Analysis
-
max time kernel
158s -
max time network
173s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:01
Static task
static1
Behavioral task
behavioral1
Sample
cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe
Resource
win10-en-20211208
General
-
Target
cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe
-
Size
158KB
-
MD5
8c8b72bad792fb2ea336a13c9d52406b
-
SHA1
61eb8fd25b9f7a5e5881e304cbc2be883b99f3d0
-
SHA256
cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea
-
SHA512
89dc661fdbfb0a1ebd8f8d32a6ce765dd43837a74b1b07157b5d7eba0135f6bf04335ce8d4cbb97d94b07a7cb9ab9f9803ad80c98de403172eed0ac22391ec47
Malware Config
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exedescription ioc process File opened (read-only) \??\B: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\E: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\K: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\N: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\T: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\I: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\S: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\W: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\X: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\Q: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\R: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\U: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\A: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\F: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\G: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\J: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\M: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\V: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\Y: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\Z: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\H: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\L: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\O: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe File opened (read-only) \??\P: cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1964 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exepid process 2760 cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe 2760 cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2952 vssvc.exe Token: SeRestorePrivilege 2952 vssvc.exe Token: SeAuditPrivilege 2952 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.execmd.exedescription pid process target process PID 2760 wrote to memory of 692 2760 cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe cmd.exe PID 2760 wrote to memory of 692 2760 cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe cmd.exe PID 2760 wrote to memory of 692 2760 cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe cmd.exe PID 692 wrote to memory of 1964 692 cmd.exe vssadmin.exe PID 692 wrote to memory of 1964 692 cmd.exe vssadmin.exe PID 692 wrote to memory of 1964 692 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe"C:\Users\Admin\AppData\Local\Temp\cfd9eb2b582284c46b74c8d12f851ff2fc4a4fe0b2fb08563d7e6a3d29a233ea.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken