sodinokibi | f67d2bb9157ba5ccacbe051ac737812226fb2b43fe209867ae276695a8a929a4

General

Target

55.exe
Size

289KB
MD5

500286eaf9eb11b34eb413bb0df5543b
SHA1

b889ff1138b2bd7a3033ca4c4868189dc8588f9b
SHA256

f67d2bb9157ba5ccacbe051ac737812226fb2b43fe209867ae276695a8a929a4
SHA512

65ce297688900f0c7b1eb3a327771eff79e366290761613b364f463787f66a46d14127e1a644b5fb8f26befdf90ce100110cf47107b9457f971ca8056402782a

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Path

C:\mg6590u252-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension mg6590u252. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C3DAA270FDF09AE8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C3DAA270FDF09AE8 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ThCsKQMmFau/EiWMuMZxgMlaDLEHDOxqD/hE0xGRG7QQG9/TQ5WTGJYbItVgbKbz iBZsPkRvKWBkeqY1d6CEqBOgEogCAnuxWIa+pvCD0d8oLlztIwudlerJv0yDXDu4 Ouw8en+x1TjwbGncJIt+AXxRGSCmqWTSASLWrRJfB8wJgXk4OiCA5IChTow/VNX3 EEkwXSW8jLJafc/gD/llgzGnNTVblmVFgGX8DBr9/+1dWT2MzV1FwRKGSnwk/ODi hycb2GqlUAHdYH6qVYnHdwFfpGC13/Y7DZTJorWM3AwCClnCYGSDToHWxo3fkSLX FrtrnAPwzCuMFY/5k+le6TjOLKh1EuI0ow4qjXF+2ciDOYCcYWDfWwlNilJLqaVO kNHL5DXIaRYdhBt/3a/hTEnBOGNa2ZEAivyfRL8GilhAri95ac/sQ6WT5BSKHsXy xq/QPB0f6hfL8axwOCKwlrh8CEZ8UYn+ApUeUWQOTYrTFTZh6WNkpCnlEiVlBaZu UiEy/KW13wDajoxpl78h4fo43/ssVE8Q/zYy4P/xmfNFc7z1mk06DNT8dow+Xy0P 0+tzWlbNeHqmx247OOMooPhtxdCGFpGvOyJwvMzcROFE602fuLEE91LD6IiGpyIW hrXk5P54HRMpfOu0NE7z/t6b3jM1jICfJc7HJT2AJzcWhq/EQRR8ms43XgODUQ4L QjKy2kZpeV7U20wF54/QP0z8pTcaPXkWsaUHdYbAC4/7Z4LeXoavirgSHdL84yru 0kI3zDoGbyMS37sF7XnmM/7gNq5J7ZtNch/vaD3IaESNfCkI4eTMY8Ch6L4sgnQ6 /C9emm2MvM1r0dBUIUXiNBc49K+Ko5vRPMCwdYpr8ne+kq6fdh8shHnXOGi4NyVA DhQhYTJIOHOYpbRANf42RH4P8cXdsoapkMagJdzYCMSjIpiOXTo58+pwyI4wPv/I IBRZk0AGr48c5fWKZcpNmEzACtMtkAG3N7e5YsQRB49YuTdPHChjSYklv0/NQJ6r PKL17cooS9749YMhXJERX01h7afw5+uMkJHWThXgBmQXqD+BMVAMSeJsniYztZXZ syzQwn44RljCKhlvkhuPak/zPQuDjj1RnsRxEOiVQ/f7aYtVBgB/odHDs8KbQdNA pmwnWKxaVWwvolAHMCNJOyB0fFhN7idtLKSFro0mIwbFQrnCKjYRnlv3X4YoTsHY ipAIGNF+FlDpsDbQdo2iwmIEk0BjRHmif7y7dgkdzTqRofrIKkp9B0IagtKWZcoO 2w9XjkEtS04Ul+84r2Par6gMDm13P2PegJGlfnBKi8ca7pMkQFyn3g== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C3DAA270FDF09AE8

