Analysis
-
max time kernel
124s -
max time network
135s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:52
Static task
static1
Behavioral task
behavioral1
Sample
df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe
Resource
win10-en-20211208
General
-
Target
df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe
-
Size
164KB
-
MD5
7419fb7e3354a8d3fed0213d888312ae
-
SHA1
bbfe9e30414da1a127c65ed6915e30131dd6db81
-
SHA256
df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919
-
SHA512
342d58371a58a1f3361dfaa51e27623d3a835782a196f0daa2349ecace963611ac2e839006be1db42ae6b4f591f591661ee062090ea8b2fd7c8a028fc1496072
Malware Config
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exedescription ioc process File opened (read-only) \??\A: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\M: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\U: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\W: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\G: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\Z: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\B: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\E: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\F: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\I: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\L: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\O: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\P: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\Q: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\S: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\V: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\H: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\J: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\K: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\N: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\R: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\T: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\X: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe File opened (read-only) \??\Y: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 428 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exepid process 2820 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe 2820 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3004 vssvc.exe Token: SeRestorePrivilege 3004 vssvc.exe Token: SeAuditPrivilege 3004 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.execmd.exedescription pid process target process PID 2820 wrote to memory of 660 2820 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe cmd.exe PID 2820 wrote to memory of 660 2820 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe cmd.exe PID 2820 wrote to memory of 660 2820 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe cmd.exe PID 660 wrote to memory of 428 660 cmd.exe vssadmin.exe PID 660 wrote to memory of 428 660 cmd.exe vssadmin.exe PID 660 wrote to memory of 428 660 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe"C:\Users\Admin\AppData\Local\Temp\df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken