Analysis
-
max time kernel
153s -
max time network
176s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:50
Static task
static1
Behavioral task
behavioral1
Sample
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe
Resource
win10-en-20211208
General
-
Target
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe
-
Size
207KB
-
MD5
151ae10c5420285797f5204d4b3c9666
-
SHA1
13e33b4228975bac515d68513f9688f9278875b7
-
SHA256
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15
-
SHA512
041d9bba9d0f92364204d8fab856bf9cf09240d94c6372003eac21bce31a3924ba3512413e6c27762bb798ae3908be5060ce104ff40206eaf85d15def8efd907
Malware Config
Extracted
C:\976a6gt-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F76D1875731C2BBD
http://decryptor.top/F76D1875731C2BBD
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exedescription ioc process File renamed C:\Users\Admin\Pictures\SavePop.tif => \??\c:\users\admin\pictures\SavePop.tif.976a6gt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\users\admin\pictures\UnregisterMount.tiff 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File renamed C:\Users\Admin\Pictures\MountPop.crw => \??\c:\users\admin\pictures\MountPop.crw.976a6gt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File renamed C:\Users\Admin\Pictures\ResumeDismount.tif => \??\c:\users\admin\pictures\ResumeDismount.tif.976a6gt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File renamed C:\Users\Admin\Pictures\SendMeasure.crw => \??\c:\users\admin\pictures\SendMeasure.crw.976a6gt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File renamed C:\Users\Admin\Pictures\UnregisterMount.tiff => \??\c:\users\admin\pictures\UnregisterMount.tiff.976a6gt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File renamed C:\Users\Admin\Pictures\CompareExpand.png => \??\c:\users\admin\pictures\CompareExpand.png.976a6gt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File renamed C:\Users\Admin\Pictures\PingConvert.tif => \??\c:\users\admin\pictures\PingConvert.tif.976a6gt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File renamed C:\Users\Admin\Pictures\SetSuspend.raw => \??\c:\users\admin\pictures\SetSuspend.raw.976a6gt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exedescription ioc process File opened (read-only) \??\V: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\E: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\F: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\G: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\H: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\J: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\L: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\O: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\X: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\D: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\N: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\T: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\W: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\A: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\P: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\R: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\S: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\U: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\Z: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\B: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\I: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\K: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\M: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\Q: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened (read-only) \??\Y: 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\425ztzb6f351.bmp" 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe -
Drops file in Program Files directory 19 IoCs
Processes:
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exedescription ioc process File opened for modification \??\c:\program files\GrantInvoke.asp 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\OutLock.au3 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\StepSuspend.ods 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\StopRepair.MOD 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File created \??\c:\program files\976a6gt-readme.txt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File created \??\c:\program files (x86)\976a6gt-readme.txt 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\FormatUpdate.rtf 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\SendDisconnect.dot 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\SetSkip.png 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\UninstallConvertFrom.rle 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\TraceSend.au3 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\FormatUnprotect.pcx 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\SearchApprove.reg 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\StopGrant.vdx 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\CopyEdit.png 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\SwitchConvertTo.svgz 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\ConvertFromExpand.mhtml 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\ConvertFromUnpublish.3g2 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe File opened for modification \??\c:\program files\ConvertToClose.tif 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exepowershell.exepid process 3484 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe 3484 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe 1192 powershell.exe 1192 powershell.exe 1192 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 1192 powershell.exe Token: SeBackupPrivilege 1972 vssvc.exe Token: SeRestorePrivilege 1972 vssvc.exe Token: SeAuditPrivilege 1972 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exedescription pid process target process PID 3484 wrote to memory of 1192 3484 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe powershell.exe PID 3484 wrote to memory of 1192 3484 7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe"C:\Users\Admin\AppData\Local\Temp\7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1192-123-0x0000012E276C0000-0x0000012E276E2000-memory.dmpFilesize
136KB
-
memory/1192-128-0x0000012E436B0000-0x0000012E43726000-memory.dmpFilesize
472KB
-
memory/1192-129-0x0000012E29430000-0x0000012E29432000-memory.dmpFilesize
8KB
-
memory/1192-130-0x0000012E29433000-0x0000012E29435000-memory.dmpFilesize
8KB