Analysis
-
max time kernel
169s -
max time network
168s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:03
Static task
static1
Behavioral task
behavioral1
Sample
cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe
Resource
win10-en-20211208
General
-
Target
cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe
-
Size
318KB
-
MD5
8c9ef16fc701a75b0e33039c191947c8
-
SHA1
109a44f91ca28d84b7e617fc4f2b9cb8b017c582
-
SHA256
cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa
-
SHA512
0382c27b6cf8dda0daae15ee4c5e7f18969b4574157ad5ce4d3bed6807bba46bc4a2c51772afb5708f34056afc36034c737ce36b231296a77f4d2d1d729046ee
Malware Config
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exedescription ioc process File opened (read-only) \??\N: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\W: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\Y: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\A: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\L: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\G: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\Q: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\E: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\F: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\J: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\K: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\P: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\S: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\V: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\Z: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\B: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\H: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\O: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\R: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\T: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\U: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\X: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\I: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe File opened (read-only) \??\M: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1428 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exepid process 3064 cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe 3064 cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1380 vssvc.exe Token: SeRestorePrivilege 1380 vssvc.exe Token: SeAuditPrivilege 1380 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.execmd.exedescription pid process target process PID 3064 wrote to memory of 3484 3064 cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe cmd.exe PID 3064 wrote to memory of 3484 3064 cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe cmd.exe PID 3064 wrote to memory of 3484 3064 cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe cmd.exe PID 3484 wrote to memory of 1428 3484 cmd.exe vssadmin.exe PID 3484 wrote to memory of 1428 3484 cmd.exe vssadmin.exe PID 3484 wrote to memory of 1428 3484 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe"C:\Users\Admin\AppData\Local\Temp\cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken