Analysis
- max time kernel: 46s
- max time network: 40s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:23
Static task: static1
Behavioral task: behavioral1
  Sample: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  Resource: win10-en-20211208
General
- Target: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
- Size: 238KB
- MD5: f3b3bb093d9f95fa405947c9be02594d
- SHA1: 102ea13148647c13ecc20c75cd62f3c17a7bebf2
- SHA256: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a
- SHA512: 8f749837fe4300378d87b398486f15a7cf0bb9753832161c82cf31919b781a496cf29077acd11b4c302e53c49674ca259105a0ec7af93a9b5dd8aab12437286b
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\B: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\E: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\G: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\S: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\T: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\F: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\K: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\O: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\Q: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\U: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\Z: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\I: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\J: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\P: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\R: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\X: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\A: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\H: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\L: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\M: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\N: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\V: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\W: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  File opened (read-only) | \??\Y: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  1828 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 2028 | vssvc.exe
  Token: SeRestorePrivilege | 2028 | vssvc.exe
  Token: SeAuditPrivilege | 2028 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 1316 wrote to memory of 1656 | 1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe | cmd.exe
  PID 1316 wrote to memory of 1656 | 1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe | cmd.exe
  PID 1316 wrote to memory of 1656 | 1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe | cmd.exe
  PID 1316 wrote to memory of 1656 | 1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe | cmd.exe
  PID 1656 wrote to memory of 1828 | 1656 | cmd.exe | vssadmin.exe
  PID 1656 wrote to memory of 1828 | 1656 | cmd.exe | vssadmin.exe
  PID 1656 wrote to memory of 1828 | 1656 | cmd.exe | vssadmin.exe
  PID 1656 wrote to memory of 1828 | 1656 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe"
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1316-55-0x0000000074B21000-0x0000000074B23000-memory.dmp (filesize: 8KB)