Analysis
Max time kernel: 147s
Max time network: 149s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 03-05-2021 16:00

Static task: static1

Behavioral task: behavioral1
  Sample: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
  Resource: win10v20210410
General
Target: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
Size: 161KB
MD5: d599cfe7691e8499941d7e4f0d51616c
SHA1: 843070b5c802a5dbc9afbbdf03ee1153f3249165
SHA256: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507
SHA512: f04a3e88dc69641e0682d6e74a7ac75f80e06924f3d25987e74674d9dabac040a70164cfa241078954274cb164c45bccdba3d06cd026934f66a12460a3add2e6
Malware Config
Extracted from: C:\h5dd91j88r-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9654F9AF342C5545
  http://decryptor.top/9654F9AF342C5545
Signatures

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  Process: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe (all rows)
  description | ioc
  File renamed | C:\Users\Admin\Pictures\SkipConfirm.png => \??\c:\users\admin\pictures\SkipConfirm.png.h5dd91j88r
  File opened for modification | \??\c:\users\admin\pictures\SearchInstall.tiff
  File renamed | C:\Users\Admin\Pictures\BlockComplete.tiff => \??\c:\users\admin\pictures\BlockComplete.tiff.h5dd91j88r
  File renamed | C:\Users\Admin\Pictures\MeasureWait.raw => \??\c:\users\admin\pictures\MeasureWait.raw.h5dd91j88r
  File renamed | C:\Users\Admin\Pictures\PushRequest.png => \??\c:\users\admin\pictures\PushRequest.png.h5dd91j88r
  File renamed | C:\Users\Admin\Pictures\SearchInstall.tiff => \??\c:\users\admin\pictures\SearchInstall.tiff.h5dd91j88r
  File opened for modification | \??\c:\users\admin\pictures\BlockComplete.tiff
  File renamed | C:\Users\Admin\Pictures\DebugUpdate.png => \??\c:\users\admin\pictures\DebugUpdate.png.h5dd91j88r
  File renamed | C:\Users\Admin\Pictures\MoveUnregister.png => \??\c:\users\admin\pictures\MoveUnregister.png.h5dd91j88r
Drops startup file (2 IoCs)
  Processes:
  Process: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe (all rows)
  description | ioc
  File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\5c4c3ad0.lock
  File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\h5dd91j88r-readme.txt
Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  Process: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe (all rows)
  description | ioc
  File opened (read-only) | \??\T:
  File opened (read-only) | \??\V:
  File opened (read-only) | \??\W:
  File opened (read-only) | \??\E:
  File opened (read-only) | \??\I:
  File opened (read-only) | \??\M:
  File opened (read-only) | \??\O:
  File opened (read-only) | \??\S:
  File opened (read-only) | \??\D:
  File opened (read-only) | \??\A:
  File opened (read-only) | \??\K:
  File opened (read-only) | \??\R:
  File opened (read-only) | \??\B:
  File opened (read-only) | \??\F:
  File opened (read-only) | \??\J:
  File opened (read-only) | \??\U:
  File opened (read-only) | \??\Y:
  File opened (read-only) | \??\Q:
  File opened (read-only) | \??\X:
  File opened (read-only) | \??\Z:
  File opened (read-only) | \??\G:
  File opened (read-only) | \??\H:
  File opened (read-only) | \??\L:
  File opened (read-only) | \??\N:
  File opened (read-only) | \??\P:
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
  Process: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9sh3df.bmp"
Drops file in Program Files directory (32 IoCs)
  Processes:
  Process: 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe (all rows)
  description | ioc
  File created | \??\c:\program files (x86)\h5dd91j88r-readme.txt
  File opened for modification | \??\c:\program files\UndoEnable.gif
  File opened for modification | \??\c:\program files\CloseUninstall.3g2
  File opened for modification | \??\c:\program files\SuspendPing.vsd
  File opened for modification | \??\c:\program files\RequestWatch.dwfx
  File opened for modification | \??\c:\program files\WatchWrite.mp4v
  File created | \??\c:\program files\h5dd91j88r-readme.txt
  File opened for modification | \??\c:\program files\EditExport.emf
  File opened for modification | \??\c:\program files\LockGrant.jpeg
  File opened for modification | \??\c:\program files\PushUnpublish.WTV
  File opened for modification | \??\c:\program files\UnlockDisable.gif
  File opened for modification | \??\c:\program files\WatchUnregister.avi
  File opened for modification | \??\c:\program files\MeasureUnregister.zip
  File opened for modification | \??\c:\program files\MergeSet.vsdm
  File opened for modification | \??\c:\program files\ReceiveUninstall.csv
  File opened for modification | \??\c:\program files\RevokeTest.dib
  File opened for modification | \??\c:\program files\ComparePop.ppsx
  File opened for modification | \??\c:\program files\ExitDeny.m4v
  File opened for modification | \??\c:\program files\ExitDisable.pptm
  File opened for modification | \??\c:\program files\UnpublishSuspend.ADT
  File opened for modification | \??\c:\program files\RevokePublish.aiff
  File opened for modification | \??\c:\program files\SubmitSwitch.vsdm
  File opened for modification | \??\c:\program files\TestResume.otf
  File created | \??\c:\program files\5c4c3ad0.lock
  File opened for modification | \??\c:\program files\ConvertFromExpand.scf
  File opened for modification | \??\c:\program files\ConvertFromInitialize.wmf
  File opened for modification | \??\c:\program files\DebugExit.emf
  File opened for modification | \??\c:\program files\OutEnter.eprtx
  File created | \??\c:\program files (x86)\5c4c3ad0.lock
  File opened for modification | \??\c:\program files\DenySend.xltx
  File opened for modification | \??\c:\program files\GroupSelect.aiff
  File opened for modification | \??\c:\program files\JoinConvertFrom.png
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  2628 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  3656 | 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
  3656 | 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 3308 | vssvc.exe
  Token: SeRestorePrivilege | 3308 | vssvc.exe
  Token: SeAuditPrivilege | 3308 | vssvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 3656 wrote to memory of 2232 | 3656 | 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe | cmd.exe
  PID 3656 wrote to memory of 2232 | 3656 | 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe | cmd.exe
  PID 3656 wrote to memory of 2232 | 3656 | 2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe | cmd.exe
  PID 2232 wrote to memory of 2628 | 2232 | cmd.exe | vssadmin.exe
  PID 2232 wrote to memory of 2628 | 2232 | cmd.exe | vssadmin.exe
  PID 2232 wrote to memory of 2628 | 2232 | cmd.exe | vssadmin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507.bin.sample.exe"
  PID: 3656
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 2232
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 2628
      - Interacts with shadow copies

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3308
  - Suspicious use of AdjustPrivilegeToken