Analysis
- max time kernel: 173s
- max time network: 189s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:08
Static task: static1
Behavioral task: behavioral1
  Sample: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  Resource: win10-en-20211208
General
- Target: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Size: 164KB
- MD5: f745cbd7dfd4a27653b477836737dbd1
- SHA1: 8a078b872b61b7b5de9dc34993331249702d3d7a
- SHA256: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae
- SHA512: 5d66559b96697ad415ed10af0cbce4fe0c448aaf062a12ab6c64349482880695fceac509335f3d7a9eabd951b176391c4025c067a201d62887b129dc0f519488
Malware Config
Extracted
C:\z49aex-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/08CECABB6A8117AC
http://decryptor.top/08CECABB6A8117AC
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\CompareExpand.png => \??\c:\users\admin\pictures\CompareExpand.png.z49aex | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File renamed | C:\Users\Admin\Pictures\ResumeDismount.tif => \??\c:\users\admin\pictures\ResumeDismount.tif.z49aex | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File renamed | C:\Users\Admin\Pictures\SavePop.tif => \??\c:\users\admin\pictures\SavePop.tif.z49aex | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File renamed | C:\Users\Admin\Pictures\SetSuspend.raw => \??\c:\users\admin\pictures\SetSuspend.raw.z49aex | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File renamed | C:\Users\Admin\Pictures\SendMeasure.crw => \??\c:\users\admin\pictures\SendMeasure.crw.z49aex | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\users\admin\pictures\UnregisterMount.tiff | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File renamed | C:\Users\Admin\Pictures\MountPop.crw => \??\c:\users\admin\pictures\MountPop.crw.z49aex | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File renamed | C:\Users\Admin\Pictures\PingConvert.tif => \??\c:\users\admin\pictures\PingConvert.tif.z49aex | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File renamed | C:\Users\Admin\Pictures\UnregisterMount.tiff => \??\c:\users\admin\pictures\UnregisterMount.tiff.z49aex | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  description | ioc | process
  File opened (read-only) | \??\D: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\F: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\H: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\I: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\L: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\S: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\T: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\X: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\Z: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\A: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\E: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\M: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\P: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\R: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\U: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\Y: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\B: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\Q: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\V: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\W: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\G: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\J: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\K: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\N: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened (read-only) | \??\O: | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6meft0s1.bmp" | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Drops file in Program Files directory (18 IoCs)
  Processes: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\ConvertFromUnpublish.3g2 | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\CopyEdit.png | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\SendDisconnect.dot | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\StepSuspend.ods | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\SwitchConvertTo.svgz | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\ConvertFromExpand.mhtml | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\OutLock.au3 | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\SearchApprove.reg | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\StopGrant.vdx | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\UninstallConvertFrom.rle | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\GrantInvoke.asp | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File created | \??\c:\program files\z49aex-readme.txt | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\ConvertToClose.tif | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\FormatUnprotect.pcx | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\FormatUpdate.rtf | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\SetSkip.png | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File opened for modification | \??\c:\program files\TraceSend.au3 | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  File created | \??\c:\program files (x86)\z49aex-readme.txt | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  3852 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  pid | process
  1200 | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  1200 | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 956 | vssvc.exe
  Token: SeRestorePrivilege | 956 | vssvc.exe
  Token: SeAuditPrivilege | 956 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe, cmd.exe
  description | pid | process | target process
  PID 1200 wrote to memory of 680 | 1200 | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | cmd.exe
  PID 1200 wrote to memory of 680 | 1200 | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | cmd.exe
  PID 1200 wrote to memory of 680 | 1200 | c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | cmd.exe
  PID 680 wrote to memory of 3852 | 680 | cmd.exe | vssadmin.exe
  PID 680 wrote to memory of 3852 | 680 | cmd.exe | vssadmin.exe
  PID 680 wrote to memory of 3852 | 680 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1200
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID: 680
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 3852
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 432
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 956