Analysis
-
max time kernel
139s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:51
Static task
static1
Behavioral task
behavioral1
Sample
df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe
Resource
win10-en-20211208
General
-
Target
df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe
-
Size
164KB
-
MD5
13d4c1451da6fa284c08c669a7d0e7c1
-
SHA1
2ea65287c7489d8ab5abd04e172c55d1518a4052
-
SHA256
df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07
-
SHA512
f845335dd84b5bf9b20889dfd051bf012dfcf96adaf4f6de171b3a8e62f42cf03c0e18314ad6ca59ff3eb5e1c0ef3dce179845aac6582b9438c0b13809f47554
Malware Config
Extracted
C:\ygkpvai-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/26DB6161C15B4CBE
http://decryptor.top/26DB6161C15B4CBE
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exedescription ioc process File renamed C:\Users\Admin\Pictures\SelectMount.crw => \??\c:\users\admin\pictures\SelectMount.crw.ygkpvai df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exedescription ioc process File opened (read-only) \??\N: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\O: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\Q: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\R: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\T: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\Y: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\A: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\L: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\M: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\S: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\X: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\D: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\I: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\W: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\B: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\E: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\F: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\G: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\H: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\J: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\K: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\P: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\U: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\V: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened (read-only) \??\Z: df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe -
Drops file in Program Files directory 23 IoCs
Processes:
df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exedescription ioc process File opened for modification \??\c:\program files\CheckpointNew.fon df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\PushOptimize.xhtml df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\RegisterImport.xlsm df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\StartConnect.csv df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\StopCompare.001 df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\SwitchCopy.3gp df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\WaitUnlock.jpg df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File created \??\c:\program files (x86)\ygkpvai-readme.txt df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\BackupEnter.mpg df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\DisconnectExit.scf df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\DisconnectRequest.xla df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\RenameProtect.crw df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\RestoreSync.zip df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\DismountStop.xlsx df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\FindCompress.clr df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\MergeStart.doc df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\OptimizeRead.avi df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\UnprotectOptimize.mov df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\WaitShow.gif df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File created \??\c:\program files\ygkpvai-readme.txt df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\ConvertToDismount.dxf df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\EnableInvoke.tiff df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe File opened for modification \??\c:\program files\SwitchConfirm.rle df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exepowershell.exepid process 2496 df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe 2496 df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe 3004 powershell.exe 3004 powershell.exe 3004 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 3004 powershell.exe Token: SeBackupPrivilege 864 vssvc.exe Token: SeRestorePrivilege 864 vssvc.exe Token: SeAuditPrivilege 864 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exedescription pid process target process PID 2496 wrote to memory of 3004 2496 df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe powershell.exe PID 2496 wrote to memory of 3004 2496 df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe"C:\Users\Admin\AppData\Local\Temp\df724c49a1401d66f690b0a940f70bd286671448a625690ccdfdc4c42b4b5b07.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3356
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:864
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3004-120-0x0000026639B60000-0x0000026639B82000-memory.dmpFilesize
136KB
-
memory/3004-124-0x000002663A6A0000-0x000002663A716000-memory.dmpFilesize
472KB
-
memory/3004-132-0x00000266219F0000-0x0000026639BE0000-memory.dmpFilesize
385.9MB
-
memory/3004-133-0x00000266219F0000-0x0000026639BE0000-memory.dmpFilesize
385.9MB