Analysis
Max time kernel: 152s
Max time network: 154s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 24-01-2022 00:55
Static task: static1
Behavioral task: behavioral1
Sample: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
Resource: win10-en-20211208
General
Target: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
Size: 118KB
MD5: 5405ddda4226b71222fd163ba2b76ed7
SHA1: 574434e562607da3851dfc901bdd6922582e4e56
SHA256: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4
SHA512: ab25e3eeb4eecd0a031f259012f74a29e5462d278585547e429cdd190622c6d2faafffac6ba6030cae12e074c09b7cb1a3e732bbc7e0c045054ac5002c7235df
Malware Config
Extracted from: C:\9jkz7m738t-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A126C43B138CD149
- http://decoder.re/A126C43B138CD149
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (15 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- File renamed: C:\Users\Admin\Pictures\SplitMeasure.png => \??\c:\users\admin\pictures\SplitMeasure.png.9jkz7m738t
- File opened for modification: \??\c:\users\admin\pictures\SyncTrace.tiff
- File renamed: C:\Users\Admin\Pictures\UpdateClose.tif => \??\c:\users\admin\pictures\UpdateClose.tif.9jkz7m738t
- File renamed: C:\Users\Admin\Pictures\CompressUnprotect.png => \??\c:\users\admin\pictures\CompressUnprotect.png.9jkz7m738t
- File renamed: C:\Users\Admin\Pictures\LimitCompare.png => \??\c:\users\admin\pictures\LimitCompare.png.9jkz7m738t
- File opened for modification: \??\c:\users\admin\pictures\OptimizeRestart.tiff
- File renamed: C:\Users\Admin\Pictures\PublishTest.tiff => \??\c:\users\admin\pictures\PublishTest.tiff.9jkz7m738t
- File renamed: C:\Users\Admin\Pictures\ConvertToSubmit.crw => \??\c:\users\admin\pictures\ConvertToSubmit.crw.9jkz7m738t
- File renamed: C:\Users\Admin\Pictures\OptimizeRestart.tiff => \??\c:\users\admin\pictures\OptimizeRestart.tiff.9jkz7m738t
- File renamed: C:\Users\Admin\Pictures\ConvertFromAssert.crw => \??\c:\users\admin\pictures\ConvertFromAssert.crw.9jkz7m738t
- File opened for modification: \??\c:\users\admin\pictures\PublishTest.tiff
- File renamed: C:\Users\Admin\Pictures\EnablePing.tif => \??\c:\users\admin\pictures\EnablePing.tif.9jkz7m738t
- File renamed: C:\Users\Admin\Pictures\RepairUninstall.raw => \??\c:\users\admin\pictures\RepairUninstall.raw.9jkz7m738t
- File renamed: C:\Users\Admin\Pictures\ResolveUnprotect.crw => \??\c:\users\admin\pictures\ResolveUnprotect.crw.9jkz7m738t
- File renamed: C:\Users\Admin\Pictures\SyncTrace.tiff => \??\c:\users\admin\pictures\SyncTrace.tiff.9jkz7m738t
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1E8NAmhfRO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe"
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- File opened (read-only): \??\Z:
- File opened (read-only): \??\A:
- File opened (read-only): \??\B:
- File opened (read-only): \??\G:
- File opened (read-only): \??\I:
- File opened (read-only): \??\L:
- File opened (read-only): \??\P:
- File opened (read-only): \??\F:
- File opened (read-only): \??\H:
- File opened (read-only): \??\K:
- File opened (read-only): \??\O:
- File opened (read-only): \??\Y:
- File opened (read-only): \??\D:
- File opened (read-only): \??\E:
- File opened (read-only): \??\M:
- File opened (read-only): \??\Q:
- File opened (read-only): \??\S:
- File opened (read-only): \??\T:
- File opened (read-only): \??\U:
- File opened (read-only): \??\J:
- File opened (read-only): \??\N:
- File opened (read-only): \??\R:
- File opened (read-only): \??\V:
- File opened (read-only): \??\W:
- File opened (read-only): \??\X:
Drops file in Program Files directory (12 IoCs)
Process: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- File opened for modification: \??\c:\program files\ExitConvert.midi
- File opened for modification: \??\c:\program files\ResetCompare.rtf
- File opened for modification: \??\c:\program files\ResolveImport.docx
- File opened for modification: \??\c:\program files\UnprotectConvert.WTV
- File opened for modification: \??\c:\program files\CloseCompare.ods
- File opened for modification: \??\c:\program files\DenyEnable.M2V
- File opened for modification: \??\c:\program files\LimitEnter.vst
- File opened for modification: \??\c:\program files\MergeMove.jpg
- File opened for modification: \??\c:\program files\ResumeSplit.svg
- File opened for modification: \??\c:\program files\SaveUnprotect.txt
- File opened for modification: \??\c:\program files\ExitGet.docx
- File opened for modification: \??\c:\program files\InitializeSend.odt
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- PID 3420: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- PID 3420: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- PID 3420: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- PID 3420: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 3420, d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- Token: SeTakeOwnershipPrivilege, PID 3420, d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
- Token: SeBackupPrivilege, PID 384, vssvc.exe
- Token: SeRestorePrivilege, PID 384, vssvc.exe
- Token: SeAuditPrivilege, PID 384, vssvc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d97425d15c6e374e5b79f4196507144c7cfaf71f597751c60dd55538944902e4.exe"
PID: 3420
Signatures:
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID: 636

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 384
Signatures:
- Suspicious use of AdjustPrivilegeToken