Analysis
- max time kernel: 130s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:11

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
  Resource: win10-en-20211208
General
- Target: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
- Size: 194KB
- MD5: ba1136cf85156398770ca6adf24d82e2
- SHA1: 3f595e2b7128a4313ab7114a126633255c2d4b22
- SHA256: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238
- SHA512: 015150d20dc4e267abdc0a7b26661c8e3abd5e894d3120301abdffea3c09f999482681c95fcabf488115889127daf17a8edfeea720fbfa5a2a68b0a1a60fe894
Malware Config
- Extracted from: C:\97ts838cd7-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/967D6DA612FB86CF
  http://decryptor.top/967D6DA612FB86CF
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
  - File opened for modification: \??\c:\users\admin\pictures\StartUndo.tiff
  - File renamed: C:\Users\Admin\Pictures\StartUndo.tiff => \??\c:\users\admin\pictures\StartUndo.tiff.97ts838cd7
  - File renamed: C:\Users\Admin\Pictures\UndoRepair.raw => \??\c:\users\admin\pictures\UndoRepair.raw.97ts838cd7
  - File opened for modification: \??\c:\users\admin\pictures\MeasureDebug.tiff
  - File renamed: C:\Users\Admin\Pictures\InitializeSet.raw => \??\c:\users\admin\pictures\InitializeSet.raw.97ts838cd7
  - File renamed: C:\Users\Admin\Pictures\SetRegister.raw => \??\c:\users\admin\pictures\SetRegister.raw.97ts838cd7
  - File renamed: C:\Users\Admin\Pictures\SkipPing.tiff => \??\c:\users\admin\pictures\SkipPing.tiff.97ts838cd7
  - File renamed: C:\Users\Admin\Pictures\GrantAssert.crw => \??\c:\users\admin\pictures\GrantAssert.crw.97ts838cd7
  - File renamed: C:\Users\Admin\Pictures\GroupOut.png => \??\c:\users\admin\pictures\GroupOut.png.97ts838cd7
  - File renamed: C:\Users\Admin\Pictures\MeasureDebug.tiff => \??\c:\users\admin\pictures\MeasureDebug.tiff.97ts838cd7
  - File opened for modification: \??\c:\users\admin\pictures\SkipPing.tiff
- Drops desktop.ini file(s) (28 IoCs)
  Process: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
  File opened for modification:
  - \??\c:\users\public\music\sample music\desktop.ini
  - \??\c:\users\public\pictures\sample pictures\desktop.ini
  - \??\c:\users\public\videos\desktop.ini
  - \??\c:\users\admin\documents\desktop.ini
  - \??\c:\users\public\videos\sample videos\desktop.ini
  - \??\c:\program files (x86)\desktop.ini
  - \??\c:\users\public\recorded tv\sample media\desktop.ini
  - \??\c:\users\admin\saved games\desktop.ini
  - \??\c:\users\public\documents\desktop.ini
  - \??\c:\users\public\libraries\desktop.ini
  - \??\c:\users\admin\downloads\desktop.ini
  - \??\c:\users\admin\links\desktop.ini
  - \??\c:\users\admin\videos\desktop.ini
  - \??\c:\users\public\desktop\desktop.ini
  - \??\c:\users\public\pictures\desktop.ini
  - \??\c:\program files\desktop.ini
  - \??\c:\users\public\downloads\desktop.ini
  - \??\c:\users\admin\contacts\desktop.ini
  - \??\c:\users\public\music\desktop.ini
  - \??\c:\users\public\recorded tv\desktop.ini
  - \??\c:\users\admin\music\desktop.ini
  - \??\c:\users\admin\desktop\desktop.ini
  - \??\c:\users\admin\favorites\desktop.ini
  - \??\c:\users\admin\pictures\desktop.ini
  - \??\c:\users\admin\searches\desktop.ini
  - \??\c:\users\admin\favorites\links\desktop.ini
  - \??\c:\users\admin\favorites\links for united states\desktop.ini
  - \??\c:\users\public\desktop.ini
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
  File opened (read-only): \??\L:, \??\N:, \??\O:, \??\Q:, \??\Z:, \??\E:, \??\R:, \??\S:, \??\T:, \??\Y:, \??\P:, \??\X:, \??\B:, \??\G:, \??\I:, \??\J:, \??\M:, \??\V:, \??\W:, \??\D:, \??\A:, \??\F:, \??\H:, \??\K:, \??\U:
- Drops file in System32 directory (1 IoC)
  Process: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
  - File opened for modification: C:\Windows\System32\CatRoot2\dberr.txt
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ok0t.bmp"
- Drops file in Program Files directory (23 IoCs)
  Process: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
  - File opened for modification: \??\c:\program files\RegisterImport.mht
  - File created: \??\c:\program files\97ts838cd7-readme.txt
  - File created: \??\c:\program files (x86)\97ts838cd7-readme.txt
  - File opened for modification: \??\c:\program files\BackupEnable.snd
  - File opened for modification: \??\c:\program files\DenyAssert.ttc
  - File opened for modification: \??\c:\program files\desktop.ini
  - File opened for modification: \??\c:\program files\DismountInvoke.otf
  - File opened for modification: \??\c:\program files\ExpandPop.dotm
  - File opened for modification: \??\c:\program files\SwitchGrant.xlsb
  - File opened for modification: \??\c:\program files\TestInstall.WTV
  - File opened for modification: \??\c:\program files\FormatApprove.html
  - File opened for modification: \??\c:\program files\SetPublish.cr2
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\97ts838cd7-readme.txt
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\97ts838cd7-readme.txt
  - File opened for modification: \??\c:\program files\ImportBlock.vdx
  - File opened for modification: \??\c:\program files\OpenStep.3gp
  - File opened for modification: \??\c:\program files\RemoveProtect.vssm
  - File opened for modification: \??\c:\program files (x86)\desktop.ini
  - File opened for modification: \??\c:\program files\ExpandWrite.xltx
  - File opened for modification: \??\c:\program files\HideBackup.aif
  - File opened for modification: \??\c:\program files\InitializeUpdate.tmp
  - File opened for modification: \??\c:\program files\ResetCheckpoint.wmx
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\97ts838cd7-readme.txt
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe (PID 1856)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe (PID 1660)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: vssvc.exe (PID 1076)
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe, cmd.exe
  - PID 1660 (45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe) wrote to memory of PID 292 (cmd.exe): 4 entries
  - PID 292 (cmd.exe) wrote to memory of PID 1856 (vssadmin.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45d1cd7c15c76f54baf8c96b2ce8ac246d856f3609cdccb264965336d5f1e238.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1660-54-0x00000000754B1000-0x00000000754B3000-memory.dmp (Filesize: 8KB)