Analysis
- max time kernel: 167s
- max time network: 174s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:38

Static task: static1

Behavioral task: behavioral1
- Sample: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
- Resource: win10-en-20211208
General
- Target: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
- Size: 179KB
- MD5: dbfbc199086b40dd57c667844aefd9a9
- SHA1: 22d5bf8051eccff69ffcb3167b939312b9539378
- SHA256: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce
- SHA512: 363306bca170923bf7a6c47b6531ae7bdc95fde7a4b481635fb55b38298a918757743291a4318b158a389ff36536eb49c3457150d71dce5ee58ead855f62c96e
Malware Config
Extracted from: C:\68d82-readme.txt
- Family: sodinokibi
- URLs in the ransom note:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/54FEDA1185C95883
  http://decryptor.top/54FEDA1185C95883
Signatures

- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\ExpandInstall.png => \??\c:\users\admin\pictures\ExpandInstall.png.68d82 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File renamed | C:\Users\Admin\Pictures\ExpandReceive.raw => \??\c:\users\admin\pictures\ExpandReceive.raw.68d82 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File renamed | C:\Users\Admin\Pictures\UnlockCompress.crw => \??\c:\users\admin\pictures\UnlockCompress.crw.68d82 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File renamed | C:\Users\Admin\Pictures\CompareReset.tif => \??\c:\users\admin\pictures\CompareReset.tif.68d82 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File renamed | C:\Users\Admin\Pictures\DenyRegister.crw => \??\c:\users\admin\pictures\DenyRegister.crw.68d82 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  description | ioc | process
  File opened (read-only) | \??\I: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\Q: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\W: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\X: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\Z: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\E: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\F: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\G: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\M: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\V: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\D: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\A: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\K: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\L: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\P: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\R: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\T: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\U: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\J: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\N: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\O: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\Y: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\B: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\H: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only) | \??\S: | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
- Drops file in Program Files directory (12 IoCs)
  Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\StepClear.easmx | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification | \??\c:\program files\CheckpointRestore.3gp | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification | \??\c:\program files\ExitResolve.rtf | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification | \??\c:\program files\InstallSplit.wdp | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification | \??\c:\program files\LimitHide.gif | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification | \??\c:\program files\RenameSave.mp2 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification | \??\c:\program files\WatchSubmit.ppsx | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File created | \??\c:\program files\68d82-readme.txt | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File created | \??\c:\program files (x86)\68d82-readme.txt | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification | \??\c:\program files\DisableComplete.odt | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification | \??\c:\program files\UnprotectMerge.mhtml | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification | \??\c:\program files\UnregisterSet.ps1xml | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1968 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  pid | process
  3612 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  3612 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 2108 | vssvc.exe
  Token: SeRestorePrivilege | 2108 | vssvc.exe
  Token: SeAuditPrivilege | 2108 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe, cmd.exe
  description | pid | process | target process
  PID 3612 wrote to memory of 1436 | 3612 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe | cmd.exe
  PID 3612 wrote to memory of 1436 | 3612 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe | cmd.exe
  PID 3612 wrote to memory of 1436 | 3612 | 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe | cmd.exe
  PID 1436 wrote to memory of 1968 | 1436 | cmd.exe | vssadmin.exe
  PID 1436 wrote to memory of 1968 | 1436 | cmd.exe | vssadmin.exe
  PID 1436 wrote to memory of 1968 | 1436 | cmd.exe | vssadmin.exe
Processes (process tree; the number in brackets is the nesting depth)

[1] C:\Users\Admin\AppData\Local\Temp\89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe"
    - Modifies extensions of user files
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\vssadmin.exe
            Command line: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies

[1] C:\Windows\system32\wbem\unsecapp.exe
    Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken