Analysis
max time kernel: 139s
max time network: 110s
platform: windows10_x64
resource: win10v20210408
submitted: 15-06-2021 17:28

Static task: static1

Behavioral task: behavioral1
Sample: c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Resource: win10v20210408
General
Target: c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Size: 1.1MB
MD5: ec926f3d4237e3aa70852c25c156df18
SHA1: c1d7970a15b0d4aa256df6d76e6862ac18d0c9b8
SHA256: c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f
SHA512: b5a175bb9fbbf53f6c2c5ea0926ffdcddced47c3cadb50eef70d6bc91cb34094d97c20e51e6f693762bf9bc6aaf2b2803e4ff9173b97083bafb5db4fc9f2c8df
Malware Config
Extracted
C:\38ir1yt23-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/356713AAA308D158
http://decoder.re/356713AAA308D158
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ExitDebug.crw => \??\c:\users\admin\pictures\ExitDebug.crw.38ir1yt23 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\users\admin\pictures\MergeCompare.tiff | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File renamed | C:\Users\Admin\Pictures\MergeCompare.tiff => \??\c:\users\admin\pictures\MergeCompare.tiff.38ir1yt23 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File renamed | C:\Users\Admin\Pictures\MountDismount.tif => \??\c:\users\admin\pictures\MountDismount.tif.38ir1yt23 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File renamed | C:\Users\Admin\Pictures\RemoveRegister.raw => \??\c:\users\admin\pictures\RemoveRegister.raw.38ir1yt23 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File renamed | C:\Users\Admin\Pictures\ConvertToSend.crw => \??\c:\users\admin\pictures\ConvertToSend.crw.38ir1yt23 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File renamed | C:\Users\Admin\Pictures\DenyReset.tif => \??\c:\users\admin\pictures\DenyReset.tif.38ir1yt23 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File renamed | C:\Users\Admin\Pictures\DismountSplit.raw => \??\c:\users\admin\pictures\DismountSplit.raw.38ir1yt23 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
description | ioc | process
File opened (read-only) | \??\A: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\O: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\P: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\R: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\S: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\V: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\E: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\I: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\L: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\Q: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\U: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\X: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\N: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\Z: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\B: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\F: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\G: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\H: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\K: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\M: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\J: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\T: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\W: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\Y: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened (read-only) | \??\D: | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10411foy11vb.bmp" | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
pid | process
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Drops file in Program Files directory 16 IoCs
Processes:
c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
description | ioc | process
File opened for modification | \??\c:\program files\OptimizeAdd.odt | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\OptimizeConnect.xht | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\ShowEnable.xlsm | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\UseBlock.rar | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\WritePop.contact | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File created | \??\c:\program files (x86)\tmp | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\DisconnectUnregister.css | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File created | \??\c:\program files\tmp | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File created | \??\c:\program files\38ir1yt23-readme.txt | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\BackupDismount.3gp | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\HideConnect.pptm | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\StepUse.vstx | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\SwitchStep.gif | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File created | \??\c:\program files (x86)\38ir1yt23-readme.txt | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\CompleteClose.emz | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
File opened for modification | \??\c:\program files\CopyUnlock.vsx | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
pid | process
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Token: SeTakeOwnershipPrivilege | 1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Token: SeBackupPrivilege | 2520 | vssvc.exe
Token: SeRestorePrivilege | 2520 | vssvc.exe
Token: SeAuditPrivilege | 2520 | vssvc.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
pid | process
1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe
description | pid | process | target process
PID 1000 wrote to memory of 3116 | 1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe | netsh.exe
PID 1000 wrote to memory of 3116 | 1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe | netsh.exe
PID 1000 wrote to memory of 3116 | 1000 | c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe | netsh.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe (level 1, PID: 1000)
Command line: "C:\Users\Admin\AppData\Local\Temp\c249af7c493de4fe8a147333d5197461a6daa1f60393b5bdb5b74128dfc17b9f.exe"
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\netsh.exe (level 2, PID: 3116)
  Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

C:\Windows\system32\wbem\unsecapp.exe (level 1, PID: 1200)
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe (level 1, PID: 2520)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken