Analysis
max time kernel: 135s
max time network: 147s
platform: windows10_x64
resource: win10v20210410
submitted: 04-05-2021 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  Resource: win10v20210410
General
Target: 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
Size: 160KB
MD5: db8b26bc4d47e6b9e9667d22845503b5
SHA1: 8ef2cddd379579555fbfb1e262be8f1db163a5be
SHA256: 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd
SHA512: 980557c69f657730c20d352dbd20aa5b17e5e506dc516a261d62b4e28a76ff2ec4e82390df6fa7a0a58522ca1b22be7ddb789c0079aae6bac0ab78b8bee08a91
Malware Config
Extracted
C:\6e0dque1-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F3673630DFC17628
http://decryptor.top/F3673630DFC17628
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
Processes:
36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\StartUninstall.tiff => \??\c:\users\admin\pictures\StartUninstall.tiff.6e0dque1 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\users\admin\pictures\StartUninstall.tiff | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromUpdate.raw => \??\c:\users\admin\pictures\ConvertFromUpdate.raw.6e0dque1 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File renamed | C:\Users\Admin\Pictures\MountEdit.tif => \??\c:\users\admin\pictures\MountEdit.tif.6e0dque1 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File renamed | C:\Users\Admin\Pictures\MountRead.tif => \??\c:\users\admin\pictures\MountRead.tif.6e0dque1 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File renamed | C:\Users\Admin\Pictures\SaveRequest.raw => \??\c:\users\admin\pictures\SaveRequest.raw.6e0dque1 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Processes:
36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
description | ioc | process
File opened (read-only) | \??\E: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\O: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\U: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\X: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\Y: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\D: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\A: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\B: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\G: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\I: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\P: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\Q: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\W: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\F: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\J: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\K: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\L: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\M: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\S: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\T: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\Z: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\H: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\N: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\R: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened (read-only) | \??\V: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d8zcr5w.bmp" | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Drops file in Program Files directory (34 IoCs)
Processes:
36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
description | ioc | process
File opened for modification | \??\c:\program files\StepAdd.ini | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File created | \??\c:\program files (x86)\7d75905f.lock | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\CloseSplit.ppsm | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\InstallExit.au3 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\InvokeClear.svg | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\InvokeEnable.dxf | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\ProtectUnregister.dib | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\RevokeMove.wps | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\ConnectLimit.rle | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\PingResize.jfif | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\WritePublish.jtx | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\DisableComplete.vsdx | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\MeasureSwitch.ex_ | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\WaitLimit.mp2 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\BackupRestore.doc | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\GroupRemove.wmx | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\PushHide.png | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\EnableApprove.gif | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\EnterUninstall.eprtx | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\ReadUninstall.xht | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\RedoResolve.jpe | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\StopMerge.7z | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File created | \??\c:\program files\6e0dque1-readme.txt | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File created | \??\c:\program files (x86)\6e0dque1-readme.txt | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\GrantUnlock.zip | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\PushUnlock.cfg | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\UninstallCheckpoint.TS | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\UseDebug.vsdm | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\RestoreTest.iso | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File created | \??\c:\program files\7d75905f.lock | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\InitializeUnregister.emf | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\NewPush.vssx | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\RedoInstall.vssm | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
File opened for modification | \??\c:\program files\WatchDebug.wav | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid | process
2760 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
pid | process
3968 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
3968 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 1136 | vssvc.exe
Token: SeRestorePrivilege | 1136 | vssvc.exe
Token: SeAuditPrivilege | 1136 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe, cmd.exe
description | pid | process | target process
PID 3968 wrote to memory of 192 | 3968 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe | cmd.exe
PID 3968 wrote to memory of 192 | 3968 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe | cmd.exe
PID 3968 wrote to memory of 192 | 3968 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe | cmd.exe
PID 192 wrote to memory of 2760 | 192 | cmd.exe | vssadmin.exe
PID 192 wrote to memory of 2760 | 192 | cmd.exe | vssadmin.exe
PID 192 wrote to memory of 2760 | 192 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3968
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID: 192
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2760
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1136