sodinokibi | f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554

max time kernel
65s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v2.exe
Size

121KB
MD5

944ed18066724dc6ca3fb3d72e4b9bdf
SHA1

1a19c8793cd783a5bb89777f5bc09e580f97ce29
SHA256

74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f
SHA512

a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3
SSDEEP

1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY

Score

10^/10

sodinokibi credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Recovery\j01d0g93v2-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension j01d0g93v2. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BC1326926F493EAB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/BC1326926F493EAB Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: zEmDZ56Cl2huOkd4bVXEG7qJp6z6IldITYxEwjwj7x+D5hhwD/74eoNV5DRXdCbx RSY4eyewIjnrwStslFwDNtmtTwnsBrECpkr9JEX3vIxkr8BNjWNoBSu+zZdHjjqA 1ZMrnRHfAowcapUqN5NqyolAl1+ZhNXz4LQZv+9AU3Jez47xxu0dBjCuIZd8v/5N jfGGMU0VxGlVbjbKQMcaD6Q6k06DcOh0wXvtIO3X56GH12L7YAJqeqOpql7nr5LM 6E0V89kKx7rifIKGl7tZA0+QpMAEVTQ/s08l3LOCArSASEP2pkIC7Brysd/Awp1n ZvEZz1GgWXuV7VVmPmIbeFEp96u1gaM8aif150lujC7i/NWOs2ocQO1xtiQFp4YJ VxM7CziKxn3pl83/h3yn+u8W6XhR+GgoWItR2FiJTl+jQbTHWnyJtGuwJQVoL8BW /0b+jHelrMS13RCsj48q8L1EDGKiJUKT1NsbYBvv7lebhiDgLCUJTV0ae2dmJwkl roV0+eKRw3kGyk/daqe5MNizTcQD/D8CWS5F2oVBLrRyhkNVthtagssFc/zlhSyl pTv3ZqZG4SDS0xWifHdQvionImO+OUa+CIp2IYZdzVDPgVYD5dShBxkszhw3FIqX VsZveymDx1SjY7wq0nqD4dPpaRRGkUSk09D13s0MunJw2vj0o4o3be55ZPxRnmNS KCpv13lVzLar35b5Tra7sZ2rdgvwUJ2ycJ690ktKi6E6QpjGZJbdr1kiwtorCNNz Sql+jUbgVwJR8ub+NNnki14sfjRw0iIVRZqcL6ctvznGsyciJsZ3ufxpC5s98qYd DDOju7SmmuX2muCOrY0mzZvMSQsjPoOAxwSjbol//kaKEq0j77jvcpaIyKbw3Viv ZOQ90HMLs2Wpmr8TWRJ2Pqb3glB0Pa3dQJLPEWSPuV5hQg9Pw3GwzttTHCfQItQN j6hdgaviycjSN/UbiMXrajuBW7nPgeJWU72lSLa3V8lbBRT2em2wW+nAMhZkmB/x LGBs20snbq0W+ow77Kz4zCxa3h9Fp0Gzs/yjqyJ62pkV+0+b5bjDgARfFWLqDj0R OaEM4Aulw+2KFdy8h9ca8cZZMTQ4uixRxEk1cAyv9reK8jpEBeGsLGC9X/4WDDAV bfbbZlhQ1X9RQdqNMqE29dQPb2RuUgXg9Ddir6wPWe7I0TZrUzjnuc7qYSjKeBst HEKB0nBkktOwyqBqMAwA7r4Yv5HBf1NkDB44HwSyPCVLQbIcydWuoIGbzNMsvAOd 4tYzEPH1O0sEvXqVspJjzG7gz8D4ncreCSyXCgB1nDNb5r0i8yLjKGBbQdG/io0S POcUH8WkR11IDFhoUXcsf81vzquLuPBdzZqO9JWX45a453Y9 ----------------------------------------------------------------------------------------- We will use the data gathered from your systems in future campaigns in 14 days !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BC1326926F493EAB

http://decoder.re/BC1326926F493EAB

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\j01d0g93v2-readme.txt	v2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	v2.exe
File opened (read-only)	\??\E:	v2.exe
File opened (read-only)	\??\G:	v2.exe
File opened (read-only)	\??\I:	v2.exe
File opened (read-only)	\??\J:	v2.exe
File opened (read-only)	\??\O:	v2.exe
File opened (read-only)	\??\P:	v2.exe
File opened (read-only)	\??\L:	v2.exe
File opened (read-only)	\??\M:	v2.exe
File opened (read-only)	\??\S:	v2.exe
File opened (read-only)	\??\T:	v2.exe
File opened (read-only)	\??\A:	v2.exe
File opened (read-only)	\??\W:	v2.exe
File opened (read-only)	\??\X:	v2.exe
File opened (read-only)	\??\Z:	v2.exe
File opened (read-only)	\??\H:	v2.exe
File opened (read-only)	\??\K:	v2.exe
File opened (read-only)	\??\N:	v2.exe
File opened (read-only)	\??\Q:	v2.exe
File opened (read-only)	\??\R:	v2.exe
File opened (read-only)	\??\U:	v2.exe
File opened (read-only)	\??\V:	v2.exe
File opened (read-only)	\??\Y:	v2.exe
File opened (read-only)	\??\F:	v2.exe
File opened (read-only)	\??\D:	v2.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\ReceiveHide.wvx	v2.exe
File opened for modification	\??\c:\program files\RestartAssert.mht	v2.exe
File opened for modification	\??\c:\program files\TestWrite.emz	v2.exe
File opened for modification	\??\c:\program files\UpdateCompress.xltx	v2.exe
File opened for modification	\??\c:\program files\MeasureDeny.pot	v2.exe
File opened for modification	\??\c:\program files\PublishRegister.doc	v2.exe
File opened for modification	\??\c:\program files\UpdateUndo.aifc	v2.exe
File opened for modification	\??\c:\program files\StartClear.temp	v2.exe
File opened for modification	\??\c:\program files\ConnectMeasure.wma	v2.exe
File opened for modification	\??\c:\program files\InitializeApprove.svgz	v2.exe
File opened for modification	\??\c:\program files\ResumeSend.php	v2.exe
File opened for modification	\??\c:\program files\SplitEdit.mp4v	v2.exe
File opened for modification	\??\c:\program files\ConfirmSplit.png	v2.exe
File opened for modification	\??\c:\program files\DismountTest.aifc	v2.exe
File opened for modification	\??\c:\program files\HideSave.nfo	v2.exe
File opened for modification	\??\c:\program files\SyncDisconnect.mpeg2	v2.exe
File opened for modification	\??\c:\program files\UnregisterSuspend.otf	v2.exe
File opened for modification	\??\c:\program files\WaitLock.easmx	v2.exe
File created	\??\c:\program files\j01d0g93v2-readme.txt	v2.exe
File created	\??\c:\program files (x86)\j01d0g93v2-readme.txt	v2.exe
File opened for modification	\??\c:\program files\EnableBackup.cfg	v2.exe
File opened for modification	\??\c:\program files\OptimizeMeasure.wax	v2.exe
File opened for modification	\??\c:\program files\ResumeSync.potm	v2.exe
File opened for modification	\??\c:\program files\JoinUninstall.pptm	v2.exe
File opened for modification	\??\c:\program files\MergeProtect.DVR-MS	v2.exe
File opened for modification	\??\c:\program files\RepairUnlock.midi	v2.exe
File opened for modification	\??\c:\program files\ResolveAdd.wm	v2.exe
File opened for modification	\??\c:\program files\CompareRestore.mpg	v2.exe
File opened for modification	\??\c:\program files\CompressNew.wps	v2.exe
File opened for modification	\??\c:\program files\ResetOptimize.ADT	v2.exe
File opened for modification	\??\c:\program files\SwitchOut.jpeg	v2.exe
File opened for modification	\??\c:\program files\BackupExport.xlsm	v2.exe
File opened for modification	\??\c:\program files\StartDisable.xla	v2.exe
File opened for modification	\??\c:\program files\UnblockRemove.rtf	v2.exe
File opened for modification	\??\c:\program files\UseNew.temp	v2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3972	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2524	v2.exe
2524	v2.exe
2524	v2.exe
2524	v2.exe
2524	v2.exe
2524	v2.exe
2524	v2.exe
2524	v2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	v2.exe
Token: SeTakeOwnershipPrivilege	2524	v2.exe
Token: SeBackupPrivilege	1148	vssvc.exe
Token: SeRestorePrivilege	1148	vssvc.exe
Token: SeAuditPrivilege	1148	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5916	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe
5148	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5148 wrote to memory of 3972	5148	OpenWith.exe	107
PID 5148 wrote to memory of 3972	5148	OpenWith.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\v2.exe
"C:\Users\Admin\AppData\Local\Temp\v2.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\j01d0g93v2-readme.txt
1⤵
PID:5136

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\j01d0g93v2-readme.txt
1⤵
PID:5240

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\j01d0g93v2-readme.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:5916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\j01d0g93v2-readme.txt
1⤵
PID:5952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5148
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SubmitRequest.xlsx.j01d0g93v2
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\j01d0g93v2-readme.txt

Filesize
7KB

MD5
873370cd3f55309fb37ccba8c844a0ba

SHA1
cb32e3761e5d2ff8aadae03a68a01848ec894359

SHA256
ceb35a32a48e47797e40a0955b326fc875cc7fd64767ba0918feae5d411a93f8

SHA512
1e02c09ed9b19fd042555a166a3981ccd2916a99728fbe0ee52aeaec40fb46577c52731cc7410be85c3e40c7e2993bad9834018b090365aa474beb6e17af8177

Download Submit
C:\Users\Admin\Desktop\SubmitRequest.xlsx.j01d0g93v2

Filesize
10KB

MD5
df3733b93cae053384b3fca542ddb837

SHA1
76a98a5f4e37be8e77d6237854bf9bccafc95ab2

SHA256
5389aab9a03188903834772f3adde32b12e855cdc586f17fe3290258ab780cd8

SHA512
fe66260739fbf1d5f54fef11421b753c5c43e89ecaa769ff20c3a67a551d5632271ea03a9ee5238773eaae5978ec921a675fc23a090e1e861bf281431db06031

Download Submit