUgJy4JlKiUPiiN3ZMGeby7t4Q8nT/mNeNqO+N9 MmMW4mV0qlw5aJ6Nn5SVF/40CiqBEH2sQxMcZEnD1HQZUt8zVhC6q+8p0Cs0xh9L +b+x3uIP4KBQLUmcnBSvS8Cyo9kmTPB0Aol8oKtHznMCwzdzDsDrgPfSpyoMNxEu 2vcPpi5iGEKXyp/fGYZZs/3Vd0vtlH+5DU+t1mw+MjTYyafgBdNbfiUalhCleeUx f829KsJZ0n/asN8Cyof7nisChVGq4zix9HFrFAsSzkADoTMCYyE2QDXNU+wtKYX/ jduKLXH64C/Q+k3UL17ApIT4h8RKOa2i40Nke7jthFsjAguUowXKGKhb8S/ORBfo zX90tYK4ZJIyEppy Extension name: lnb2t8g7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FDE6B0E0A31A5F84

http://decryptor.top/FDE6B0E0A31A5F84

Extracted

Path

C:\Users\5uh58-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5uh58. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/390AF667A234E006 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/390AF667A234E006 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 129a/f33Qrxehy0os5j/r4lSr/k0PtEt8awIp0EzLFXXAfui1suFSbK5KaB57MOa LcHH1PUyERuzZuQhsyeQRKjjHPxwgOpIl1jsfd6kr6Y9yuVgQhf+XeOXntvQEylb ZbLXml+J9CTs4FNT6wK0tNIVuEr97JoK3oU5mqX+UIR7CDJvq9xuKTHoYkUXDMUt 2GlNnNFepCydeJBk8rMDf/w4BN3xGEaxTjas2fJ1w+dvMuP381S51X+SuESC9I8X aNutGha2Ld0quYzGC1U+4pjxOZGwNPlWuXG3CZD2wP8KRyj4qGpGWP3mMjw7av/u rJOWdGC8CN0Xv0GYotvNswZcYIBHE1cTbnkHJVogHdJmhsGIZfITNgh2TKZY9NbU adgrmJOKptn4S82sj+bwQ9G+pXF2M960u4CN5XgUha0lfpqQ3GKjpQ92Wo0EvHCL Dvo4asqHKtASPn5Z8FqNcOcC3Vz9GVc85tcDV3BNoL+1Ycf/n5AzZnEW3KsH8ynH HaBlG+QYaeKph8VXr0umrnbSKLOyYUgYW7FqiJOSFOVJ3QFxuC3Z0U5QLEbGtOFu ufpAzUlXUGxuKJ1oWCTYGdXx3s5CvarmYfLJoEKw+jQbYHJGcC4O3IFHMRBlztEG mLPWG48HpX/obYQrfn5Fb7m7Us+mfuIQu1k0gjjZzCKqgi6cAQwQrC4n63QsQ93S AMR5jktmZxaF3YIUcbXkjO8UKWlwAwFHhKHMs5JxVL8xGLzUq9bKD7BbjkK/i8OF tJyzW61Sv1sF7CmF5TLsqwE7rPVDRwm6tWK/1FHN0kkYkdI3d9ymDhkgHydXiM2H I/SxYu/yKPfrlkIU9Ce4tbyN/Rc66dPdnLpiBO0AP0JDHuaIaciSP62+kMjk+0LT 50qHSKKfxnHVR8lb6C9H3BG1WjL5p19jZ7TjmBHoIuIrGFuYSnBSHVkyPwOvpm/M tG4A6abBgdA/1nt5gA6nq/BpEJmrPgUfK0aXBGxYQpPbv5HHydXhILVoUtqTCB/q EM4Dxp8z+pxSGqL86mTFZ55DqWw5/DxBnPRgW5RLjoNjU7avnxqpok/2QsLattwG y3PMfVwwU/X0Yl9r0bnYTzFJWAGgEoumpeOIE2hZYebQN4Te9YgOr1GIpwCfmutl QDGr82Szpm/77m7BTHp3c1u4XwQ8ydAvlIjaMKrf/GSKNveELXmnVsJO9VW9SJWL lLmKeoA1lVQ0s1bJ Extension name: 5uh58 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/390AF667A234E006

http://decryptor.top/390AF667A234E006

Targets

    • Target

      malware_005D0000.bin

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks