Analysis
- max time kernel: 163s
- max time network: 142s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:38
Static task: static1
Behavioral task: behavioral1
- Sample: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
- Resource: win10-en-20211208
General
- Target: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
- Size: 160KB
- MD5: 093ba63d72c22e898bc85f253abc92e3
- SHA1: cb1416b06c8f8ae887482bd664f77d1448f215a0
- SHA256: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5
- SHA512: 621680af977d9b9b9cad2a7e6eb12e294f4051b74194651d7314cee3304b9b048f6b11642654821cc143a88834efda0637dfa0cd82f169034a82fc97f7cc2029
Malware Config
Signatures
- Sodin / Sodinokibi / REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops desktop.ini file(s) (1 IoC)
  Process: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-369956170-74428499-1628131376-1000\desktop.ini
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe
  File opened (read-only), 24 drive roots in the order recorded (every letter except C: and D:):
  \??\B:, \??\H:, \??\J:, \??\W:, \??\F:, \??\I:, \??\K:, \??\Q:, \??\R:, \??\U:, \??\V:, \??\Y:, \??\X:, \??\A:, \??\E:, \??\L:, \??\M:, \??\P:, \??\S:, \??\T:, \??\G:, \??\N:, \??\O:, \??\Z:
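A burst of opens on drive roots that do not exist on the host is a cheap behavioural signal for the "Enumerates connected drives" signature above. The following is an added example of detection logic over sandbox-style file-open lines; it is not code from the sandbox or the sample. The event lines are constructed to match the report's "File opened (read-only) \??\X: <process>" format with the sample renamed to sample.exe, and the threshold and ignored letters are tuning assumptions.

```python
"""Spot drive-root enumeration in sandbox-style file-open events.

Added example for the "Enumerates connected drives" signature; not code from
the sandbox. Event lines are constructed to match the report's
"File opened (read-only) \\??\\X: <process>" format.
"""
import re
from collections import defaultdict

# Matches the report's drive-root open lines and captures the drive letter
# and the process name that opened it.
DRIVE_OPEN_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")


def drive_roots_by_process(events):
    """Map each process name to the set of drive letters it opened."""
    roots = defaultdict(set)
    for line in events:
        match = DRIVE_OPEN_RE.search(line)
        if match:
            letter, proc = match.groups()
            roots[proc].add(letter)
    return dict(roots)


def flag_drive_enumeration(events, threshold=8, ignore=("C",)):
    """Return {process: sorted letters} for processes that opened at least
    `threshold` distinct drive roots, not counting the system drive.

    `threshold` and `ignore` are tuning assumptions for this example; the
    sample in the report would score 24.
    """
    hits = {}
    for proc, letters in drive_roots_by_process(events).items():
        counted = sorted(letters - set(ignore))
        if len(counted) >= threshold:
            hits[proc] = counted
    return hits


# Constructed events: the first ten mimic the sample's burst, the rest are
# ordinary activity that must not trigger.
DRIVE_EVENTS = [
    r"File opened (read-only) \??\B: sample.exe",
    r"File opened (read-only) \??\H: sample.exe",
    r"File opened (read-only) \??\J: sample.exe",
    r"File opened (read-only) \??\W: sample.exe",
    r"File opened (read-only) \??\F: sample.exe",
    r"File opened (read-only) \??\I: sample.exe",
    r"File opened (read-only) \??\K: sample.exe",
    r"File opened (read-only) \??\Q: sample.exe",
    r"File opened (read-only) \??\R: sample.exe",
    r"File opened (read-only) \??\U: sample.exe",
    r"File opened (read-only) \??\C: explorer.exe",
    r"File opened (read-only) \??\D: explorer.exe",
    r"File opened for modification C:\Users\Admin\Documents\notes.txt sample.exe",
]

if __name__ == "__main__":
    for proc, letters in flag_drive_enumeration(DRIVE_EVENTS).items():
        print(f"{proc}: opened {len(letters)} drive roots {letters}")
```

Counting distinct letters rather than raw events keeps a process that re-reads one mapped share from scoring; in production telemetry the same logic applies to CreateFile events on `\\?\X:\` paths, with the threshold set from a baseline of backup and indexing software on the estate.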
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe (PID 760)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe (PID 3048), two events
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: vssvc.exe (PID 3608)
  Tokens enabled: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  vssvc.exe is the Volume Shadow Copy service, the component vssadmin.exe issues its requests to; the privilege adjustments are the service's own and not performed by the sample.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3048 ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe wrote to memory of PID 2440 cmd.exe (3 events)
  PID 2440 cmd.exe wrote to memory of PID 760 vssadmin.exe (3 events)
  Each pair matches a parent/child relationship in the process tree below; writes into a just-created child are what process creation looks like in this telemetry and do not by themselves indicate injection into an unrelated process.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe (PID 3048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2440)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\vssadmin.exe (PID 760)
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- [1] C:\Windows\system32\vssvc.exe (PID 3608)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- The sample asks for C:\Windows\System32\cmd.exe but the image actually loaded is C:\Windows\SysWOW64\cmd.exe, and vssadmin.exe likewise runs from SysWOW64. That is WoW64 file system redirection, which tells you the sample is a 32-bit executable running on 64-bit Windows.
- The single cmd.exe chain does three things in one shot: it deletes every shadow copy without prompting, turns off automatic startup of the Windows Recovery Environment (recoveryenabled No), and tells the boot loader to ignore boot failures rather than offer repair (bootstatuspolicy ignoreallfailures). Together they remove the victim's on-box rollback options before or while files are encrypted.
- Only vssadmin.exe is recorded as a child of cmd.exe; no bcdedit.exe process appears in the tree.
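The cmd.exe command line in the process tree above is the single most reliable detection point in this report: it carries all three recovery-inhibiting commands (ATT&CK T1490, Inhibit System Recovery) before vssadmin.exe even starts. The following is an added example of detection logic to run over process-creation telemetry (Sysmon Event ID 1 or Security event 4688); it is not code from the sandbox or the sample. The cmd.exe and vssadmin.exe command lines are copied from the tree above, the other records are constructed, and the sample's file name is shortened to sample.exe.

```python
"""Flag command lines that inhibit system recovery (ATT&CK T1490).

Added example of detection logic over process-creation events; not code from
the sandbox or the sample. The cmd.exe and vssadmin.exe command lines are
taken from the report's process tree, the remaining records are constructed.
"""
import re

# One pattern per tampering technique, applied case-insensitively to each
# individual command in a cmd.exe chain.
RECOVERY_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}


def split_chain(cmdline):
    """Split a cmd.exe chain on &, &&, | and || so each command is judged on
    its own. Separators inside quotes are not special-cased here."""
    return [p.strip() for p in re.split(r"&&|\|\||[&|]", cmdline) if p.strip()]


def classify_command_line(cmdline):
    """Return the technique tags found in a command line, in the order seen."""
    tags = []
    for part in split_chain(cmdline):
        for tag, pattern in RECOVERY_TAMPER_PATTERNS.items():
            if tag not in tags and pattern.search(part):
                tags.append(tag)
    return tags


def scan_process_events(events):
    """Return (pid, image, tags) for every event whose command line carries
    at least one recovery-tampering technique."""
    alerts = []
    for event in events:
        tags = classify_command_line(event["cmdline"])
        if tags:
            alerts.append((event["pid"], event["image"], tags))
    return alerts


# Constructed process-creation records modelled on the report's tree.
PROCESS_EVENTS = [
    {"pid": 3048, "ppid": 1234, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 2440, "ppid": 3048, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
                r'& bcdedit /set {default} recoveryenabled No '
                r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 760, "ppid": 2440, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": r"vssadmin.exe Delete Shadows /All /Quiet"},
    # Constructed benign admin activity that must not alert.
    {"pid": 4100, "ppid": 1234, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe List Shadows"},
]

if __name__ == "__main__":
    for pid, image, tags in scan_process_events(PROCESS_EVENTS):
        print(f"PID {pid} {image}: {', '.join(tags)}")
```

Splitting the chain before matching matters: a single `.*` across the whole line would let `vssadmin ... list` followed by an unrelated `delete` elsewhere produce a false hit, and it also lets the alert name each technique separately so the bcdedit tampering is not lost behind the shadow-copy deletion. The benign `List Shadows` record shows why the rule keys on the `delete shadows` verb rather than on vssadmin.exe itself.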