sodinokibi | d191761ac8a7b0a3525764664609a8fccfa3732d331c525e9c1c9eb0a7068a9c

General

Target

sodinokibi.exe
Size

143KB
MD5

a3749c66f65d247d8a6fae1be26d3ef9
SHA1

c394464bba56e62ddfe2c9073932fb656fb78b6c
SHA256

d191761ac8a7b0a3525764664609a8fccfa3732d331c525e9c1c9eb0a7068a9c
SHA512

65bc1dba7e4de098e6b27b13b1e0723f703f645e4a4c6e53b7b03ec096a70d48ec2aca7e8bcd911ced61bab35e95983510604421ef35a593278414bfbb1cb01c

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sodinokibi.exe

description	ioc	process
File opened (read-only)	\??\U:	sodinokibi.exe
File opened (read-only)	\??\A:	sodinokibi.exe
File opened (read-only)	\??\I:	sodinokibi.exe
File opened (read-only)	\??\K:	sodinokibi.exe
File opened (read-only)	\??\L:	sodinokibi.exe
File opened (read-only)	\??\O:	sodinokibi.exe
File opened (read-only)	\??\R:	sodinokibi.exe
File opened (read-only)	\??\T:	sodinokibi.exe
File opened (read-only)	\??\V:	sodinokibi.exe
File opened (read-only)	\??\W:	sodinokibi.exe
File opened (read-only)	\??\D:	sodinokibi.exe
File opened (read-only)	\??\B:	sodinokibi.exe
File opened (read-only)	\??\E:	sodinokibi.exe
File opened (read-only)	\??\H:	sodinokibi.exe
File opened (read-only)	\??\N:	sodinokibi.exe
File opened (read-only)	\??\P:	sodinokibi.exe
File opened (read-only)	\??\X:	sodinokibi.exe
File opened (read-only)	\??\Z:	sodinokibi.exe
File opened (read-only)	\??\G:	sodinokibi.exe
File opened (read-only)	\??\M:	sodinokibi.exe
File opened (read-only)	\??\F:	sodinokibi.exe
File opened (read-only)	\??\J:	sodinokibi.exe
File opened (read-only)	\??\Q:	sodinokibi.exe
File opened (read-only)	\??\S:	sodinokibi.exe
File opened (read-only)	\??\Y:	sodinokibi.exe

Drops file in Windows directory 64 IoCs

Processes:

