Analysis
-
max time kernel
149s -
max time network
158s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 00:58
Static task
static1
Behavioral task
behavioral1
Sample
d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe
Resource
win10-en-20211208
General
-
Target
d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe
-
Size
161KB
-
MD5
91cb56f49b8ab508066623ce2eff9f6f
-
SHA1
8e4bb045593eb19fb72d756349215e060b05c019
-
SHA256
d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c
-
SHA512
eec032f97a96b82e6e981cc46843eabf20cdd7c132c89db3102eb1613940fd89d2a1ec04d57be2fadd9e32b46b5153f6221cb19c71f51c47956e55bd2e6e5a24
Malware Config
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exedescription ioc process File opened (read-only) \??\J: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\K: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\N: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\X: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\B: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\E: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\W: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\Y: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\F: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\U: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\M: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\O: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\P: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\Q: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\S: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\V: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\A: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\H: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\L: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\R: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\T: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\Z: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\G: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe File opened (read-only) \??\I: d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3724 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exepid process 2692 d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe 2692 d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3904 vssvc.exe Token: SeRestorePrivilege 3904 vssvc.exe Token: SeAuditPrivilege 3904 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.execmd.exedescription pid process target process PID 2692 wrote to memory of 1940 2692 d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe cmd.exe PID 2692 wrote to memory of 1940 2692 d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe cmd.exe PID 2692 wrote to memory of 1940 2692 d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe cmd.exe PID 1940 wrote to memory of 3724 1940 cmd.exe vssadmin.exe PID 1940 wrote to memory of 3724 1940 cmd.exe vssadmin.exe PID 1940 wrote to memory of 3724 1940 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe"C:\Users\Admin\AppData\Local\Temp\d4e108e8c6fcc46b796a4f38c7734343aa4a84eb75277bebc212383b69493e3c.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:3724
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904