Analysis
- max time kernel: 142s
- max time network: 128s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 02:09
Static task: static1
Behavioral task: behavioral1
- Sample: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
- Resource: win10-en-20211208
General
- Target: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
- Size: 164KB
- MD5: 96b14c03ea5bb2e3f554f378a2d913aa
- SHA1: 7cb414191f445d1bd8ef54e99b4b033b80f61075
- SHA256: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333
- SHA512: 76633a9a18e9cc40ba76754ad547cf048935c127e6646a0d288d82909ac42cd811826aaa33d764f1d3a3ea42b672267aeb09f9a2b065549ffc29028357ccfea9
Malware Config
Extracted
- Path: C:\407r7-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CD7BE6E731F1DBFF
  http://decryptor.top/CD7BE6E731F1DBFF
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
  description | ioc (the process column of every row is the sample process above)
  File renamed | C:\Users\Admin\Pictures\WaitExport.tiff => \??\c:\users\admin\pictures\WaitExport.tiff.407r7
  File renamed | C:\Users\Admin\Pictures\RedoMeasure.tiff => \??\c:\users\admin\pictures\RedoMeasure.tiff.407r7
  File opened for modification | \??\c:\users\admin\pictures\RedoMeasure.tiff
  File opened for modification | \??\c:\users\admin\pictures\WaitExport.tiff
  File renamed | C:\Users\Admin\Pictures\CopyShow.crw => \??\c:\users\admin\pictures\CopyShow.crw.407r7
  File renamed | C:\Users\Admin\Pictures\GetStop.png => \??\c:\users\admin\pictures\GetStop.png.407r7
  File renamed | C:\Users\Admin\Pictures\GrantResolve.tif => \??\c:\users\admin\pictures\GrantResolve.tif.407r7
  File renamed | C:\Users\Admin\Pictures\SendSearch.png => \??\c:\users\admin\pictures\SendSearch.png.407r7
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
  description | ioc (the process column of every row is the sample process above)
  File opened (read-only) | \??\A:, \??\E:, \??\F:, \??\G:, \??\H:, \??\M:, \??\T:, \??\U:, \??\V:, \??\X:, \??\D:, \??\J:, \??\L:, \??\N:, \??\Q:, \??\R:, \??\O:, \??\P:, \??\Y:, \??\B:, \??\I:, \??\K:, \??\S:, \??\W:, \??\Z:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7k9z0fj.bmp" | 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
- Drops file in Program Files directory (13 IoCs)
  Processes: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
  description | ioc (the process column of every row is the sample process above)
  File opened for modification | \??\c:\program files\CompleteDisable.otf
  File opened for modification | \??\c:\program files\ConvertApprove.sql
  File opened for modification | \??\c:\program files\ExpandNew.doc
  File opened for modification | \??\c:\program files\GroupCopy.js
  File opened for modification | \??\c:\program files\LimitSplit.rmi
  File opened for modification | \??\c:\program files\LimitSuspend.dib
  File created | \??\c:\program files (x86)\407r7-readme.txt
  File opened for modification | \??\c:\program files\AssertRename.wmx
  File opened for modification | \??\c:\program files\RestartLock.dib
  File opened for modification | \??\c:\program files\RedoConfirm.vdx
  File opened for modification | \??\c:\program files\ShowMerge.ps1xml
  File created | \??\c:\program files\407r7-readme.txt
  File opened for modification | \??\c:\program files\OptimizeUnlock.3gp
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe, powershell.exe
  pid | process
  3712 | 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
  3712 | 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
  3340 | powershell.exe
  3340 | powershell.exe
  3340 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 3340 | powershell.exe
  Token: SeBackupPrivilege | 2544 | vssvc.exe
  Token: SeRestorePrivilege | 2544 | vssvc.exe
  Token: SeAuditPrivilege | 2544 | vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe
  description | pid | process | target process
  PID 3712 wrote to memory of 3340 | 3712 | 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe | powershell.exe
  PID 3712 wrote to memory of 3340 | 3712 | 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 2, child of the sample)
    Command line: powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    The -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} (deletes every Volume Shadow Copy on the host, removing the local restore points a defender would otherwise recover from).
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (tree level 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (tree level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3340-120-0x000001ACEFDC0000-0x000001ACEFDE2000-memory.dmp (Filesize 136KB)
- memory/3340-124-0x000001ACF0A00000-0x000001ACF0A76000-memory.dmp (Filesize 472KB)
- memory/3340-132-0x000001ACD7D50000-0x000001ACEFE40000-memory.dmp (Filesize 384.9MB)
- memory/3340-133-0x000001ACD7D50000-0x000001ACEFE40000-memory.dmp (Filesize 384.9MB)