Analysis
- max time kernel: 156s
- max time network: 204s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:21
Static task
- static1
Behavioral task
- behavioral1
  Sample: aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  Resource: win10-en-20211208
General
- Target: aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
- Size: 160KB
- MD5: 4c49ed010405b8ce42a75645ce67aeed
- SHA1: 17b88fc34d4da0a21dab19fcb8a112f256550f80
- SHA256: aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39
- SHA512: b1e1d1bf90b76a61072d4d73fd8ce1ce0afa9f831c51ef7e2857c82a5bbca7c22b027a0e288cbf0f73cb872d81ff9edec3f74d4c9cab77fbb63f54d4bee704df
Malware Config
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  description              ioc     process
  File opened (read-only)  \??\F:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\K:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\N:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\P:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\R:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\G:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\I:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\J:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\M:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\O:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\U:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\W:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\B:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\L:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\Q:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\S:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\T:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\X:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\Y:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\A:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\E:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\H:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\V:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  File opened (read-only)  \??\Z:  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid   process
  4668  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  pid   process
  3692  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
  3692  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description               pid   process
  Token: SeBackupPrivilege  4592  vssvc.exe
  Token: SeRestorePrivilege 4592  vssvc.exe
  Token: SeAuditPrivilege   4592  vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe, cmd.exe
  description                   pid   process                                                                target process
  PID 3692 wrote to memory of 4636  3692  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe  cmd.exe
  PID 3692 wrote to memory of 4636  3692  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe  cmd.exe
  PID 3692 wrote to memory of 4636  3692  aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe  cmd.exe
  PID 4636 wrote to memory of 4668  4636  cmd.exe                                                                vssadmin.exe
  PID 4636 wrote to memory of 4668  4636  cmd.exe                                                                vssadmin.exe
  PID 4636 wrote to memory of 4668  4636  cmd.exe                                                                vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aad3f0a2dfc2bfce8da3523cc4a4a302d44415eb14da8586c10b09752b249c39.exe"
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (depth 3)
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken