sodinokibi | bac39c44a1510bb472f8e306f4b46421302444c521711eebc2b9244068a8df72

General

Target

new.exe
Size

189KB
MD5

dd5865ef1d0c647a7d73c6d5ea11cd0b
SHA1

4b93dcb6cced53118f972e84a69355da98adeda7
SHA256

bac39c44a1510bb472f8e306f4b46421302444c521711eebc2b9244068a8df72
SHA512

fd053d24599247b709536beefdc4d0dfd5ff33835391d3b4819f2162c808cc57ffcdac970cc387b57d4556d23dc4b8b2273060de8fcecc7392fcbf873dbc837c

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

new.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation new.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	new.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

new.exe

description	ioc	process
File opened (read-only)	\??\G:	new.exe
File opened (read-only)	\??\L:	new.exe
File opened (read-only)	\??\N:	new.exe
File opened (read-only)	\??\W:	new.exe
File opened (read-only)	\??\A:	new.exe
File opened (read-only)	\??\Y:	new.exe
File opened (read-only)	\??\K:	new.exe
File opened (read-only)	\??\E:	new.exe
File opened (read-only)	\??\F:	new.exe
File opened (read-only)	\??\H:	new.exe
File opened (read-only)	\??\P:	new.exe
File opened (read-only)	\??\U:	new.exe
File opened (read-only)	\??\X:	new.exe
File opened (read-only)	\??\Z:	new.exe
File opened (read-only)	\??\B:	new.exe
File opened (read-only)	\??\J:	new.exe
File opened (read-only)	\??\M:	new.exe
File opened (read-only)	\??\O:	new.exe
File opened (read-only)	\??\Q:	new.exe
File opened (read-only)	\??\R:	new.exe
File opened (read-only)	\??\S:	new.exe
File opened (read-only)	\??\T:	new.exe
File opened (read-only)	\??\I:	new.exe
File opened (read-only)	\??\V:	new.exe

Drops file in Windows directory 64 IoCs

Processes:

new.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasrtutils_31bf3856ad364e35_10.0.19041.1266_none_81db67969fabe5c6.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_4f5e30ee8b348f36.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-etw-ese_31bf3856ad364e35_10.0.19041.1_none_8fa08a745a1a81a2_etweseproviderresources.dll_f21e8ea7	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_cc60cf52118b76e2_memtest.efi.mui_71e15c22	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sv-se_19e50489d0787aec_bootmgr.efi.mui_be5d0075	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_es-es_2c55246d83884e93.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-system-user-service_31bf3856ad364e35_10.0.19041.906_none_697cd7dad1ab7e2e_usermgr.dll_015952d1	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_de-de_7b16fe6b5fbc6858.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..wmanager-compositor_31bf3856ad364e35_10.0.19041.1288_none_7a49f980f48daa96_dwmcore.dll_523baf47	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_8514fixt.fon_f6726a58	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_msmpeng.exe_2f1c6923	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_a069e8cf0cb9bc28.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_10.0.19041.264_none_5c643b8f866d5e2b.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_40c79c50b42ec552.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-rasl2tp_31bf3856ad364e35_10.0.19041.488_none_77ac529b46dc3a08_rasl2tp.sys_d69e0fa7	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_2adbc983514c73da_rasmigplugin.dll_7ee2aa40	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_dos737.fon_8de20802	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_bg-bg_8af479c5386ed751_bootmgr.exe.mui_c434701f	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_sv-se_51f6670d7297a2d2_memtest.efi.mui_71e15c22	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.19041.207_none_0527f99c13420d2f.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_10.0.19041.1237_none_5f00842b9149cc7c_tdx.sys_d0cc4fd9	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_es-es_8145b05544cb69cd_gpapi.dll.mui_ef0a9748	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.19041.1202_none_5e2a05871a9a6485.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-process_31bf3856ad364e35_10.0.19041.746_none_11e04cec24452336_dwm.exe_04cf416e	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.19041.1266_none_8e5f726ca832e39d_power.settings.battery.ppkg_90037481	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.19041.844_none_f5f48bc2c8c3f7a0_scfilter.sys_87d261f5	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_10.0.19041.1_none_3ef7d405e850df76.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.1288_none_e0f8082a6952ce81_ntoskrnl.exe_0fb0ab79	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.1_none_878832244c2bbd32.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.19041.867_none_b4e9fc09cfcbdd7c_axinstui.exe_eba3b15b	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.19041.546_none_a5535ccb0430ada2.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_7ce61c7d809eedfd_storagehealth.adml_00c6b7b3	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d_netiomig.dll_917b9a36	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_97ded4f562f4e50a.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1266_none_b2317523477fbd48_lsass.exe_682060de	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_493b5718242b0bd3_umpo.dll.mui_cac12e54	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_pt-br_785d60c10b52e5f3.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1_it-it_9bf49926b22e3d9a.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.19041.1288_none_a61ec92f9e248eae_kernelbase.dll_7f3dc5f6	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.19041.1023_none_167a0dedb3a3167c.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_sr-..-rs_4bed07716ee5b93f.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_da-dk_02d56f028cfc5e3f.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d74bd5437b437cf1_bootmgr.efi.mui_be5d0075	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-etw-ese.resources_31bf3856ad364e35_10.0.19041.1_en-us_aa43e6777eda8f90.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1081_en-us_ce36a852fdc49a6a_srpapi.dll.mui_2693a558	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.1288_none_e0f8082a6952ce81.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a_scarddlg.dll.mui_300ae9df	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-mpr_31bf3856ad364e35_10.0.19041.1_none_6e1b81482baf9a17.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_edd4f3bf115270f1.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_cs-cz_e1f032fad674dbed.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_24b659bf5f7a8d1f.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..y-biometrics-client_31bf3856ad364e35_10.0.19041.1081_none_314b50cb6e47ee49_winbio.dll_7228629e	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_es-es_34945f448871668f_bootmgr.efi.mui_be5d0075	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-driver_31bf3856ad364e35_10.0.19041.1_none_1cdf560fd553ffa5.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_en-us_d572d73fc54e8110.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fr-ca_cfc21f8d801be317.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msxml60_31bf3856ad364e35_10.0.19041.264_none_70a447772a188950.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_lv-lv_73e5bd029f7ac27a.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-userenv_31bf3856ad364e35_10.0.19041.572_none_6e154087aa2e1290.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_be1670627d88fc7f.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_es-es_a05534499914e28b_rpcepmap.dll.mui_349798e1	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_en-us_14089ec954fee325_kmddsp.tsp.mui_80ddeedb	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9dd9712c9cddd429.manifest	new.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ro-ro_a7fd6f88bbbece6f_comctl32.dll.mui_0da4e682	new.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

new.exe

pid process

4260 new.exe
4260 new.exe

pid	process
4260	new.exe
4260	new.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

new.exe

description	pid	process	target process
PID 4260 wrote to memory of 380	4260	new.exe	cmd.exe
PID 4260 wrote to memory of 380	4260	new.exe	cmd.exe
PID 4260 wrote to memory of 380	4260	new.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads