Analysis
- max time kernel: 117s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 14-04-2022 15:25
Static task: static1
Behavioral task: behavioral1
- Sample: sodinokibi.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: sodinokibi.exe
- Resource: win10v2004-20220310-en
General
- Target: sodinokibi.exe
- Size: 143KB
- MD5: a3749c66f65d247d8a6fae1be26d3ef9
- SHA1: c394464bba56e62ddfe2c9073932fb656fb78b6c
- SHA256: d191761ac8a7b0a3525764664609a8fccfa3732d331c525e9c1c9eb0a7068a9c
- SHA512: 65bc1dba7e4de098e6b27b13b1e0723f703f645e4a4c6e53b7b03ec096a70d48ec2aca7e8bcd911ced61bab35e95983510604421ef35a593278414bfbb1cb01c
Malware Config
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence (REvil is known to exit on certain locales before encrypting).
  Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation (sodinokibi.exe)
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  File opened (read-only) by sodinokibi.exe, one IoC per drive letter: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (every letter except C: and D: is probed, consistent with a sweep for additional volumes to encrypt)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid 4852 sodinokibi.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  PID 4852 (sodinokibi.exe) wrote to the memory of PID 4456 (cmd.exe), 3 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\sodinokibi.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\sodinokibi.exe"
   - Checks computer location settings
   - Enumerates connected drives
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of 1, PID 4456)
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      This single cmd.exe invocation deletes all Volume Shadow Copies (removing the local restore points a victim could recover files from), disables Windows Recovery Environment for the default boot entry, and tells the boot loader to ignore boot failures. The image path is SysWOW64 while the command line names System32 because the 32-bit sample is subject to WoW64 file system redirection.
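The cmd.exe command line in the tree above is the part of this report most worth turning into a detection: vssadmin Delete Shadows plus bcdedit recovery tampering maps to ATT&CK T1490 (Inhibit System Recovery). The following is an added example, not part of the sandbox report or the REvil sample. It runs simple rules over constructed process-creation events (Sysmon Event ID 1 style fields, an assumption about the log source) and raises the severity when several of these commands are chained in one invocation or when the parent runs from a user-writable temp directory, while leaving the routine "vssadmin list shadows" alone. PIDs and paths echo the report's process tree; the benign and single-command events are constructed for contrast.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, an assumption).
# The first two mirror the report's tree; the last two are constructed controls.
EVENTS = [
    {"pid": 4852, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sodinokibi.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sodinokibi.exe"'},
    {"pid": 4456, "ppid": 4852,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
                r'& bcdedit /set {default} recoveryenabled No '
                r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    # Benign admin activity: listing shadow copies is routine and must not alert.
    {"pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows'},
    # A lone bcdedit change with no known parent: suspicious but lower confidence.
    {"pid": 5100, "ppid": 901,
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r'bcdedit /set {default} recoveryenabled No'},
]

# (rule name, ATT&CK technique, pattern). Patterns tolerate the optional .exe
# suffix and the optional braces around the boot entry identifier.
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{?default\}?\s+recoveryenabled\s+no", re.I)),
    ("bcdedit_ignore_boot_failures", "T1490",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{?default\}?\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# Parent images launched from here are treated as untrusted (assumption: this
# environment does not run legitimate admin tooling out of %TEMP%).
UNTRUSTED_PARENT_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def match_rules(cmdline):
    """Return the names of every rule whose pattern occurs in the command line."""
    return [name for name, _tech, pat in RULES if pat.search(cmdline)]


def parent_image(events, ppid):
    """Resolve a parent PID to its image path, or None if the parent was not logged."""
    by_pid = {e["pid"]: e for e in events}
    return by_pid[ppid]["image"] if ppid in by_pid else None


def score_event(event, events):
    """Build an alert for one event, or return None if no rule fires."""
    hits = match_rules(event["cmdline"])
    if not hits:
        return None
    parent = parent_image(events, event["ppid"])
    # Two or more recovery-inhibition commands chained in one invocation is the
    # ransomware pattern; a single command may be legitimate maintenance.
    severity = "high" if len(hits) >= 2 else "medium"
    if parent and UNTRUSTED_PARENT_DIR.search(parent):
        severity = "critical"
    techniques = sorted({tech for name, tech, _ in RULES if name in hits})
    return {"pid": event["pid"], "parent": parent, "rules": hits,
            "techniques": techniques, "severity": severity}


def detect(events):
    """Run score_event over every event and return the alerts in log order."""
    return [alert for alert in (score_event(e, events) for e in events) if alert]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Matching on the command line rather than the image name is deliberate: here the three commands live inside a single cmd.exe /c string, so an image-name rule for vssadmin.exe would only fire on the grandchild, and would miss the chaining that makes the behaviour unambiguous. The parent-path heuristic is a local policy assumption and should be tuned to the environment.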
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4456-134-0x0000000000000000-mapping.dmp