Analysis
- max time kernel: 149s
- max time network: 52s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 13:00
Static task: static1
Behavioral task: behavioral1
  Sample: 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  Resource: win10v20210408
General
- Target: 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
- Size: 158KB
- MD5: 53550156f5250bc445aedad91fa9d665
- SHA1: 2fec5aca3bdaf419f12795491b70cd7f8fa8371f
- SHA256: 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb
- SHA512: 34caca932ae9e63d5e3ed22369901eb4a3ca68ff9d3c1825c2d47db5530f54c203de7916d256a09bdaab85145a9d64a1ac22e2a957436cc2765747550701b054
Malware Config
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  description             | ioc    | process
  File opened (read-only) | \??\V: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\J: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\L: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\M: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\N: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\R: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\T: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\X: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\B: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\G: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\K: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\Y: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\Z: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\O: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\Q: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\S: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\H: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\I: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\P: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\U: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\W: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\A: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\E: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  File opened (read-only) | \??\F: | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  pid  | process
  1636 | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  1636 | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe"
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1636-60-0x0000000075041000-0x0000000075043000-memory.dmp (Filesize 8KB)
- memory/1636-61-0x0000000000220000-0x000000000022A000-memory.dmp (Filesize 40KB)
- memory/1636-63-0x0000000002140000-0x00000000021DF000-memory.dmp (Filesize 636KB)
- memory/1636-64-0x00000000021E0000-0x000000000230D000-memory.dmp (Filesize 1.2MB)
- memory/1636-65-0x0000000000320000-0x000000000033F000-memory.dmp (Filesize 124KB)
- memory/1636-66-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize 4KB)
- memory/1636-68-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize 4KB)
- memory/1636-69-0x0000000000260000-0x0000000000261000-memory.dmp (Filesize 4KB)
- memory/1636-70-0x0000000000270000-0x0000000000276000-memory.dmp (Filesize 24KB)
- memory/1636-67-0x0000000002590000-0x0000000002699000-memory.dmp (Filesize 1.0MB)