Analysis
-
max time kernel
152s -
max time network
166s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
30-01-2022 08:03
Static task
static1
Behavioral task
behavioral1
Sample
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe
Resource
win10-en-20211208
General
-
Target
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe
-
Size
166KB
-
MD5
a975fcb157f5d3cb1f18931d529098c4
-
SHA1
b33ca444868e3864144b1ac5a1b62644cbd70270
-
SHA256
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6
-
SHA512
6982cc58f43e49cd50a8796bdf0cabe74b4411e010224e5a7baa63cd5080bb3b3800b6418ee7a4e0e762fd75f40ebe4e27b3af6e3e86ff5febde34310e139c86
Malware Config
Extracted
C:\w4yms4w-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F98B1C4B943C62B4
http://decryptor.cc/F98B1C4B943C62B4
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exedescription ioc process File renamed C:\Users\Admin\Pictures\ExportTest.png => \??\c:\users\admin\pictures\ExportTest.png.w4yms4w 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File renamed C:\Users\Admin\Pictures\ExportWait.raw => \??\c:\users\admin\pictures\ExportWait.raw.w4yms4w 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File renamed C:\Users\Admin\Pictures\UninstallSelect.tif => \??\c:\users\admin\pictures\UninstallSelect.tif.w4yms4w 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oXnEn2JlQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe" 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exedescription ioc process File opened (read-only) \??\N: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\O: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\B: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\I: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\Q: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\R: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\S: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\X: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\Z: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\G: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\E: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\F: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\L: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\M: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\P: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\U: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\V: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\A: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\Y: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\J: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\K: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\T: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\W: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\D: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened (read-only) \??\H: 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sxh2g2z2nfsao.bmp" 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe -
Drops file in Program Files directory 35 IoCs
Processes:
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exedescription ioc process File opened for modification \??\c:\program files\BlockDeny.TS 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\DismountRead.ADT 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\ExitSubmit.mht 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\HideSwitch.mp4 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\StopDebug.wma 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\UnblockRegister.mpe 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\UnlockProtect.vstx 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\w4yms4w-readme.txt 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File created \??\c:\program files\w4yms4w-readme.txt 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\AddExport.mpe 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\InitializeUndo.TS 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\ConvertToUnblock.xht 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\OutRestore.mpeg2 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\PingConvert.TS 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\RevokeMerge.ps1xml 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\SwitchEnable.aiff 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\FormatExit.001 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\SyncSkip.vstx 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\WatchStop.wdp 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File created \??\c:\program files (x86)\w4yms4w-readme.txt 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\ConvertToUnpublish.vb 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\ShowPing.bmp 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\w4yms4w-readme.txt 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\CompleteRead.wmx 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\EditPing.mp4v 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\EnableEnter.mov 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\ImportReset.ttf 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\UseExport.M2T 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\UseTrace.wps 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\ConvertDeny.jfif 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\InitializeHide.txt 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\InstallPublish.wmx 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\PopWrite.bmp 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File opened for modification \??\c:\program files\WaitUpdate.xls 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\w4yms4w-readme.txt 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exepowershell.exepid process 1884 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe 756 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 1884 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe Token: SeDebugPrivilege 756 powershell.exe Token: SeBackupPrivilege 1960 vssvc.exe Token: SeRestorePrivilege 1960 vssvc.exe Token: SeAuditPrivilege 1960 vssvc.exe Token: SeTakeOwnershipPrivilege 1884 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exedescription pid process target process PID 1884 wrote to memory of 756 1884 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe powershell.exe PID 1884 wrote to memory of 756 1884 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe powershell.exe PID 1884 wrote to memory of 756 1884 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe powershell.exe PID 1884 wrote to memory of 756 1884 10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe"C:\Users\Admin\AppData\Local\Temp\10d24ce42d973516ebec5abad7d0e927c162ba313244992d398e40716ae10ed6.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1424
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/756-55-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmpFilesize
8KB
-
memory/756-56-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmpFilesize
11.4MB
-
memory/756-57-0x00000000024D0000-0x00000000024D2000-memory.dmpFilesize
8KB
-
memory/756-59-0x00000000024D4000-0x00000000024D7000-memory.dmpFilesize
12KB
-
memory/756-58-0x00000000024D2000-0x00000000024D4000-memory.dmpFilesize
8KB
-
memory/756-60-0x00000000024DB000-0x00000000024FA000-memory.dmpFilesize
124KB
-
memory/1884-54-0x0000000075D61000-0x0000000075D63000-memory.dmpFilesize
8KB