sodinokibi | f4afe7132798deb7f231018b513af2284ed549d3e14b46e8b1190b4b9c1b5f18

General

Target

fast_gas.exe
Sample

200102-xjawzexxnn
SHA256

f4afe7132798deb7f231018b513af2284ed549d3e14b46e8b1190b4b9c1b5f18

Score

10^/10

ransomware evasion spyware trojan sodinokibi

Malware Config

Extracted

Language

ps1

Source

Extracted

Path

C:\0w835r1erf-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 0w835r1erf. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCFA73F317FB2A2B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/BCFA73F317FB2A2B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 97VTi++bAM59ScVRoTG2YP7y9Qu0D5RxOZWuFGw1hFwNWfxuAa9Ra604D808YpxS zUVbHvY/TO+YDJ5KQ/BVtWRDRvE+w4+SWJcz2tkPOWbPYY7KX/VjOoZHGCK0JGro UTbO3bUdNFtxvj+/VDVTLZ1+fOVUSeBoQbZL2SHoCwc3kfGqnHtggZfrBwAWNz5l +Y7UIT3IX2zi/IV+PjWwlXA1ntj6Oti0/7Epc0T1Up06Z3Ql07I8cfmWw3PCLNjq 7gz99BpW2FFnKVezwyxeNi93PFzUPVSFI3bI7SG2oQmbwZluatGSU6XBKNnwr4bw YCIGV6ROpmMEpwv4eLU0mrjRt9tIlGAth8jfYoP0+xGlMoD+/4wlyO0MPbNnAoV3 b8W9Uxbbd2op6CXvw6gJff5xle1Ro2BvRhargTMkzoWNfrDeb347UCQFadNind5e cHNYOKQ9cS4wk37OwiyT3HXBEPGlNQ4GSeYyWUaNjy6dAW472DlIKshaoBRXwZdQ 7eWh0LoKc5oGA24pp42rWyc5DxvRvqT416SfdlGSz70NblA13j06kyIn6tTjq50X EZPyUbo3BxiMWxJ1K3mGb+XPlg5EMi0lkFzqioYm/JG4/BgcmiGHQARtcWBT13An EEmk308OdoK4TIEzhoV/U0krob2t5+Mrdm5LcASxwJsjl2Vi4vFyDsVVhgbZkIux OigqMGff34b/F4xc7ZKYKFKK6eMWtGyqQSYL16k8IkOTCQgr6luwyhs8oIPh7Wrt MaUmAAsROh4bTcsUvJXHXjhyY4GwgPpYUW/uqBEumBvuK4zq1G6GklKMjFylgyBi v8PrGw089BtISbLkGIoq1JTJdYCtlRcTbxGQhcpdjaRwBBFAe2uYq+FYXUTn/DmW dlWQdY/hPX8LCtEZ/MZLv0DMGCKr6wJvIoxdtUS+Y8nh0U4f6U67yJ3FAj8Yuv39 ZtFlK7AZ4GI+dwy9+LGZKvBGOlXt48p/a6nmvw5mW7kqelEpGmnO8uucq3aCBitj TbVlhqtuQRXLAMPK59c71ttYRtYXMPFZol7DpuNA5hu7PQiOJVQZr99cC6NrWV4h zqun0a38HIqckdt430T9Hc/JDkM350U8xBGkHBf31m57gPsVrkTXUnv3X7bC2vBy V2DtOw== Extension name: 0w835r1erf ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCFA73F317FB2A2B

http://decryptor.top/BCFA73F317FB2A2B

Signatures

Suspicious use of WriteProcessMemory 1 IoCs

Processes:

fast_gas.exe

description pid process target process

PID 4992 wrote to memory of 5068 4992 fast_gas.exe powershell.exe

description	pid	process	target process
PID 4992 wrote to memory of 5068	4992	fast_gas.exe	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeBackupPrivilege	4568	vssvc.exe
Token: SeRestorePrivilege	4568	vssvc.exe
Token: SeAuditPrivilege	4568	vssvc.exe

Drops file in Program Files directory 50 IoCs

Processes:

fast_gas.exe

description	ioc	process
File opened for modification	\??\c:\program files\MoveProtect.3g2	fast_gas.exe
File opened for modification	\??\c:\program files\RepairHide.zip	fast_gas.exe
File renamed	C:\Program Files\TestCheckpoint.vsdm => \??\c:\program files\TestCheckpoint.vsdm.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\AddInitialize.emf => \??\c:\program files\AddInitialize.emf.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\ConfirmMerge.asx	fast_gas.exe
File renamed	C:\Program Files\ConfirmMerge.asx => \??\c:\program files\ConfirmMerge.asx.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\DismountGet.css => \??\c:\program files\DismountGet.css.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\PingSubmit.txt	fast_gas.exe
File opened for modification	\??\c:\program files\TestCheckpoint.vsdm	fast_gas.exe
File renamed	C:\Program Files\AddAssert.emz => \??\c:\program files\AddAssert.emz.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\DisablePush.M2V => \??\c:\program files\DisablePush.M2V.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\SuspendTrace.xlsx	fast_gas.exe
File renamed	C:\Program Files\ReadRedo.reg => \??\c:\program files\ReadRedo.reg.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\UseWatch.asx	fast_gas.exe
File renamed	C:\Program Files\ConfirmHide.xml => \??\c:\program files\ConfirmHide.xml.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\MeasureDisconnect.mp2v => \??\c:\program files\MeasureDisconnect.mp2v.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\ImportPop.mpg => \??\c:\program files\ImportPop.mpg.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\GroupMove.vbe => \??\c:\program files\GroupMove.vbe.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\OptimizeWrite.pptx => \??\c:\program files\OptimizeWrite.pptx.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\PublishComplete.ppsx	fast_gas.exe
File renamed	C:\Program Files\PublishComplete.ppsx => \??\c:\program files\PublishComplete.ppsx.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\SetSubmit.m1v => \??\c:\program files\SetSubmit.m1v.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\AddAssert.emz	fast_gas.exe
File renamed	C:\Program Files\SearchConnect.pps => \??\c:\program files\SearchConnect.pps.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\UseWatch.asx => \??\c:\program files\UseWatch.asx.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\SuspendTrace.xlsx => \??\c:\program files\SuspendTrace.xlsx.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\RepairHide.zip => \??\c:\program files\RepairHide.zip.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\AddInitialize.emf	fast_gas.exe
File opened for modification	\??\c:\program files\ConfirmHide.xml	fast_gas.exe
File opened for modification	\??\c:\program files\DisablePush.M2V	fast_gas.exe
File opened for modification	\??\c:\program files\GroupMove.vbe	fast_gas.exe
File opened for modification	\??\c:\program files\MeasureDisconnect.mp2v	fast_gas.exe
File opened for modification	\??\c:\program files\MergeWatch.pps	fast_gas.exe
File opened for modification	\??\c:\program files\SetSubmit.m1v	fast_gas.exe
File created	\??\c:\program files (x86)\0w835r1erf-readme.txt	fast_gas.exe
File opened for modification	\??\c:\program files\ImportPop.mpg	fast_gas.exe
File renamed	C:\Program Files\MoveProtect.3g2 => \??\c:\program files\MoveProtect.3g2.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\OutUnpublish.tiff	fast_gas.exe
File opened for modification	\??\c:\program files\ReadRedo.reg	fast_gas.exe
File renamed	C:\Program Files\DisableDisconnect.asx => \??\c:\program files\DisableDisconnect.asx.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\OptimizeWrite.pptx	fast_gas.exe
File renamed	C:\Program Files\PingSubmit.txt => \??\c:\program files\PingSubmit.txt.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\WatchAdd.rtf => \??\c:\program files\WatchAdd.rtf.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\DisableDisconnect.asx	fast_gas.exe
File opened for modification	\??\c:\program files\DismountGet.css	fast_gas.exe
File renamed	C:\Program Files\MergeWatch.pps => \??\c:\program files\MergeWatch.pps.0w835r1erf	fast_gas.exe
File renamed	C:\Program Files\OutUnpublish.tiff => \??\c:\program files\OutUnpublish.tiff.0w835r1erf	fast_gas.exe
File opened for modification	\??\c:\program files\SearchConnect.pps	fast_gas.exe
File opened for modification	\??\c:\program files\WatchAdd.rtf	fast_gas.exe
File created	\??\c:\program files\0w835r1erf-readme.txt	fast_gas.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v0wfl9o83b.bmp"

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

description	ioc
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\SystemCertificates\CA\Certificates\EAB040689A0D805B5D6FD654FC168CFF00B78BE3\Blob = 030000000100000014000000eab040689a0d805b5d6fd654fc168cff00b78be31400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000db78cbd190952735d940bc80ac2432c00f0000000100000030000000435fe6564241d6b3828352ef9be443d511c21f0afb325c4038a5820f00d87774a8ef2193ddaae065b2572faf2bf0ee63190000000100000010000000ea6089055218053dd01e37e1d806eedf5c00000001000000040000000010000018000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000007b050000308205773082045fa003020102021013ea28705bf4eced0c36630980614336300d06092a864886f70d01010c0500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820101009365f63783950f5ec3821c1fd677e73c8ac0aa09f0e90b26f1e0c26a75a1c779c9b95260c829120ef0ad03d609c476dfe5a68195a746da8257a99592c5b68f03226c3377c17b32176e07ce5a14413a05241bf614063ba825240ebbcc2a75ddb970413f7cd0633621071f46ff60a491e167bcde1f7e1914c9636791ea67076bb48f8bc06e437dc3a1806cb21ebc53857ddc90a1a4bc2def4672573505bfbb46bb6e6d3799b6ff239291c66e40f88f2956ea5fd55f1453acf04f61eaf722cca7560be2b8341f26d97b1905683fba3cd43806a2d3e68f0ee3b4716d4042c584b440952bf465a04879f61d8163969d4f75e0f87ce48ea9d1f2ad8ab38cc721cdc2ef
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
ransomware sodinokibi

Discovering connected drives 3 TTPs 6 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fast_gas.exepowershell.exe

description	ioc	process
File opened (read-only)	\??\E:	fast_gas.exe
File opened (read-only)	\??\F:	fast_gas.exe
File opened (read-only)	\??\C:	powershell.exe
File opened (read-only)	\??\C:	fast_gas.exe
File opened (read-only)	\??\A:	fast_gas.exe
File opened (read-only)	\??\B:	fast_gas.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fast_gas.exepowershell.exe

pid process

4992 fast_gas.exe
5068 powershell.exe

pid	process
4992	fast_gas.exe
5068	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fast_gas.exe
"C:\Users\Admin\AppData\Local\Temp\fast_gas.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Discovering connected drives
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
- Suspicious behavior: EnumeratesProcesses
PID:5068