Overview

overview

10

Static

static

10

bazaar.202...ge.exe

windows10-ltsc 2021-x64

1

bazaar.202...te.exe

windows10-ltsc 2021-x64

10

bazaar.202...te.exe

windows10-ltsc 2021-x64

10

bazaar.202...te.exe

windows10-ltsc 2021-x64

10

bazaar.202...te.exe

windows10-ltsc 2021-x64

10

bazaar.202...te.exe

windows10-ltsc 2021-x64

10

bazaar.202...te.exe

windows10-ltsc 2021-x64

10

bazaar.202...te.exe

windows10-ltsc 2021-x64

6

bazaar.202...te.exe

windows10-ltsc 2021-x64

10

bazaar.202...te.exe

windows10-ltsc 2021-x64

10

bazaar.202...te.exe

windows10-ltsc 2021-x64

10

bazaar.202...32.exe

windows10-ltsc 2021-x64

7

bazaar.202...32.exe

windows10-ltsc 2021-x64

7

bazaar.202...RC.exe

windows10-ltsc 2021-x64

3

bazaar.202...oad.js

windows10-ltsc 2021-x64

3

bazaar.202...nt.exe

windows10-ltsc 2021-x64

7

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

bazaar.202...in.dll

windows10-ltsc 2021-x64

10

Resubmissions

03/02/2025, 21:57

250203-1t5hmsvmat 10

03/02/2025, 04:37

250203-e896saslgn 10

31/01/2025, 18:35

250131-w8gmxatmc1 10

Analysis

  • max time kernel
    726s
  • max time network
    538s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    03/02/2025, 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll

  • Size

    164KB

  • MD5

    708ef2feaf6fc35f33486111d9c0f97b

  • SHA1

    9d91bfe8fd44ff1d75551807017e634c2b7580d1

  • SHA256

    23d7cd4b0535b40662dc211b4ae28c4b5383c66b4b686064bd391a259da80d48

  • SHA512

    35db49ab278f1c78d7193e8c75d07fd9d66bab62a7f140b451f03b9fe49138525d92ffe08cd155ae4b6ceec4eca91f2253fba71ddf1af5cb6f701d9b3899d04f

  • SSDEEP

    3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfsJmjUm:veoUeZR2TRCWQFfsJmj

Score
10/10
sodinokibidiscoveryransomware

Malware Config

Extracted

Path

C:\Users\6axy1c6ry5-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 6axy1c6ry5. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C2267772BC400EDA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C2267772BC400EDA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: VLiVXyNnCdra90WvvWtLfghTfLgyutBF/xKJ7Aq1WSv+YDU9DbekbNH67R5yuh8/ tZcyzRSyeJYkPTWg2Oa+kxi0zZJTU+8utVYWXwitsnVtWYEu0qitg1FeNNJ+XvMA 21+osf9osfCMBcTMt7NpZMsRfYxK8/GcVfSILvHffpGiFacPnWMvURflI2bPyOYJ DdUt0/yXKSgk+UQ3RBQWOoETUYWiCap1tktNMGq5c5Q+hzryu9SjmXOIju/bVE/d rcz8xEB8w/oh4IYeIN7VNlGO2PMzHsw7IMqDyG0S3v0TOV2XHAKho5e/TgNW/E4N uTJks1sK+T6xMggLBmAYkIHjyfTAriemS+xOdvfvHB3bdRSQbaitTy1LKoUFcQBP qwvpC0JpPKmZz0z3YndVHqL+5m0ZNPs8/BO56lAUGVgYjQ+Q34NpTNN9dCQt9bcD 9OAi0uHQgMWKmcAFPAgVkUuCbED3z1PkOxQ+HPqkkvsMIbtoDlWQt54WMp4c8jnX 0Rr4XDedQjoK/+5ZHe1dVaG2SyHv6/6ScdZjDwDGTcldY0JCCaIak6T4H/aWlZqR HKv3LTznoG9WhQm83w8o5dF5wMal9YyHXGpH+fsjsW6QaZSjoxGm3gjJAL+ji39r wMnMekE2L5npwue5JhSVrHyBrGbdxqTNoP1YZPyX4AJ2GfxP4Rvnrkc0N2BVZFL6 1BetT5X+gJIPNkU5ZWJ9kjPzwQC6TENE06ii8lBKp9sN8J7E9trNSL+wB3U5zowg re1bfWCeL07axSWGp2nFudr7/yjJVmKLuOo6cJ8wWSiX9qw210jr+px2VibpHADB 4uGE1l7ZaffmQlqEcIGyyHvcxll8GpbvpRSxdv6YHA24bBOgbGESdMOaMjN4T9W0 pgIjOEUxekTE4CL6VhytgbsirwMQsdv+rejJ/h3gbJXYTO3chCPSTU8sBqIigtq8 etm9AY4piU27iMlgTtZIXYjKcxrdJZ+Rj6UZtLzVH0JUL5YzC9KR2Kh50YVHVmNF J0w+9vmLP/QhlaJoORYtJzxBfvG+T9/a7uu6BIgFvVWr6Sm5pifyq3B/6qFwbPvd jGiEnKuE46oR65e8QpJRnTYoU5ONqL3rZ89hqsGr41vZczVieC4hzkBzJ9Qvj/hM jReCcUfHXpXEjxu+2cP0vKpGJP1F9sIiDUkwKl+8Nc8Gzm3uGSDxDZ/45E2WYrBV 9pqP8MfEFGqA0jEJTrncHC2i5dsZj0Z6XkIvs+oxrvNEemwn2iwYChzhV2EkHA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C2267772BC400EDA

http://decryptor.cc/C2267772BC400EDA

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 26 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:236
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2728
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\6axy1c6ry5-readme.txt
      Filesize

      6KB

      MD5

      6833dbb8205a30275205862151872584

      SHA1

      375677f224fca51b698239de7a89c42c81f8c72d

      SHA256

      a15b08accea55500b5b5d7d8ccde6b068003188cdd9c600f29ff0d73bf12e8df

      SHA512

      316817893ff5a0a81643b256167e2e45f723f18f88602db58a47f5d5640d847e5f8aec21d7305c502b26eabab7088d86e5edfaf3ade69ed593d54f09c9715d2d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arndjnqz.kgk.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/236-0-0x00007FFEBB3C3000-0x00007FFEBB3C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/236-6-0x00000147F45C0000-0x00000147F45E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/236-11-0x00007FFEBB3C0000-0x00007FFEBBE82000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/236-12-0x00007FFEBB3C0000-0x00007FFEBBE82000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/236-13-0x00007FFEBB3C0000-0x00007FFEBBE82000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/236-16-0x00007FFEBB3C0000-0x00007FFEBBE82000-memory.dmp

      Filesize

      10.8MB

      Download