sodinokibi | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

31/03/2025, 00:22

250331-apdw1ssjs8 10

28/03/2025, 22:52

250328-2tfd7avl15 10

25/03/2025, 14:57

250325-sb3mbsxxht 10

Analysis

max time kernel
535s
max time network
556s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
31/03/2025, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/REvil_08_04_2021_121KB.exe
Size

120KB
MD5

2075566e7855679d66705741dabe82b4
SHA1

136443e2746558b403ae6fc9d9b40bfa92b23420
SHA256

12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
SHA512

312dcb3d83a5201ef16c5027aabd8d7baebfd9761bf9514cafecc8a6936970b897b18b993e056d0f7aec81e6f0ab5756aa5efd3165e43f64692d5dbdb7423129
SSDEEP

1536:bjxXC9jVwbhEW8z3w1R+KjJLRiOQJo0SoLCdpuOk2ICS4Ang6lUgvfYiFyRFywX/:mmV1wKdLoLC/OemUWYjfywpbPa

Score

10^/10

sodinokibi credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\8r29n1h-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8r29n1h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F9F73AF08007CFEB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/F9F73AF08007CFEB Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Y0sN7rsQTCf0ErEyuAoXANTs7PvAXJIhwBh4aOBF7RRNh6C7kTHOoDA/LzK0gyWq 50lFSbgo+mq9+bZQrQtMFSDJanyOivM0CO++Q1OEH+1UEotCb03IOaI48IvEg89R Rr7yn41MRxJbQ1v9ic4VoG4E/78Rx7moyY7IeqAzG48Re5dR0RS6zMlGSBtiBNR7 lM4hYY8PDjMPc1cUnMM9m4tHuCdWXNi6SDdZ9yxMV+5g2izIcm6nUKoIEdJFdlfC xJEYseSNe53s6M+DRtykoRbDIEANN0u8dBuQIACPeHFjlrzKUetVMa+0zOAa+GHz Rq/+I1S118/gZFtRBIkUS7nA1QJWX0ouU/B/lD6hHAP4TEH8nOBUY5ZP3T9YVpbi mQK+X1gEfUlsU71vWvQbkg3R7UYhYRexsGipJAkh6xUydy6v12Il+M0AauhtnD1v 1aH4VqvxBif6FKSbjoXK7mMm7yGmNUAJF6xsZhOv5+2im5KId9yrLoSNTKA8J88c iQpMRttyxrUko2uN4LFVoOojtt7uNtYG8FdbClKje9i054YFfsH36ub7qh+VBa9Z /6N6IkT2zCoPFvdMzm1zwO5KnRik+gotUEfkJFP25b9jevrlXSM8WMDbsv+y584f OaxXHJ562HVKrmjGL1dKxKrEfdvJtaPyksuYqeotk3YexshqIj10t46sRDRmkCv5 Z5oAIRUUAZMWaPY3OVkbfjx/amI3TZ+5a1OcMppZnk9imHGbDsRUNcFQARTci2XC /fsK0FLYRMqO6cvNPgEGm1Dso5txRFuEi8fDGMVcOcKZo2j3AteOKAZZja1q/y4K jCVUJoVEmptKe46wUubq7kZxZjhEIYHBgvtdSXKBe7cO7nW+L1qYyxfBqxGkE0Ya 5O9ShYDwcHBFYJjqn8zxYfvG3yYbgts6ydfe07uwPnfMRgh+jbLyB29llq2sWobm nhjiL8x9/vBcKDalSzWI/a6ACbhgheemQMe7m7aUb55VWhe7YyHxRu15xebZsRVL o+QKwWsdA5xp44bqbZ2yJtT+C6Cv4dx/q1DZVtYMugbuVXqqHqXvLvKA4N9qo/1t 7Rc/gOAYD92IRUOMkO86EUcApQYFtvrAxXMrVuC1IEhEQvpQ/AOXXhRwcA1dqN5g OO4KrDoFSksOKEVt1luLoxl771e+eZob4tK7VbWZtXQk+5cdqHxhEcgeKR+i/udy mfZevyY/by9IMifp2+FeaD0SAphw+fUeZzD01aHLxcQrjHmHpZXfE84jSnmdAcA1 eSk2oROlJ+nJgXSaUlF/jVYHePQbsa6GAuROboid9qhg+MHF5C7AJnom2pcLhRyr ci4wFJP0CZJUUctrnzb4BfDOKTxViyU5b6sUYeBFIkpyA3itMTDwQOskxb5kggOz Qt0= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F9F73AF08007CFEB

http://decoder.re/F9F73AF08007CFEB

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\U:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\W:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\Y:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\B:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\I:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\J:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\L:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\P:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\V:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\G:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\H:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\M:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\N:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\F:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\K:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\S:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\T:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\X:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\Z:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\E:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\A:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\D:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\O:	REvil_08_04_2021_121KB.exe
File opened (read-only)	\??\Q:	REvil_08_04_2021_121KB.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p2g0p910ey.bmp"	REvil_08_04_2021_121KB.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\RestoreGrant.css	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\ClearMount.easmx	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\CompressPop.shtml	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\PopDismount.mpeg2	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\ReadRepair.ini	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\ResizeInitialize.mpeg3	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\SkipRestore.pps	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\WaitApprove.ttc	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\WaitCheckpoint.asx	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\EnableRestore.dxf	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\OptimizeConvert.ADT	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\RenameSend.ttc	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\TraceFind.dwfx	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\UnlockDebug.jpeg	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\UnprotectRename.svgz	REvil_08_04_2021_121KB.exe
File created	\??\c:\program files\8r29n1h-readme.txt	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\FormatConnect.eps	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\NewSelect.rle	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\SubmitDismount.rle	REvil_08_04_2021_121KB.exe
File created	\??\c:\program files (x86)\8r29n1h-readme.txt	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\AddSubmit.AAC	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\OptimizeReceive.wmv	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\RegisterDisconnect.M2T	REvil_08_04_2021_121KB.exe
File opened for modification	\??\c:\program files\RepairInstall.xml	REvil_08_04_2021_121KB.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REvil_08_04_2021_121KB.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
6092	REvil_08_04_2021_121KB.exe
6092	REvil_08_04_2021_121KB.exe
6092	REvil_08_04_2021_121KB.exe
6092	REvil_08_04_2021_121KB.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	6092	REvil_08_04_2021_121KB.exe
Token: SeTakeOwnershipPrivilege	6092	REvil_08_04_2021_121KB.exe
Token: SeBackupPrivilege	6084	vssvc.exe
Token: SeRestorePrivilege	6084	vssvc.exe
Token: SeAuditPrivilege	6084	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\REvil_08_04_2021_121KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\REvil_08_04_2021_121KB.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\8r29n1h-readme.txt

Filesize
7KB

MD5
66b71191618405342d88e6d3152ca5a1

SHA1
9713733fb61d699d06012201e421eb88145227c6

SHA256
0ef21e9e7b634edafc352d6634758f7cf5ed71f59b0b47691cce41772c4fb19b

SHA512
8bd03ebaca60301bc8e35db9d700a8a52e62e404c11856083ee67436fbb4d6e309af20a75c687bfa5d75fd4262b98229360503623a7cdf0adc5f63a0eda8266b

Download Submit