sodinokibi | 8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12

General

Target

048.exe
Size

157KB
MD5

a994cfba920bb87b9322aeda48282d11
SHA1

dcdade9e535ec79f839537e7ed38499d258020b3
SHA256

8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512

b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
SSDEEP

1536:LWlo4vFAPi8hnuy8Ey7pAe3U7Pbi4eTMluxtXDCntTnICS4A33e6m6uOY1E9C:Fi8Iy8EytSLbi4eTMlwDCnuZ3puJ1

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

048.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation 048.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	048.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

048.exe

description	ioc	process
File opened (read-only)	\??\A:	048.exe
File opened (read-only)	\??\B:	048.exe
File opened (read-only)	\??\K:	048.exe
File opened (read-only)	\??\M:	048.exe
File opened (read-only)	\??\U:	048.exe
File opened (read-only)	\??\W:	048.exe
File opened (read-only)	\??\Y:	048.exe
File opened (read-only)	\??\E:	048.exe
File opened (read-only)	\??\G:	048.exe
File opened (read-only)	\??\J:	048.exe
File opened (read-only)	\??\O:	048.exe
File opened (read-only)	\??\T:	048.exe
File opened (read-only)	\??\X:	048.exe
File opened (read-only)	\??\H:	048.exe
File opened (read-only)	\??\Z:	048.exe
File opened (read-only)	\??\R:	048.exe
File opened (read-only)	\??\S:	048.exe
File opened (read-only)	\??\F:	048.exe
File opened (read-only)	\??\I:	048.exe
File opened (read-only)	\??\L:	048.exe
File opened (read-only)	\??\N:	048.exe
File opened (read-only)	\??\P:	048.exe
File opened (read-only)	\??\Q:	048.exe
File opened (read-only)	\??\V:	048.exe

Drops file in Windows directory 64 IoCs

Processes:

048.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_it-it_78c65fb1166338c9.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e73e48b327a51a42_apphelp.dll.mui_59096153	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_984baa246cdd2b6c_bootmgr.efi.mui_be5d0075	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-e..storage-classdriver_31bf3856ad364e35_10.0.19041.1_none_13e0a2d70bde69d7.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_169f2b7caf71b955_listsvc.dll.mui_27f0fc85	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8954e205e48ee50a.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_303b0094e7d25ad2.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ko-kr_3f1489cfda206346_memtest.efi.mui_71e15c22	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_d3af63f17d8b58b9.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.19041.1288_none_d7f32f1de5be2a2a.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.546_none_02af48cab422ff58.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_35fdf06025f6b37c.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_6ace49ac53b0c2de_axinstui.exe.mui_aea34130	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_296ac06bb93cb570.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.1_none_7d3387d217cafb37.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b45ebd382a2ceda1_dsregcmd.exe.mui_8ce2c638	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-imm32_31bf3856ad364e35_10.0.19041.546_none_3a4f6516d93a4779.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.19041.844_none_7eaa07ee55c22dcc_winmgmt.exe_8f8eb7b1	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.19041.1023_none_6db8f44cd8ead692_bcrypt.dll_e2f091ac	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_nl-nl_8ff07c31ee6f4500_comctl32.dll.mui_0da4e682	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.19041.1288_none_ea022bbb47fc9865_gdiplus.dll_423f7010	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.19041.1023_none_95090027c7abbbb9.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_6c22b0c49894068b.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opwindowmanager-api_31bf3856ad364e35_10.0.19041.746_none_be082f599ecc9fb9.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-null_31bf3856ad364e35_10.0.19041.1_none_5f56fb00ba5a9142_null.sys_e821cef0	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_20871f311cebb1df_iprtrmgr.dll_50f5fe79	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c859c559627601c9_storagehealth.adml_00c6b7b3	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_2adbc983514c73da_iprtrmgr.dll_50f5fe79	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.19041.1202_none_5e2a05871a9a6485_winsku.dll_6e6c7799	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.19041.546_none_0756b50d659bccdf_cryptsp.dll_ae5341e1	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_pt-pt_ff9103826a415cf2.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b68b71ac47f7eb2c_rasdiag.dll.mui_15cb4ec4	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-schannel_31bf3856ad364e35_10.0.19041.789_none_0a3c015ae890994a.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_es-es_fe0f0c83ff027428.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_he-il_0be8f8db96d74140.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0e76aa312b62e7b1_ws2ifsl.sys.mui_b672c7b4	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_sv-se_5c4b115fa6f864cd_memtest.exe.mui_77b8cbcc	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_hu-hu_0f39d18194c80f6e_msimsg.dll.mui_72e8994f	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.19041.1202_none_a5b2e5b8b986fe3d_wininit.exe_7a527f28	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e2ed1b5da749d72d.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.19041.906_none_93d59fea045662f4_comdlg32.dll_b1ffde97	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ui-resourceswin8rtm_31bf3856ad364e35_10.0.19041.1_none_40a3e631822403fd_windows.ui.xaml.resources.win8rtm.dll_9480ac21	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_077d882c43db17cd_bootmgr.exe.mui_c434701f	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.19041.1202_none_914650a100a16672_bcryptprimitives.dll_5dcb347c	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_cga40857.fon_2c8aa2e4	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_es-es_c0d7201ee41b954f.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_ncprov.dll.mui_40240de1	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_el-gr_78f993560d286ca3.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.19041.1023_none_8ab455d5934af9be.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_583b08a27682b4d0.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ja-jp_d7c2226e3af6bdfe.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9baaad1ae7af9c30.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-xmllite_31bf3856ad364e35_10.0.19041.546_none_6734c593021dd8ae.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_da-dk_02d56f028cfc5e3f.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_f9852e0df4948a55.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b921fe5fa26ac15c_listsvc.dll.mui_27f0fc85	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_85775.fon_f144fe91	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_10.0.19041.84_none_9deda7fa8ae8a1e8.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_en-us_83d24a0903134528_mswsock.dll.mui_d7c2a730	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_d6b579a445ec38dd.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.19041.1202_none_310330998a8ba7fa_offlinesam.dll_5e21eef0	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_et-ee_a27d02ab81dd8cd2.manifest	048.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_ba47d7f37d90af73_wuaueng.dll.mui_297f975d	048.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

048.exe

pid process

2024 048.exe
2024 048.exe

pid	process
2024	048.exe
2024	048.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

048.exe

description	pid	process	target process
PID 2024 wrote to memory of 1268	2024	048.exe	cmd.exe
PID 2024 wrote to memory of 1268	2024	048.exe	cmd.exe
PID 2024 wrote to memory of 1268	2024	048.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\048.exe
"C:\Users\Admin\AppData\Local\Temp\048.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads