Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-06-2021 11:49
Static task: static1
Behavioral task: behavioral1
- Sample: 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Resource: win10v20210408
General
- Target: 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Size: 160KB
- MD5: db8b26bc4d47e6b9e9667d22845503b5
- SHA1: 8ef2cddd379579555fbfb1e262be8f1db163a5be
- SHA256: 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd
- SHA512: 980557c69f657730c20d352dbd20aa5b17e5e506dc516a261d62b4e28a76ff2ec4e82390df6fa7a0a58522ca1b22be7ddb789c0079aae6bac0ab78b8bee08a91
Malware Config
Extracted from: C:\43cc9-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/21D81DB96890AB03
  - http://decryptor.top/21D81DB96890AB03
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\InstallProtect.tif => \??\c:\users\admin\pictures\InstallProtect.tif.43cc9 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File renamed | C:\Users\Admin\Pictures\StopUninstall.tif => \??\c:\users\admin\pictures\StopUninstall.tif.43cc9 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\S: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\W: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\Y: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\K: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\M: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\N: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\I: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\Q: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\U: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\X: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\Z: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\A: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\G: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\H: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\P: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\D: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\F: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\J: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\L: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\R: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\T: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\V: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\B: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\E: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened (read-only) | \??\O: | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\250.bmp" | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Drops file in Program Files directory (22 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | \??\c:\program files\UndoBackup.emf | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File created | \??\c:\program files (x86)\7d75905f.lock | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\ConvertFromUse.m4a | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\PopPush.edrwx | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\SyncSwitch.zip | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File created | \??\c:\program files\43cc9-readme.txt | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\ResizeEnter.rmi | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\UndoConfirm.ini | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\UnprotectTrace.wmf | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\RestartSearch.midi | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\ResumeDisconnect.mht | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\UnregisterRename.xlsm | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File created | \??\c:\program files (x86)\43cc9-readme.txt | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\DisableMove.wmx | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\ExpandShow.ex_ | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\ResetProtect.xls | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\RequestRegister.pdf | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\WriteUse.xml | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File created | \??\c:\program files\7d75905f.lock | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\EnterFind.iso | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\HideResume.avi | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  File opened for modification | \??\c:\program files\ProtectWait.fon | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  3156 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  4024 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  4024 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 2988 | vssvc.exe
  Token: SeRestorePrivilege | 2988 | vssvc.exe
  Token: SeAuditPrivilege | 2988 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 4024 wrote to memory of 184 | 4024 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe | cmd.exe
  PID 4024 wrote to memory of 184 | 4024 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe | cmd.exe
  PID 4024 wrote to memory of 184 | 4024 | 36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe | cmd.exe
  PID 184 wrote to memory of 3156 | 184 | cmd.exe | vssadmin.exe
  PID 184 wrote to memory of 3156 | 184 | cmd.exe | vssadmin.exe
  PID 184 wrote to memory of 3156 | 184 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd.exe"
  PID: 4024
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 184
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 3156
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2988
  - Suspicious use of AdjustPrivilegeToken