sodinokibi | f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554

General

Target

v2.exe
Size

121KB
MD5

944ed18066724dc6ca3fb3d72e4b9bdf
SHA1

1a19c8793cd783a5bb89777f5bc09e580f97ce29
SHA256

74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f
SHA512

a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3
SSDEEP

1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY

Score

10^/10

sodinokibi credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Recovery\9ji5w-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9ji5w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C5255B4EE92C0173 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/C5255B4EE92C0173 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: x1taL+jGbUpeHckYauTI1R9ge1rUwcE4I0AhMjw4mfc8jJjGm0G0t9hoDNLU8EQ7 hzP5p5GZzqsgFEtYdRGMjJ/rtPCSjduimCedaEHnXYADKvteKUXiRRecJ34Jxt0A tPE/GOzrd0yOPckEYRWDoRdwdjUqahxsRF4IUL9Ih2o5ZkwEUfHfyhlO70nfovPP Oyehloetk1DZ5wDGXLSTvOovLtp+i3a+MPT6qeAYJ5vLvN40nCf6hRbFdxbGzHIA XV5qKrvPAUZP+zDQpC/2djrX3H3tKEvthwhP4Edwo6wKsjBSSVAvvU6nsJyG70P6 Scb49t2LKI9Mh0nS0+taO1yUc2Jw2htgl1Q0Ht/8cjrD/FkLNkX2QE7OohACKnZJ 9p3Jna3x/K2mqJVimAR/FrdKvJmpsDRERd/WfEgnSfToiaocBDYtifb4vqCT3MVU +p4e/IZubhFcIM022cEqRYvNsLw7t4eA2dltzv0MmM5o7mSjamORLMk8cQF2ll/G SQa+j7D5r0tWYwZpvhERu8uc7I7mAHryMGCYkQZlzEnVnPt6gJaVrVqs278FjJm7 kb+xSd9CFduJGWre2wntzn6ypQAat7FEEEXSCUPokRQo8ItOqyhbaCvRIEhfPkxt mtg9i5wkatRbPpNRg+ra5Ht7cQORfuExWeKnk77qARqR6cEIJPBrFpuCYMPEImPH BU+Hj8pmH+8ieJNw8M2vUrv7e3MVHl4pyCcgrJhJvowd9ettnszFlXZ/0nZN76yQ NZPXn2RBppDEeVDSHKlhT2WnXT8YLLCUYv5MXNR0Jbh4Y2/mTnD6t211Z1LkDAuz pfKcsehar5OB7U+HAe3WIHIrytlhX/H1awNmPfFO0/KLBoJG1G7ufO3vMsa4jBM+ ssIDfn/ahJin54dlc+dEhcOpopS88/RCk730Xxs3Bf02OAhhpSuOe3dqVIC6GMto YoriViVcsSBv5F/sPNiAvvwET58iA10scWTXIAN/uI5wNPbb71CexRIdYog39rFn 6XIFZOF00MuYvkbhZOcCGYFH+rreRTeB6uGN0YllIqgSSmj6+nDOY1X75+o8zPTZ N3WtvzmBn25Ct88TqiWeRagG9piBVGafjK0DtK4ww400T2SllEnsaEo9PzQdrAiU UB7zXwQ1HgSRrzjcg3Sx8D6oY1qbB/+rZCB0rZCcxcAZCg1o2UoWWLeMMNAcH2+3 KNvJEX7oA3akjZ4Mn/nL/IxmqrS4X4LqcLZb0maSeQKHRkqENHvcT2AfZRjgNAMe NbPGARb63obfat+7fBZkDwqenNsQd9TrBV4llWMXb5ynt/+rlwJBsT+W4wsBnI4r 1zBAD94CsbKx6tiN+p9ZC7wUkI0= ----------------------------------------------------------------------------------------- We will use the data gathered from your systems in future campaigns in 14 days !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C5255B4EE92C0173

http://decoder.re/C5255B4EE92C0173

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\9ji5w-readme.txt	v2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	v2.exe
File opened (read-only)	\??\W:	v2.exe
File opened (read-only)	\??\Y:	v2.exe
File opened (read-only)	\??\H:	v2.exe
File opened (read-only)	\??\M:	v2.exe
File opened (read-only)	\??\N:	v2.exe
File opened (read-only)	\??\G:	v2.exe
File opened (read-only)	\??\L:	v2.exe
File opened (read-only)	\??\S:	v2.exe
File opened (read-only)	\??\P:	v2.exe
File opened (read-only)	\??\Q:	v2.exe
File opened (read-only)	\??\R:	v2.exe
File opened (read-only)	\??\U:	v2.exe
File opened (read-only)	\??\X:	v2.exe
File opened (read-only)	\??\A:	v2.exe
File opened (read-only)	\??\I:	v2.exe
File opened (read-only)	\??\K:	v2.exe
File opened (read-only)	\??\Z:	v2.exe
File opened (read-only)	\??\D:	v2.exe
File opened (read-only)	\??\O:	v2.exe
File opened (read-only)	\??\V:	v2.exe
File opened (read-only)	\??\F:	v2.exe
File opened (read-only)	\??\B:	v2.exe
File opened (read-only)	\??\E:	v2.exe
File opened (read-only)	\??\J:	v2.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ja38k.bmp"	v2.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\DebugSearch.emz	v2.exe
File opened for modification	\??\c:\program files\ClearConvertTo.asx	v2.exe
File opened for modification	\??\c:\program files\CompareSync.sql	v2.exe
File opened for modification	\??\c:\program files\CompressReceive.pps	v2.exe
File opened for modification	\??\c:\program files\FormatCheckpoint.css	v2.exe
File opened for modification	\??\c:\program files\GetUnpublish.aifc	v2.exe
File opened for modification	\??\c:\program files\GrantMerge.M2TS	v2.exe
File opened for modification	\??\c:\program files\LimitMove.cr2	v2.exe
File opened for modification	\??\c:\program files\ResetPing.TTS	v2.exe
File created	\??\c:\program files\9ji5w-readme.txt	v2.exe
File created	\??\c:\program files (x86)\9ji5w-readme.txt	v2.exe
File opened for modification	\??\c:\program files\EditSubmit.xhtml	v2.exe
File opened for modification	\??\c:\program files\SearchSplit.wmv	v2.exe
File opened for modification	\??\c:\program files\UpdateBackup.htm	v2.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\9ji5w-readme.txt	v2.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\9ji5w-readme.txt	v2.exe
File opened for modification	\??\c:\program files\JoinExpand.mp2	v2.exe
File opened for modification	\??\c:\program files\PushDisconnect.easmx	v2.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\9ji5w-readme.txt	v2.exe
File opened for modification	\??\c:\program files\OutTrace.vst	v2.exe
File opened for modification	\??\c:\program files\RevokeOpen.odt	v2.exe
File opened for modification	\??\c:\program files\SearchInitialize.otf	v2.exe
File opened for modification	\??\c:\program files\SelectSync.xlsm	v2.exe
File opened for modification	\??\c:\program files\BlockSet.wmf	v2.exe
File opened for modification	\??\c:\program files\ConvertFromSync.mpg	v2.exe
File opened for modification	\??\c:\program files\GroupRestart.wma	v2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2380	v2.exe
2380	v2.exe
2380	v2.exe
2380	v2.exe
2380	v2.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	v2.exe
Token: SeTakeOwnershipPrivilege	2380	v2.exe
Token: SeBackupPrivilege	2748	vssvc.exe
Token: SeRestorePrivilege	2748	vssvc.exe
Token: SeAuditPrivilege	2748	vssvc.exe
Token: SeBackupPrivilege	2632	vssvc.exe
Token: SeRestorePrivilege	2632	vssvc.exe
Token: SeAuditPrivilege	2632	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\v2.exe
"C:\Users\Admin\AppData\Local\Temp\v2.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ResolveApprove.WTV.9ji5w
1⤵
- Modifies registry class
PID:2776

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:232

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\9ji5w-readme.txt
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

1

T1217

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\9ji5w-readme.txt

Filesize
7KB

MD5
bce638d1535bf48d1c324b8cb16d9ac6

SHA1
150e6537d2c5a5f2dbb8b852da0d0aafc01b0ef0

SHA256
e3432d71004e613fbc9a9c4d0841e5d73ba7a1fdbd9b4027df63b47c202edca4

SHA512
e5cf5791765542ebd45aa9f13ccf8203434dd58c5f0e6dcbeb5ffe8dc8bc8b02b5d920a04f4d0de15e892500a08b9ff30c3d8bc2b2e4b3557bb620d62f2b699e

Download Submit

Resubmissions

Analysis

Sharing