Analysis
- max time kernel: 120s
- max time network: 172s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:25
Static task: static1
Behavioral task: behavioral1
- Sample: a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d.exe
- Resource: win10-en-20211208
General
- Target: a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d.exe
- Size: 161KB
- MD5: b80cbbee9676aa8c647066a2e97e1d0f
- SHA1: d0aad84d055b90a05a62319255830d55e03777ba
- SHA256: a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d
- SHA512: 75529d67f6ed75eed241342832dede9f17825dce4d20a0ea5178ad329e6b1c594d4364a3899050d3df7b14e9b507f7be5dc08c455c883015f89e6d58488c31b8
Malware Config
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
process: a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d.exe
description: File opened (read-only)
ioc (24 drive roots, in the order reported; every letter A: through Z: except C: and D:): \??\R:, \??\Y:, \??\F:, \??\N:, \??\Q:, \??\H:, \??\P:, \??\E:, \??\I:, \??\L:, \??\O:, \??\S:, \??\T:, \??\A:, \??\B:, \??\X:, \??\Z:, \??\U:, \??\W:, \??\K:, \??\M:, \??\V:, \??\G:, \??\J:
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 2676, process vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid 3476, process a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d.exe (reported twice)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Token: SeBackupPrivilege, pid 3684, vssvc.exe
Token: SeRestorePrivilege, pid 3684, vssvc.exe
Token: SeAuditPrivilege, pid 3684, vssvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 3476 wrote to memory of 3140: a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d.exe (3476) -> cmd.exe (3140), reported 3 times
PID 3140 wrote to memory of 2676: cmd.exe (3140) -> vssadmin.exe (2676), reported 3 times
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d.exe"
   - Enumerates connected drives
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 3476
   2. C:\Windows\SysWOW64\cmd.exe (child of 3476)
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      PID: 3140
      3. C:\Windows\SysWOW64\vssadmin.exe (child of 3140)
         Command line: vssadmin.exe Delete Shadows /All /Quiet
         - Interacts with shadow copies
         PID: 2676
-
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
   PID: 3684
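The cmd.exe command line in the process tree above chains the shadow-copy deletion ("Deletes shadow copies" in the signatures) with two bcdedit changes that disable Windows recovery, yet only vssadmin.exe appears as a child process, so a detector that keys only on child process creation would miss the bcdedit part of this chain. The following Python is an added example, not part of the sandbox report: it splits a cmd.exe command line into the commands it chains with `&`, matches each against rules for the three commands seen above, and walks the parent chain back to the root process. The event layout (pid, ppid, image, command_line) is an assumed simplification rather than a real Sysmon or sandbox schema; the pids, images and command lines of the malicious chain are taken from the report, while the sample's own parent pid, the vssvc.exe parent pid and the benign `vssadmin list shadows` event are constructed.

```python
"""Flag shadow-copy deletion and boot-recovery tampering in process-creation events."""
import re

SAMPLE = "a3f077a4c29c522d9d70e3b22778c5a07239b6949562b37617e5ac913843076d.exe"

# Constructed events modelled on the report's process tree. ppid values for
# the sample (3476) and for vssvc.exe are assumptions; the event dict layout
# is a simplification, not a real Sysmon/sandbox schema.
EVENTS = [
    {"pid": 3476, "ppid": 1000,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     "command_line": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"pid": 3140, "ppid": 3476,
     "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /c vssadmin.exe Delete Shadows '
                     '/All /Quiet & bcdedit /set {default} recoveryenabled No & '
                     'bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 2676, "ppid": 3140,
     "image": "C:\\Windows\\SysWOW64\\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 3684, "ppid": 700,
     "image": "C:\\Windows\\system32\\vssvc.exe",
     "command_line": "C:\\Windows\\system32\\vssvc.exe"},
    # Constructed benign event: listing shadows must not fire a rule.
    {"pid": 4100, "ppid": 900,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin list shadows"},
]

# Each rule is matched against one lower-cased command, never the whole line.
RULES = [
    ("shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("windows recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("boot failures ignored (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b")),
]

# cmd.exe command separators; quoted separators are not handled (simplification).
SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
CMD_PREFIX = re.compile(r'^\s*(?:"[^"]*cmd\.exe"|\S*cmd\.exe)\s+/[ck]\s+', re.I)


def split_commands(command_line):
    """Strip a leading 'cmd.exe /c' and return the chained commands."""
    m = CMD_PREFIX.match(command_line)
    body = command_line[m.end():] if m else command_line
    return [c for c in SPLIT.split(body) if c]


def match_rules(command):
    """Names of every rule that matches a single command."""
    cmd = command.lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def root_process(events, pid):
    """Walk ppid links to the earliest ancestor present in the event set."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return by_pid.get(pid)


def detect(events):
    """One finding per (process, matched command, rule), tagged with the chain's root."""
    findings = []
    for e in events:
        for cmd in split_commands(e["command_line"]):
            for rule in match_rules(cmd):
                root = root_process(events, e["pid"])
                findings.append({
                    "rule": rule, "pid": e["pid"], "image": e["image"],
                    "command": cmd,
                    "root_pid": root["pid"] if root else None,
                    "root_image": root["image"] if root else None,
                })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]}: pid {f["pid"]} ran "{f["command"]}" '
              f'(chain root: pid {f["root_pid"]}, {f["root_image"]})')
```

Against the constructed events this yields four findings, all rooted at pid 3476: three from the cmd.exe command line (one per chained command) and one from the vssadmin.exe child, while the `vssadmin list shadows` event produces none. Matching per chained command rather than on the raw line is what makes the bcdedit tampering visible here even though no bcdedit process appears in the tree.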