Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 14:59

General

  • Target

    sodinokibi.bin.exe

  • Size

    542KB

  • MD5

    61c19e7ce627da9b5004371f867a47d3

  • SHA1

    4f3b4329871ec269043068a98e9cc929f603268d

  • SHA256

    bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9

  • SHA512

    dd919e1dace4e1f246552bbb1b55cd13f38bdac8764afb67624d4331341dff1c3cd75616da26d9deb4e05c04163b78a5ff8b9ffec2f73b2c9b82d5a41e216244

Malware Config

Extracted

Path

C:\4p171m6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 4p171m6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/584BF5555F34A14E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/584BF5555F34A14E Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: nASoLMNfbD+0hdPHoG+6kdSXHzDb5XZzZef/NPy2A6AOtnqF4C6im+r54sui7JzM wzuNmNXp75TZaCZwgZQRVde8MLsryxwJBtJ8S7XZ8kfs1ySDBS1bCtVaSHm99sNj UW/Sd3Z3s6iZCD+XvPKKZ4vxt/oWJ3Td/+O7hW0PwGGiP/R5Yvzo8C+ms67MyNv6 EF8udFMn0uw4cHps+W56JuVgaGi314y17AzvajJjSy2owFdwgpI7ULZ36ko9DxxN qXT/zhF/NIy0TJ/Re48pge60WDUCtRApCqdS0lafngwTYkdBPgbM/pBnJzyTDiCv Iao1yd/S3vzY5Gjjyf51EcYYseRZ60N5lIM/x709ScI+t1yB0JL1e+PXOEOTGMyo vD+YHvfOWFTat2lIStKz7cXROvPiFj8ZAUg/LNMK/9bl0FefrUpa7+aO6G9N5H65 6knCHnOIsNEa9Gup4WMNzgD0ZJO8Ae7fUz4O6InVXOwVbPQ+WYJi9nN2DJhmGI/W afIso2UpyvlngzGfOMoyDUnUJyj8DgzurqR8y+eGla1B3Fumr3LB0OsxNJsq3TDq oCEd2KFMonSDJvibkc5THx8Wx2b0W2tXTyVwUUcV497zSkrG2gHQFxxyNJ5oXIY6 8LUyjL0WVHoywY8xgq1zNL+VwhxtXlrWqeq11disbrzB9PCGMXMJgWmHeG9L34cD kM5dEDrEyr+z26pbgq0GZbFTcswoDLzXsMa4IHmG/LSbFWcRAXBIZfoOkmOn9UUi u9iMAVZ+lRu9cd+9MOPVc37F0Tb74Hxy7WOTnIXlABaLXY81hHr6kgqvXvrPnG+K Long1aP59Ncsntux/BRpCbjZFE4jAK8KO2pweifi7aWHC569a7QtObxgvd1J4sym cfkuljTjb8amOp94YLwTzC51XEezZvX/LNJQC7IjDRHW7DGM92MSYwLagi2hPmnw oV2DhyzJJQrnzLpSbMbrR4xKBCA3SZ6pgKBmT75eA04Y3NbwAhxQQLPlQTh7WSer Pf7yhf9KAdoQCpngXA/3JmC+xw+qUSVgIttEXd+d7s0HEXcz834HXZkSkVVTVj1c oEGiScPGXuoWx1koiHdTjETqz3KFfdx+Yf983ZDq6Q9wPtK8l1M11G5t Extension name: 4p171m6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/584BF5555F34A14E

http://decryptor.top/584BF5555F34A14E

Extracted

Family

sodinokibi

C2

craftingalegacy.com

g2mediainc.com

brinkdoepke.eu

vipcarrental.ae

autoteamlast.de

hostastay.com

gavelmasters.com

ronaldhendriks.nl

successcolony.com.ng

medicalsupportco.com

kompresory-opravy.com

sveneulberg.de

oththukaruva.com

voetbalhoogeveen.nl

selected-minds.de

log-barn.co.uk

fsbforsale.com

jobkiwi.com.ng

ivancacu.com

11.in.ua

Attributes
  • pid

    5

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    367

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 2108 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sodinokibi.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\sodinokibi.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:496
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2020
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2492

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/208-8-0x0000000000000000-mapping.dmp
  • memory/496-2-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

  • memory/496-3-0x00000000001F0000-0x00000000001FA000-memory.dmp
    Filesize

    40KB

  • memory/496-5-0x00000000005B0000-0x00000000005B1000-memory.dmp
    Filesize

    4KB

  • memory/496-4-0x00000000005A0000-0x00000000005A1000-memory.dmp
    Filesize

    4KB

  • memory/496-7-0x00000000006A0000-0x00000000006A6000-memory.dmp
    Filesize

    24KB

  • memory/496-6-0x0000000000690000-0x0000000000691000-memory.dmp
    Filesize

    4KB

  • memory/2020-9-0x0000000000000000-mapping.dmp