sodinokibi | d191761ac8a7b0a3525764664609a8fccfa3732d331c525e9c1c9eb0a7068a9c

Analysis

max time kernel
117s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
14-04-2022 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sodinokibi.exe
Size

143KB
MD5

a3749c66f65d247d8a6fae1be26d3ef9
SHA1

c394464bba56e62ddfe2c9073932fb656fb78b6c
SHA256

d191761ac8a7b0a3525764664609a8fccfa3732d331c525e9c1c9eb0a7068a9c
SHA512

65bc1dba7e4de098e6b27b13b1e0723f703f645e4a4c6e53b7b03ec096a70d48ec2aca7e8bcd911ced61bab35e95983510604421ef35a593278414bfbb1cb01c

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sodinokibi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sodinokibi.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sodinokibi.exe

description	ioc	process
File opened (read-only)	\??\A:	sodinokibi.exe
File opened (read-only)	\??\B:	sodinokibi.exe
File opened (read-only)	\??\G:	sodinokibi.exe
File opened (read-only)	\??\H:	sodinokibi.exe
File opened (read-only)	\??\O:	sodinokibi.exe
File opened (read-only)	\??\T:	sodinokibi.exe
File opened (read-only)	\??\J:	sodinokibi.exe
File opened (read-only)	\??\S:	sodinokibi.exe
File opened (read-only)	\??\X:	sodinokibi.exe
File opened (read-only)	\??\Y:	sodinokibi.exe
File opened (read-only)	\??\F:	sodinokibi.exe
File opened (read-only)	\??\I:	sodinokibi.exe
File opened (read-only)	\??\Q:	sodinokibi.exe
File opened (read-only)	\??\R:	sodinokibi.exe
File opened (read-only)	\??\U:	sodinokibi.exe
File opened (read-only)	\??\V:	sodinokibi.exe
File opened (read-only)	\??\W:	sodinokibi.exe
File opened (read-only)	\??\E:	sodinokibi.exe
File opened (read-only)	\??\K:	sodinokibi.exe
File opened (read-only)	\??\L:	sodinokibi.exe
File opened (read-only)	\??\M:	sodinokibi.exe
File opened (read-only)	\??\N:	sodinokibi.exe
File opened (read-only)	\??\P:	sodinokibi.exe
File opened (read-only)	\??\Z:	sodinokibi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sodinokibi.exe

pid process

4852 sodinokibi.exe
4852 sodinokibi.exe

pid	process
4852	sodinokibi.exe
4852	sodinokibi.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

sodinokibi.exe

description	pid	process	target process
PID 4852 wrote to memory of 4456	4852	sodinokibi.exe	cmd.exe
PID 4852 wrote to memory of 4456	4852	sodinokibi.exe	cmd.exe
PID 4852 wrote to memory of 4456	4852	sodinokibi.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\sodinokibi.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:4456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4456-134-0x0000000000000000-mapping.dmp

Download