Analysis
max time kernel: 121s
max time network: 142s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-01-2022 00:52
Static task: static1
Behavioral task: behavioral1
Sample: dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe
Resource: win10-en-20211208
General
Target: dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe
Size: 115KB
MD5: ab5b30424c5b33662c98e03462ec286c
SHA1: bdaff521b07ec866281f070c177a4bfbc0a56790
SHA256: dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f
SHA512: 779f6bbfebac2e7412394d42a03f9da94eadf23ccb0a5380c908cdef3331b9cf538049e0c880fac27d7d02c3c797bc7457201817fd6faecba2ba302194744596
Malware Config
Extracted
C:\xkit97-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EEEBA3B21F1F0709
http://decryptor.cc/EEEBA3B21F1F0709
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Process (all entries): dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe
File renamed: C:\Users\Admin\Pictures\MountGrant.raw => \??\c:\users\admin\pictures\MountGrant.raw.xkit97
File renamed: C:\Users\Admin\Pictures\PushUnregister.raw => \??\c:\users\admin\pictures\PushUnregister.raw.xkit97
File renamed: C:\Users\Admin\Pictures\StopSet.tiff => \??\c:\users\admin\pictures\StopSet.tiff.xkit97
File renamed: C:\Users\Admin\Pictures\UnblockExit.tif => \??\c:\users\admin\pictures\UnblockExit.tif.xkit97
File opened for modification: \??\c:\users\admin\pictures\StopSet.tiff
File opened for modification: \??\c:\users\admin\pictures\UpdateGet.tiff
File renamed: C:\Users\Admin\Pictures\ExpandGet.png => \??\c:\users\admin\pictures\ExpandGet.png.xkit97
File renamed: C:\Users\Admin\Pictures\ShowGrant.tiff => \??\c:\users\admin\pictures\ShowGrant.tiff.xkit97
File renamed: C:\Users\Admin\Pictures\UpdateGet.tiff => \??\c:\users\admin\pictures\UpdateGet.tiff.xkit97
File opened for modification: \??\c:\users\admin\pictures\ShowGrant.tiff
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Process (all entries): dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7THSMUAouJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe"
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
Process: dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9q586uo.bmp"
Drops file in Program Files directory 38 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Token: SeTakeOwnershipPrivilege (pid 1688, process dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe
"C:\Users\Admin\AppData\Local\Temp\dd8028e5d5f57da2e6e3cf897e5e183b5b3194dd6886aef12e29c14cc3354e7f.exe"
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1688
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1688-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
Filesize: 8KB