Analysis
- max time kernel: 145s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  Resource: win10-en-20211208
General
- Target: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
- Size: 209KB
- MD5: 17f28ff5738359d1cf5dde9e2d5c0e26
- SHA1: 1ee43a853f0810e3bac1aac6883bfdbe687a44bb
- SHA256: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0
- SHA512: 7316b240dd6ba686f612985ce5ba1db12b78c768b9723e88cde365b9933b45239c597c7a52ad10ca9ddaa71814af3a1bba1d8db4edd97c5acaeac79c5c67c21b
Malware Config
Extracted from: C:\zlj84x-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DA756F90AB309049
- http://decryptor.top/DA756F90AB309049
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
description | ioc | process
File opened for modification | \??\c:\users\admin\pictures\InvokeExit.tiff | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File renamed | C:\Users\Admin\Pictures\InvokeExit.tiff => \??\c:\users\admin\pictures\InvokeExit.tiff.zlj84x | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File renamed | C:\Users\Admin\Pictures\ProtectDeny.raw => \??\c:\users\admin\pictures\ProtectDeny.raw.zlj84x | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File renamed | C:\Users\Admin\Pictures\ReadSwitch.crw => \??\c:\users\admin\pictures\ReadSwitch.crw.zlj84x | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File renamed | C:\Users\Admin\Pictures\UninstallExpand.tif => \??\c:\users\admin\pictures\UninstallExpand.tif.zlj84x | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromRename.png => \??\c:\users\admin\pictures\ConvertFromRename.png.zlj84x | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File renamed | C:\Users\Admin\Pictures\ConvertStop.raw => \??\c:\users\admin\pictures\ConvertStop.raw.zlj84x | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File renamed | C:\Users\Admin\Pictures\DisconnectUpdate.raw => \??\c:\users\admin\pictures\DisconnectUpdate.raw.zlj84x | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
-
Drops desktop.ini file(s) 28 IoCs
Processes: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
description | ioc | process
File opened for modification | \??\c:\users\admin\favorites\links\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\desktop\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\pictures\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\desktop\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\music\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\pictures\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\downloads\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\searches\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\videos\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\music\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\saved games\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\libraries\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\pictures\sample pictures\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files (x86)\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\links\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\videos\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\videos\sample videos\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\documents\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\recorded tv\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\favorites\links for united states\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\documents\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\favorites\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\downloads\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\admin\contacts\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\music\sample music\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\users\public\recorded tv\sample media\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
description | ioc | process
File opened (read-only) | \??\L: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\Y: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\Z: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\H: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\I: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\R: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\S: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\T: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\U: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\V: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\D: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\G: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\N: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\J: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\M: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\Q: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\W: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\X: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\A: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\F: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\K: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\O: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\P: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\B: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened (read-only) | \??\E: | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
-
Drops file in System32 directory 1 IoCs
Processes: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
description | ioc | process
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7022249.bmp" | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
-
Drops file in Program Files directory 25 IoCs
Processes: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
description | ioc | process
File opened for modification | \??\c:\program files\AssertUse.tif | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\CompressAssert.iso | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\PushOpen.3gp2 | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File created | \??\c:\program files (x86)\microsoft sql server compact edition\zlj84x-readme.txt | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\SubmitWatch.vdx | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\SwitchStep.scf | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\UpdateFind.dwfx | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File created | \??\c:\program files\zlj84x-readme.txt | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\DisableSearch.3gpp | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\DisconnectGrant.ttf | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\MergeUnlock.nfo | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\SaveExpand.wpl | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\zlj84x-readme.txt | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\UnregisterBlock.pub | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files (x86)\desktop.ini | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\zlj84x-readme.txt | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\DisableRequest.cr2 | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\FindRemove.vdx | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\InstallConvertFrom.mp4v | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\PushTrace.gif | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\ReadPop.doc | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File created | \??\c:\program files (x86)\zlj84x-readme.txt | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\PingHide.xltm | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
File opened for modification | \??\c:\program files\WriteUnpublish.cr2 | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
620 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
pid | process
1260 | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 1488 | vssvc.exe
Token: SeRestorePrivilege | 1488 | vssvc.exe
Token: SeAuditPrivilege | 1488 | vssvc.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe, cmd.exe
description | pid | process | target process
PID 1260 wrote to memory of 1224 | 1260 | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe | cmd.exe
PID 1260 wrote to memory of 1224 | 1260 | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe | cmd.exe
PID 1260 wrote to memory of 1224 | 1260 | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe | cmd.exe
PID 1260 wrote to memory of 1224 | 1260 | 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe | cmd.exe
PID 1224 wrote to memory of 620 | 1224 | cmd.exe | vssadmin.exe
PID 1224 wrote to memory of 620 | 1224 | cmd.exe | vssadmin.exe
PID 1224 wrote to memory of 620 | 1224 | cmd.exe | vssadmin.exe
PID 1224 wrote to memory of 620 | 1224 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  "C:\Users\Admin\AppData\Local\Temp\107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1260-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB