Analysis
-
max time kernel
149s -
max time network
162s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 00:47
Static task
static1
Behavioral task
behavioral1
Sample
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe
Resource
win10-en-20211208
General
-
Target
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe
-
Size
158KB
-
MD5
37c62627383200afa90abf92bf5c4f72
-
SHA1
ba0cce7a0b27b4d6c29abeb6d02f5bc54c6c8cd9
-
SHA256
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0
-
SHA512
9eb9aade0df35394f2b326d630dd24899edd388c7f19f7da81b99b347ab402994f0ed4540c9a8bf58f2e1abada2632e98b714e615e25d71ee5892d2cbff16fca
Malware Config
Extracted
C:\38oy88-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/286D3BBE994DC093
http://decryptor.top/286D3BBE994DC093
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exedescription ioc process File renamed C:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.38oy88 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Pictures\RenameRestart.tiff e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File renamed C:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.38oy88 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File renamed C:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.38oy88 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File renamed C:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.38oy88 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File renamed C:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.38oy88 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File renamed C:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.38oy88 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe -
Drops desktop.ini file(s) 26 IoCs
Processes:
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exedescription ioc process File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Documents\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Searches\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Pictures\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Links\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Music\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Desktop\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Documents\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Downloads\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Libraries\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Music\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Public\Videos\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened for modification C:\Users\Admin\Videos\desktop.ini e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exedescription ioc process File opened (read-only) \??\B: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\E: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\H: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\J: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\Q: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\S: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\F: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\I: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\L: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\P: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\T: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\Z: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\D: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\G: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\K: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\M: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\U: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\V: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\W: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\X: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\A: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\N: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\O: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\R: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe File opened (read-only) \??\Y: e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ra7.bmp" e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1528 vssadmin.exe -
Processes:
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exepid process 952 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1964 vssvc.exe Token: SeRestorePrivilege 1964 vssvc.exe Token: SeAuditPrivilege 1964 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.execmd.exedescription pid process target process PID 952 wrote to memory of 828 952 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe cmd.exe PID 952 wrote to memory of 828 952 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe cmd.exe PID 952 wrote to memory of 828 952 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe cmd.exe PID 952 wrote to memory of 828 952 e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe cmd.exe PID 828 wrote to memory of 1528 828 cmd.exe vssadmin.exe PID 828 wrote to memory of 1528 828 cmd.exe vssadmin.exe PID 828 wrote to memory of 1528 828 cmd.exe vssadmin.exe PID 828 wrote to memory of 1528 828 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe"C:\Users\Admin\AppData\Local\Temp\e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/952-54-0x0000000075B51000-0x0000000075B53000-memory.dmpFilesize
8KB