General

Target: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
Filesize: 238KB
Completed: 24-01-2022 03:03
Task: behavioral1
Score: 10/10
MD5: f3b3bb093d9f95fa405947c9be02594d
SHA1: 102ea13148647c13ecc20c75cd62f3c17a7bebf2
SHA256: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a
SHA512: 8f749837fe4300378d87b398486f15a7cf0bb9753832161c82cf31919b781a496cf29077acd11b4c302e53c49674ca259105a0ec7af93a9b5dd8aab12437286b

Malware Config
Signatures 8

  • Sodin, Sodinokibi, REvil

    Description

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Enumerates connected drives
    26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description             | ioc    | process
    File opened (read-only) | \??\B: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\E: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\G: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\S: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\T: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\F: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\K: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\O: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\Q: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\U: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\Z: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\I: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\J: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\P: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\R: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\X: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\A: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\H: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\L: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\M: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\N: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\V: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\W: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only) | \??\Y: | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid  | process
    1828 | vssadmin.exe
  • Suspicious behavior: EnumeratesProcesses
    26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe

    Reported IOCs

    pid  | process
    1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    description               | pid  | process
    Token: SeBackupPrivilege  | 2028 | vssvc.exe
    Token: SeRestorePrivilege | 2028 | vssvc.exe
    Token: SeAuditPrivilege   | 2028 | vssvc.exe
  • Suspicious use of WriteProcessMemory
    26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe, cmd.exe

    Reported IOCs

    description                       | pid  | process                                                              | target process
    PID 1316 wrote to memory of 1656  | 1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe | cmd.exe
    PID 1316 wrote to memory of 1656  | 1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe | cmd.exe
    PID 1316 wrote to memory of 1656  | 1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe | cmd.exe
    PID 1316 wrote to memory of 1656  | 1316 | 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe | cmd.exe
    PID 1656 wrote to memory of 1828  | 1656 | cmd.exe                                                              | vssadmin.exe
    PID 1656 wrote to memory of 1828  | 1656 | cmd.exe                                                              | vssadmin.exe
    PID 1656 wrote to memory of 1828  | 1656 | cmd.exe                                                              | vssadmin.exe
    PID 1656 wrote to memory of 1828  | 1656 | cmd.exe                                                              | vssadmin.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    "C:\Users\Admin\AppData\Local\Temp\26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe"
    Enumerates connected drives
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        Interacts with shadow copies
        PID:1828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:2028
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • memory/1316-55-0x0000000074B21000-0x0000000074B23000-memory.dmp