Analysis
max time kernel: 120s
max time network: 135s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 07:56
Static task: static1
Behavioral task: behavioral1
  Sample: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  Resource: win10-en-20211208
General
Target: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
Size: 122KB
MD5: 1abeefbab61ac4feca6872eb84ba4be1
SHA1: 1c6d390d7c59b04adbad25ea87fc64357f6c7d43
SHA256: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7
SHA512: 0643cf3823ccae44aa29ccc4e63364dfea73d8ad95dcde9b5fca440fd713eb30355025c48cc42d6541fa9a4be7f81909e648dac59b0ecbff823438014faffafd
Malware Config
Extracted from: C:\550f000z-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/296BDD1B1AE0291E
  http://decoder.re/296BDD1B1AE0291E
Both URLs carry the same 16-hex-character path component. It is the identifier the note hands to the victim for this infection, so it is useful for matching other artefacts from the same run but should not be used as a family-wide indicator; the onion and decoder.re hostnames are the stable part.
Signatures
Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies Windows Firewall (1 TTPs)
  No IoC rows are attached to this signature; the matching event is the netsh.exe child in the process tree below, which enables the built-in "Network Discovery" firewall rule group. This opens discovery traffic rather than blocking anything: REvil enables the group so that other hosts and shares on the network become reachable before it looks for them.
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files. All 12 renames here append .550f000z to files under C:\Users\Admin\Pictures, the same string that names the ransom note (550f000z-readme.txt).
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
description    ioc
File renamed   C:\Users\Admin\Pictures\RevokeFind.crw => \??\c:\users\admin\pictures\RevokeFind.crw.550f000z
File renamed   C:\Users\Admin\Pictures\UndoNew.tif => \??\c:\users\admin\pictures\UndoNew.tif.550f000z
File renamed   C:\Users\Admin\Pictures\CheckpointResume.crw => \??\c:\users\admin\pictures\CheckpointResume.crw.550f000z
File renamed   C:\Users\Admin\Pictures\ConvertFromSet.raw => \??\c:\users\admin\pictures\ConvertFromSet.raw.550f000z
File renamed   C:\Users\Admin\Pictures\CopyUndo.crw => \??\c:\users\admin\pictures\CopyUndo.crw.550f000z
File renamed   C:\Users\Admin\Pictures\DisableSplit.crw => \??\c:\users\admin\pictures\DisableSplit.crw.550f000z
File renamed   C:\Users\Admin\Pictures\JoinAdd.raw => \??\c:\users\admin\pictures\JoinAdd.raw.550f000z
File renamed   C:\Users\Admin\Pictures\CheckpointOpen.png => \??\c:\users\admin\pictures\CheckpointOpen.png.550f000z
File renamed   C:\Users\Admin\Pictures\CompareImport.raw => \??\c:\users\admin\pictures\CompareImport.raw.550f000z
File renamed   C:\Users\Admin\Pictures\ConvertFromPing.crw => \??\c:\users\admin\pictures\ConvertFromPing.crw.550f000z
File renamed   C:\Users\Admin\Pictures\ReadWatch.raw => \??\c:\users\admin\pictures\ReadWatch.raw.550f000z
File renamed   C:\Users\Admin\Pictures\SearchMove.png => \??\c:\users\admin\pictures\SearchMove.png.550f000z
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
description       ioc
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bi2LJZNdn9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe"
The value points back at the sample's own location in the user's Temp directory, so the persistence survives only as long as that file does. The Wow6432Node path (and the SysWOW64 netsh.exe below) show the sample is a 32-bit process running under WOW64 on this x64 guest.
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
description               ioc
File opened (read-only)   \??\P:  \??\Q:  \??\Z:  \??\J:  \??\S:  \??\U:  \??\V:  \??\H:  \??\F:  \??\K:  \??\L:  \??\M:  \??\N:  \??\O:  \??\R:  \??\A:  \??\D:  \??\X:  \??\E:  \??\G:  \??\I:  \??\T:  \??\W:  \??\Y:  \??\B:
The 25 opens cover every drive letter except C:, i.e. the sample probes the whole letter range rather than only volumes that exist, which is what a blanket encryption sweep looks like.
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
description       ioc
Set value (str)   \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b8j8kjw30kfua.bmp"
Drops file in Program Files directory (41 IoCs)
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
File created (10):
  \??\c:\program files (x86)\tmp
  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\550f000z-readme.txt
  \??\c:\program files (x86)\550f000z-readme.txt
  \??\c:\program files\550f000z-readme.txt
  \??\c:\program files (x86)\microsoft sql server compact edition\550f000z-readme.txt
  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp
  \??\c:\program files\tmp
  \??\c:\program files (x86)\microsoft sql server compact edition\tmp
  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tmp
  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\550f000z-readme.txt
File opened for modification (31):
  \??\c:\program files\EditInitialize.mov
  \??\c:\program files\LockSet.cfg
  \??\c:\program files\RestoreHide.iso
  \??\c:\program files\CompareClear.bmp
  \??\c:\program files\GroupMount.TTS
  \??\c:\program files\ConnectSend.asp
  \??\c:\program files\OutCompress.mpg
  \??\c:\program files\RequestDisable.potx
  \??\c:\program files\RevokeSkip.snd
  \??\c:\program files\StepUnprotect.wmf
  \??\c:\program files\TracePublish.ps1xml
  \??\c:\program files\DebugPublish.tiff
  \??\c:\program files\EditUse.wpl
  \??\c:\program files\ApproveTrace.WTV
  \??\c:\program files\AssertCheckpoint.ogg
  \??\c:\program files\BlockRevoke.wma
  \??\c:\program files\ConvertBlock.xml
  \??\c:\program files\DenyCompress.M2T
  \??\c:\program files\SuspendStop.avi
  \??\c:\program files\ConfirmSearch.rtf
  \??\c:\program files\MeasureJoin.dotx
  \??\c:\program files\ReceiveProtect.mp2
  \??\c:\program files\SendMeasure.search-ms
  \??\c:\program files\UpdateDebug.dotx
  \??\c:\program files\BlockGrant.dwfx
  \??\c:\program files\ExpandUninstall.vssx
  \??\c:\program files\FormatEnable.csv
  \??\c:\program files\ImportPublish.ogg
  \??\c:\program files\ResumeTest.mp3
  \??\c:\program files\ConvertInstall.mpeg3
  \??\c:\program files\TestWrite.7z
In each of the five directories the sample visits it creates both a file named "tmp" and a copy of the ransom note; the 31 in-place opens are the bait documents being overwritten where they stand rather than copied.
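The two signatures above ("Modifies extensions of user files" and "Drops file in Program Files directory") are reported as separate hit counts, but an analyst wants them joined: the suffix appended by the renames predicts the note filename, and the note drops then show where the encryptor has been. The script below is an added example, not tria.ge's signature logic and not code from the sample; its event rows are rebuilt from the two IoC tables above, and the burst threshold (10 renames) and the "<extension>-readme.txt" naming rule are the analyst's assumptions, which this report happens to confirm (550f000z and 550f000z-readme.txt).

```python
"""Correlate rename and drop events from a sandbox report into one ransomware finding.

Added example (not tria.ge's signature code and not part of the sample): the
rows below are rebuilt from the report's "Modifies extensions of user files"
and "Drops file in Program Files directory" tables. The burst threshold and
the "<extension>-readme.txt" note-name rule are the analyst's assumptions.
"""
from collections import Counter, defaultdict

SAMPLE = "23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe"
NT_PREFIX = "\\??\\"   # object-manager prefix the report keeps on the "new" path

# The 12 renamed files exactly as the report lists them (old => new).
PICTURES = ["RevokeFind.crw", "UndoNew.tif", "CheckpointResume.crw", "ConvertFromSet.raw",
            "CopyUndo.crw", "DisableSplit.crw", "JoinAdd.raw", "CheckpointOpen.png",
            "CompareImport.raw", "ConvertFromPing.crw", "ReadWatch.raw", "SearchMove.png"]
EVENTS = [("File renamed",
           f"C:\\Users\\Admin\\Pictures\\{n} => {NT_PREFIX}c:\\users\\admin\\pictures\\{n}.550f000z",
           SAMPLE) for n in PICTURES]
# A subset of the Program Files rows: the five note drops, two "tmp" drops, one in-place write.
EVENTS += [
    ("File created", NT_PREFIX + r"c:\program files (x86)\tmp", SAMPLE),
    ("File created", NT_PREFIX + r"c:\program files (x86)\microsoft sql server compact edition\v3.5\550f000z-readme.txt", SAMPLE),
    ("File created", NT_PREFIX + r"c:\program files (x86)\550f000z-readme.txt", SAMPLE),
    ("File created", NT_PREFIX + r"c:\program files\550f000z-readme.txt", SAMPLE),
    ("File created", NT_PREFIX + r"c:\program files (x86)\microsoft sql server compact edition\550f000z-readme.txt", SAMPLE),
    ("File created", NT_PREFIX + r"c:\program files\tmp", SAMPLE),
    ("File created", NT_PREFIX + r"c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\550f000z-readme.txt", SAMPLE),
    ("File opened for modification", NT_PREFIX + r"c:\program files\EditInitialize.mov", SAMPLE),
]


def normalize(path):
    """Drop the NT prefix and fold case so the report's old/new spellings compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_suffix(old, new):
    """Return the string appended to the old name, or None if the rename is not a pure append."""
    old_n, new_n = normalize(old), normalize(new)
    if new_n.startswith(old_n) and len(new_n) > len(old_n):
        return new_n[len(old_n):]
    return None


def rename_bursts(events, threshold=10):
    """Per process, count how often the same suffix is appended; keep those at or over threshold."""
    per_proc = defaultdict(Counter)
    for desc, ioc, proc in events:
        if desc != "File renamed" or " => " not in ioc:
            continue
        old, new = ioc.split(" => ", 1)
        suffix = appended_suffix(old, new)
        if suffix:
            per_proc[proc][suffix] += 1
    return {proc: {s: n for s, n in c.items() if n >= threshold}
            for proc, c in per_proc.items() if max(c.values()) >= threshold}


def note_name_for(suffix):
    """Assumed REvil convention: the note is named '<extension>-readme.txt'."""
    return f"{suffix.lstrip('.')}-readme.txt"


def note_drop_dirs(events, note_name):
    """Directories in which a file with the predicted note name was created."""
    target = "\\" + note_name.lower()
    dirs = {normalize(ioc).rsplit("\\", 1)[0]
            for desc, ioc, _ in events
            if desc == "File created" and normalize(ioc).endswith(target)}
    return sorted(dirs)


def triage(events, threshold=10):
    """One finding per (process, suffix) burst, with the note name and where it was dropped."""
    findings = []
    for proc, suffixes in rename_bursts(events, threshold).items():
        for suffix, count in suffixes.items():
            note = note_name_for(suffix)
            findings.append({"process": proc, "suffix": suffix, "renames": count,
                             "note": note, "note_dirs": note_drop_dirs(events, note)})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['process']}: {f['renames']} renames -> {f['suffix']}, "
              f"note {f['note']} dropped in {len(f['note_dirs'])} dirs")
```

Keying the burst on the appended suffix rather than on "any rename" is what keeps installers and backup tools out of the alert: they rename many files too, but not all to one new extension. The note-name rule is deliberately a separate function so it can be swapped for another family's convention without touching the rename logic.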
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid    process
1088   23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe (5 hits)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description                      pid    process
Token: SeDebugPrivilege          1088   23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
Token: SeTakeOwnershipPrivilege  1088   23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
Token: SeBackupPrivilege         876    vssvc.exe
Token: SeRestorePrivilege        876    vssvc.exe
Token: SeAuditPrivilege          876    vssvc.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                  pid    process                                                                   target process
PID 1088 wrote to memory of 332   1088   23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe   netsh.exe (4 hits)
All four writes go from the sample into the netsh.exe child it has just created. A handful of parent-to-child writes at process start is routine for any spawned process in these reports and is not on its own evidence of injection; read this as corroboration of the netsh spawn, not as a separate finding.
Processes
C:\Users\Admin\AppData\Local\Temp\23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe"
  PID: 1088
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\netsh.exe (child of PID 1088)
    command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    PID: 332
C:\Windows\system32\wbem\unsecapp.exe
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1976
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 876
  - Suspicious use of AdjustPrivilegeToken
The two service-hosted processes deserve a note. unsecapp.exe -Embedding is the host for WMI asynchronous callbacks and vssvc.exe is the Volume Shadow Copy service; both start on demand when a client calls into WMI or VSS. Their appearance during this run, with vssvc.exe taking SeBackupPrivilege and SeRestorePrivilege, is consistent with shadow copies being enumerated or removed through WMI, but the report records no vssadmin or wmic command line, so treat that as a lead to confirm from the full trace rather than as an established finding.
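The process tree, the Run-key write, the wallpaper write and the drive-root sweep above are each flagged by a separate signature. The script below is an added example, not tria.ge's signature code and not part of the sample: it expresses the same four observations as host-side detection rules over Sysmon-style event records and runs them against constructed records that mirror this report. The sample's own parent process (explorer.exe) and parent PID are not in the report and are assumed; the list of user-writable directories and the 10-drive-root threshold are the analyst's choices.

```python
"""Rule checks over process, registry and file events matching this report.

Added example, not tria.ge signature code: EVENTS are constructed Sysmon-style
records that mirror the report's process tree, Run-key write, wallpaper write
and drive-root opens. The sample's parent (explorer.exe, ppid 500), the
USER_WRITABLE list and the drive-root threshold are assumptions.
"""
import re

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")

EVENTS = [
    {"type": "process", "pid": 1088, "image": TEMP_EXE, "ppid": 500,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{TEMP_EXE}"'},
    {"type": "process", "pid": 332, "image": r"C:\Windows\SysWOW64\netsh.exe", "ppid": 1088,
     "parent_image": TEMP_EXE,
     "cmdline": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"type": "registry", "pid": 1088,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bi2LJZNdn9",
     "value": TEMP_EXE},
    {"type": "registry", "pid": 1088,
     "key": r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\Admin\AppData\Local\Temp\b8j8kjw30kfua.bmp"},
    {"type": "process", "pid": 876, "image": r"C:\Windows\system32\vssvc.exe", "ppid": 4,
     "parent_image": r"C:\Windows\system32\services.exe", "cmdline": r"C:\Windows\system32\vssvc.exe"},
]
# 25 read-only opens of drive roots, every letter except C:, as the report lists them.
EVENTS += [{"type": "file", "pid": 1088, "path": f"\\??\\{letter}:", "access": "read-only"}
           for letter in "ABDEFGHIJKLMNOPQRSTUVWXYZ"]


def in_user_writable(path):
    """True when the path sits under a directory any user can write to."""
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def rule_run_key_user_writable(ev):
    """Autostart value whose target lives in a user-writable directory."""
    if ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower() \
            and in_user_writable(ev["value"]):
        return ("run_key_user_writable", ev["pid"])
    return None


def rule_netsh_network_discovery(ev):
    """netsh enabling the Network Discovery rule group, launched from outside C:\\Windows."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    c = ev["cmdline"].lower()
    if "advfirewall" in c and 'group="network discovery"' in c and "enable=yes" in c:
        # Installers and admins run exactly this line; the parent is the discriminator.
        if not ev["parent_image"].lower().startswith("c:\\windows\\"):
            return ("netsh_network_discovery_from_user_process", ev["ppid"])
    return None


def rule_wallpaper_from_user_writable(ev):
    """Wallpaper pointed at an image in a user-writable directory (ransom-note wallpaper pattern)."""
    if ev["type"] == "registry" and ev["key"].lower().endswith("\\control panel\\desktop\\wallpaper") \
            and in_user_writable(ev["value"]):
        return ("wallpaper_set_from_user_writable", ev["pid"])
    return None


def rule_drive_root_sweep(events, min_roots=10):
    """One process opening many distinct drive roots (\\??\\X:) in a run."""
    roots = {}
    for ev in events:
        if ev["type"] == "file" and re.fullmatch(r"\\\?\?\\[A-Z]:", ev["path"]):
            roots.setdefault(ev["pid"], set()).add(ev["path"][-2])
    return [("drive_root_sweep", pid) for pid, s in roots.items() if len(s) >= min_roots]


def evaluate(events):
    """Run every rule and return the de-duplicated (rule, pid) findings."""
    findings = []
    for ev in events:
        for rule in (rule_run_key_user_writable, rule_netsh_network_discovery,
                     rule_wallpaper_from_user_writable):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(rule_drive_root_sweep(events))
    return sorted(set(findings))


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule}: pid {pid}")
```

Every finding resolves to PID 1088 even though netsh.exe runs as PID 332: the netsh rule reports the parent, because the child is a stock system binary and the thing worth isolating is whatever launched it. The drive-root rule is the only one that needs the whole event stream; the other three are per-event and can run inline on a Sysmon pipeline.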
Network
(no network rows are present in this export)
MITRE ATT&CK Enterprise v6
(the technique mapping is not rendered in this export)
Downloads
memory/1088-54-0x00000000751B1000-0x00000000751B3000-memory.dmp (8KB)