Analysis
- max time kernel: 163s
- max time network: 174s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:14
Static task: static1
Behavioral task: behavioral1
- Sample: b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
- Resource: win10-en-20211208
General
- Target: b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
- Size: 164KB
- MD5: ba03ba79cc94a3987b0a479431a335e1
- SHA1: 1f61e3b72171e8328b698e1ae6c7e2f6d507d200
- SHA256: b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c
- SHA512: 15fb435a013b95879fd5950418ead840098f1e496f8b5df7966ae2814850a21364302200ed7043d6d028f05d930c083e4f191e78e971bc9af49394f229cbebf5
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  description | ioc | process
  File opened (read-only) | \??\G: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\S: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\Y: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\A: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\F: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\H: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\I: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\B: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\L: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\P: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\V: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\W: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\Z: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\E: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\K: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\M: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\N: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\O: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\Q: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\R: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\T: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\J: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\X: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  File opened (read-only) | \??\U: | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  4352 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  pid | process
  3668 | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  3668 | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  3668 | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  3668 | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 4404 | vssvc.exe
  Token: SeRestorePrivilege | 4404 | vssvc.exe
  Token: SeAuditPrivilege | 4404 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe, cmd.exe
  description | pid | process | target process
  PID 3668 wrote to memory of 4288 | 3668 | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe | cmd.exe
  PID 3668 wrote to memory of 4288 | 3668 | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe | cmd.exe
  PID 3668 wrote to memory of 4288 | 3668 | b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe | cmd.exe
  PID 4288 wrote to memory of 4352 | 4288 | cmd.exe | vssadmin.exe
  PID 4288 wrote to memory of 4352 | 4288 | cmd.exe | vssadmin.exe
  PID 4288 wrote to memory of 4352 | 4288 | cmd.exe | vssadmin.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b82a70c7c55ef2b951666b320adcb684a66fb6c1ebe24b56d2cc51edca510f3c.exe"
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- (depth 1) C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3668-118-0x0000000002140000-0x0000000002163000-memory.dmp (Filesize: 140KB)
- memory/3668-119-0x0000000002140000-0x0000000002163000-memory.dmp (Filesize: 140KB)
- memory/3668-120-0x0000000002170000-0x0000000002171000-memory.dmp (Filesize: 4KB)
- memory/3668-121-0x00000000021C0000-0x00000000021C1000-memory.dmp (Filesize: 4KB)
- memory/3668-122-0x00000000021E0000-0x00000000021E6000-memory.dmp (Filesize: 24KB)