Overview

overview

10

Static

static

10

bazaar.202...ge.exe

windows10-2004-x64

1

bazaar.202...te.exe

windows10-2004-x64

10

bazaar.202...te.exe

windows10-2004-x64

10

bazaar.202...te.exe

windows10-2004-x64

10

bazaar.202...te.exe

windows10-2004-x64

3

bazaar.202...te.exe

windows10-2004-x64

10

bazaar.202...te.exe

windows10-2004-x64

10

bazaar.202...te.exe

windows10-2004-x64

7

bazaar.202...te.exe

windows10-2004-x64

10

bazaar.202...te.exe

windows10-2004-x64

10

bazaar.202...te.exe

windows10-2004-x64

10

bazaar.202...32.exe

windows10-2004-x64

7

bazaar.202...32.exe

windows10-2004-x64

7

bazaar.202...RC.exe

windows10-2004-x64

10

bazaar.202...oad.js

windows10-2004-x64

3

bazaar.202...nt.exe

windows10-2004-x64

7

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

bazaar.202...in.dll

windows10-2004-x64

10

Resubmissions

14/04/2025, 17:40

250414-v89s1swlw9 10

05/02/2025, 06:51

250205-hmnx7swpgk 10

05/02/2025, 06:49

250205-hlsvrswpdj 10

28/04/2024, 18:31

240428-w6cwyaec5v 10

21/04/2024, 08:57

240421-kwwqhsfh8z 10

21/04/2024, 05:45

240421-gfvazacf82 10

18/04/2024, 19:05

240418-xry2ascb73 10

18/04/2024, 16:34

240418-t3alashf75 10

Analysis

  • max time kernel
    435s
  • max time network
    437s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/04/2025, 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bazaar.2020.02/HEUR-Trojan-Ransom.Win32.Sodin.dll

  • Size

    166KB

  • MD5

    acbd7cf1df4ef4e2c4812747cd443e66

  • SHA1

    9e386231a88ffafb3597fddfa909289febf105df

  • SHA256

    218ad6e33041a0bdb60c8de03e7dcdf42e5392e106a4b5b0436cdaa02a8dd2c9

  • SHA512

    8f116add8d2108ad314221bb4fb77308884c849d8f614f140ca7d989e481b4024afa37a768d20257296c0a6715ca8bb1341081eb896a6045617ea4e403b676f5

  • SSDEEP

    3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3Q3VMg7UEgZp6:NJ0BXScFyfC3Hd4yg3V5K

Score
10/10
sodinokibidiscoveryransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\2e0oqa9a-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2e0oqa9a. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F56037CFC935B019 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F56037CFC935B019 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: bOdYpQjr++wvs45ShLLZHd79pcpnmBTpgxa74ad4If27oxuWcjXhOvQAexIoRATA MSFhPUPBWNlbjZA7yY61LtWG7bLhx89w3wILdUM6YIyvzcqaMEX3TQ7J3S7/tgRg SkatV6zQHIw+NiJH6/g0vrNH+wc02mxu8HfgC0uwkW3UypN7PBqrgEdq50/d8PNJ 6UfavsUjLYSbheGgQRZ+f24xpX6q3xf+ZAz9UZBYpps7NfPsHRvH+yFmQc43N8am UvInYe+8c+Hv6C9pVDzBIcnegJb9VpBVjay68nOG/gjohM6RbJbvy+2CfnS44Xhf 93w7yDuqj2sfKO+PDI9WFRDcgrpc+cBN6Mo8VJaIs32o5+MG1VPJMqF+kLm7d/Qj +XfVmKSdoFvixkiFbagAsF/Z6UYWtuCg1g9ggyuN1lIKiuvMEFA80LHGv8/SDTY+ uBd4gdh0Ea9oafAwpP7TOxmFcZIDnSsBAYfhKrFb5RL2sTqWCga31gEyJnlQVj9S 8RM0VXwZPVtlw1Zs6kVzuR9Z8tmnZKc0SMFTfgrV5GB3Tp5LHszZmpVujeiNNoDq 0fHazg9SmoCLV34FGC2MmWHrncNDYRixSwBfAlFBQ+bM9VQofWsnJ3h1P1dRtxcj AhjYfZXMG09lMXKgC9prdOPTfHpH6MOQzRrGhGvEp4e51Y6urQVgksKwZJZdEMtp hGI+HlERdp0ggDbfrzEBubMx6+iwNF0ambzB98NlC9APU+r/ZKZUG1vR5O5BFRtP MdJ0JvWLExNReokLXVNxEyz45dx1ugO5PP+yNhUT18bujZyNNwTazX0NyBkYl5mq 1XWOFb/BPjYsTfd7W+zHBy64tlIIzWeIjgpBnYyy8PPoMjn8eYNSZ9Pc6z4BOM3N TRm0j6QraxYgtqCi/aXV21S4KkaEaXKcGdMZnH/qvnKevF3D7kvSs9BC2iBbD4C4 PGcHQsCp9LSsLk2QexLZgaFbsnwYLNsvxM5DneNybZYfhuGSeKjkO4AlMP1q7eCj cFveiuvo4pZXEx3QaZoOZ8Fw0p7Fmd04pbhL3/JYEPi+opA2mmf/wtHXKJqf6i24 F8qCa9NDD7LRcQy9mv+JWRHFv7Ioxuz9MkIS/Zph4EOKnKoaFevki8rt5PSgfRkO FcIxDDhM6BmOdfVglJjB8U0N9TKFhfRz7FRW0NHjqCiRzdhsNr56dn9b3WHSaUe/ l4vAUPMC0cTcb6i+zsXJWn5yxath0fu4rwyUNobhbqHNXfFs3Ph7l/rRYOBIiv/u ZiP0URaInTXwDpEMRWxi/zCptEJ7+3855OPLzO10ck83C3PlhTzMN+UMJ3G9zKt4 6rR/Q5SRrnHJ5b75pBjPv03OLkGTOmrnxUIgtpkvn4f4TzX2G+RoYEGX ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F56037CFC935B019

http://decryptor.cc/F56037CFC935B019

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 38 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2148
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4628
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4800

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\2e0oqa9a-readme.txt
      Filesize

      6KB

      MD5

      112cdcc32d0b3b01159a841b6ac23720

      SHA1

      e6ac1fa368310e2da2222cfbc4ba9f567f5b01d0

      SHA256

      adbfb12a53606b4c4191cf4f4998686f021f3c712cffee22da71db34a14bb3a0

      SHA512

      135a6206319ea3f6a4f1a7150a276ae362108d3d606cadf36bc4fa19d2abf6f773c7a46685ba92dff5adf76640868f05ddcca42d53817fbfcb564f5d5fb3799a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bzckbbmn.gqu.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2148-0-0x00007FFC4B003000-0x00007FFC4B005000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2148-1-0x0000019FFE6D0000-0x0000019FFE6F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2148-11-0x00007FFC4B000000-0x00007FFC4BAC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2148-12-0x00007FFC4B000000-0x00007FFC4BAC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2148-15-0x00007FFC4B000000-0x00007FFC4BAC1000-memory.dmp

      Filesize

      10.8MB

      Download