sodinokibi.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-system-user-service_31bf3856ad364e35_10.0.15063.0_none_9c6c22cbabcb6847_usermgr.dll_015952d1	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-microsoftjhenghei_31bf3856ad364e35_10.0.15063.0_none_765491bc18e3ab9b.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.15063.0_none_8c9a5ae0c87057ba.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_zh-cn_b933028e5bbba2e5_comctl32.dll.mui_0da4e682	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_1b72f2a049408d5f.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-cn_cdcd398d082a0e9e.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_th-th_e25bed23d101e5a7_msimsg.dll.mui_72e8994f	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_de-de_5be8d57b685c3b22_scdeviceenum.dll.mui_815e7662	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.15063.0_none_f5ad4336b7886518_lsaiso.exe_51c00eb7	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-schannel_31bf3856ad364e35_10.0.15063.0_none_332a24478e119029.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.15063.0_none_460932e9ff0c93bd_setupapi.dll_8d9de2e7	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_92e9ee428a325ae8.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_97fd1b03b03c8b39_mpsdrv.sys.mui_b2aea3b6	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_es-es_8fb72afa21e2997c.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_85f1257.fon_77baa7cb	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.15063.0_none_df697b059d7eb384_windows.ui.xaml.inkcontrols.dll_523c865d	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_de-de_ad8894065477f34a.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_0f2e55c68b9b08e2_scarddlg.dll.mui_300ae9df	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_d123dd2c727d3948_svchost.exe_4dd0f0bc	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.15063.0_none_7c75c42fae043d1e_winhttp.dll_6cd72d6e	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.15063.0_none_2345529e4fd90644.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..type-microsoftyahei_31bf3856ad364e35_10.0.15063.0_none_4be71b6968e80401_msyh.ttc_e9e03d20	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_11ae3d61e1691e19.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.15063.0_none_420692083d1f600a.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_sv-se_b993099aee9048c9_bootmgr.exe.mui_c434701f	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_es-es_fbe28aa7df58a2d3_msimsg.dll.mui_72e8994f	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-version_31bf3856ad364e35_10.0.15063.0_none_c9f38ce4d1570426_version.dll_406ddf44	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_tr-tr_fc701b8f57f23c7f_comctl32.dll.mui_0da4e682	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-acpiex_31bf3856ad364e35_10.0.15063.0_none_45de7edd11c7c1ce.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2b6c8e7c08218e26_drvinst.exe.mui_e88f4c73	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_473f3bcd45fa2eca_wmiutils.dll.mui_42583eaf	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga737.fon_11d63f16	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_b1b128a97e9410e9_scardsvr.dll.mui_5f6fb64f	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sv-se_8675d120d143f7db_comctl32.dll.mui_0da4e682	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_6ee1eb5adc000190.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-coresystemminpnp_31bf3856ad364e35_10.0.15063.0_none_1b70ea73251f149e_drvcfg.exe_8370a674	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_en-us_d24874d4a9b4e91a_gpsvc.dll.mui_0c160ac2	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shacct-profile_31bf3856ad364e35_10.0.15063.0_none_bb57d0370769d62e.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.15063.0_none_72996f15c8286420_netiomig.dll_917b9a36	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_nl-nl_12b8897efda1c4da_comctl32.dll.mui_0da4e682	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_3dfe9dfd48e10842_certprop.dll.mui_602eaab4	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-csrsrv_31bf3856ad364e35_10.0.15063.0_none_da9b103ede2c5b31.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_10.0.15063.0_none_4b359c6cad232586_authz.dll_c0d80602	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.15063.0_none_f39dd1f571ccd621.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.15063.0_none_b8dd2546aef29fc8_dcomp.dll_a2e93a7d	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_5b9d9831c6538b40.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_uk-ua_984ffe364f2362cb_comctl32.dll.mui_0da4e682	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_f71c2ad88cd00633_msimsg.dll.mui_72e8994f	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_aa80fca424a5c223.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_bcd50e80524ea2f0_msvcp_win.dll_48149df4	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_de-de_f9e061c50cc99b3e_firewallapi.dll.mui_43c7a05b	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..ype-segoeui_regular_31bf3856ad364e35_10.0.15063.0_none_859ed1f2d02a9db5_segoeui.ttf_b39275ad	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.15063.0_none_de38492263599171.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_de-de_2f549ff69030259d_rasauto.dll.mui_12fa2c50	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_dcac18822cef5417_sppsvc.exe.mui_40875a72	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_79fc50ac4945a493.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-t..services-publicapis_31bf3856ad364e35_10.0.15063.0_none_7c26291346c6844d_wtsapi32.dll_470d4d41	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_de-de_d846e1155eb73b0a_tcpipcfg.dll.mui_a5479fc1	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.15063.0_none_e819281ea9bc03bf.manifest	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_msmplics.dll_50e185fa	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_qps-ploc_90edd29d3b867db7_memtest.exe.mui_77b8cbcc	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_b007ff450adb462f_tcpipcfg.dll.mui_a5479fc1	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_27839b07aafca9cf_memtest.efi.mui_71e15c22	sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.15063.0_none_02178f11778cf984_wuceffects.dll_0c15b7d5	sodinokibi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

676 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

sodinokibi.exe

pid process

2328 sodinokibi.exe
2328 sodinokibi.exe
2328 sodinokibi.exe
2328 sodinokibi.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2036 vssvc.exe
Token: SeRestorePrivilege 2036 vssvc.exe
Token: SeAuditPrivilege 2036 vssvc.exe

pid	process
676	vssadmin.exe

pid	process
2328	sodinokibi.exe
2328	sodinokibi.exe
2328	sodinokibi.exe
2328	sodinokibi.exe

description	pid	process
Token: SeBackupPrivilege	2036	vssvc.exe
Token: SeRestorePrivilege	2036	vssvc.exe
Token: SeAuditPrivilege	2036	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

sodinokibi.execmd.exe

description	pid	process	target process
PID 2328 wrote to memory of 1288	2328	sodinokibi.exe	cmd.exe
PID 2328 wrote to memory of 1288	2328	sodinokibi.exe	cmd.exe
PID 2328 wrote to memory of 1288	2328	sodinokibi.exe	cmd.exe
PID 1288 wrote to memory of 676	1288	cmd.exe	vssadmin.exe
PID 1288 wrote to memory of 676	1288	cmd.exe	vssadmin.exe
PID 1288 wrote to memory of 676	1288	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\sodinokibi.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/676-120-0x0000000000000000-mapping.dmp

Download
memory/1288-119-0x0000000000000000-mapping.dmp

Download
memory/2328-116-0x00000000008A0000-0x00000000008C3000-memory.dmp

Filesize
140KB

Download
memory/2328-115-0x00000000008A0000-0x00000000008C3000-memory.dmp

Filesize
140KB

Download
memory/2328-118-0x00000000009A0000-0x00000000009A6000-memory.dmp

Filesize
24KB

Download
memory/2328-117-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads