sodinokibi | 06028df498075f962ef0f594b8a27abd90cc19edf02fe78b6aa6e977a93850f9

General

Target

new.exe
Size

941KB
MD5

708bf86b696629ad04fb3ed46232b8a8
SHA1

4ad1a2030f928cdbc75a4e10eeb6689cbe5ca2c1
SHA256

06028df498075f962ef0f594b8a27abd90cc19edf02fe78b6aa6e977a93850f9
SHA512

6d4b69c77c1ac794d5ff82c175665ef789af5af1be5a3f81c5a1d494e81335e0908998e5c78da5c727abb71631de6c7276eefcdd5298c7d7f1b917c771979228

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

new.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation new.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	new.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

new.exe

description	ioc	process
File opened (read-only)	\??\X:	new.exe
File opened (read-only)	\??\Z:	new.exe
File opened (read-only)	\??\A:	new.exe
File opened (read-only)	\??\F:	new.exe
File opened (read-only)	\??\G:	new.exe
File opened (read-only)	\??\O:	new.exe
File opened (read-only)	\??\V:	new.exe
File opened (read-only)	\??\L:	new.exe
File opened (read-only)	\??\N:	new.exe
File opened (read-only)	\??\P:	new.exe
File opened (read-only)	\??\B:	new.exe
File opened (read-only)	\??\E:	new.exe
File opened (read-only)	\??\H:	new.exe
File opened (read-only)	\??\J:	new.exe
File opened (read-only)	\??\K:	new.exe
File opened (read-only)	\??\U:	new.exe
File opened (read-only)	\??\Y:	new.exe
File opened (read-only)	\??\M:	new.exe
File opened (read-only)	\??\Q:	new.exe
File opened (read-only)	\??\R:	new.exe
File opened (read-only)	\??\I:	new.exe
File opened (read-only)	\??\S:	new.exe
File opened (read-only)	\??\T:	new.exe
File opened (read-only)	\??\W:	new.exe

Drops file in Windows directory 64 IoCs

Processes:

new.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.19041.1_it-it_bc383e9a8755fadf.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_hu-hu_b554802d4a83e6fc.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_en-us_7cd59418f708faf0_wudfpf.sys.mui_f61e9e86	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_abf2f270a2e2fdd5_rasautou.exe.mui_55686a97	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3e1a1833a5494f75_srpapi.dll.mui_2693a558	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-imm32_31bf3856ad364e35_10.0.19041.546_none_3a4f6516d93a4779_imm32.dll_53c2ab30	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_de-de_88414bd06cbad686_rtm.dll.mui_55e4e990	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_428f67dbffd4ce03.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_cga80850.fon_2e7bdf2f	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_ro-ro_c00d07e45f7b48b1_bootmgr.exe.mui_c434701f	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_ebd9b2add93e89de_kmddsp.tsp_c999e400	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_7725a91f1043b62d.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_pt-pt_7bd241ac79147d55_bootmgr.exe.mui_c434701f	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netbios_31bf3856ad364e35_10.0.19041.1_none_0fd2c5ae0a7cd53b_netbios.sys_6f23c4df	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.19041.1023_none_8ab455d5934af9be_windows.ui.xaml.controls.dll_4c861b99	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd076cb21a41edb1_volmgrx.sys.mui_b0c205d7	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodepowerservice_31bf3856ad364e35_10.0.19041.207_none_3c300852ab214f81.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_es-es_80b4fbf2a39aea5a_winlogon.exe.mui_3280fc46	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a_setupapi.mof_8d9de59f	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_76775b16ccf4c886_memtest.exe.mui_77b8cbcc	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..y-biometrics-client_31bf3856ad364e35_10.0.19041.1_none_725e78755886a3f4.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_a556313cd729d07d_msobjs.dll_052c8a60	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_25d6f2766f7cf9c2_storagehealth.adml_00c6b7b3	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_31cb74c54c7c9cce_wiarpc.dll.mui_0c913b87	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_bg-bg_dd016b0b9ea8d750.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.19041.1_none_3bcc397d635fe6c8.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_nl-nl_de526fb546773452_msimsg.dll.mui_72e8994f	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_de-de_0528803147204d22.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nt-core-bootmanager_31bf3856ad364e35_10.0.19041.1_none_a1c3d9420e6939cc.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_de-de_d3e4be20082aef2b.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.1266_none_e0eefe63c72d43e8_apps.inf_0b7d7d89	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_a65df33be4649fa7_dsreg.dll.mui_5d9efc7e	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_da-dk_8eac972b9796148b.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_638e961dd6edabb1_trustedsignalcredprov.dll.mui_5edc427b	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_uk-ua_00edb9ea93827738_comctl32.dll.mui_0da4e682	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b2a2923fc0594488_mswsock.dll.mui_d7c2a730	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_he-il_47e71de5429c9e8d.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.264_none_44ecb7e259b46a0a.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_it-it_fb1b92cca7311236_combase.dll.mui_6db10b33	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.19041.1202_none_d16f7d1b7a182564_sbservicetrigger.dll_b5ff30d2	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_8a83f8a2672d374c_mofd.dll.mui_793ef98d	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_es-es_8145b05544cb69cd_gpsvc.dll.mui_0c160ac2	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_21b80f3a6591f527_mofd.dll.mui_793ef98d	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ja-jp_d7c2226e3af6bdfe_comctl32.dll.mui_0da4e682	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.19041.1266_none_727d8ac8ed2b3e80.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.746_none_936e34e4ece273a7_atl.dll_0c7220db	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.19041.1202_none_914650a100a16672.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_it-it_f55158e81544d580_iscsicli.exe.mui_64c0a23c	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_de-de_848402175f135dad.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_176364e83131332c_wmiapsrv.exe.mui_b1567840	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_de-de_b193c3d6386ad9e5.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_029f7959ec5608b5_efssvc.dll.mui_03cc4e41	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.19041.1_none_e86919b4bac0ee7b.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-mpr_31bf3856ad364e35_10.0.19041.546_none_9623bac4eb215e13_mpr.dll_e8c35b01	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_lv-lv_354120845477e45d_comctl32.dll.mui_0da4e682	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-core_31bf3856ad364e35_10.0.19041.546_none_0fdfc09722e8c30a_ndproxy.sys_4a9480d5	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_fc045c385de0a407_dnsrslvr.dll.mui_1e1a1ed1	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_hr-hr_b4205a674b468594_comctl32.dll.mui_0da4e682	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_sv-se_5c4b115fa6f864cd.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.19041.1_none_60f873a5caaf6704.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_j8514oem.fon_cf1af1d6	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0_iscsicli.exe.mui_64c0a23c	new.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

new.exe

pid process

4064 new.exe
4064 new.exe

pid	process
4064	new.exe
4064	new.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

new.exe

description	pid	process	target process
PID 4064 wrote to memory of 3096	4064	new.exe	cmd.exe
PID 4064 wrote to memory of 3096	4064	new.exe	cmd.exe
PID 4064 wrote to memory of 3096	4064	new.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3096-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads