sodinokibi | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

31/03/2025, 00:22

250331-apdw1ssjs8 10

28/03/2025, 22:52

250328-2tfd7avl15 10

25/03/2025, 14:57

250325-sb3mbsxxht 10

Analysis

max time kernel
424s
max time network
543s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250313-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250313-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/REvil_08_04_2021_121KB.exe
Size

120KB
MD5

2075566e7855679d66705741dabe82b4
SHA1

136443e2746558b403ae6fc9d9b40bfa92b23420
SHA256

12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
SHA512

312dcb3d83a5201ef16c5027aabd8d7baebfd9761bf9514cafecc8a6936970b897b18b993e056d0f7aec81e6f0ab5756aa5efd3165e43f64692d5dbdb7423129
SSDEEP

1536:bjxXC9jVwbhEW8z3w1R+KjJLRiOQJo0SoLCdpuOk2ICS4Ang6lUgvfYiFyRFywX/:mmV1wKdLoLC/OemUWYjfywpbPa

Score

10^/10

sodinokibi credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\3m3699-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3m3699. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3FEA809B970F0CD2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/3FEA809B970F0CD2 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 0lg1Xem7thazsydUzkf7ZW06GORT5LQoRHYZHhALwoirDLwbyYfPAT4OCrDnkC2c NyeuVHHoBe6TJcQQzENgRwTcZawiaDeeteO/194kwnWQRZUfvLqSuLdUhUmEKrHy Po4M8N26nXAWEB7JWVx3i5shkYBkkBjvIOP+F/e5tvjQJb0prFcEhlUmhVWG98bj qzREOJMff3Kn9tv5VIOT7KZxhS0j3t/EdARXk6PfufNa0Qjm40bozyVgaOHHBwNe 8JSUDpXroKMNOxOGrIFlzJbxkSu07RJJqdtG/jk9ujGjE0E/UBhFADs0fXVa+Pm4 CtcGdF0UFWRaTLe0W9DyDKafbGKA128/uZhAhx3BCl/YfV2SPI8vujiGNHP+j+dH 0lv/ffahBJf0NSPJupQtfnLcD/yBK5HLuSnXizm4mzgY5KAPin0AC2FrOpZukc9A pgEtSUXD8BXWCUE6jkaqTISyTw/mp0/yDT2JkbVFKlUEqt55XmZ4YRhDGgiqOgT/ nD97ZW0sNy2DFSt7g2g0lB6m7b4dSV4zVQY4ga36FcVxISiB9Tew23l3QmCPwkpz tlQgPa4lj79xuSxqLkfoABSYdYb7PHUsBUCXIG4Wg8k/rh0ExcRBuvQTcoANjU8B 28jNl+7aNLsJaik6lCqWrp0xITbLCff7uNoyo5qpHmjuV3mFwmNtzO1/qTDT9L5B nPKQG8tXg0lTQ5OnaZu4sYGds4R0ILapvEyms1VaXSgcMsXxgvrCIxwmmzMvta7I e/4O8XMTWiinDUhVqYDWHXsZ+37x4mQrwwnU620c8CoaIF4LIy8mCcPAoSyb9Vbx /NffXobJKeagJeczpuvt4rtWUQrejHkCRGtD6OvSFMqR+gt/9RSzrksTOBk9NXIg uBFlAnh5t6ZkDvKo6RzWGbj6SNs2M68lNz89wqyFaJpAoTsqQzKj3iYPjnQi1QvL UTrdqu7MX7kVQcitJpn7F/Du4j1oZFn4aE3RhDgVW/j5TW0vrdndu/2xqPCcwrex MuqD6OFHpBQVe/YtpxqWCxhMfHzVjcBIYQxnop1nM6CLvDqdLjFY+jEHNsL/kvag UAnXmV2EbluzBEAbMYlyVMDaSYeCCW6Zftx0lnz95gCMFYSfYunKGkS4i77+uPHP K22EGsvj03rAsO3K0Qt9yh3zbZdTMVEbryhLSHx6oGyMPwSIWwyoxKaV8Mm+5Fa5 c9yaR5w2qLNJafKKxjiibQA7BfdUXscueqoQRDari8TdglSWn2XWZO4UkbwVS8Y9 6sbgE8wwxyHx4DkdlukVI5tLgJcrHsOuE6+jkh9cm4KkU2pmXI9nj5YfGsfPO9Ha lIsIkfYtq2wueHNCjK0JFsZ437aGu0ywFucYXGbcyPEocIuEwdI/Djq4NXeq2pdS ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3FEA809B970F0CD2

http://decoder.re/3FEA809B970F0CD2

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\L:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\W:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\Z:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\E:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\P:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\B:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\D:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\I:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\U:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\Q:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\S:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\V:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\Y:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\F:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\H:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\K:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\M:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\N:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\O:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\R:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\T:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\X:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\A:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\G:	REvil_08_04_2021_121KB.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2366915068-2945093646-1682508031-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q6267s4213kf.bmp"	REvil_08_04_2021_121KB.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\CloseSplit.vssx	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\CompleteInvoke.inf	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\SplitUse.png	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\CompareStart.xltx	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\EnableSync.mpg	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\ExpandLimit.3gpp	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\InstallSync.i64	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\WriteRemove.otf	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\NewPublish.pot	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\SendMerge.xlsx	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\BlockEdit.pub	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\ExitUnblock.vbe	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\ResolveReset.vb	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\SplitJoin.vsw	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\UnprotectAdd.mht	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\BackupSuspend.M2TS	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\CopyMeasure.ini	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\DenyDismount.svg	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\RestartPush.wdp	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\SendStop.scf	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\ApproveConvertTo.xlsx	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\CompleteWrite.xls	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\ResumeWait.htm	REvil_08_04_2021_121KB.exe
File created	\??\c:\program files\3m3699-readme.txt	REvil_08_04_2021_121KB.exe
File created	\??\c:\program files (x86)\3m3699-readme.txt	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\AssertPop.mp4	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\DisconnectPush.wmv	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\ExitFind.jpe	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\PopApprove.mpeg3	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\PopInvoke.edrwx	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\InvokeWrite.jpg	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\AddCheckpoint.iso	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\CheckpointMeasure.m3u	REvil_08_04_2021_121KB.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REvil_08_04_2021_121KB.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1200	REvil_08_04_2021_121KB.exe
1200	REvil_08_04_2021_121KB.exe
1200	REvil_08_04_2021_121KB.exe
1200	REvil_08_04_2021_121KB.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	REvil_08_04_2021_121KB.exe
Token: SeTakeOwnershipPrivilege	1200	REvil_08_04_2021_121KB.exe
Token: SeBackupPrivilege	980	vssvc.exe
Token: SeRestorePrivilege	980	vssvc.exe
Token: SeAuditPrivilege	980	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\REvil_08_04_2021_121KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\REvil_08_04_2021_121KB.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\3m3699-readme.txt

Filesize
7KB

MD5
05499a7ff4e74f46966f469d6b5ebecd

SHA1
345ea92db34da20bee2107049d37f184994bd4b3

SHA256
0734d18b92e2ef59924bc88a9235df615c6c5a69f79aef855c594477972cf1f0

SHA512
baa5ad981ff07be6e3fd5cfb46dd3958c1918490ff63f7a10d574712c961d60e9cdb25973ae8bf36c469918b6ea577c290473994fea9c2e70bf5e00b184f8826

Download Submit