Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 00:42
Static task
static1
Behavioral task
behavioral1
Sample
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe
Resource
win10-en-20211208
General
-
Target
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe
-
Size
165KB
-
MD5
d3e026324b81c755f9058d7a42e96c75
-
SHA1
35d30a689c4b826e43d9255574fa09965c0a6ba7
-
SHA256
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3
-
SHA512
e9eb060168da1db8dafac357835ffc2272dc3fdbae31c77d810c188299657c824255cc1f337ac25420c57ebe821a838f4e92e5fdf7778a4a6692e777305b3913
Malware Config
Extracted
C:\e70etl274-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C18DE0894BDBC268
http://decryptor.top/C18DE0894BDBC268
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exedescription ioc process File renamed C:\Users\Admin\Pictures\WaitExit.raw => \??\c:\users\admin\pictures\WaitExit.raw.e70etl274 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File renamed C:\Users\Admin\Pictures\ExitTrace.png => \??\c:\users\admin\pictures\ExitTrace.png.e70etl274 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\users\admin\pictures\ExportSearch.tiff f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\users\admin\pictures\InstallUnregister.tiff f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File renamed C:\Users\Admin\Pictures\ExportSearch.tiff => \??\c:\users\admin\pictures\ExportSearch.tiff.e70etl274 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File renamed C:\Users\Admin\Pictures\InstallUnregister.tiff => \??\c:\users\admin\pictures\InstallUnregister.tiff.e70etl274 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File renamed C:\Users\Admin\Pictures\SelectSearch.tif => \??\c:\users\admin\pictures\SelectSearch.tif.e70etl274 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exedescription ioc process File opened (read-only) \??\P: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\R: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\T: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\U: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\B: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\I: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\L: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\A: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\M: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\X: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\H: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\J: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\K: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\N: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\S: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\E: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\F: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\G: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\Y: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\W: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\Z: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\D: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\O: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\Q: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened (read-only) \??\V: f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4a5s.bmp" f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe -
Drops file in Program Files directory 31 IoCs
Processes:
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exedescription ioc process File opened for modification \??\c:\program files\DenyCompress.gif f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\OutConvertTo.rmi f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\ProtectGroup.zip f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\StartCopy.gif f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\e70etl274-readme.txt f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\e70etl274-readme.txt f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\CheckpointLimit.avi f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\InstallUnblock.mp3 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\SearchCompress.docm f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\CloseTrace.mid f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\MeasureAdd.vbs f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\UnregisterSelect.pps f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File created \??\c:\program files\e70etl274-readme.txt f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\EditPing.avi f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\ExportApprove.php f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\SearchSkip.odt f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\TraceGrant.scf f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\UndoPublish.cr2 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File created \??\c:\program files (x86)\e70etl274-readme.txt f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\DisableLimit.wps f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\JoinOpen.ppt f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\ReadCompress.jpeg f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\e70etl274-readme.txt f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\MoveSave.001 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\NewStart.ppsm f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\OutImport.doc f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\UninstallUndo.xhtml f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\UnprotectFormat.svg f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\CompleteUnblock.png f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\FindUndo.clr f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe File opened for modification \??\c:\program files\RequestPublish.html f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exepowershell.exepid process 1624 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe 1192 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 1192 powershell.exe Token: SeBackupPrivilege 1104 vssvc.exe Token: SeRestorePrivilege 1104 vssvc.exe Token: SeAuditPrivilege 1104 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exedescription pid process target process PID 1624 wrote to memory of 1192 1624 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe powershell.exe PID 1624 wrote to memory of 1192 1624 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe powershell.exe PID 1624 wrote to memory of 1192 1624 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe powershell.exe PID 1624 wrote to memory of 1192 1624 f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe"C:\Users\Admin\AppData\Local\Temp\f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1632
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1192-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmpFilesize
8KB
-
memory/1192-57-0x0000000002730000-0x0000000002732000-memory.dmpFilesize
8KB
-
memory/1192-59-0x0000000002734000-0x0000000002737000-memory.dmpFilesize
12KB
-
memory/1192-58-0x0000000002732000-0x0000000002734000-memory.dmpFilesize
8KB
-
memory/1192-56-0x000007FEF38E0000-0x000007FEF443D000-memory.dmpFilesize
11.4MB
-
memory/1192-60-0x000000000273B000-0x000000000275A000-memory.dmpFilesize
124KB
-
memory/1624-54-0x0000000076071000-0x0000000076073000-memory.dmpFilesize
8KB