Analysis

max time kernel: 167s
max time network: 171s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 07:56

Static task: static1

Behavioral task: behavioral1
Sample: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe
Resource: win10-en-20211208
General

Target: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe
Size: 160KB
MD5: f92ed77eb41b9e7a0ca17e09f107a9e6
SHA1: 24982652cead2fa9c47aeb40cb8fbdecd2ee4539
SHA256: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6
SHA512: c7a1173385b3cfc9a66139d17a9e9033d49ff5163bc0fb605b5ed65f70ce0826401d49f4cdd8c1bff47cf6f0a3d5a17e1a4b8d0fc74467fd4e56de913f1d6f63
Malware Config

Extracted from: C:\ft272-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8FA640F790478E8F
  http://decryptor.top/8FA640F790478E8F
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (15 IoCs)
Ransomware generally changes the extension on encrypted files.
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\h4o5.bmp"
Process: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe

Drops file in Program Files directory (35 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid: 2312  Process: vssadmin.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid: 2404  Process: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe
pid: 2404  Process: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeBackupPrivilege   pid: 1836  Process: vssvc.exe
Token: SeRestorePrivilege  pid: 1836  Process: vssvc.exe
Token: SeAuditPrivilege    pid: 1836  Process: vssvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 2404 wrote to memory of 1160  pid: 2404  Process: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe  procid_target: 68
description: PID 2404 wrote to memory of 1160  pid: 2404  Process: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe  procid_target: 68
description: PID 2404 wrote to memory of 1160  pid: 2404  Process: 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe  procid_target: 68
description: PID 1160 wrote to memory of 2312  pid: 1160  Process: cmd.exe  procid_target: 70
description: PID 1160 wrote to memory of 2312  pid: 1160  Process: cmd.exe  procid_target: 70
description: PID 1160 wrote to memory of 2312  pid: 1160  Process: cmd.exe  procid_target: 70
Processes

C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2404

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    PID: 1160

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2312

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1836