Analysis
- max time kernel: 172s
- max time network: 181s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:42
Static task: static1
Behavioral task: behavioral1
- Sample: f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe
- Resource: win10-en-20211208
General
- Target: f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe
- Size: 165KB
- MD5: 08402b4bc7e5527315b690e6ee0c1565
- SHA1: 76062deff96a613ea455abc3014b531e5fd13aee
- SHA256: f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5
- SHA512: 12638ca4ff87b239ccc519376c7043681ac70f26b8dda16c6b308c11415facd1da00f3e3338d9a258373c2497bfc0b1a900a787340cad35691ffa4cdcd9af623
Malware Config
Extracted from: C:\98ip629-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B7130F6F3EEDF344
  http://decryptor.top/B7130F6F3EEDF344
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe
  File renamed: C:\Users\Admin\Pictures\ResumeConfirm.png => \??\c:\users\admin\pictures\ResumeConfirm.png.98ip629
  File renamed: C:\Users\Admin\Pictures\TraceLimit.raw => \??\c:\users\admin\pictures\TraceLimit.raw.98ip629
  File renamed: C:\Users\Admin\Pictures\SplitBackup.png => \??\c:\users\admin\pictures\SplitBackup.png.98ip629
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe
  File opened (read-only), in report order: \??\X:, \??\B:, \??\G:, \??\I:, \??\L:, \??\P:, \??\Q:, \??\S:, \??\U:, \??\E:, \??\F:, \??\J:, \??\D:, \??\V:, \??\Y:, \??\Z:, \??\O:, \??\R:, \??\K:, \??\M:, \??\N:, \??\W:, \??\A:, \??\H:, \??\T:
  Every drive letter except C: is probed (25 of 26), so mapped and removable volumes are discovered alongside the system drive.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\460tpv51.bmp"
- Drops file in Program Files directory (33 IoCs)
  Process: f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe
  31 of the 33 entries are existing files opened for modification (consistent with in-place encryption); the remaining 2 are the ransom note created in each Program Files root.
  File opened for modification:
    \??\c:\program files\DenyRead.tiff
    \??\c:\program files\SendWait.WTV
    \??\c:\program files\UninstallPing.TS
    \??\c:\program files\UnpublishRepair.potm
    \??\c:\program files\DebugRegister.rar
    \??\c:\program files\DisconnectClose.cr2
    \??\c:\program files\RemovePing.rm
    \??\c:\program files\UnprotectRestart.ttf
    \??\c:\program files\SyncCheckpoint.ADTS
    \??\c:\program files\WatchAdd.vsdx
    \??\c:\program files\CopyReset.xlsb
    \??\c:\program files\ResetMove.xlsb
    \??\c:\program files\ResetDisconnect.pptm
    \??\c:\program files\ResolveReceive.ppsm
    \??\c:\program files\RevokeUnprotect.asp
    \??\c:\program files\OpenDismount.xltx
    \??\c:\program files\RequestCompare.otf
    \??\c:\program files\PublishAdd.vssm
    \??\c:\program files\RequestClear.mp4
    \??\c:\program files\ResetSwitch.css
    \??\c:\program files\UnblockUnprotect.dxf
    \??\c:\program files\WatchProtect.m4a
    \??\c:\program files\PingCompare.mp3
    \??\c:\program files\SearchExpand.mht
    \??\c:\program files\WatchApprove.ps1xml
    \??\c:\program files\WriteRedo.xla
    \??\c:\program files\JoinDebug.xlsx
    \??\c:\program files\ResolveResume.txt
    \??\c:\program files\SuspendDismount.xls
    \??\c:\program files\PingRevoke.png
    \??\c:\program files\ResolveMove.ex_
  File created:
    \??\c:\program files\98ip629-readme.txt
    \??\c:\program files (x86)\98ip629-readme.txt
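The two signatures above ("Modifies extensions of user files" and "Drops file in Program Files directory") together give the classic REvil file-system footprint: many files renamed to the same freshly generated suffix, plus a ransom note named after that suffix. The following Python is an added example, not part of the sandbox report and not REvil's code, showing how a detection rule can recover that footprint from raw file events. The rename and ransom-note paths are the ones this report lists (including the `\??\` NT-path prefix and lowercased directories the sandbox records on the destination side); the explorer.exe and winword.exe rows, the record layout, the `min_renames` threshold and all function names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

SAMPLE_EXE = "f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe"

# Constructed file-event records in the shape of this report's IoC rows:
# (process, action, path, new_path). The three renames and the three ransom-note
# paths are the ones the report lists; the explorer/winword rows are constructed
# benign activity for contrast.
SAMPLE_FILE_EVENTS = [
    (SAMPLE_EXE, "renamed", r"C:\Users\Admin\Pictures\ResumeConfirm.png",
     r"\??\c:\users\admin\pictures\ResumeConfirm.png.98ip629"),
    (SAMPLE_EXE, "renamed", r"C:\Users\Admin\Pictures\TraceLimit.raw",
     r"\??\c:\users\admin\pictures\TraceLimit.raw.98ip629"),
    (SAMPLE_EXE, "renamed", r"C:\Users\Admin\Pictures\SplitBackup.png",
     r"\??\c:\users\admin\pictures\SplitBackup.png.98ip629"),
    (SAMPLE_EXE, "created", r"\??\c:\program files\98ip629-readme.txt", None),
    (SAMPLE_EXE, "created", r"\??\c:\program files (x86)\98ip629-readme.txt", None),
    (SAMPLE_EXE, "created", r"C:\98ip629-readme.txt", None),
    ("explorer.exe", "renamed", r"C:\Users\Admin\Documents\draft.docx",
     r"C:\Users\Admin\Documents\draft-final.docx"),
    ("winword.exe", "created", r"C:\Users\Admin\Documents\~$draft.docx", None),
]

NT_PREFIX = "\\??\\"          # sandbox/ETW destination paths carry the NT object prefix
NOTE_RE = re.compile(r"^(?P<tag>[a-z0-9]+)-readme\.txt$", re.I)   # REvil's <ext>-readme.txt


def normalize(path: str) -> str:
    """Strip the NT prefix and fold case so Win32 and NT spellings compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_suffix(src: str, dst: str):
    """Return the extension appended to src to produce dst, or None if dst is not src + '.<ext>'."""
    s, d = normalize(src), normalize(dst)
    if d.startswith(s + ".") and len(d) > len(s) + 1:
        suffix = d[len(s) + 1:]
        if re.fullmatch(r"[a-z0-9_-]{1,16}", suffix):
            return suffix
    return None


def note_tag(path: str):
    """Return the '<tag>' part of a '<tag>-readme.txt' file name, or None."""
    name = normalize(path).rsplit("\\", 1)[-1]
    m = NOTE_RE.match(name)
    return m.group("tag") if m else None


def find_ransomware_renames(events, min_renames=3):
    """Flag a process that renames >= min_renames files to one new suffix, or whose
    appended suffix matches a ransom note it created (the stronger signal)."""
    suffixes = defaultdict(Counter)   # process -> Counter of appended suffixes
    notes = defaultdict(set)          # process -> set of ransom-note tags it created
    for proc, action, path, new_path in events:
        if action == "renamed" and new_path is not None:
            suf = appended_suffix(path, new_path)
            if suf:
                suffixes[proc][suf] += 1
        elif action == "created":
            tag = note_tag(path)
            if tag:
                notes[proc].add(tag.lower())
    findings = []
    for proc, counter in suffixes.items():
        for suf, n in counter.items():
            note_match = suf in notes.get(proc, set())
            if n >= min_renames or note_match:
                findings.append({
                    "process": proc,
                    "extension": "." + suf,
                    "renames": n,
                    "ransom_note": f"{suf}-readme.txt" if note_match else None,
                })
    return findings


if __name__ == "__main__":
    for f in find_ransomware_renames(SAMPLE_FILE_EVENTS):
        print(f)
```

The suffix/note correlation is specific to REvil's naming convention (extension `.98ip629`, note `98ip629-readme.txt` here); the rename-count branch is the generic fallback for families that use a fixed extension or no note. In a live deployment the count threshold should be paired with a time window, since a bulk rename by a backup tool over hours is not the same signal as the same renames in seconds.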
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 3784 f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe (2 entries)
  pid 4504 powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 4504 powershell.exe
  Token: SeBackupPrivilege, pid 852 vssvc.exe
  Token: SeRestorePrivilege, pid 852 vssvc.exe
  Token: SeAuditPrivilege, pid 852 vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3784 (f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe) wrote to memory of PID 4504 (powershell.exe), 2 entries
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f582a3e83181096236a5d63445ced2ea2f6f61bb9b4ddf82762dd2ae11c233a5.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    Decoded (-e takes base64 of UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    This deletes every Volume Shadow Copy through WMI, removing the host's local restore points before the ransom note is shown. The WMI callback host (unsecapp.exe) and the Volume Shadow Copy service (vssvc.exe, with SeBackupPrivilege/SeRestorePrivilege) that appear below are consistent with that call.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
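The encoded PowerShell step in the process tree is the one action here a detection engineer most wants to catch generically, because REvil and many other families hide the shadow-copy deletion behind `-EncodedCommand`. The following Python is an added example, not part of the sandbox report and not code from REvil or the sandbox vendor: it decodes the `-e` payload of a process-creation record (PowerShell accepts any unambiguous prefix of `-EncodedCommand`, so `-e`, `-ec`, `-enc` and so on are all handled) and tags the well-known shadow-copy and recovery tampering commands in the decoded text. The base64 blob is the one from this report; the other two records, the field names and the tag names are constructed for the example.

```python
import base64
import re

# Constructed process-creation records in the shape an EDR or Sysmon (Event ID 1)
# feed would hand to a detection rule. The first command line is the one from this
# report; the other two records are constructed for contrast.
SAMPLE_EVENTS = [
    {
        "pid": 4504, "ppid": 3784,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
    },
    {
        "pid": 5120, "ppid": 640,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    },
    {
        "pid": 5200, "ppid": 640,
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet",
    },
]

# "-<flag> <base64>" anywhere in the command line; the flag is validated separately.
_ENC_FLAG = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{8,})")

# Commands that destroy local recovery data, matched against the effective
# (decoded) command line. Tag names are constructed for this example.
SHADOW_TAMPER = [
    (re.compile(r"win32_shadowcopy.*\bdelete\b", re.I | re.S), "wmi_shadowcopy_delete"),
    (re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I), "vssadmin_delete_shadows"),
    (re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I), "wmic_shadowcopy_delete"),
    (re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I), "wbadmin_delete_catalog"),
    (re.compile(r"bcdedit.*recoveryenabled\s+no", re.I | re.S), "bcdedit_disable_recovery"),
]


def _is_encoded_flag(flag: str) -> bool:
    """True for -e, -ec, -enc, ... -encodedcommand (PowerShell's prefix matching); -ex is ExecutionPolicy."""
    f = flag.lower()
    return f == "ec" or (f.startswith("e") and "encodedcommand".startswith(f))


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    for m in _ENC_FLAG.finditer(cmdline):
        if not _is_encoded_flag(m.group(1)):
            continue
        blob = m.group(2)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            return raw.decode("utf-16-le").rstrip("\x00")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def inspect_event(event):
    """Decode if needed, then tag the effective command line."""
    decoded = decode_encoded_command(event["cmdline"])
    effective = decoded if decoded is not None else event["cmdline"]
    tags = [name for pat, name in SHADOW_TAMPER if pat.search(effective)]
    if decoded is not None:
        tags.append("powershell_encoded_command")
    return {"pid": event["pid"], "effective_cmdline": effective, "tags": tags}


def find_shadow_copy_tampering(events):
    """Return inspected events that tripped at least one tampering tag (encoding alone is not enough)."""
    results = (inspect_event(e) for e in events)
    return [r for r in results
            if any(t != "powershell_encoded_command" for t in r["tags"])]


if __name__ == "__main__":
    for hit in find_shadow_copy_tampering(SAMPLE_EVENTS):
        print(hit["pid"], hit["tags"], hit["effective_cmdline"])
```

Encoded-command use on its own is only a weak signal (plenty of management tooling uses it), which is why the tag is recorded but does not by itself produce a hit; the decoded text is what the tampering patterns run over. Pair a hit with the parent process, as in this report where the parent is an unsigned executable in `%TEMP%` rather than an admin console.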
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4504-124-0x00000233EFE10000-0x00000233EFE32000-memory.dmp (136KB)
- memory/4504-129-0x00000233F1FA0000-0x00000233F2016000-memory.dmp (472KB)
- memory/4504-136-0x00000233D7CE0000-0x00000233EFE50000-memory.dmp (385.4MB)
- memory/4504-142-0x00000233D7CE0000-0x00000233EFE50000-memory.dmp (385.4MB)