Overview

overview

10

Static

static

10

bazaar.202...ge.exe

windows11-21h2-x64

1

bazaar.202...te.exe

windows11-21h2-x64

10

bazaar.202...te.exe

windows11-21h2-x64

10

bazaar.202...te.exe

windows11-21h2-x64

10

bazaar.202...te.exe

windows11-21h2-x64

10

bazaar.202...te.exe

windows11-21h2-x64

10

bazaar.202...te.exe

windows11-21h2-x64

10

bazaar.202...te.exe

windows11-21h2-x64

bazaar.202...te.exe

windows11-21h2-x64

10

bazaar.202...te.exe

windows11-21h2-x64

10

bazaar.202...te.exe

windows11-21h2-x64

10

bazaar.202...32.exe

windows11-21h2-x64

7

bazaar.202...32.exe

windows11-21h2-x64

7

bazaar.202...RC.exe

windows11-21h2-x64

1

bazaar.202...oad.js

windows11-21h2-x64

3

bazaar.202...nt.exe

windows11-21h2-x64

7

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

bazaar.202...in.dll

windows11-21h2-x64

10

Resubmissions

28-04-2024 18:31

240428-w6cwyaec5v 10

21-04-2024 08:57

240421-kwwqhsfh8z 10

21-04-2024 05:45

240421-gfvazacf82 10

18-04-2024 19:05

240418-xry2ascb73 10

18-04-2024 16:34

240418-t3alashf75 10

04-03-2024 18:33

240304-w7b12ahg61 10

02-03-2024 17:01

240302-vjn51sff57 10

02-03-2024 10:05

240302-l4xhfscc7v 10

Analysis

  • max time kernel
    145s
  • max time network
    156s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21-04-2024 05:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll

  • Size

    164KB

  • MD5

    722e15d85827d3ac13e56e8108688012

  • SHA1

    cab935a24d7d0ea7e8d93851f7ea94ab9bccfc34

  • SHA256

    578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1

  • SHA512

    59e24cf313db4413f44f16a8276d072f43402e718c25e1d00e81ddc69a1937473cfd1902c320bc9175d75a0d43a53ab3e971b8447ec1cf9cf9aa3aa536464273

  • SSDEEP

    3072:BrX1t2U05pbJ5xhxY9doh7O79siUs/NaT8Sp:BrltH05f5v2i7O93No7

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Users\4v5z3o8-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 4v5z3o8. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E54FBA4B20552B63 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/E54FBA4B20552B63 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: T10z1YpPOUUYpO5o3MnyrJ5xJoXaGlbGSsfR2hq0GclOT/y1UDsRKELVfmmye1QR B+svbyaxRybN8ZJzaPuVt1KWVj677iaJeAtvJKdt/ZeatyWgMYxQdDZj63R0oSkP YirHUjEoxyKMCLdCFIaEmIlQq2KHe0z1+FD+RnyYGkyLqEgZ7fC/BGkP96tfkJVS h8BnF7r9k290ecreN8GdNZFDnwTqpLqggnfxaMP9UCpZG6nlzblMZGBM7GY7Wcx5 W2Ic7VM9eQ7jFaezy05p8++ck7fEAeHT43l8AQ5woeuVNpoabOEuMH32WOv0iuB2 THSz6xHmSFerKTFT2DSq9nkFuiFiGpdP8ufs+6oheU5OFfGeBCBUDjwBtqQqJeFI 3JlZ7iFiay2LPb24rTc1nHdczMILg2Pest+IUaaKkJVHixmycIEo1zMGl30xUE36 N0fnT9ZeL1Ez3vlcHuYenD+pkStvGwZEIBScz3iRrqqv9L8m05wYQ54pY4eywZZH Z4I4BT0ZsIXw8KZi2d+cX194KS7lPpHNO5CXpNmKG9TjfbucPY3U5dPvk20OAgYK 4u6A94Q8odC2w5BuE7JCJDnjMXfLFtR5GUvJk48jKZWbqwzke36mkbpDEgC6oPqQ eGrymc6U20aH8e5G4HHMV9+M2kVCHTi/nOd0iPX3vYheWoVHo3R5XvWcLKeKll1P l0pkd2E2TBCZksE4XpaUxF8h+VFBJhmdbMf4XyzffAR88Vl/JYcskHxeB7X9tCnZ KzHwP2u6wbZgQ3cCQ9m4RZJd5hE1iNYrjiRYEFiSd4qxlAk8h3esc8N9xiEMs/BA 8Q7EDMe/bc/Eyit8xhm4RUwHzdNPNj745LhYkqd0Pdwy7MrdBO2RyGIIf3aD5gSd 7Ow8o54liybD7Eq88JSOzcxfh/YYFQsMLLBdL4purnaa+N836fK1iJssS8JVvnrd WF+gZrfKEW6fEDUhzHQPRldEdXwtB3dMYf/bDM9tilZ0Lw8q2mL0Bsk65MBqmRuZ xFIZeYbdT7K7m/lwjTVZ9sPyjpvSuj+2YzzSEQoI/bJYAJRWxyaS8wc6PjH+8OFf ORSuBOml38p/z2PKAVMnP9VY2mfyeuAn1yyZM9y285QW1Iqxe6dfAzGpBvQtJjjZ o1ZN78fqDasOz9OqTExreAEpGY5e6Njy+DQtgMHRFIQvGsjyDKVCKqvSwsKwcBUc h8ef4yYFi+j0j+jy3jaL/ndAGeI= Extension name: 4v5z3o8 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E54FBA4B20552B63

http://decryptor.top/E54FBA4B20552B63

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4216
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3052
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3660

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\4v5z3o8-readme.txt
      Filesize

      6KB

      MD5

      95edd569d831a96f14eea0f92c58a743

      SHA1

      18f90356878b476c55b2ee69bacc5587dc5ce4c9

      SHA256

      dad2bd48cf03b98b4af870ef6ae2572cf8a7e734671acd85efe91ff1b9bd3a1e

      SHA512

      dea8412b10b109c6a416da691ebd43a3bb58e02f75b2f0f44ef296b283be61e155acb4ed57d5051a5071bb82c9ba08de3e1752fa726270997ad5cf6e9f5683e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rcaxwhey.irm.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/4216-8-0x000001FB69330000-0x000001FB69352000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4216-9-0x00007FFC56F10000-0x00007FFC579D2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4216-11-0x000001FB51280000-0x000001FB51290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4216-12-0x000001FB51280000-0x000001FB51290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4216-10-0x000001FB51280000-0x000001FB51290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4216-15-0x00007FFC56F10000-0x00007FFC579D2000-memory.dmp

      Filesize

      10.8MB

      Download