Analysis
max time kernel: 144s
max time network: 163s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 00:47
Static task: static1
Behavioral task: behavioral1
  Sample: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe
  Resource: win10-en-20211208
General
Target: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe
Size: 131KB
MD5: eaf6a7625df801454ba48b03f7e6e4b2
SHA1: b7bd42c523f6694c2a8bbdbfc524051a8d7d4a2a
SHA256: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb
SHA512: 3d20318d1b1753eb7c3cf802cdd2b172c6a55df6d18e1a63b24ca2cadcce2507c353b397f663099ea4c9ca508579e383051ac5698fab1e08e97969606ba9465c
Malware Config
Extracted
Path: C:\41522ik48-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0A89F898DE2F9BB8
http://decryptor.top/0A89F898DE2F9BB8
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe (the process column is this executable for every row below)
description | ioc
File renamed | C:\Users\Admin\Pictures\ConvertToGrant.tif => \??\c:\users\admin\pictures\ConvertToGrant.tif.41522ik48
File renamed | C:\Users\Admin\Pictures\GrantEnable.tif => \??\c:\users\admin\pictures\GrantEnable.tif.41522ik48
File renamed | C:\Users\Admin\Pictures\PushEnable.raw => \??\c:\users\admin\pictures\PushEnable.raw.41522ik48
File renamed | C:\Users\Admin\Pictures\RestoreReset.tif => \??\c:\users\admin\pictures\RestoreReset.tif.41522ik48
File renamed | C:\Users\Admin\Pictures\SaveUnlock.raw => \??\c:\users\admin\pictures\SaveUnlock.raw.41522ik48
File renamed | C:\Users\Admin\Pictures\TraceUninstall.raw => \??\c:\users\admin\pictures\TraceUninstall.raw.41522ik48
File renamed | C:\Users\Admin\Pictures\UnlockSwitch.crw => \??\c:\users\admin\pictures\UnlockSwitch.crw.41522ik48
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe (the process column is this executable for every row below)
description | ioc
File opened (read-only) | \??\N:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\A:
File opened (read-only) | \??\B:
File opened (read-only) | \??\I:
File opened (read-only) | \??\J:
File opened (read-only) | \??\T:
File opened (read-only) | \??\V:
File opened (read-only) | \??\W:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\H:
File opened (read-only) | \??\L:
File opened (read-only) | \??\M:
File opened (read-only) | \??\R:
File opened (read-only) | \??\P:
File opened (read-only) | \??\S:
File opened (read-only) | \??\X:
File opened (read-only) | \??\D:
File opened (read-only) | \??\E:
File opened (read-only) | \??\F:
File opened (read-only) | \??\K:
File opened (read-only) | \??\O:
File opened (read-only) | \??\G:
File opened (read-only) | \??\U:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7coiq4aq.bmp" | e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe
Drops file in Program Files directory (24 IoCs)
Processes: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe (the process column is this executable for every row below)
description | ioc
File opened for modification | \??\c:\program files\RemoveCompress.jpeg
File opened for modification | \??\c:\program files\SplitSelect.jfif
File opened for modification | \??\c:\program files\TestAdd.png
File opened for modification | \??\c:\program files\AssertOut.mp4
File opened for modification | \??\c:\program files\ConvertToApprove.pptm
File opened for modification | \??\c:\program files\ResizeExpand.xsl
File opened for modification | \??\c:\program files\SyncCopy.png
File opened for modification | \??\c:\program files\InstallExit.txt
File opened for modification | \??\c:\program files\RenameConvertFrom.mp4
File opened for modification | \??\c:\program files\CompareRequest.MTS
File opened for modification | \??\c:\program files\LimitUse.pptx
File opened for modification | \??\c:\program files\MergeSend.pcx
File opened for modification | \??\c:\program files\MoveDeny.xlsm
File opened for modification | \??\c:\program files\RedoRevoke.png
File opened for modification | \??\c:\program files\RemovePush.MTS
File created | \??\c:\program files (x86)\41522ik48-readme.txt
File opened for modification | \??\c:\program files\AssertInitialize.DVR-MS
File opened for modification | \??\c:\program files\SuspendSwitch.php
File opened for modification | \??\c:\program files\TestResume.i64
File opened for modification | \??\c:\program files\RequestEnable.xml
File opened for modification | \??\c:\program files\ShowDebug.html
File opened for modification | \??\c:\program files\UnprotectCompress.ttc
File created | \??\c:\program files\41522ik48-readme.txt
File opened for modification | \??\c:\program files\RemoveEnter.mov
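Added example, not part of the sandbox output: the rename IoCs above and the two ransom-note creations give enough to derive the per-victim extension and confirm that the note name follows the <extension>-readme.txt pattern this sample uses, which also matches the path the config was extracted from. The IoC lists are copied from this report; the correlation helper names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Rename IoCs copied from the report's "Modifies extensions of user files" signature.
RENAME_IOCS = [
    r"C:\Users\Admin\Pictures\ConvertToGrant.tif => \??\c:\users\admin\pictures\ConvertToGrant.tif.41522ik48",
    r"C:\Users\Admin\Pictures\GrantEnable.tif => \??\c:\users\admin\pictures\GrantEnable.tif.41522ik48",
    r"C:\Users\Admin\Pictures\PushEnable.raw => \??\c:\users\admin\pictures\PushEnable.raw.41522ik48",
    r"C:\Users\Admin\Pictures\RestoreReset.tif => \??\c:\users\admin\pictures\RestoreReset.tif.41522ik48",
    r"C:\Users\Admin\Pictures\SaveUnlock.raw => \??\c:\users\admin\pictures\SaveUnlock.raw.41522ik48",
    r"C:\Users\Admin\Pictures\TraceUninstall.raw => \??\c:\users\admin\pictures\TraceUninstall.raw.41522ik48",
    r"C:\Users\Admin\Pictures\UnlockSwitch.crw => \??\c:\users\admin\pictures\UnlockSwitch.crw.41522ik48",
]

# "File created" IoCs from the "Drops file in Program Files directory" signature,
# plus the ransom-note path the sandbox extracted the config from.
CREATED_FILES = [
    r"\??\c:\program files (x86)\41522ik48-readme.txt",
    r"\??\c:\program files\41522ik48-readme.txt",
]
EXTRACTED_NOTE_PATH = r"C:\41522ik48-readme.txt"

NT_PREFIX = "\\??\\"  # NT object-manager prefix the sandbox keeps on destination paths


def _normalize(path: str) -> str:
    """Strip the \\??\\ prefix and lowercase so source and destination paths compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_extension(rename_ioc: str) -> Optional[str]:
    """For 'src => dst', return the suffix appended to src, or None if dst is not src plus one '.ext'."""
    src, sep, dst = rename_ioc.partition(" => ")
    if not sep:
        return None
    src_n, dst_n = _normalize(src), _normalize(dst)
    if not dst_n.startswith(src_n + "."):
        return None
    ext = dst_n[len(src_n) + 1:]
    # A genuine appended extension is a single suffix with no path separator in it.
    return ext if ext and "\\" not in ext else None


def ransom_extension(renames: List[str]) -> Optional[str]:
    """Return the one extension shared by all renames that appended a suffix, else None."""
    exts = Counter(e for e in map(appended_extension, renames) if e)
    return next(iter(exts)) if len(exts) == 1 else None


def note_paths_for(ext: str, created: List[str]) -> List[str]:
    """Created files whose name is '<ext>-readme.txt' (the note naming seen on this sample)."""
    want = f"{ext}-readme.txt".lower()
    return [p for p in created if _normalize(p).rsplit("\\", 1)[-1] == want]


def correlate(renames: List[str], created: List[str], extracted_note: str) -> Dict[str, object]:
    """Tie the rename, note-drop and config-extraction IoCs together through the extension."""
    ext = ransom_extension(renames)
    notes = note_paths_for(ext, created) if ext else []
    return {
        "extension": ext,
        "renames_with_extension": sum(1 for r in renames if appended_extension(r) == ext),
        "note_paths": notes,
        "config_note_matches": ext is not None
        and _normalize(extracted_note).endswith(f"\\{ext}-readme.txt"),
    }


if __name__ == "__main__":
    print(correlate(RENAME_IOCS, CREATED_FILES, EXTRACTED_NOTE_PATH))
```

The same helper runs unchanged over the rename IoCs of any report that prints "src => dst" pairs; a result with more than one extension, or a note name that does not match, is worth a second look rather than an automatic family call.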
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe, powershell.exe
pid | process
2760 | e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe
2760 | e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe
3104 | powershell.exe
3104 | powershell.exe
3104 | powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3104 | powershell.exe
Token: SeBackupPrivilege | 2500 | vssvc.exe
Token: SeRestorePrivilege | 2500 | vssvc.exe
Token: SeAuditPrivilege | 2500 | vssvc.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe
description | pid | process | target process
PID 2760 wrote to memory of 3104 | 2760 | e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe | powershell.exe
PID 2760 wrote to memory of 3104 | 2760 | e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe | powershell.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8c724785ff0233911a56176652a8b4090ea8c99118fd2cc95409cab745747bb.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2760
  Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    The -e argument is Base64 of a UTF-16LE script; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    That is, every volume shadow copy is deleted through WMI before or during encryption, which removes the easiest local recovery path. The vssvc.exe process below starting with SeBackupPrivilege and SeRestorePrivilege is consistent with that call.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3104
Depth 1: C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2320
Depth 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2500
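Added example, not part of the sandbox output: the sandbox records the encoded powershell.exe command line of PID 3104 but does not decode it. The helper below decodes a -e / -EncodedCommand argument (Base64 of a UTF-16LE script) and checks the result for shadow-copy deletion idioms. The command line is copied from this report; the flag spellings accepted and the pattern list are this example's own assumptions, not an exhaustive rule set.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Command line of PID 3104, copied from the report's process tree.
ENCODED_CMDLINE = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Common spellings of -EncodedCommand (PowerShell accepts unambiguous prefixes); assumption, not exhaustive.
_ENC_FLAG = re.compile(r"^[-/]e(c|nc|ncodedcommand)?$", re.IGNORECASE)

# Shadow-copy destruction idioms to look for in the decoded script (constructed list).
SHADOW_COPY_PATTERNS: Dict[str, re.Pattern] = {
    "wmi_win32_shadowcopy_delete": re.compile(r"Win32_ShadowCopy\b.*?\.Delete\s*\(", re.IGNORECASE | re.DOTALL),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind a powershell -e <base64> command line, or None if there is none."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if _ENC_FLAG.match(flag):
            try:
                # Re-pad in case the sample stripped trailing '=' characters.
                raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def shadow_copy_tampering(script: str) -> List[str]:
    """Names of the shadow-copy deletion patterns that match the script."""
    return [name for name, pat in SHADOW_COPY_PATTERNS.items() if pat.search(script)]


def triage(cmdline: str) -> Dict[str, object]:
    """Decode an encoded PowerShell command line and flag shadow-copy tampering in it."""
    script = decode_encoded_command(cmdline)
    return {
        "decoded": script,
        "shadow_copy_hits": shadow_copy_tampering(script) if script else [],
    }


if __name__ == "__main__":
    print(triage(ENCODED_CMDLINE))
```

For this sample the decoded script is Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which the WMI pattern flags; the same check applies to plain (unencoded) -Command arguments by calling shadow_copy_tampering on them directly.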
Network
MITRE ATT&CK Enterprise v6
Downloads
Memory dumps (all taken from PID 3104, powershell.exe):
memory/3104-119-0x000001DAAF0D0000-0x000001DAAF0F2000-memory.dmp (136KB)
memory/3104-122-0x000001DAAF110000-0x000001DAAF112000-memory.dmp (8KB)
memory/3104-123-0x000001DAAF113000-0x000001DAAF115000-memory.dmp (8KB)
memory/3104-124-0x000001DAC7830000-0x000001DAC78A6000-memory.dmp (472KB)