Overview

overview

10

Static

static

10

bazaar.202...ge.exe

windows7-x64

1

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

6

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...te.exe

windows7-x64

10

bazaar.202...32.exe

windows7-x64

7

bazaar.202...32.exe

windows7-x64

7

bazaar.202...RC.exe

windows7-x64

1

bazaar.202...oad.js

windows7-x64

3

bazaar.202...nt.exe

windows7-x64

7

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

1

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

10

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

6

bazaar.202...in.dll

windows7-x64

10

Resubmissions

28-04-2024 18:31

240428-w6cwyaec5v 10

21-04-2024 08:57

240421-kwwqhsfh8z 10

21-04-2024 05:45

240421-gfvazacf82 10

18-04-2024 19:05

240418-xry2ascb73 10

18-04-2024 16:34

240418-t3alashf75 10

04-03-2024 18:33

240304-w7b12ahg61 10

02-03-2024 17:01

240302-vjn51sff57 10

02-03-2024 10:05

240302-l4xhfscc7v 10

Analysis

  • max time kernel
    1561s
  • max time network
    1564s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll

  • Size

    166KB

  • MD5

    8d50eacadd7b377722828227a3d30350

  • SHA1

    cbe1881838871f1fa3672b97cec29955b786aba3

  • SHA256

    353ddd0a20aa154923d91052d8ef6c94a32fe9cb1293cde6b8d05b032a79237d

  • SHA512

    8ae9aa227b92c18d8dbb8882d6ee097537f69e8e5700ca25506ca9d3a1d7559b20b27a53ab6aff0812e20201256f5cea8aa008a82861f27d334df638695d9ef8

  • SSDEEP

    3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3QrEz7U4kTyN:NJ0BXScFyfC3Hd4ygovU4s

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Users\kr6ggp-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension kr6ggp. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/54B95E8908DB6C9C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/54B95E8908DB6C9C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: /8SGFNKGG+/HxHY+AF1wDKbJr3mIRrNgFW5pGM7oQLmjw1ISv+K6eZ58WFygqE3V EiQQV2xiEI+HfXW9YB0lpwhkmtnC1pZxFkZcwXB1+BRP0hlJKr8iIOC2xxFNriK5 LT22reNdxrCQZv0TakbS/EuI7yJMzQVVE1GnZj/s2xYBBFQOCDH1k6jsCGGKf2w5 cO4oMntkhqVIte0LBRmuCHB9z6Y2vUlxppTnm7eRzjft9zPP2jHBXNq4xivcyAm3 wqE/m/qzdI4g4ZHkOb+daYaL+AJBxAE2a29Mjn2rIXZFrfD7zun+g0EfOZ+Ucv4E 4/9nrMWePAYKaryOcFivxeSHi3Homy4C9aB/szCoXBDSHvJibGw2doNJmTJv/eoF OudDkokUeY12z12+NOofNaORy4eyzN5xyw6/VIiteW5FYeknRlmQGWx6kWfHH2sk 2PjbYowX2lxKIdcZmiea+CSdNVCA28/a9YkxvtMPX0r6r+CiYTvmcYtXGGjvVM8R V/ANBXcUpnTwNWBchYPFOuJ9WngC6BJMLyLWgDUnK3vZpNqG96IN24wThcgDc8AQ gf1xMdhBCyOiN9nqZFvOEr9t5BSW6YZpkkPUfjyJa1pSbv/1FNLwJf1aQlSrt8ab TqHvcu++C2eiwUcq++1gKLYLnh8Rcfft7CmQYof6OypMWQ+j4EtKkr18FKyGywwW hvlJ0TQYjxPqJMAEIFJJz3Fb4RCGTDKyOdIO0nDvlc84sAqBP/5l1aTztGxPGIV/ /g2Cu/sO8lTtFsHVZkVLYsdls4k2LmcJzEOFLJtLgc/WK8yl29RyA7zb/6OwQ11X ZwL3R7uUiiMUvqbMjM6f+4ToFYZQPv/s+jOjEm4SCNNta5k9dWctY288hGqXRE8A 5KAPmvR140EkN1OQEOZVBeTH2nnLwjGyYXgmnCutPYQaTlEbTuW/Pyq8ZHXKHJBU YJ8+neWhdEoRKtiC5ie3+RYE8VBt3IC1wSMsBx+NRWjRmvBxOAykRCqu9vDBtYUv 7k/3rwZLmJ113x8xTkf0JyiI3QWVdKuvuDyd3XgNKb8zOT5u11BWR8Mjio+8RtnS 2CDusG/xsmqIvEmefFPqoKnvhOJyXpauAuep/0Gccy0VOKjRfRws3U5/cN2M0Gt7 k2qD+wqI4R3ZGdoY2TDb3LCZav2SX1zMOBpIacbrTfEoEB0Ec6D0BtmnFbt+zQbY ceiy9Z/5HSBEpNAnP7YUNuffxBYsVXnCdlR2b8O8etLeG6WyQgaq6yDTbhISSv2B rdivi9OPFakeOYDGQqlNQZD8CV/3tOeeyOMXlrM4QNpml4Vi9bZmbPWENFbaj0ge u9ofaq8apjNTsVskoId10Il7CAYnUmquH1oTI+BQEKo= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/54B95E8908DB6C9C

http://decryptor.cc/54B95E8908DB6C9C

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2172
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2500

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\kr6ggp-readme.txt
      Filesize

      6KB

      MD5

      19cca32068ce281bc9ad83b64f7aaf79

      SHA1

      004a492f949db42737a87247af4fefbeaff27218

      SHA256

      1078e46085f77a0f974f47375b50e18f863508cd29ca49f35b7f55b38bb20d07

      SHA512

      09e145aa15d708353818c9246fde9459b8db811e3da81599e257d009eeae7232c2833315748198a6428ad81af8e15d03fdc8ab755682749bbd3c0671fff843ed

      Download Submit
    • memory/2428-4-0x000000001B750000-0x000000001BA32000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2428-5-0x0000000002290000-0x0000000002298000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2428-6-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2428-7-0x0000000002CF0000-0x0000000002D70000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2428-8-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2428-9-0x0000000002CF0000-0x0000000002D70000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2428-10-0x0000000002CF0000-0x0000000002D70000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2428-11-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp
      Filesize

      9.6MB

      Download