Analysis
max time kernel: 148s
max time network: 167s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 00:44
Static task: static1
Behavioral task: behavioral1
  Sample: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe
  Resource: win10-en-20211208
The platform and resource in the Analysis header (windows10_x64, win10-en-20211208) match behavioral2, so the behavioural results below come from the Windows 10 x64 run.
General
Target: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe
Size: 118KB
MD5: 08fad193fc03bad8132bd791155212d2
SHA1: 5c56fd5246f3680f4576a9e633fb76acfb15f994
SHA256: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4
SHA512: d2e3460998d409a530f5435f9c7693d1aa684b5016b8abcbfd86530cd2ed2fd7849094bf2be865e2f75179f557567265b8ee6091c39d96d7cb8c7b89a9d2835e
Malware Config
Extracted from: C:\0u8txz0-readme.txt (the dropped ransom note)
Family: sodinokibi
Victim pages:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/78AE43A9C61A1316
http://decoder.re/78AE43A9C61A1316
The path component 78AE43A9C61A1316 is the per-victim identifier carried in the note; the same value is used on both the Tor hidden service and the clearnet decoder.re mirror. The note's filename prefix (0u8txz0) is the same string the sample appends to encrypted files (see "Modifies extensions of user files" below), which is a useful pivot when hunting for the note on other hosts.
Signatures
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files. In this run the original extension is kept and .0u8txz0 is appended, so encrypted files are still recognisable by their original type.
Process: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe
- File renamed: C:\Users\Admin\Pictures\UndoReceive.tif => \??\c:\users\admin\pictures\UndoReceive.tif.0u8txz0
- File renamed: C:\Users\Admin\Pictures\WaitOut.crw => \??\c:\users\admin\pictures\WaitOut.crw.0u8txz0
- File renamed: C:\Users\Admin\Pictures\CompareSkip.tif => \??\c:\users\admin\pictures\CompareSkip.tif.0u8txz0
- File opened for modification: \??\c:\users\admin\pictures\OpenCompress.tiff
- File renamed: C:\Users\Admin\Pictures\OpenCompress.tiff => \??\c:\users\admin\pictures\OpenCompress.tiff.0u8txz0
- File renamed: C:\Users\Admin\Pictures\SubmitOpen.png => \??\c:\users\admin\pictures\SubmitOpen.png.0u8txz0
- File renamed: C:\Users\Admin\Pictures\ResetConnect.tif => \??\c:\users\admin\pictures\ResetConnect.tif.0u8txz0
- File opened for modification: \??\c:\users\admin\pictures\RevokeRestore.tiff
- File renamed: C:\Users\Admin\Pictures\RevokeRestore.tiff => \??\c:\users\admin\pictures\RevokeRestore.tiff.0u8txz0
- File renamed: C:\Users\Admin\Pictures\DenyRename.crw => \??\c:\users\admin\pictures\DenyRename.crw.0u8txz0
- File renamed: C:\Users\Admin\Pictures\MoveComplete.png => \??\c:\users\admin\pictures\MoveComplete.png.0u8txz0
- File renamed: C:\Users\Admin\Pictures\ReadOut.tif => \??\c:\users\admin\pictures\ReadOut.tif.0u8txz0
- File renamed: C:\Users\Admin\Pictures\RegisterUnlock.png => \??\c:\users\admin\pictures\RegisterUnlock.png.0u8txz0
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. The report records no file IoCs for this signature in this run, so treat it as a behavioural heuristic rather than a confirmed read of a specific browser store.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1E8NAmhfRO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe"
This is a machine-wide (HKLM) Run key, so the write required administrative rights; the WOW6432Node path is the registry redirection applied to a 32-bit process on 64-bit Windows. The value name (1E8NAmhfRO) looks random and the data points back to the sample in the user's Temp directory, both of which are worth alerting on independently of the sample hash.
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe
- File opened (read-only): \??\A:, \??\B:, \??\D:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, 25 IoCs in total)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i465i01y1e156.bmp"
Drops file in Program Files directory (8 IoCs)
Process: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe
- File opened for modification: \??\c:\program files\UninstallSubmit.3gp2
- File opened for modification: \??\c:\program files\UnpublishRename.potx
- File opened for modification: \??\c:\program files\EditSkip.3g2
- File opened for modification: \??\c:\program files\LimitDeny.wmx
- File opened for modification: \??\c:\program files\RedoDisable.fon
- File opened for modification: \??\c:\program files\SelectExport.TTS
- File opened for modification: \??\c:\program files\SendUninstall.xlsm
- File opened for modification: \??\c:\program files\UnblockWait.midi
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe (PID 3984), 4 occurrences
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Process: eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe (PID 3984)
- Token: SeDebugPrivilege
- Token: SeTakeOwnershipPrivilege
Process: vssvc.exe (PID 2212)
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege
SeDebugPrivilege and SeTakeOwnershipPrivilege enabled by the sample fit the "privilege escalation" description above: the former is commonly used to open other processes, the latter to take ownership of files the current token cannot otherwise modify. vssvc.exe is the Volume Shadow Copy service, which starts on demand when a VSS request is made and enables the backup/restore privileges as part of its normal operation. Its presence shows that VSS was invoked during the run; the report records no vssadmin or WMI command, so shadow-copy deletion cannot be confirmed from this page alone.
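The behaviours above (bulk renames that append one new extension, a Run key pointing into Temp, a wallpaper set from Temp, and a ransom note named after the appended extension) can be turned into detection logic over sandbox or EDR events. The script below is an added example, not code from the report or the tria.ge service; the event list is constructed from the IoCs on this page, the event schema (type/src/dst/key/data fields) is an assumption, and the rename threshold is an assumed tuning value.

```python
"""Detection logic for the REvil behaviours recorded in the report above.

Added example. SAMPLE_EVENTS is constructed from the report's IoC tables;
the event schema and the min_renames threshold are assumptions, not a
real log format.
"""
import re
from collections import Counter

SAMPLE = "eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe"

# Constructed sample events modelled on the report's IoC tables.
SAMPLE_EVENTS = [
    {"type": "file_rename", "src": r"C:\Users\Admin\Pictures\UndoReceive.tif",
     "dst": r"c:\users\admin\pictures\UndoReceive.tif.0u8txz0"},
    {"type": "file_rename", "src": r"C:\Users\Admin\Pictures\WaitOut.crw",
     "dst": r"c:\users\admin\pictures\WaitOut.crw.0u8txz0"},
    {"type": "file_rename", "src": r"C:\Users\Admin\Pictures\SubmitOpen.png",
     "dst": r"c:\users\admin\pictures\SubmitOpen.png.0u8txz0"},
    {"type": "file_rename", "src": r"C:\Users\Admin\Pictures\MoveComplete.png",
     "dst": r"c:\users\admin\pictures\MoveComplete.png.0u8txz0"},
    {"type": "file_create", "path": r"C:\0u8txz0-readme.txt"},
    {"type": "reg_create",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1E8NAmhfRO",
     "data": r"C:\Users\Admin\AppData\Local\Temp\\" + SAMPLE},
    {"type": "reg_set",
     "key": r"\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper",
     "data": r"C:\Users\Admin\AppData\Local\Temp\i465i01y1e156.bmp"},
    # Benign control: an ordinary user rename that must not count.
    {"type": "file_rename", "src": r"C:\Users\Admin\Documents\draft.docx",
     "dst": r"C:\Users\Admin\Documents\final.docx"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def appended_extension(src, dst):
    """Return the suffix appended to the original name, or None.

    The report shows the original extension kept and a new one appended
    (file.tif -> file.tif.0u8txz0). The sandbox reports the destination as a
    lower-cased \\??\\ path, so the comparison is case-insensitive.
    """
    if dst.lower().startswith(src.lower() + "."):
        tail = dst[len(src) + 1:]
        if tail and "\\" not in tail:
            return tail
    return None


def analyse(events, min_renames=3):
    """Return a dict of findings; min_renames is an assumed threshold."""
    findings = {}
    ext_counter = Counter()
    for ev in events:
        if ev["type"] == "file_rename":
            ext = appended_extension(ev["src"], ev["dst"])
            if ext:
                ext_counter[ext.lower()] += 1
    if ext_counter:
        ext, count = ext_counter.most_common(1)[0]
        if count >= min_renames:
            findings["bulk_rename_extension"] = ext
            findings["bulk_rename_count"] = count
            # REvil names its note "<extension>-readme.txt"; tie the two together.
            note = f"{ext}-readme.txt"
            findings["ransom_note"] = [
                ev["path"] for ev in events
                if ev["type"] == "file_create" and ev["path"].lower().endswith(note)
            ]
    for ev in events:
        if ev["type"] != "reg_set":
            continue
        if RUN_KEY_RE.search(ev["key"]) and TEMP_RE.search(ev["data"]):
            findings.setdefault("temp_run_keys", []).append(ev["key"])
        if WALLPAPER_RE.search(ev["key"]) and TEMP_RE.search(ev["data"]):
            findings["wallpaper_set_from_temp"] = ev["data"]
    return findings


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

The rename rule keys on the shape of the change (original name kept, one new suffix shared across many files) rather than on the literal string 0u8txz0, because REvil generates that extension per victim; the note correlation then confirms the family convention without hard-coding it. The Run-key and wallpaper rules fire only when the data points into AppData\Local\Temp, which keeps legitimate installers that register Run keys under Program Files out of the alert.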
Processes
C:\Users\Admin\AppData\Local\Temp\eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe (PID 3984)
Command line: "C:\Users\Admin\AppData\Local\Temp\eeeeb1d683c948d0426e253d708445817ad66460a93ef53668dd67a6f5f223d4.exe"
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\unsecapp.exe (PID 2372)
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe (PID 2212)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
All three processes sit at the top level of the tree: the sandbox recorded no parent/child link between the sample and the two service hosts, which is expected because both are started by COM/service control rather than by the sample directly. unsecapp.exe (-Embedding) is the WMI asynchronous callback sink host, so its appearance corroborates WMI use during the run, and vssvc.exe is the Volume Shadow Copy service discussed under "Suspicious use of AdjustPrivilegeToken".