Analysis
-
max time kernel
168s -
max time network
167s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:36
Static task
static1
Behavioral task
behavioral1
Sample
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe
Resource
win10-en-20211208
General
-
Target
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe
-
Size
122KB
-
MD5
38bb6d3370e91deee960c8aeb6b0a50e
-
SHA1
ba9e23c4f6e7435e90e92ffef836386053c04ca3
-
SHA256
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e
-
SHA512
532b5f6d68b2526250d1c307cf265b84985ce4c4bc4b00a3c6c05edb051bcc6fa06b64c987de1279746a2c5d91c951aa6c4820546cf2985a1e6d608c0a011b22
Malware Config
Extracted
C:\duv1m9p5-readme.txt
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/35FC0859A7DC3DF3
http://decoder.re/35FC0859A7DC3DF3
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exedescription ioc process File renamed C:\Users\Admin\Pictures\RedoGet.png => \??\c:\users\admin\pictures\RedoGet.png.duv1m9p5 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe" 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exedescription ioc process File opened (read-only) \??\F: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\G: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\L: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\T: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\Z: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\D: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\I: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\R: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\S: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\X: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\H: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\M: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\O: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\P: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\Q: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\U: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\V: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\W: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\A: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\B: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\E: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\J: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\K: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\N: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened (read-only) \??\Y: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\o09l815.bmp" 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe -
Drops file in Program Files directory 26 IoCs
Processes:
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exedescription ioc process File opened for modification \??\c:\program files\BlockSubmit.mhtml 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\CompleteBlock.html 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\PublishRevoke.odt 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File created \??\c:\program files (x86)\tmp 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\BackupCompress.dwg 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\AssertUnlock.mp3 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\ExpandLimit.tiff 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\MountProtect.pdf 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\OpenNew.xps 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\ReceiveExpand.easmx 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\SearchLimit.ini 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File created \??\c:\program files\tmp 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File created \??\c:\program files\duv1m9p5-readme.txt 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\UnlockRestore.pdf 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\WriteCopy.pps 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\SwitchUse.mpeg 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\AssertSwitch.dot 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\ConfirmSwitch.jtx 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\FindClear.tif 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\NewPush.odp 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\RestartClose.pdf 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\SkipDeny.M2TS 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\UnprotectRead.vstx 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\UnpublishTest.vb 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File created \??\c:\program files (x86)\duv1m9p5-readme.txt 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe File opened for modification \??\c:\program files\ExportResize.mht 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe -
Drops file in Windows directory 13 IoCs
Processes:
netsh.exedescription ioc process File created C:\Windows\rescache\_merged\3623239459\11870838.pri netsh.exe File created C:\Windows\rescache\_merged\423379043\3468251582.pri netsh.exe File created C:\Windows\rescache\_merged\2483382631\828754195.pri netsh.exe File created C:\Windows\rescache\_merged\3418783148\3128450559.pri netsh.exe File created C:\Windows\rescache\_merged\1601268389\1361672858.pri netsh.exe File created C:\Windows\rescache\_merged\1974107395\4149693858.pri netsh.exe File created C:\Windows\rescache\_merged\1476457207\3533431084.pri netsh.exe File created C:\Windows\rescache\_merged\2878165772\1123312451.pri netsh.exe File created C:\Windows\rescache\_merged\81479705\3092222186.pri netsh.exe File created C:\Windows\rescache\_merged\4272278488\30062976.pri netsh.exe File created C:\Windows\rescache\_merged\4183903823\97717462.pri netsh.exe File created C:\Windows\rescache\_merged\4185669309\1202008662.pri netsh.exe File created C:\Windows\rescache\_merged\1301087654\4010849688.pri netsh.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exepid process 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exevssvc.exedescription pid process Token: SeDebugPrivilege 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe Token: SeTakeOwnershipPrivilege 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe Token: SeBackupPrivilege 1108 vssvc.exe Token: SeRestorePrivilege 1108 vssvc.exe Token: SeAuditPrivilege 1108 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exedescription pid process target process PID 4116 wrote to memory of 4020 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe netsh.exe PID 4116 wrote to memory of 4020 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe netsh.exe PID 4116 wrote to memory of 4020 4116 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe"C:\Users\Admin\AppData\Local\Temp\8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵
- Drops file in Windows directory
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken