Analysis
- max time kernel: 138s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:38
Static task: static1
Behavioral task: behavioral1
- Sample: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
- Resource: win10-en-20211208
General
- Target: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
- Size: 160KB
- MD5: 093ba63d72c22e898bc85f253abc92e3
- SHA1: cb1416b06c8f8ae887482bd664f77d1448f215a0
- SHA256: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5
- SHA512: 621680af977d9b9b9cad2a7e6eb12e294f4051b74194651d7314cee3304b9b048f6b11642654821cc143a88834efda0637dfa0cd82f169034a82fc97f7cc2029
Malware Config
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops desktop.ini file(s) (1 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\B: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\L: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\O: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\P: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\Z: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\G: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\H: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\I: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\S: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\E: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\N: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\Q: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\R: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\U: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\W: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\X: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\Y: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\A: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\F: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\J: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\K: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\M: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\T: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
    File opened (read-only) | \??\V: | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid | process
    1376 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid | process
    1624 | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | process
    Token: SeBackupPrivilege | 1464 | vssvc.exe
    Token: SeRestorePrivilege | 1464 | vssvc.exe
    Token: SeAuditPrivilege | 1464 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 1624 wrote to memory of 1096 | 1624 | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe | cmd.exe
    PID 1624 wrote to memory of 1096 | 1624 | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe | cmd.exe
    PID 1624 wrote to memory of 1096 | 1624 | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe | cmd.exe
    PID 1624 wrote to memory of 1096 | 1624 | ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe | cmd.exe
    PID 1096 wrote to memory of 1376 | 1096 | cmd.exe | vssadmin.exe
    PID 1096 wrote to memory of 1376 | 1096 | cmd.exe | vssadmin.exe
    PID 1096 wrote to memory of 1376 | 1096 | cmd.exe | vssadmin.exe
    PID 1096 wrote to memory of 1376 | 1096 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1624
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID:1096
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID:1376
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1624-54-0x0000000076071000-0x0000000076073000-memory.dmp (Filesize: 8KB)