Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 12-04-2021 19:05
Static task: static1
Behavioral task: behavioral1
- Sample: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
- Resource: win10v20210410
General
- Target: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
- Size: 120KB
- MD5: a9d0f7e5c8f73806660711e59026e433
- SHA1: e435b0fb78497445aa8b677aa170cf2c3c66d509
- SHA256: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d
- SHA512: 8ab3f03a83d8e785e9989de01073c3f3e3d6659b6086822284bb276da03b8b434295902508ecb1be21b04dbf17f4ac7677658837bd21af911a44a0b784b947b4
Malware Config
Extracted
- Path: C:\346geh1b-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C49220B27BA53756
  http://decoder.re/C49220B27BA53756
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
description / ioc / process
File opened (read-only) \??\R: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\T: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\U: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\A: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\I: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\J: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\K: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\L: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\V: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\X: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\F: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\H: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\S: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\B: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\N: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\Q: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\W: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\Y: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\E: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\G: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\M: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\O: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\P: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
File opened (read-only) \??\Z: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
pid / process
1820 ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe, vssvc.exe
description / pid / process
Token: SeDebugPrivilege 1820 ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
Token: SeTakeOwnershipPrivilege 1820 ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
Token: SeBackupPrivilege 300 vssvc.exe
Token: SeRestorePrivilege 300 vssvc.exe
Token: SeAuditPrivilege 300 vssvc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecb315b1fabea9de977b44e0399d87ecca6e962776bb63bbac0fff01e312e27d.exe"
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize: 8KB)