Overview

overview

10

Static

static

10

13857b32be...le.exe

windows7_x64

10

13857b32be...le.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    26-07-2021 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe

  • Size

    158KB

  • MD5

    53550156f5250bc445aedad91fa9d665

  • SHA1

    2fec5aca3bdaf419f12795491b70cd7f8fa8371f

  • SHA256

    13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb

  • SHA512

    34caca932ae9e63d5e3ed22369901eb4a3ca68ff9d3c1825c2d47db5530f54c203de7916d256a09bdaab85145a9d64a1ac22e2a957436cc2765747550701b054

Score
10/10
sodinokibiransomware

Malware Config

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb.sample.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    PID:1636
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:828

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1636-60-0x0000000075041000-0x0000000075043000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1636-61-0x0000000000220000-0x000000000022A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1636-63-0x0000000002140000-0x00000000021DF000-memory.dmp
      Filesize

      636KB

      Download
    • memory/1636-64-0x00000000021E0000-0x000000000230D000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1636-65-0x0000000000320000-0x000000000033F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1636-66-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-68-0x0000000000250000-0x0000000000251000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-69-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-70-0x0000000000270000-0x0000000000276000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1636-67-0x0000000002590000-0x0000000002699000-memory.dmp
      Filesize

      1.0MB

      Download