Analysis
- max time kernel: 148s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 03-05-2021 16:00
Static task: static1
Behavioral task: behavioral1
  Sample: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
  Resource: win10v20210410
General
- Target: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
- Size: 161KB
- MD5: d599cfe7691e8499941d7e4f0d51616c
- SHA1: 843070b5c802a5dbc9afbbdf03ee1153f3249165
- SHA256: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507
- SHA512: f04a3e88dc69641e0682d6e74a7ac75f80e06924f3d25987e74674d9dabac040a70164cfa241078954274cb164c45bccdba3d06cd026934f66a12460a3add2e6
Malware Config
Extracted
C:\xn6cj-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/85EB5461AB1897A2
http://decryptor.top/85EB5461AB1897A2
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
IoCs (description / ioc; all from process 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe):
- File opened (read-only) \??\F:
- File opened (read-only) \??\P:
- File opened (read-only) \??\J:
- File opened (read-only) \??\L:
- File opened (read-only) \??\M:
- File opened (read-only) \??\Q:
- File opened (read-only) \??\V:
- File opened (read-only) \??\Y:
- File opened (read-only) \??\G:
- File opened (read-only) \??\I:
- File opened (read-only) \??\Z:
- File opened (read-only) \??\N:
- File opened (read-only) \??\O:
- File opened (read-only) \??\T:
- File opened (read-only) \??\U:
- File opened (read-only) \??\B:
- File opened (read-only) \??\E:
- File opened (read-only) \??\K:
- File opened (read-only) \??\R:
- File opened (read-only) \??\S:
- File opened (read-only) \??\W:
- File opened (read-only) \??\X:
- File opened (read-only) \??\A:
- File opened (read-only) \??\H:
-
Drops file in Program Files directory 17 IoCs
Processes: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
IoCs (description / ioc; all from process 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe):
- File opened for modification \??\c:\program files\RestoreRepair.vbe
- File created \??\c:\program files\xn6cj-readme.txt
- File created \??\c:\program files (x86)\xn6cj-readme.txt
- File created \??\c:\program files (x86)\5c4c3ad0.lock
- File opened for modification \??\c:\program files\ConnectUnblock.odp
- File opened for modification \??\c:\program files\PopEnable.mp4v
- File opened for modification \??\c:\program files\RegisterUnregister.xltm
- File opened for modification \??\c:\program files\RepairConvertFrom.shtml
- File opened for modification \??\c:\program files\GetComplete.mpeg3
- File opened for modification \??\c:\program files\MountSync.jpeg
- File opened for modification \??\c:\program files\ResolveSend.wdp
- File opened for modification \??\c:\program files\UpdateRequest.search-ms
- File created \??\c:\program files\5c4c3ad0.lock
- File opened for modification \??\c:\program files\GroupMerge.mhtml
- File opened for modification \??\c:\program files\UnpublishCopy.dot
- File opened for modification \??\c:\program files\GrantInstall.wax
- File opened for modification \??\c:\program files\RestartCompare.m1v
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
IoCs (pid / process):
- 1704 vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
IoCs (pid / process):
- 1944 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe, cmd.exe
IoCs (description / pid / process / target process):
- PID 1944 wrote to memory of 1684 | 1944 | 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe | cmd.exe
- PID 1944 wrote to memory of 1684 | 1944 | 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe | cmd.exe
- PID 1944 wrote to memory of 1684 | 1944 | 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe | cmd.exe
- PID 1944 wrote to memory of 1684 | 1944 | 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe | cmd.exe
- PID 1684 wrote to memory of 1704 | 1684 | cmd.exe | vssadmin.exe
- PID 1684 wrote to memory of 1704 | 1684 | cmd.exe | vssadmin.exe
- PID 1684 wrote to memory of 1704 | 1684 | cmd.exe | vssadmin.exe
- PID 1684 wrote to memory of 1704 | 1684 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1944
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID: 1684
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 1704