Analysis
-
max time kernel
117s -
max time network
136s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 00:47
Static task
static1
Behavioral task
behavioral1
Sample
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe
Resource
win10-en-20211208
General
-
Target
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe
-
Size
120KB
-
MD5
45b4086d503c8c97fb212cb7a0cf2b53
-
SHA1
5596c6d801d4eecece08a2605042ce7dccb471be
-
SHA256
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28
-
SHA512
674bc378963fb65bdd1c7956058af332e040d1da74d683874c538e917b58c7c28cecdb93bd47c27c8aee749bd21b8dc5e626813e56f49da301080fe31f272465
Malware Config
Extracted
C:\43vr37cd0-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D370D595B944546C
http://decoder.re/D370D595B944546C
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exedescription ioc process File renamed C:\Users\Admin\Pictures\ResumeApprove.png => \??\c:\users\admin\pictures\ResumeApprove.png.43vr37cd0 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File renamed C:\Users\Admin\Pictures\SkipDeny.crw => \??\c:\users\admin\pictures\SkipDeny.crw.43vr37cd0 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File renamed C:\Users\Admin\Pictures\SaveSplit.png => \??\c:\users\admin\pictures\SaveSplit.png.43vr37cd0 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File renamed C:\Users\Admin\Pictures\ResumeDisable.png => \??\c:\users\admin\pictures\ResumeDisable.png.43vr37cd0 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exedescription ioc process File opened (read-only) \??\A: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\B: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\I: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\J: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\K: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\M: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\Z: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\F: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\G: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\H: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\P: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\V: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\Y: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\N: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\O: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\S: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\U: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\D: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\X: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\E: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\L: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\Q: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\R: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\T: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened (read-only) \??\W: e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hh1u2.bmp" e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe -
Drops file in Program Files directory 14 IoCs
Processes:
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exedescription ioc process File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\43vr37cd0-readme.txt e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File created \??\c:\program files\43vr37cd0-readme.txt e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened for modification \??\c:\program files\CopyRepair.ppsm e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened for modification \??\c:\program files\UninstallRestart.jpeg e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\43vr37cd0-readme.txt e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened for modification \??\c:\program files\CompareExit.asx e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened for modification \??\c:\program files\SkipCopy.tiff e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened for modification \??\c:\program files\SuspendSet.rar e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\43vr37cd0-readme.txt e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened for modification \??\c:\program files\BlockHide.mpeg3 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened for modification \??\c:\program files\ExpandConfirm.pcx e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened for modification \??\c:\program files\PublishBlock.TS e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File created \??\c:\program files (x86)\43vr37cd0-readme.txt e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe File opened for modification \??\c:\program files\ExpandWrite.vsdm e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exepid process 1608 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe 1608 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe 1608 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exevssvc.exedescription pid process Token: SeDebugPrivilege 1608 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe Token: SeTakeOwnershipPrivilege 1608 e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe Token: SeBackupPrivilege 1820 vssvc.exe Token: SeRestorePrivilege 1820 vssvc.exe Token: SeAuditPrivilege 1820 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe"C:\Users\Admin\AppData\Local\Temp\e77e82020c2779190390cdd1b7fef705e4666caa3bfa8498119c37e7086f3d28.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:848
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1608-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmpFilesize
8KB