Analysis
max time kernel: 159s
max time network: 155s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 07:56

Static task: static1
Behavioral task: behavioral1
  Sample: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  Resource: win10-en-20211208

General
Target: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
Size: 122KB
MD5: 1abeefbab61ac4feca6872eb84ba4be1
SHA1: 1c6d390d7c59b04adbad25ea87fc64357f6c7d43
SHA256: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7
SHA512: 0643cf3823ccae44aa29ccc4e63364dfea73d8ad95dcde9b5fca440fd713eb30355025c48cc42d6541fa9a4be7f81909e648dac59b0ecbff823438014faffafd
Malware Config
Extracted from: C:\1elv3vsh-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A5D7D8275F5F3DA6
  http://decoder.re/A5D7D8275F5F3DA6
Both URLs carry the same victim-specific path (A5D7D8275F5F3DA6), and the ransom note name (1elv3vsh-readme.txt) matches the extension appended to encrypted files (.1elv3vsh) in the rename IoCs below; the note is also dropped under Program Files.
Signatures
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies Windows Firewall (1 TTPs)
  (see the netsh.exe command line in the process tree below)

Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  File renamed: C:\Users\Admin\Pictures\LockResume.raw => \??\c:\users\admin\pictures\LockResume.raw.1elv3vsh
  File renamed: C:\Users\Admin\Pictures\RequestRestart.raw => \??\c:\users\admin\pictures\RequestRestart.raw.1elv3vsh
  File renamed: C:\Users\Admin\Pictures\RestartReset.tif => \??\c:\users\admin\pictures\RestartReset.tif.1elv3vsh
  File renamed: C:\Users\Admin\Pictures\UnblockRemove.tif => \??\c:\users\admin\pictures\UnblockRemove.tif.1elv3vsh
  File renamed: C:\Users\Admin\Pictures\DebugResolve.tif => \??\c:\users\admin\pictures\DebugResolve.tif.1elv3vsh
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bi2LJZNdn9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe"
  The WOW6432Node path shows a 32-bit process writing the Run key on 64-bit Windows; the value points back at the sample in the user's Temp directory, so the persistence only works while that file is still present.
Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  File opened (read-only): 25 drive roots of the form \??\<letter>:, every letter except C:, in the order observed:
  E: G: I: J: K: N: R: A: T: U: W: S: L: M: O: Q: Y: B: H: P: X: Z: F: D: V:
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8g8o.bmp"
Drops file in Program Files directory (26 IoCs)
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  File created (4):
    \??\c:\program files\tmp
    \??\c:\program files (x86)\1elv3vsh-readme.txt
    \??\c:\program files\1elv3vsh-readme.txt
    \??\c:\program files (x86)\tmp
  File opened for modification (22), all under \??\c:\program files\:
    SkipOpen.mpg
    WatchStart.rle
    CheckpointSet.mpg
    ConvertFromConvertTo.mpeg
    NewRemove.3gp
    PingSelect.txt
    InvokeRestore.mht
    JoinResume.wps
    OutConvert.xltx
    UnprotectSwitch.html
    ConfirmExport.js
    GetUndo.cr2
    UnprotectHide.ppsm
    UnprotectResize.vb
    WaitAdd.wmv
    ConvertFromSave.mov
    GrantProtect.mpeg3
    ResolveOpen.mpg
    SaveBlock.ADT
    DismountStart.odp
    InstallFind.mht
    RevokeDisable.wm
Drops file in Windows directory (13 IoCs)
Processes: netsh.exe
  File created, all under C:\Windows\rescache\_merged\:
    3418783148\3128450559.pri
    1974107395\4149693858.pri
    1301087654\4010849688.pri
    1476457207\3533431084.pri
    2878165772\1123312451.pri
    81479705\3092222186.pri
    2483382631\828754195.pri
    4272278488\30062976.pri
    4185669309\1202008662.pri
    3623239459\11870838.pri
    423379043\3468251582.pri
    1601268389\1361672858.pri
    4183903823\97717462.pri
  Note: C:\Windows\rescache\_merged holds the Windows resource cache (.pri files). This signature fires on the netsh.exe child spawned by the sample, not on the sample itself, so these files are not a payload drop.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  pid 3592, 10 occurrences
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe, vssvc.exe
  Token: SeDebugPrivilege          pid 3592  23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  Token: SeTakeOwnershipPrivilege  pid 3592  23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  Token: SeBackupPrivilege         pid 1020  vssvc.exe
  Token: SeRestorePrivilege        pid 1020  vssvc.exe
  Token: SeAuditPrivilege          pid 1020  vssvc.exe
  The sample enabling SeTakeOwnershipPrivilege fits the file modification activity under Program Files listed above; the vssvc.exe privileges are the ones the Volume Shadow Copy service normally holds.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  PID 3592 (23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe) wrote to memory of PID 4212 (netsh.exe), 3 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe"
  PID: 3592
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child:
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      PID: 4212
      - Drops file in Windows directory

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 4368

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1020
  - Suspicious use of AdjustPrivilegeToken

The netsh.exe child runs from SysWOW64, consistent with the 32-bit sample (see the WOW6432Node Run key above) and the firewall change it performs is the "Modifies Windows Firewall" signature. unsecapp.exe (the WMI asynchronous callback host) and vssvc.exe (the Volume Shadow Copy service) are system processes started during the run; this report records no command line from the sample that invoked them.
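The behaviours in this report (five renames that append one extension, a Run value pointing into the user's Temp directory, 25 drive roots opened, and a netsh advfirewall command in the process tree) are the telemetry a detection rule keys on. The following Python is an added example, not Triage's code or anything from the sample, that runs each check as a small function over an event list transcribed from the tables above. The event schema (type, target, data), the thresholds, and the user-writable directory pattern are assumptions made for the example.

```python
import re
from collections import Counter

# Sample name and Temp directory as they appear in the report.
SAMPLE = "23dfac36eb9bd2e433dfd9c456cbfe944b01628d922228a143f326356225a5d7.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed event list (type, target, data) transcribed from the behaviour
# tables of this report; real input would be sandbox or EDR telemetry.
EVENTS = [
    ("file_rename", r"C:\Users\Admin\Pictures\LockResume.raw",
     r"\??\c:\users\admin\pictures\LockResume.raw.1elv3vsh"),
    ("file_rename", r"C:\Users\Admin\Pictures\RequestRestart.raw",
     r"\??\c:\users\admin\pictures\RequestRestart.raw.1elv3vsh"),
    ("file_rename", r"C:\Users\Admin\Pictures\RestartReset.tif",
     r"\??\c:\users\admin\pictures\RestartReset.tif.1elv3vsh"),
    ("file_rename", r"C:\Users\Admin\Pictures\UnblockRemove.tif",
     r"\??\c:\users\admin\pictures\UnblockRemove.tif.1elv3vsh"),
    ("file_rename", r"C:\Users\Admin\Pictures\DebugResolve.tif",
     r"\??\c:\users\admin\pictures\DebugResolve.tif.1elv3vsh"),
    ("reg_set", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
                r"\CurrentVersion\Run\Bi2LJZNdn9", TEMP_DIR + "\\" + SAMPLE),
    ("reg_set", r"\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000"
                r"\Control Panel\Desktop\Wallpaper", TEMP_DIR + r"\8g8o.bmp"),
    ("proc_create", r"C:\Windows\SysWOW64\netsh.exe",
     'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'),
] + [("file_open_ro", "\\??\\" + d + ":", "")
     for d in "E G I J K N R A T U W S L M O Q Y B H P X Z F D V".split()]


def appended_extension(src, dst):
    """Suffix a rename appended to the file name (e.g. '.1elv3vsh'), else None.
    Sandbox logs mix Win32 and NT-style paths and letter case, so only the
    final path component is compared, case-insensitively."""
    s = src.replace("\\??\\", "").rsplit("\\", 1)[-1].lower()
    t = dst.replace("\\??\\", "").rsplit("\\", 1)[-1].lower()
    if t.startswith(s + ".") and len(t) > len(s) + 1:
        return t[len(s):]
    return None


def dominant_appended_extension(events, min_files=3):
    """(extension, count) when one suffix was appended to >= min_files files."""
    counts = Counter(e for k, src, dst in events if k == "file_rename"
                     for e in [appended_extension(src, dst)] if e)
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return (ext, n) if n >= min_files else None


RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
# Assumed pattern for directories a standard user can write to.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Users\\Public\\", re.I)


def suspicious_run_keys(events):
    """Run/RunOnce values whose command lives in a user-writable directory."""
    hits = []
    for kind, key, data in events:
        m = RUN_KEY_RE.search(key) if kind == "reg_set" else None
        if m and USER_WRITABLE_RE.search(data):
            hits.append((m.group(2), data))
    return hits


DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)


def drive_roots_opened(events):
    """Sorted drive letters whose root (\\??\\X:) the process opened."""
    return sorted({DRIVE_ROOT_RE.match(t).group(1).upper()
                   for kind, t, _ in events
                   if kind == "file_open_ro" and DRIVE_ROOT_RE.match(t)})


NETSH_FW_RE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="([^"]+)"\s+new\s+enable=yes', re.I)


def firewall_groups_enabled(events):
    """Firewall rule groups switched on through netsh advfirewall."""
    return [NETSH_FW_RE.search(cmd).group(1) for kind, _, cmd in events
            if kind == "proc_create" and NETSH_FW_RE.search(cmd)]


def triage(events, drive_threshold=5):
    """Run every check; an empty dict means nothing fired. Thresholds are assumptions."""
    findings = {}
    if ext := dominant_appended_extension(events):
        findings["mass_rename_extension"] = ext
    if run := suspicious_run_keys(events):
        findings["run_key_from_user_dir"] = run
    drives = drive_roots_opened(events)
    if len(drives) >= drive_threshold:
        findings["drive_enumeration"] = drives
    if fw := firewall_groups_enabled(events):
        findings["firewall_rule_groups_enabled"] = fw
    return findings


if __name__ == "__main__":
    for name, value in triage(EVENTS).items():
        print(f"{name}: {value}")
```

Each check is deliberately narrow: the rename heuristic compares only the final path component because the sandbox records the source as a Win32 path and the target as an NT path with different letter case, and the Run-key check pairs the key location with where the target executable lives rather than alerting on every Run write.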