Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
17-06-2021 05:03
Static task
static1
Behavioral task
behavioral1
Sample
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe
Resource
win10v20210408
General
-
Target
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe
-
Size
122KB
-
MD5
201cc0e5afe6984f23ff5b36964588ae
-
SHA1
0d7d093a29470e40a6c15aa75cd7607fff480cb6
-
SHA256
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992
-
SHA512
fbb9f80f58f7c1fef8807da4a6e5c40aae75def7e8d2cd3b82f8283def4621d148b4993ff736d40cac7978857e1c80716f447aee2622d6383acbba4563d4079e
Malware Config
Extracted
C:\vr855d-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/521B3AE3FFDF38EF
http://decoder.re/521B3AE3FFDF38EF
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exedescription ioc process File renamed C:\Users\Admin\Pictures\LimitPing.png => \??\c:\users\admin\pictures\LimitPing.png.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\MoveOpen.raw => \??\c:\users\admin\pictures\MoveOpen.raw.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\UseOut.tif => \??\c:\users\admin\pictures\UseOut.tif.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\CheckpointClear.png => \??\c:\users\admin\pictures\CheckpointClear.png.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\EnterCopy.crw => \??\c:\users\admin\pictures\EnterCopy.crw.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\HideGrant.raw => \??\c:\users\admin\pictures\HideGrant.raw.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\ResetCompress.png => \??\c:\users\admin\pictures\ResetCompress.png.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\ResizeWrite.raw => \??\c:\users\admin\pictures\ResizeWrite.raw.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\DisableRegister.tif => \??\c:\users\admin\pictures\DisableRegister.tif.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\DismountFind.png => \??\c:\users\admin\pictures\DismountFind.png.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File renamed C:\Users\Admin\Pictures\JoinPush.crw => \??\c:\users\admin\pictures\JoinPush.crw.vr855d 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe" 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exedescription ioc process File opened (read-only) \??\A: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\E: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\F: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\H: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\N: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\T: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\V: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\X: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\B: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\J: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\L: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\R: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\U: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\W: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\Y: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\Z: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\G: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\I: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\O: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\P: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\Q: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\S: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\D: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\K: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened (read-only) \??\M: 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe -
Drops file in Program Files directory 25 IoCs
Processes:
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exedescription ioc process File opened for modification \??\c:\program files\EnterAssert.htm 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\RestoreRemove.vstx 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\SendAdd.rtf 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\ShowGrant.kix 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\SubmitJoin.aiff 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\UninstallStart.tiff 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\CloseDisable.pcx 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\ConvertFromUndo.pptx 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\InvokeRead.rtf 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\OptimizeGroup.mpg 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\ResolveAdd.wma 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File created \??\c:\program files\tmp 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File created \??\c:\program files\vr855d-readme.txt 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\SelectUninstall.dib 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\UnregisterSave.mp2 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File created \??\c:\program files (x86)\tmp 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\RedoUnprotect.clr 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\MergeTest.jtx 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\PopEnable.wma 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\RemoveOpen.temp 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\SendProtect.pub 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\StopCompress.mht 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\UninstallEdit.potm 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File created \??\c:\program files (x86)\vr855d-readme.txt 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe File opened for modification \??\c:\program files\HideSync.m1v 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exepid process 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exevssvc.exedescription pid process Token: SeDebugPrivilege 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe Token: SeTakeOwnershipPrivilege 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe Token: SeBackupPrivilege 4124 vssvc.exe Token: SeRestorePrivilege 4124 vssvc.exe Token: SeAuditPrivilege 4124 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exedescription pid process target process PID 4648 wrote to memory of 4248 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe netsh.exe PID 4648 wrote to memory of 4248 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe netsh.exe PID 4648 wrote to memory of 4248 4648 9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe"C:\Users\Admin\AppData\Local\Temp\9df39b3b2b0ed8ed469d028cc4269655d6b70aef8b22a308f34e1929e4b00992.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵PID:4248
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3316
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4248-114-0x0000000000000000-mapping.dmp