Analysis
- max time kernel: 144s
- max time network: 38s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 17-06-2021 04:58
Static task: static1
Behavioral task: behavioral1
- Sample: 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe
- Resource: win10v20210410
General
- Target: 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe
- Size: 122KB
- MD5: 84645b3639932f0ca17d8e13c17dff87
- SHA1: 4435d46fa99b53cc986f16e41dd68823a77161ab
- SHA256: 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93
- SHA512: 5e4039974929fefaa43dc5d2e396bbaf1f4d88c8cfaa477b7705295cd310676f46d5ed17f1a6451e2040b93513654ab6303fcce2cceca1f7b4ee4340e2ce5eb3
Malware Config
- Extracted from: C:\j97i62j6-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3DF9470FB8F43741
  - http://decoder.re/3DF9470FB8F43741
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies Windows Firewall (1 TTPs)
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe (all 24 entries)
  description | ioc
  File opened (read-only) | \??\B:
  File opened (read-only) | \??\N:
  File opened (read-only) | \??\S:
  File opened (read-only) | \??\W:
  File opened (read-only) | \??\Z:
  File opened (read-only) | \??\I:
  File opened (read-only) | \??\J:
  File opened (read-only) | \??\K:
  File opened (read-only) | \??\O:
  File opened (read-only) | \??\R:
  File opened (read-only) | \??\U:
  File opened (read-only) | \??\A:
  File opened (read-only) | \??\H:
  File opened (read-only) | \??\M:
  File opened (read-only) | \??\T:
  File opened (read-only) | \??\V:
  File opened (read-only) | \??\X:
  File opened (read-only) | \??\Y:
  File opened (read-only) | \??\E:
  File opened (read-only) | \??\F:
  File opened (read-only) | \??\G:
  File opened (read-only) | \??\L:
  File opened (read-only) | \??\P:
  File opened (read-only) | \??\Q:
- Drops file in Program Files directory (23 IoCs)
  Processes: 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe (all 23 entries)
  description | ioc
  File created | \??\c:\program files\tmp
  File created | \??\c:\program files (x86)\tmp
  File opened for modification | \??\c:\program files\DenyUnpublish.svg
  File opened for modification | \??\c:\program files\GetOptimize.cr2
  File created | \??\c:\program files (x86)\j97i62j6-readme.txt
  File opened for modification | \??\c:\program files\AddSend.m4a
  File opened for modification | \??\c:\program files\GetComplete.dotm
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\tmp
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp
  File opened for modification | \??\c:\program files\HideWrite.otf
  File opened for modification | \??\c:\program files\ImportExport.gif
  File opened for modification | \??\c:\program files\InstallClear.vbs
  File opened for modification | \??\c:\program files\InvokeRedo.midi
  File opened for modification | \??\c:\program files\PopRemove.aif
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\j97i62j6-readme.txt
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\j97i62j6-readme.txt
  File created | \??\c:\program files\j97i62j6-readme.txt
  File opened for modification | \??\c:\program files\EditApprove.css
  File opened for modification | \??\c:\program files\PopReset.dwfx
  File opened for modification | \??\c:\program files\SearchGet.iso
  File opened for modification | \??\c:\program files\SetOpen.tiff
  File opened for modification | \??\c:\program files\StopBlock.wma
  File opened for modification | \??\c:\program files\StopLock.au3
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  628 | 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 628 | 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe
  Token: SeTakeOwnershipPrivilege | 628 | 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe
  Token: SeBackupPrivilege | 348 | vssvc.exe
  Token: SeRestorePrivilege | 348 | vssvc.exe
  Token: SeAuditPrivilege | 348 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe
  description | pid | process | target process
  PID 628 wrote to memory of 1692 | 628 | 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe | netsh.exe
  PID 628 wrote to memory of 1692 | 628 | 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe | netsh.exe
  PID 628 wrote to memory of 1692 | 628 | 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe | netsh.exe
  PID 628 wrote to memory of 1692 | 628 | 44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe"
  PID: 628
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    PID: 1692
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1160
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 348
  - Suspicious use of AdjustPrivilegeToken
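The three behaviours this run records (the sample at PID 628 spawning netsh to enable the whole "Network Discovery" firewall rule group, the 24 read-only opens of drive roots, and the same j97i62j6-readme.txt note created in several directories) map directly onto endpoint detections. The Python below is an added example, not part of the sandbox report and not the sample's code: it runs three detections over constructed Sysmon-style events that mirror the report's process tree and IoCs. The PIDs 628 and 1692, the netsh command line, the drive letters and the note paths come from the report; the event field names, the explorer.exe parent at PID 1000, the eight-drive threshold and the `<ext>-readme.txt` name pattern are assumptions made for the example.

```python
import re
from collections import defaultdict

SAMPLE = "44cd22cb40115a504bf933ec006d47ae0076f450f76b54783f846beca81c4c93.exe"

# Constructed Sysmon-style events modelled on the report. PIDs 628/1692, the
# netsh command line, drive letters and note paths are from the report; the
# explorer.exe parent (PID 1000) and the field names are assumptions.
EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 500,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 628, "ppid": 1000,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"type": "process_create", "pid": 1692, "ppid": 628,
     "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
]
# The 24 drive-root opens listed under "Enumerates connected drives".
EVENTS += [{"type": "file_open", "pid": 628, "access": "read-only", "path": "\\??\\" + d + ":"}
           for d in "BNSWZIJKORUAHMTVXYEFGLPQ"]
# Ransom-note drops from the config section and "Drops file in Program Files directory".
EVENTS += [{"type": "file_create", "pid": 628, "path": p} for p in (
    "C:\\j97i62j6-readme.txt",
    "\\??\\c:\\program files\\j97i62j6-readme.txt",
    "\\??\\c:\\program files (x86)\\j97i62j6-readme.txt",
    "\\??\\c:\\program files (x86)\\microsoft sql server compact edition\\j97i62j6-readme.txt",
    "\\??\\c:\\program files (x86)\\microsoft sql server compact edition\\v3.5\\j97i62j6-readme.txt",
    "\\??\\c:\\program files\\tmp",
)]

FIREWALL_RULE_GROUP = re.compile(
    r'advfirewall\s+firewall\s+set\s+rule\s+group=("[^"]+"|\S+)\s+new\s+enable=yes', re.I)
DRIVE_ROOT = re.compile(r"^(?:\\\?\?\\)?([A-Z]):\\?$", re.I)
# Assumption: REvil-style note name "<random extension>-readme.txt", as seen in this run.
RANSOM_NOTE = re.compile(r"^[a-z0-9]{5,10}-readme\.txt$", re.I)


def _processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def detect_firewall_rule_group_change(events):
    """netsh enabling a whole firewall rule group, launched by a parent that is
    not a Windows binary. Matches on the image basename so SysWOW64 counts too."""
    procs = _processes(events)
    findings = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\netsh.exe"):
            continue
        m = FIREWALL_RULE_GROUP.search(e["cmdline"])
        if not m:
            continue
        parent = procs.get(e["ppid"])
        parent_image = parent["image"] if parent else "<unknown>"
        if not parent_image.lower().startswith("c:\\windows\\"):
            findings.append({"pid": e["pid"], "parent_pid": e["ppid"],
                             "parent_image": parent_image,
                             "rule_group": m.group(1).strip('"')})
    return findings


def detect_drive_root_sweep(events, threshold=8):
    """One process opening the roots of many drive letters (the A: to Z: walk a
    ransomware does to find volumes). The threshold is an assumption."""
    roots = defaultdict(set)
    for e in events:
        if e["type"] == "file_open":
            m = DRIVE_ROOT.match(e["path"])
            if m:
                roots[e["pid"]].add(m.group(1).upper())
    return {pid: sorted(ds) for pid, ds in roots.items() if len(ds) >= threshold}


def detect_ransom_note_drop(events, min_dirs=2):
    """The same <ext>-readme.txt name created in several directories by one process."""
    notes = defaultdict(lambda: defaultdict(set))  # pid -> note name -> directories
    for e in events:
        if e["type"] != "file_create":
            continue
        directory, _, name = e["path"].rpartition("\\")
        if RANSOM_NOTE.match(name):
            notes[e["pid"]][name.lower()].add(directory.lower())
    return [{"pid": pid, "note": name, "dirs": sorted(dirs)}
            for pid, by_name in notes.items()
            for name, dirs in by_name.items() if len(dirs) >= min_dirs]


def analyse(events):
    """Run all three detections and return their findings keyed by detection name."""
    return {
        "firewall_rule_group": detect_firewall_rule_group_change(events),
        "drive_root_sweep": detect_drive_root_sweep(events),
        "ransom_note_drop": detect_ransom_note_drop(events),
    }


if __name__ == "__main__":
    for name, hits in analyse(EVENTS).items():
        print(name, "->", hits)
```

Two points worth carrying into a production rule: netsh.exe runs from SysWOW64 here because the sample is a 32-bit process on an x64 host and file-system redirection resolves the path, so a rule keyed on the System32 path alone would miss it; and the parent allowlist is deliberately crude (anything outside C:\Windows\ is suspicious), which is tolerable for a firewall rule-group change because legitimate callers of that command are almost always Windows components or installers that can be allowlisted by hash. The report also shows unsecapp.exe (the WMI asynchronous callback host) and vssvc.exe starting with backup/restore privileges alongside the sample; that is consistent with shadow-copy interaction over WMI, but no deletion command appears in the recorded process tree, so the example does not claim one.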