Analysis
max time kernel: 150s
max time network: 173s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 08:00
Static task: static1
Behavioral task: behavioral1
  Sample: 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
  Resource: win10-en-20211208
General
Target: 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
Size: 161KB
MD5: 39e312e75a9ba302dc0617f958458522
SHA1: eab1865868367c11e0d0c5e8732295089bb277d6
SHA256: 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6
SHA512: 275544339fbad34e4ad44b3223f2268adf4c0e46d9bdfd3a64704de5821b58944cc44bf83797090c93c8e484378f7bea199bbb50cb2eab16ad7899952cda56e8
Malware Config
Extracted from: C:\5j6vm-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8730FAB1410035B8
  http://decryptor.top/8730FAB1410035B8
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ConvertUndo.raw => \??\c:\users\admin\pictures\ConvertUndo.raw.5j6vm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File renamed | C:\Users\Admin\Pictures\ExitDisable.tiff => \??\c:\users\admin\pictures\ExitDisable.tiff.5j6vm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File renamed | C:\Users\Admin\Pictures\GetConvert.raw => \??\c:\users\admin\pictures\GetConvert.raw.5j6vm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\users\admin\pictures\ExitDisable.tiff | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File renamed | C:\Users\Admin\Pictures\ClearUnblock.tif => \??\c:\users\admin\pictures\ClearUnblock.tif.5j6vm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromWatch.tif => \??\c:\users\admin\pictures\ConvertFromWatch.tif.5j6vm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File renamed | C:\Users\Admin\Pictures\RevokeShow.crw => \??\c:\users\admin\pictures\RevokeShow.crw.5j6vm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File renamed | C:\Users\Admin\Pictures\UnregisterUninstall.raw => \??\c:\users\admin\pictures\UnregisterUninstall.raw.5j6vm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File renamed | C:\Users\Admin\Pictures\UnblockRead.crw => \??\c:\users\admin\pictures\UnblockRead.crw.5j6vm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\E: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\N: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\S: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\M: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\T: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\W: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\Y: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\D: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\B: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\G: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\L: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\P: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\Q: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\Z: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\H: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\K: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\O: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\J: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\R: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\V: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\X: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\A: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\F: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened (read-only) | \??\I: | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\33ozpc46.bmp" | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe

Drops file in Program Files directory (34 IoCs)
description | ioc | Process
File opened for modification | \??\c:\program files\ClosePublish.vsx | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\GrantRequest.au3 | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\MergeUse.MTS | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\RedoNew.vbe | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\UnregisterOut.wmv | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File created | \??\c:\program files\5j6vm-readme.txt | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\AddConfirm.TTS | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\InvokeMount.xsl | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\OutGroup.jpg | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\PingDismount.txt | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\SaveCompress.mht | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\ImportClose.001 | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\ReceiveResolve.bmp | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\StopBlock.asf | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File created | \??\c:\program files (x86)\5j6vm-readme.txt | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\ApproveProtect.asp | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\EditExit.docx | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\InvokeEnable.xml | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\ProtectConvertFrom.DVR | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\StepAssert.xsl | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\ApproveMeasure.wps | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\ExpandGet.mpe | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\MountShow.pcx | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\PingUnpublish.xlsm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\SuspendEnter.ttc | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File created | \??\c:\program files\a19a44f4.lock | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File created | \??\c:\program files (x86)\a19a44f4.lock | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\CompareClear.ini | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\ClearGrant.dotm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\EditGrant.dotm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\InitializeSubmit.wmv | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\LockSuspend.rm | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\RestartTrace.jpeg | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
File opened for modification | \??\c:\program files\StepOpen.i64 | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4016 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
824 | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
824 | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 3424 | vssvc.exe
Token: SeRestorePrivilege | 3424 | vssvc.exe
Token: SeAuditPrivilege | 3424 | vssvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 824 wrote to memory of 1232 | 824 | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe | 69
PID 824 wrote to memory of 1232 | 824 | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe | 69
PID 824 wrote to memory of 1232 | 824 | 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe | 69
PID 1232 wrote to memory of 4016 | 1232 | cmd.exe | 71
PID 1232 wrote to memory of 4016 | 1232 | cmd.exe | 71
PID 1232 wrote to memory of 4016 | 1232 | cmd.exe | 71
Processes

C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe"
  PID: 824
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 1232
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 4016
      - Interacts with shadow copies

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3424
  - Suspicious use of AdjustPrivilegeToken