Analysis
- max time kernel: 107s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:55
Static task: static1
Behavioral task: behavioral1
- Sample: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
- Resource: win10-en-20211208
General
- Target: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
- Size: 114KB
- MD5: 7aa014e2800e080f3d14737599d21cf9
- SHA1: 62ae49505dad5b24f8fbc8b78fd73da18c55a068
- SHA256: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be
- SHA512: b71067909b78c018d17ef39ca21247cbc901e2635bb2394164ae9d97e35bf25021f922f3c2fa0e951f50c601ba136982f048640c76ea57d861e7d7c4f96a61f3
Malware Config
Extracted from: C:\11f12v-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/601C74182C3405CC
- http://decryptor.cc/601C74182C3405CC
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Process: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
    File renamed: C:\Users\Admin\Pictures\RedoGet.png => \??\c:\users\admin\pictures\RedoGet.png.11f12v
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
    File opened (read-only), every drive letter A: through Z: except C:, in the order observed:
    \??\M: \??\P: \??\Z: \??\A: \??\E: \??\K: \??\V: \??\W: \??\G: \??\L: \??\N: \??\R: \??\T: \??\U: \??\Y: \??\H: \??\J: \??\Q: \??\O: \??\S: \??\X: \??\D: \??\B: \??\F: \??\I:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\r51d47s.bmp"
- Drops file in Program Files directory (24 IoCs)
  Process: d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
    File opened for modification (22 files under \??\c:\program files\):
      WriteCopy.pps, ConfirmSwitch.jtx, FindClear.tif, RestartClose.pdf, SearchLimit.ini, UnprotectRead.vstx, UnpublishTest.vb, AssertUnlock.mp3, BackupCompress.dwg, BlockSubmit.mhtml, ExpandLimit.tiff, ExportResize.mht, MountProtect.pdf, OpenNew.xps, ReceiveExpand.easmx, SkipDeny.M2TS, SwitchUse.mpeg, AssertSwitch.dot, CompleteBlock.html, NewPush.odp, PublishRevoke.odt, UnlockRestore.pdf
    File created (ransom note, 2 files):
      \??\c:\program files\11f12v-readme.txt
      \??\c:\program files (x86)\11f12v-readme.txt
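The "Modifies extensions of user files" and "Drops file in Program Files directory" signatures above expose the trait that ties this sample's artefacts together: the extension appended to encrypted files (.11f12v) and the ransom-note file name (11f12v-readme.txt) carry the same token. The Python below is an added example, not part of the sandbox report or of any tool it references; it correlates the two from file events in the report's own "description / ioc" form. The first rename and the three note paths are copied from the report, while the remaining events, the rename threshold and all function names are the editor's constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Sandbox file events as (description, ioc). The RedoGet.png rename and the three
# 11f12v-readme.txt creations are taken from the report above; the other events
# are CONSTRUCTED to show a small but complete run (one benign rename included).
EVENTS = [
    ("File renamed", r"C:\Users\Admin\Pictures\RedoGet.png => \??\c:\users\admin\pictures\RedoGet.png.11f12v"),
    ("File renamed", r"C:\Users\Admin\Documents\Budget.xlsx => \??\c:\users\admin\documents\Budget.xlsx.11f12v"),
    ("File renamed", r"C:\Users\Admin\Music\Track.mp3 => \??\c:\users\admin\music\Track.mp3.11f12v"),
    ("File renamed", r"C:\Users\Admin\Desktop\old.txt => \??\c:\users\admin\desktop\old.bak"),
    ("File created", r"\??\c:\program files\11f12v-readme.txt"),
    ("File created", r"\??\c:\program files (x86)\11f12v-readme.txt"),
    ("File created", r"C:\11f12v-readme.txt"),
]

# Note file name pattern used by this family: "<token>-readme.txt".
NOTE_RE = re.compile(r"^(?P<token>[0-9a-z]+)-readme\.txt$", re.IGNORECASE)


def _norm(path):
    """Strip the NT object-manager prefix (\\??\\) and lower-case, so the Win32
    source path and the NT-style target path of one rename compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_extension(src, dst):
    """Return the extension appended to src to produce dst (without the dot),
    or None when dst is not exactly src plus '.<ext>'. A rename that changes
    the original extension (old.txt -> old.bak) is therefore not counted."""
    s, d = _norm(src), _norm(dst)
    if d.startswith(s) and d[len(s):].startswith("."):
        ext = d[len(s) + 1:]
        if re.fullmatch(r"[0-9a-z]+", ext):
            return ext
    return None


def ransom_note_token(path):
    """Token from a '<token>-readme.txt' file name, or None."""
    m = NOTE_RE.match(_norm(path).rsplit("\\", 1)[-1])
    return m.group("token") if m else None


def correlate(events, min_renames=3):
    """Flag an extension when at least min_renames files gained it AND a
    ransom note named after the same token was dropped somewhere."""
    renames = Counter()
    note_dirs = defaultdict(set)
    for desc, ioc in events:
        if desc == "File renamed" and " => " in ioc:
            src, dst = ioc.split(" => ", 1)
            ext = appended_extension(src, dst)
            if ext:
                renames[ext] += 1
        elif desc == "File created":
            tok = ransom_note_token(ioc)
            if tok:
                note_dirs[tok].add(_norm(ioc).rsplit("\\", 1)[0])
    findings = []
    for ext, n in sorted(renames.items()):
        if n >= min_renames and ext in note_dirs:
            findings.append({
                "extension": ext,
                "renamed_files": n,
                "note_name": f"{ext}-readme.txt",
                "note_locations": len(note_dirs[ext]),
            })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

Matching the note name to the extension is what separates this from a plain "many renames" rule: a backup job that appends .bak to thousands of files trips the count but drops no note, while this family drops one note per directory it touches, which is why the report shows the same 11f12v-readme.txt under both Program Files trees and at the drive root.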
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 3672 d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe (2 events)
  pid 4432 powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, pid 3672 d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
  Token: SeDebugPrivilege, pid 4432 powershell.exe
  Token: SeBackupPrivilege, pid 532 vssvc.exe
  Token: SeRestorePrivilege, pid 532 vssvc.exe
  Token: SeAuditPrivilege, pid 532 vssvc.exe
  Token: SeTakeOwnershipPrivilege, pid 3672 d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3672 (d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe) wrote to memory of PID 4432 (powershell.exe), 2 events
Processes
- C:\Users\Admin\AppData\Local\Temp\d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9d6363529c399104f3afddf682c7437fbf5bddb33c778a67c1f0b6ff92fa0be.exe"
  PID: 3672
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    The -e (EncodedCommand) argument is base64 of a UTF-16LE script and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    This deletes every Volume Shadow Copy through WMI, so the files it encrypts cannot be recovered from previous versions.
    PID: 4432
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 4108
  (WMI callback sink host, started by the WMI query above)
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 532
  (Volume Shadow Copy service, activated by the shadow copy deletion above)
  - Suspicious use of AdjustPrivilegeToken
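The encoded PowerShell argument in the process tree above is the artefact a detection engineer would key on: powershell.exe's -EncodedCommand (and any unambiguous prefix such as -e, -ec or -enc) takes base64 of the script encoded as UTF-16LE, and here it decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}. The Python below is an added example, not part of the sandbox report or of any tool it references; it decodes that argument from a process command line and flags the common shadow copy deletion idioms. The command line is copied from the report; the pattern names, the triage helper and the extra sample command lines are the editor's constructed assumptions.

```python
import base64
import binascii
import re

# Child-process command line copied verbatim from the report above (PID 4432).
REPORT_CMDLINE = "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

# Shadow copy deletion idioms (names are the editor's own, not a vendor taxonomy).
SHADOW_COPY_PATTERNS = {
    "wmi_shadowcopy_delete": re.compile(r"win32_shadowcopy.*?\.delete\s*\(", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand (or any prefix of it, e.g.
    -e / -ec / -enc, which powershell.exe accepts), or None if the command line
    has no such argument or the payload is not valid base64 / UTF-16LE."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        flag = tok[1:].lower()
        # -ex / -ep belong to -ExecutionPolicy and do not prefix "encodedcommand".
        if not flag or not "encodedcommand".startswith(flag):
            continue
        payload = tokens[i + 1]
        payload += "=" * (-len(payload) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(payload, validate=True)
            return raw.decode("utf-16-le").rstrip("\x00")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            return None
    return None


def shadow_copy_tampering(script):
    """Names of the shadow copy deletion patterns present in a script."""
    return [name for name, rx in SHADOW_COPY_PATTERNS.items() if rx.search(script)]


def triage(cmdline):
    """One record per process-creation event, ready to feed an alert."""
    script = decode_encoded_command(cmdline)
    return {
        "encoded": script is not None,
        "script": script,
        "shadow_copy_tampering": shadow_copy_tampering(script) if script else [],
    }


if __name__ == "__main__":
    # CONSTRUCTED benign line alongside the report's line, to show both outcomes.
    for line in (REPORT_CMDLINE, "powershell -NoProfile -Command Get-Date"):
        print(triage(line))
```

On a live host the same function runs over the CommandLine field of Sysmon event ID 1 or Security event 4688; decoding before matching is what makes the rule robust, since the base64 of the same script changes completely with one added space.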
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/4432-123-0x00000233B7980000-0x00000233B79A2000-memory.dmp (136KB)
- memory/4432-127-0x00000233B9B50000-0x00000233B9BC6000-memory.dmp (472KB)
- memory/4432-134-0x00000233B7A70000-0x00000233B7A72000-memory.dmp (8KB)
- memory/4432-135-0x00000233B7A73000-0x00000233B7A75000-memory.dmp (8KB)
- memory/4432-141-0x00000233B7A76000-0x00000233B7A78000-memory.dmp (8KB)