Analysis

Max time kernel: 170s
Max time network: 170s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 24-01-2022 01:07

Static task: static1

Behavioral task: behavioral1
Sample: c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe
Resource: win10-en-20211208

General

Target: c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe
Size: 212KB
MD5: c3c62f924e4e354680d5f516da901ad3
SHA1: 265cb778142e3b11f00321858a7f27bdc9e93a81
SHA256: c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f
SHA512: cbf776eb0dc16c73e47d2144a42d488dbdfa560989c1361cf32767407dd2165ff7f33b71ce8c72bab790df1efd10f7a0775a2eaf97558707584d92572194dab2
Malware Config

Extracted from: C:\40qe5-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/55D488C2C7934F6D
- http://decryptor.top/55D488C2C7934F6D
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Drops desktop.ini file(s) (7 IoCs)
Processes: c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe

| Description | IoC | Process |
|---|---|---|
| File opened for modification | \??\c:\users\admin\contacts\desktop.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\users\admin\desktop\desktop.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\users\admin\documents\desktop.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\users\admin\downloads\desktop.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\desktop.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files (x86)\desktop.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\users\public\desktop.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe

| Description | IoC | Process |
|---|---|---|
| File opened (read-only) | \??\M: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\P: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\R: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\H: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\K: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\L: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\Q: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\V: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\Z: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\A: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\N: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\O: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\E: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\U: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\Y: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\I: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\J: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\S: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\T: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\W: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\B: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\F: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\G: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened (read-only) | \??\X: | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |

Drops file in Program Files directory (27 IoCs)
Processes: c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe

| Description | IoC | Process |
|---|---|---|
| File opened for modification | \??\c:\program files\WaitWatch.mpeg | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\FindSend.rle | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\MountUpdate.aifc | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files (x86)\desktop.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\ApproveFind.xlsm | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\ResetDeny.3gpp | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\SendUnlock.wm | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\InstallSwitch.rm | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\RevokeConvert.aif | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\UseTest.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\PopMerge.asf | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\UnblockConvert.7z | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File created | \??\c:\program files (x86)\40qe5-readme.txt | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\ResizeFind.xlt | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\RegisterTrace.midi | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\ResetGet.mp4 | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\WriteMeasure.docx | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File created | \??\c:\program files\40qe5-readme.txt | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\ExpandComplete.3g2 | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\ReceiveHide.dwfx | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\UninstallUpdate.ps1xml | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\UnprotectDismount.au | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\WaitBlock.js | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\ConvertExport.wm | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\RevokeRepair.sql | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\TestUse.xlt | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| File opened for modification | \??\c:\program files\desktop.ini | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe

| PID | Process |
|---|---|
| 3656 | vssadmin.exe |

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe

| PID | Process |
|---|---|
| 420 | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |
| 420 | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe

| Description | PID | Process |
|---|---|---|
| Token: SeBackupPrivilege | 1000 | vssvc.exe |
| Token: SeRestorePrivilege | 1000 | vssvc.exe |
| Token: SeAuditPrivilege | 1000 | vssvc.exe |

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe, cmd.exe

| Description | PID | Process | Target process |
|---|---|---|---|
| PID 420 wrote to memory of 3028 | 420 | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | cmd.exe |
| PID 420 wrote to memory of 3028 | 420 | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | cmd.exe |
| PID 420 wrote to memory of 3028 | 420 | c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | cmd.exe |
| PID 3028 wrote to memory of 3656 | 3028 | cmd.exe | vssadmin.exe |
| PID 3028 wrote to memory of 3656 | 3028 | cmd.exe | vssadmin.exe |
| PID 3028 wrote to memory of 3656 | 3028 | cmd.exe | vssadmin.exe |
Processes

Process tree (indentation shows parent/child depth):

- Depth 1: C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- Depth 1: C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- Depth 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken