Analysis
- max time kernel: 122s
- max time network: 173s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 02:33
Static task: static1

Behavioral task: behavioral1
  Sample: 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
  Resource: win10-en-20211208
General
- Target: 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
- Size: 3.3MB
- MD5: 576fcb4d6324df3c549d2c5d5d4af022
- SHA1: 5724577c1776fe704f70271927d5101acb5e3c4a
- SHA256: 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794
- SHA512: abcecb6cec254281b55f025de7a2f37967dc81009f87ac7ca532af76232806276314c0420f5aa90bfa75c7149e78ecc521b44e6a21f8c4dc9eeb66820ff34e93
Malware Config
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    description             | ioc   | process
    File opened (read-only) | \??\J: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\O: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\P: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\H: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\G: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\K: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\M: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\Q: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\T: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\U: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\X: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\B: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\Z: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\Y: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\L: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\R: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\V: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\F: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\E: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\I: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\N: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\S: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\W: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    File opened (read-only) | \??\A: | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    pid  | process
    2852 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    pid  | process
    2636 | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    2636 | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    2636 | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
    2636 | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
    description               | pid  | process
    Token: SeBackupPrivilege  | 1828 | vssvc.exe
    Token: SeRestorePrivilege | 1828 | vssvc.exe
    Token: SeAuditPrivilege   | 1828 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe, cmd.exe
    description                    | pid  | process                                                              | target process
    PID 2636 wrote to memory of 3380 | 2636 | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe | cmd.exe
    PID 2636 wrote to memory of 3380 | 2636 | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe | cmd.exe
    PID 2636 wrote to memory of 3380 | 2636 | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe | cmd.exe
    PID 3380 wrote to memory of 2852 | 3380 | cmd.exe | vssadmin.exe
    PID 3380 wrote to memory of 2852 | 3380 | cmd.exe | vssadmin.exe
    PID 3380 wrote to memory of 2852 | 3380 | cmd.exe | vssadmin.exe
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe"
  Depth: 1
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    Depth: 2
    - Suspicious use of WriteProcessMemory
    - Path: C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      Depth: 3
      - Interacts with shadow copies
- Path: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Depth: 1
  - Suspicious use of AdjustPrivilegeToken