Analysis
max time kernel: 163s
max time network: 163s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 02:18
Static task: static1
Behavioral task: behavioral1
  Sample: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
  Resource: win10-en-20211208
General
Target: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
Size: 164KB
MD5: 327bd8a60fb54aaaba8718c890dda09d
SHA1: 11dc514565e12025e33668e9f41b99353db4628e
SHA256: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294
SHA512: 23ef833c7873085d8d3867f99ccebbf26244d74d59c977cfc8cf911e80539ce28f209ff9aac7a489147315a4b72f50b54713cce72bc7896e783aa15f818224e9
Malware Config
Extracted from: C:\t55fsxuuv-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E863746DACC052E1
http://decryptor.top/E863746DACC052E1
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\AddCompress.crw => \??\c:\users\admin\pictures\AddCompress.crw.t55fsxuuv | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File renamed | C:\Users\Admin\Pictures\ClearResize.png => \??\c:\users\admin\pictures\ClearResize.png.t55fsxuuv | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File renamed | C:\Users\Admin\Pictures\FormatUse.crw => \??\c:\users\admin\pictures\FormatUse.crw.t55fsxuuv | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File renamed | C:\Users\Admin\Pictures\RenameUpdate.tif => \??\c:\users\admin\pictures\RenameUpdate.tif.t55fsxuuv | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File renamed | C:\Users\Admin\Pictures\SearchRestart.tif => \??\c:\users\admin\pictures\SearchRestart.tif.t55fsxuuv | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File renamed | C:\Users\Admin\Pictures\StartOpen.raw => \??\c:\users\admin\pictures\StartOpen.raw.t55fsxuuv | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
description | ioc | process
File opened (read-only) | \??\I: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\L: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\M: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\S: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\D: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\B: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\F: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\N: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\R: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\Y: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\K: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\P: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\Q: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\U: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\W: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\T: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\V: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\A: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\E: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\G: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\H: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\J: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\O: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\X: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened (read-only) | \??\Z: | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n3kxvqp5.bmp" | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
Drops file in Program Files directory (24 IoCs)
Processes: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
description | ioc | process
File created | \??\c:\program files (x86)\t55fsxuuv-readme.txt | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\FormatStep.xsl | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\MoveGrant.bmp | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\OptimizeRedo.midi | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\ResetConnect.TTS | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\UsePing.pub | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\WatchClear.cr2 | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\GroupRequest.edrwx | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\RedoDismount.aifc | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\SaveSplit.potx | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\StepGet.wmf | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\TestSwitch.vsdx | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\WaitFormat.reg | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File created | \??\c:\program files\t55fsxuuv-readme.txt | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\EnablePush.wmv | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\LockConvertTo.pps | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\OpenExpand.xps | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\TestBackup.wmf | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\UnpublishUndo.odp | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\ConvertToComplete.mp3 | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\DenySend.png | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\RestoreUnblock.001 | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\SubmitCheckpoint.css | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
File opened for modification | \??\c:\program files\UnprotectSplit.xlsm | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe, powershell.exe
pid | process
1988 | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
1988 | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
3364 | powershell.exe
3364 | powershell.exe
3364 | powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3364 | powershell.exe
Token: SeBackupPrivilege | 1348 | vssvc.exe
Token: SeRestorePrivilege | 1348 | vssvc.exe
Token: SeAuditPrivilege | 1348 | vssvc.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe
description | pid | process | target process
PID 1988 wrote to memory of 3364 | 1988 | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe | powershell.exe
PID 1988 wrote to memory of 3364 | 1988 | 338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe | powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\338e8f24eeb38b5ef67ef662b65d592c816eba94dfaaac856021dac407daf294.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of the sample)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (The -e argument is base64 of a UTF-16LE PowerShell one-liner; it decodes to a Get-WmiObject Win32_Shadowcopy pipeline that calls Delete() on every shadow copy, which is what triggers the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege token use listed under AdjustPrivilegeToken above. Encoded-command PowerShell spawned by an unsigned binary from a Temp directory is a high-confidence detection point for this family.)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe (depth 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3364-123-0x0000020DDBD40000-0x0000020DDBD62000-memory.dmp | Filesize: 136KB
memory/3364-128-0x0000020DC1A60000-0x0000020DC1A62000-memory.dmp | Filesize: 8KB
memory/3364-129-0x0000020DC1A63000-0x0000020DC1A65000-memory.dmp | Filesize: 8KB
memory/3364-130-0x0000020DDBEF0000-0x0000020DDBF66000-memory.dmp | Filesize: 472KB