http://decryptor.cc/C3DAA270FDF09AE8

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

55.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExportDisconnect.tif => \??\c:\users\admin\pictures\ExportDisconnect.tif.mg6590u252	55.exe
File renamed	C:\Users\Admin\Pictures\StopExport.crw => \??\c:\users\admin\pictures\StopExport.crw.mg6590u252	55.exe
File renamed	C:\Users\Admin\Pictures\UndoUnprotect.tiff => \??\c:\users\admin\pictures\UndoUnprotect.tiff.mg6590u252	55.exe
File renamed	C:\Users\Admin\Pictures\UnblockFind.png => \??\c:\users\admin\pictures\UnblockFind.png.mg6590u252	55.exe
File renamed	C:\Users\Admin\Pictures\RepairEdit.tif => \??\c:\users\admin\pictures\RepairEdit.tif.mg6590u252	55.exe
File renamed	C:\Users\Admin\Pictures\RequestResize.png => \??\c:\users\admin\pictures\RequestResize.png.mg6590u252	55.exe
File renamed	C:\Users\Admin\Pictures\SelectRestore.tif => \??\c:\users\admin\pictures\SelectRestore.tif.mg6590u252	55.exe
File renamed	C:\Users\Admin\Pictures\SkipClose.tif => \??\c:\users\admin\pictures\SkipClose.tif.mg6590u252	55.exe
File renamed	C:\Users\Admin\Pictures\ImportComplete.png => \??\c:\users\admin\pictures\ImportComplete.png.mg6590u252	55.exe
File opened for modification	\??\c:\users\admin\pictures\StepRead.tiff	55.exe
File renamed	C:\Users\Admin\Pictures\PublishRestore.crw => \??\c:\users\admin\pictures\PublishRestore.crw.mg6590u252	55.exe
File opened for modification	\??\c:\users\admin\pictures\UndoUnprotect.tiff	55.exe
File renamed	C:\Users\Admin\Pictures\StepRead.tiff => \??\c:\users\admin\pictures\StepRead.tiff.mg6590u252	55.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

55.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6wb0n.bmp"	55.exe

Drops file in Program Files directory 22 IoCs

Processes:

55.exe

description	ioc	process
File opened for modification	\??\c:\program files\CompareFind.wmx	55.exe
File opened for modification	\??\c:\program files\DisconnectPing.txt	55.exe
File opened for modification	\??\c:\program files\EnterResize.bmp	55.exe
File opened for modification	\??\c:\program files\MoveRedo.wmx	55.exe
File opened for modification	\??\c:\program files\ResetShow.dotm	55.exe
File opened for modification	\??\c:\program files\ResumeDeny.TTS	55.exe
File opened for modification	\??\c:\program files\SelectClear.dxf	55.exe
File opened for modification	\??\c:\program files\UnprotectOut.vstm	55.exe
File created	\??\c:\program files (x86)\mg6590u252-readme.txt	55.exe
File opened for modification	\??\c:\program files\AssertUnlock.ADTS	55.exe
File created	\??\c:\program files\microsoft sql server compact edition\mg6590u252-readme.txt	55.exe
File opened for modification	\??\c:\program files\PushSelect.tiff	55.exe
File opened for modification	\??\c:\program files\SaveStart.clr	55.exe
File opened for modification	\??\c:\program files\TestMerge.eprtx	55.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\mg6590u252-readme.txt	55.exe
File created	\??\c:\program files\mg6590u252-readme.txt	55.exe
File opened for modification	\??\c:\program files\UnpublishGroup.sql	55.exe
File opened for modification	\??\c:\program files\WaitShow.ram	55.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\mg6590u252-readme.txt	55.exe
File opened for modification	\??\c:\program files\GrantPush.avi	55.exe
File opened for modification	\??\c:\program files\ShowRemove.gif	55.exe
File opened for modification	\??\c:\program files\StartPublish.potm	55.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

55.exepowershell.exe

pid process

1464 55.exe
1016 powershell.exe
1016 powershell.exe

pid	process
1464	55.exe
1016	powershell.exe
1016	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

55.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1464	55.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeBackupPrivilege	1916	vssvc.exe
Token: SeRestorePrivilege	1916	vssvc.exe
Token: SeAuditPrivilege	1916	vssvc.exe
Token: SeTakeOwnershipPrivilege	1464	55.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

55.exe

description	pid	process	target process
PID 1464 wrote to memory of 1016	1464	55.exe	powershell.exe
PID 1464 wrote to memory of 1016	1464	55.exe	powershell.exe
PID 1464 wrote to memory of 1016	1464	55.exe	powershell.exe
PID 1464 wrote to memory of 1016	1464	55.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\55.exe
"C:\Users\Admin\AppData\Local\Temp\55.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-2-0x0000000000000000-mapping.dmp

Download
memory/1016-3-0x000007FEF6370000-0x000007FEF6D5C000-memory.dmp

Filesize
9.9MB

Download
memory/1016-4-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1016-5-0x000000001ABA0000-0x000000001ABA1000-memory.dmp

Filesize
4KB

Download
memory/1016-6-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1016-7-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1016-8-0x000000001AA70000-0x000000001AA71000-memory.dmp

Filesize
4KB

Download
memory/1464-0-0x0000000003388000-0x0000000003399000-memory.dmp

Filesize
68KB

Download
memory/1464-1-0x0000000003480000-0x0000000003491000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads