sodinokibi | 7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

General

Target

bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll
Size

166KB
MD5

103f84a7f18492bb17b68cede3a8c53d
SHA1

ed4e3c82883ef862df0a86f858d30fae4bda8cf3
SHA256

1b9dfd1fe17d3783b2ab4a6d583be6fca9ba164d2a1cd6814c710774ec9bd031
SHA512

7bf42382e4c9cdeae9e364a16945366eaebd5ea1859a09d8b8dff5d79593812a07e0037aa54464ae3ec25990b259d87c3c8462391986dbfaff961377972fb512
SSDEEP

3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3QU+lKg0rjCL:NJ0BXScFyfC3Hd4ygPlKjrjC

Score

10^/10

sodinokibi discovery ransomware

Malware Config

Extracted

Path

C:\Users\cgly9643-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome, Radici Products. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension cgly9643. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C63FFA58E7EA44B2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C63FFA58E7EA44B2 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: KmmX/+Ho6it998Qq1Uy+qX72xBFvGHpXMp0B0PbqI7YS07TomlCV9DkRK141ag+b i5Mx7UvOxKpecZxslR1YPAmoGOGPEpB+zoNI2hsXWJf9N1zD0E8OSc5f8zRIL3DD U/TcVt6EkTaAbtZ2pjFNL9IoUWzxc1J6hK+3XjeZJauUTIt0AtENrPIpaFenl3WY kBpNTp9/Qx79ke3ybKSHaHWLOtEiVvqbYhfnHk7Z8elkoX3xJ00WmD3UIAtTO3rM o2jMxGSmIgYF/pTa1Tb1BA5qt3VXfLbgJNie5G6o6ChuFCH2pGhaW+B/AeDwLOKs rKYjFHvia5tVDQLpofy3xP8pNI9X5ykkFQY012bXI5j6l7X1pnXe6Wu8J/u4Kyk+ FzoyUgQL9moioI32yzEZN/BeMQiWRZ9ch/4GgC/F3W1GFPZi6uWe1HYynmXFiJpb eI+h+YxVHTYyBNvXv3v10p3GIx/MDD9enVvu6rTDkHKISLktEDyeyPtGSUysS8gm mIDoT78/5n8mNkwgvWVIa91RC9ucgNHm99PCxs0gUFPTrGX3Nl4TdtK2M0zsaLT8 xzaT/WbbZlfb/SldU8FPgYnCTkbjy51JFhkRSSL9zz1MAiDTc9Bnv4JyNmB+Gk7D vgo5tf5gzW2IkMI+9+eVyswP/qPdIMazklgnTRP79jT6ccTCaKt5wCxPiAaCNFQJ /jA80oKcEUNnjk1NQ2JEXLqCAsMGjfYV0Z5w0U1rasSh74wepAGtO4bUdRMk0OVu gSaxmPzoZ2t5X6H4D7eFQJcLaqVQ4VwDIYEQrqn2vfzJ4a6QP9ArgTN19Sl8F9qF NWu7pgolrcNjbtZPrfcM9fr5RH3hGUwFOgwim36hQGNyRD31Hq0emRljD0lWiwZW U1oqUjtWSmPvB/yRnyJkSSc5nQsoVsdtSHtJhyCsrcR8l3zSPFB4RVr0Du9T3/V+ eazIvWSiI4zGRKxz2roUxNvqR7iQu65NweKnmqVAHkfJ8Hb/99g/ydNs+KW53h6b UOdpV48UounwkwpbPl0PkHKnO9L10ZJKOISHPFxwgdqSf6+4/04/j3qYP/6G9MJV xJ3T4Tr3jiANiPscOVcIC8fXxafQqc4xTN2EmemfRCDoGSWPL14bo7nbDYqI1Ig8 0rPrNPxAR951E3C7MK46/R6aQuUDFY0FdyuorvmIGQUJpnnA0bY5lkkY8bzQGl9K aDij6vjyNeGJ0fK3iNfvoJEApOm9BdkxNBFLR+PWNh+6E4IM0a/ltIRPHpknrtE1 TdwXhQsr1gL+mVVT3tnmNpemwXBzw144ahagNArRZM82eptBeuoQF+qD2ZQMTmej C0MujsL/wX8JIClmUqV0T9x3VH93+R3mJ0FNWFMVS1Urs1R9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C63FFA58E7EA44B2

http://decryptor.cc/C63FFA58E7EA44B2

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\InstallRestart.vsw	rundll32.exe
File opened for modification	\??\c:\program files\StopRevoke.reg	rundll32.exe
File opened for modification	\??\c:\program files\CompleteClear.wav	rundll32.exe
File opened for modification	\??\c:\program files\RequestSearch.dotm	rundll32.exe
File opened for modification	\??\c:\program files\SplitOut.xlsx	rundll32.exe
File created	\??\c:\program files (x86)\cgly9643-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\DenySend.MTS	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\cgly9643-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\InstallStep.docx	rundll32.exe
File opened for modification	\??\c:\program files\SendSuspend.wmv	rundll32.exe
File opened for modification	\??\c:\program files\TestExit.xls	rundll32.exe
File created	\??\c:\program files\cgly9643-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\CloseGroup.tiff	rundll32.exe
File opened for modification	\??\c:\program files\DenyUnlock.xhtml	rundll32.exe
File opened for modification	\??\c:\program files\ExportUndo.mp3	rundll32.exe
File opened for modification	\??\c:\program files\MountDeny.wm	rundll32.exe
File opened for modification	\??\c:\program files\UseSet.tiff	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\cgly9643-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\ProtectCompress.eps	rundll32.exe
File opened for modification	\??\c:\program files\RedoRename.mhtml	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\cgly9643-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\ExportOut.js	rundll32.exe
File opened for modification	\??\c:\program files\NewBlock.inf	rundll32.exe
File opened for modification	\??\c:\program files\WriteLock.scf	rundll32.exe
File opened for modification	\??\c:\program files\DisconnectComplete.rar	rundll32.exe
File opened for modification	\??\c:\program files\NewRepair.M2T	rundll32.exe
File opened for modification	\??\c:\program files\UnblockConfirm.vsd	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2988	rundll32.exe
3032	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	rundll32.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeBackupPrivilege	2888	vssvc.exe
Token: SeRestorePrivilege	2888	vssvc.exe
Token: SeAuditPrivilege	2888	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2988	2972	rundll32.exe	31
PID 2972 wrote to memory of 2988	2972	rundll32.exe	31
PID 2972 wrote to memory of 2988	2972	rundll32.exe	31
PID 2972 wrote to memory of 2988	2972	rundll32.exe	31
PID 2972 wrote to memory of 2988	2972	rundll32.exe	31
PID 2972 wrote to memory of 2988	2972	rundll32.exe	31
PID 2972 wrote to memory of 2988	2972	rundll32.exe	31
PID 2988 wrote to memory of 3032	2988	rundll32.exe	32
PID 2988 wrote to memory of 3032	2988	rundll32.exe	32
PID 2988 wrote to memory of 3032	2988	rundll32.exe	32
PID 2988 wrote to memory of 3032	2988	rundll32.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3032

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\cgly9643-readme.txt

Filesize
6KB

MD5
3da23f21dce3a0e353b6ae2c18632ee0

SHA1
329871fa8464056e8f8c7274da7ada20d2c168e8

SHA256
97a9dfc14b97121b3e3eb1adf776356250048870cf01d7433c3a2df9de8cb0a3

SHA512
aa33b50c9388475680dccb4cad45fcff4d60d251f8a81b9d8a86c4dcb2faaf67029f456f7bb20c5d4cdf1b9416d48e01da889c3382c41135f8c5b117deef2158

Download Submit
memory/3032-4-0x000007FEF600E000-0x000007FEF600F000-memory.dmp

Filesize
4KB

Download
memory/3032-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/3032-6-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/3032-7-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/3032-8-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/3032-9-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing