sodinokibi | 7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

Resubmissions

28-04-2024 18:31

240428-w6cwyaec5v 10

21-04-2024 08:57

21-04-2024 05:45

18-04-2024 19:05

18-04-2024 16:34

04-03-2024 18:33

02-03-2024 17:01

02-03-2024 10:05

Analysis

max time kernel
1561s
max time network
1564s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-03-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Size

166KB
MD5

8d50eacadd7b377722828227a3d30350
SHA1

cbe1881838871f1fa3672b97cec29955b786aba3
SHA256

353ddd0a20aa154923d91052d8ef6c94a32fe9cb1293cde6b8d05b032a79237d
SHA512

8ae9aa227b92c18d8dbb8882d6ee097537f69e8e5700ca25506ca9d3a1d7559b20b27a53ab6aff0812e20201256f5cea8aa008a82861f27d334df638695d9ef8
SSDEEP

3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3QrEz7U4kTyN:NJ0BXScFyfC3Hd4ygovU4s

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\kr6ggp-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension kr6ggp. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/54B95E8908DB6C9C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/54B95E8908DB6C9C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: /8SGFNKGG+/HxHY+AF1wDKbJr3mIRrNgFW5pGM7oQLmjw1ISv+K6eZ58WFygqE3V EiQQV2xiEI+HfXW9YB0lpwhkmtnC1pZxFkZcwXB1+BRP0hlJKr8iIOC2xxFNriK5 LT22reNdxrCQZv0TakbS/EuI7yJMzQVVE1GnZj/s2xYBBFQOCDH1k6jsCGGKf2w5 cO4oMntkhqVIte0LBRmuCHB9z6Y2vUlxppTnm7eRzjft9zPP2jHBXNq4xivcyAm3 wqE/m/qzdI4g4ZHkOb+daYaL+AJBxAE2a29Mjn2rIXZFrfD7zun+g0EfOZ+Ucv4E 4/9nrMWePAYKaryOcFivxeSHi3Homy4C9aB/szCoXBDSHvJibGw2doNJmTJv/eoF OudDkokUeY12z12+NOofNaORy4eyzN5xyw6/VIiteW5FYeknRlmQGWx6kWfHH2sk 2PjbYowX2lxKIdcZmiea+CSdNVCA28/a9YkxvtMPX0r6r+CiYTvmcYtXGGjvVM8R V/ANBXcUpnTwNWBchYPFOuJ9WngC6BJMLyLWgDUnK3vZpNqG96IN24wThcgDc8AQ gf1xMdhBCyOiN9nqZFvOEr9t5BSW6YZpkkPUfjyJa1pSbv/1FNLwJf1aQlSrt8ab TqHvcu++C2eiwUcq++1gKLYLnh8Rcfft7CmQYof6OypMWQ+j4EtKkr18FKyGywwW hvlJ0TQYjxPqJMAEIFJJz3Fb4RCGTDKyOdIO0nDvlc84sAqBP/5l1aTztGxPGIV/ /g2Cu/sO8lTtFsHVZkVLYsdls4k2LmcJzEOFLJtLgc/WK8yl29RyA7zb/6OwQ11X ZwL3R7uUiiMUvqbMjM6f+4ToFYZQPv/s+jOjEm4SCNNta5k9dWctY288hGqXRE8A 5KAPmvR140EkN1OQEOZVBeTH2nnLwjGyYXgmnCutPYQaTlEbTuW/Pyq8ZHXKHJBU YJ8+neWhdEoRKtiC5ie3+RYE8VBt3IC1wSMsBx+NRWjRmvBxOAykRCqu9vDBtYUv 7k/3rwZLmJ113x8xTkf0JyiI3QWVdKuvuDyd3XgNKb8zOT5u11BWR8Mjio+8RtnS 2CDusG/xsmqIvEmefFPqoKnvhOJyXpauAuep/0Gccy0VOKjRfRws3U5/cN2M0Gt7 k2qD+wqI4R3ZGdoY2TDb3LCZav2SX1zMOBpIacbrTfEoEB0Ec6D0BtmnFbt+zQbY ceiy9Z/5HSBEpNAnP7YUNuffxBYsVXnCdlR2b8O8etLeG6WyQgaq6yDTbhISSv2B rdivi9OPFakeOYDGQqlNQZD8CV/3tOeeyOMXlrM4QNpml4Vi9bZmbPWENFbaj0ge u9ofaq8apjNTsVskoId10Il7CAYnUmquH1oTI+BQEKo= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/54B95E8908DB6C9C

http://decryptor.cc/54B95E8908DB6C9C

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	Process
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe

Drops file in Program Files directory 16 IoCs

Processes:

rundll32.exe

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\kr6ggp-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\UseRestart.emf	rundll32.exe
File opened for modification	\??\c:\program files\RepairConnect.png	rundll32.exe
File opened for modification	\??\c:\program files\LimitRestore.wdp	rundll32.exe
File opened for modification	\??\c:\program files\PopEnter.reg	rundll32.exe
File opened for modification	\??\c:\program files\RevokeGroup.odt	rundll32.exe
File opened for modification	\??\c:\program files\UnlockRestore.ttc	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\kr6ggp-readme.txt	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\kr6ggp-readme.txt	rundll32.exe
File created	\??\c:\program files (x86)\kr6ggp-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\CompleteSync.vdw	rundll32.exe
File opened for modification	\??\c:\program files\GroupFind.ppsm	rundll32.exe
File opened for modification	\??\c:\program files\InvokeBlock.bmp	rundll32.exe
File opened for modification	\??\c:\program files\ResumeImport.vbe	rundll32.exe
File opened for modification	\??\c:\program files\UninstallHide.mov	rundll32.exe
File created	\??\c:\program files\kr6ggp-readme.txt	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exepowershell.exe

pid	Process
2420	rundll32.exe
2428	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rundll32.exepowershell.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	2420	rundll32.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeBackupPrivilege	2500	vssvc.exe
Token: SeRestorePrivilege	2500	vssvc.exe
Token: SeAuditPrivilege	2500	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	Process	procid_target
PID 2316 wrote to memory of 2420	2316	rundll32.exe	28
PID 2316 wrote to memory of 2420	2316	rundll32.exe	28
PID 2316 wrote to memory of 2420	2316	rundll32.exe	28
PID 2316 wrote to memory of 2420	2316	rundll32.exe	28
PID 2316 wrote to memory of 2420	2316	rundll32.exe	28
PID 2316 wrote to memory of 2420	2316	rundll32.exe	28
PID 2316 wrote to memory of 2420	2316	rundll32.exe	28
PID 2420 wrote to memory of 2428	2420	rundll32.exe	29
PID 2420 wrote to memory of 2428	2420	rundll32.exe	29
PID 2420 wrote to memory of 2428	2420	rundll32.exe	29
PID 2420 wrote to memory of 2428	2420	rundll32.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\kr6ggp-readme.txt

Filesize
6KB

MD5
19cca32068ce281bc9ad83b64f7aaf79

SHA1
004a492f949db42737a87247af4fefbeaff27218

SHA256
1078e46085f77a0f974f47375b50e18f863508cd29ca49f35b7f55b38bb20d07

SHA512
09e145aa15d708353818c9246fde9459b8db811e3da81599e257d009eeae7232c2833315748198a6428ad81af8e15d03fdc8ab755682749bbd3c0671fff843ed

Download Submit
memory/2428-4-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2428-5-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2428-6-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-7-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2428-8-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-9-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2428-10-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2428-11-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download