Analysis
- max time kernel: 158s
- max time network: 186s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:21
Static task: static1
Behavioral task: behavioral1
  Sample: aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
  Resource: win10-en-20211208
General
- Target: aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
- Size: 157KB
- MD5: 38cb49969742420b4e2e95e480381dc5
- SHA1: ddd0ad81d38cf1087c8905937547cda9458085cb
- SHA256: aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1
- SHA512: 28736a9622627dbded980bde3a9994dd410cdf358d54333bb154db84662ee5df87e1c8a7b9d1a5d845dad74aa706a3b1848ca45dd826df53ffb6f7daedc9a49d
Malware Config
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\J:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\N:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\Y:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\B:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\H:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\M:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\U:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\Z:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\E:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\K:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\L:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\O:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\P:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\Q:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\W:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\F:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\G:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\R:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\S:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\T:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\V:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\X:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\A:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    File opened (read-only)  \??\I:  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    3124  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2732  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
    2732  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description               pid   process
    Token: SeBackupPrivilege  3360  vssvc.exe
    Token: SeRestorePrivilege 3360  vssvc.exe
    Token: SeAuditPrivilege   3360  vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                                                                target process
    PID 2732 wrote to memory of 2592  2732  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe  cmd.exe
    PID 2732 wrote to memory of 2592  2732  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe  cmd.exe
    PID 2732 wrote to memory of 2592  2732  aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe  cmd.exe
    PID 2592 wrote to memory of 3124  2592  cmd.exe                                                                vssadmin.exe
    PID 2592 wrote to memory of 3124  2592  cmd.exe                                                                vssadmin.exe
    PID 2592 wrote to memory of 3124  2592  cmd.exe                                                                vssadmin.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\aaa87a7dea32059d3db813bdec307042c5961ba1b52e8b1e2fd3a599fe731eb1.exe"
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  Path: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - Suspicious use of WriteProcessMemory
    Path: C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
Path: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken