Analysis
-
max time kernel
171s -
max time network
204s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:40
Static task
static1
Behavioral task
behavioral1
Sample
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe
Resource
win10-en-20211208
General
-
Target
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe
-
Size
165KB
-
MD5
4dacc5edb44b305ab1f77a33b3e16362
-
SHA1
dd413b4f2e6c4cb8dae4c41d95ef5ae92c1eba50
-
SHA256
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc
-
SHA512
e4140ad7c232f01045de0ebef18d8048d73ef7afe5147f1c744d2b90c1717ac70259afc494a9f708abf7cb89721d784aca19cba7e1f39bcd09834ea80a0e46da
Malware Config
Extracted
C:\us3a1w3uv7-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B7594A48B1C47AD
http://decryptor.cc/5B7594A48B1C47AD
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exedescription ioc process File renamed C:\Users\Admin\Pictures\ResetConnect.tif => \??\c:\users\admin\pictures\ResetConnect.tif.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\RevokeRestore.tiff => \??\c:\users\admin\pictures\RevokeRestore.tiff.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\SubmitOpen.png => \??\c:\users\admin\pictures\SubmitOpen.png.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\users\admin\pictures\OpenCompress.tiff 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\users\admin\pictures\RevokeRestore.tiff 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\MoveComplete.png => \??\c:\users\admin\pictures\MoveComplete.png.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\RegisterUnlock.png => \??\c:\users\admin\pictures\RegisterUnlock.png.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\UndoReceive.tif => \??\c:\users\admin\pictures\UndoReceive.tif.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\WaitOut.crw => \??\c:\users\admin\pictures\WaitOut.crw.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\CompareSkip.tif => \??\c:\users\admin\pictures\CompareSkip.tif.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\DenyRename.crw => \??\c:\users\admin\pictures\DenyRename.crw.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\OpenCompress.tiff => \??\c:\users\admin\pictures\OpenCompress.tiff.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File renamed C:\Users\Admin\Pictures\ReadOut.tif => \??\c:\users\admin\pictures\ReadOut.tif.us3a1w3uv7 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exedescription ioc process File opened (read-only) \??\U: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\V: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\A: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\E: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\H: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\O: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\Q: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\D: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\F: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\G: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\I: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\J: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\T: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\P: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\R: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\Y: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\S: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\W: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\X: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\B: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\K: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\L: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\M: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\N: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened (read-only) \??\Z: 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3733qfp2834.bmp" 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe -
Drops file in Program Files directory 10 IoCs
Processes:
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exedescription ioc process File created \??\c:\program files\us3a1w3uv7-readme.txt 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\program files\EditSkip.3g2 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\program files\UnblockWait.midi 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\program files\UninstallSubmit.3gp2 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\program files\UnpublishRename.potx 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File created \??\c:\program files (x86)\us3a1w3uv7-readme.txt 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\program files\LimitDeny.wmx 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\program files\RedoDisable.fon 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\program files\SelectExport.TTS 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe File opened for modification \??\c:\program files\SendUninstall.xlsm 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exepowershell.exepid process 3980 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe 3980 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe 1560 powershell.exe 1560 powershell.exe 1560 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 3980 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe Token: SeDebugPrivilege 1560 powershell.exe Token: SeBackupPrivilege 428 vssvc.exe Token: SeRestorePrivilege 428 vssvc.exe Token: SeAuditPrivilege 428 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exedescription pid process target process PID 3980 wrote to memory of 1560 3980 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe powershell.exe PID 3980 wrote to memory of 1560 3980 85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe"C:\Users\Admin\AppData\Local\Temp\85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1560-123-0x00000260BED10000-0x00000260BED32000-memory.dmpFilesize
136KB
-
memory/1560-127-0x00000260BEEC0000-0x00000260BEF36000-memory.dmpFilesize
472KB
-
memory/1560-135-0x00000260A4B70000-0x00000260BCD10000-memory.dmpFilesize
385.6MB
-
memory/1560-136-0x00000260A4B70000-0x00000260BCD10000-memory.dmpFilesize
385.6MB