Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:25
Static task: static1
Behavioral task: behavioral1
  Sample: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  Resource: win10-en-20211208
General
- Target: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
- Size: 160KB
- MD5: c20ceab7c093c47be023c81164b544ce
- SHA1: de182d48bcc37bcbd1a25f22a0fc6619ce96f69b
- SHA256: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c
- SHA512: add2c95045cfc9313d03e5b8cc351e90d0d82f2758208f48800db2ad02a39f8f8c60bcf8dce089d5a25e92e9ae2623cb30fc164de384620ce21276d261b32361
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  description | ioc | process
  File opened (read-only) | \??\Y: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\A: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\B: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\T: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\Q: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\V: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\F: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\I: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\P: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\M: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\N: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\O: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\R: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\G: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\J: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\L: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\S: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\U: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\W: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\X: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\Z: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\E: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\H: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\K: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  756 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  pid | process
  1624 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1280 | vssvc.exe
  Token: SeRestorePrivilege | 1280 | vssvc.exe
  Token: SeAuditPrivilege | 1280 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe, cmd.exe
  description | pid | process | target process
  PID 1624 wrote to memory of 320 | 1624 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe | cmd.exe
  PID 1624 wrote to memory of 320 | 1624 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe | cmd.exe
  PID 1624 wrote to memory of 320 | 1624 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe | cmd.exe
  PID 1624 wrote to memory of 320 | 1624 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe | cmd.exe
  PID 320 wrote to memory of 756 | 320 | cmd.exe | vssadmin.exe
  PID 320 wrote to memory of 756 | 320 | cmd.exe | vssadmin.exe
  PID 320 wrote to memory of 756 | 320 | cmd.exe | vssadmin.exe
  PID 320 wrote to memory of 756 | 320 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe"
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1624-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB