Analysis
  max time kernel:  172s
  max time network: 163s
  platform:         windows10_x64
  resource:         win10-en-20211208
  submitted:        30-01-2022 08:03
Static task: static1
Behavioral task: behavioral1
  Sample:   107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  Resource: win10-en-20211208
General
  Target: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  Size:   209KB
  MD5:    17f28ff5738359d1cf5dde9e2d5c0e26
  SHA1:   1ee43a853f0810e3bac1aac6883bfdbe687a44bb
  SHA256: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0
  SHA512: 7316b240dd6ba686f612985ce5ba1db12b78c768b9723e88cde365b9933b45239c597c7a52ad10ca9ddaa71814af3a1bba1d8db4edd97c5acaeac79c5c67c21b
Malware Config
Extracted
  Path:   C:\l5sm417w2y-readme.txt
  Family: sodinokibi
  URLs:   http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/03483872E0C95C38
          http://decryptor.top/03483872E0C95C38
Signatures
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
Processes:
  process: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  description     ioc
  File renamed    C:\Users\Admin\Pictures\ResumeConfirm.png => \??\c:\users\admin\pictures\ResumeConfirm.png.l5sm417w2y
  File renamed    C:\Users\Admin\Pictures\SplitBackup.png => \??\c:\users\admin\pictures\SplitBackup.png.l5sm417w2y
  File renamed    C:\Users\Admin\Pictures\TraceLimit.raw => \??\c:\users\admin\pictures\TraceLimit.raw.l5sm417w2y
Drops desktop.ini file(s) (13 IoCs)
Processes:
  process: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  description                   ioc
  File opened for modification  \??\c:\users\admin\favorites\desktop.ini
  File opened for modification  \??\c:\users\admin\music\desktop.ini
  File opened for modification  \??\c:\users\admin\onedrive\desktop.ini
  File opened for modification  \??\c:\program files\desktop.ini
  File opened for modification  \??\c:\users\public\desktop.ini
  File opened for modification  \??\c:\users\admin\contacts\desktop.ini
  File opened for modification  \??\c:\users\admin\documents\desktop.ini
  File opened for modification  \??\c:\users\admin\downloads\desktop.ini
  File opened for modification  \??\c:\users\admin\pictures\desktop.ini
  File opened for modification  \??\c:\users\admin\saved games\desktop.ini
  File opened for modification  \??\c:\program files (x86)\desktop.ini
  File opened for modification  \??\c:\users\admin\desktop\desktop.ini
  File opened for modification  \??\c:\users\admin\links\desktop.ini
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  process: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  description              ioc
  File opened (read-only)  \??\L:
  File opened (read-only)  \??\M:
  File opened (read-only)  \??\S:
  File opened (read-only)  \??\T:
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\K:
  File opened (read-only)  \??\P:
  File opened (read-only)  \??\X:
  File opened (read-only)  \??\R:
  File opened (read-only)  \??\W:
  File opened (read-only)  \??\Y:
  File opened (read-only)  \??\B:
  File opened (read-only)  \??\E:
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\I:
  File opened (read-only)  \??\N:
  File opened (read-only)  \??\Z:
  File opened (read-only)  \??\U:
  File opened (read-only)  \??\V:
  File opened (read-only)  \??\A:
  File opened (read-only)  \??\F:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\O:
  File opened (read-only)  \??\Q:
Drops file in Program Files directory (35 IoCs)
Processes:
  process: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  description                   ioc
  File opened for modification  \??\c:\program files\RemovePing.rm
  File opened for modification  \??\c:\program files\ResetSwitch.css
  File opened for modification  \??\c:\program files\ResolveResume.txt
  File opened for modification  \??\c:\program files\RevokeUnprotect.asp
  File opened for modification  \??\c:\program files\SuspendDismount.xls
  File opened for modification  \??\c:\program files\UninstallPing.TS
  File opened for modification  \??\c:\program files\OpenDismount.xltx
  File opened for modification  \??\c:\program files\PingCompare.mp3
  File opened for modification  \??\c:\program files\WriteRedo.xla
  File opened for modification  \??\c:\program files\UnpublishRepair.potm
  File opened for modification  \??\c:\program files\WatchAdd.vsdx
  File opened for modification  \??\c:\program files\RequestCompare.otf
  File opened for modification  \??\c:\program files\ResetDisconnect.pptm
  File opened for modification  \??\c:\program files\ResolveReceive.ppsm
  File opened for modification  \??\c:\program files\UnblockUnprotect.dxf
  File opened for modification  \??\c:\program files (x86)\desktop.ini
  File opened for modification  \??\c:\program files\CopyReset.xlsb
  File opened for modification  \??\c:\program files\PublishAdd.vssm
  File opened for modification  \??\c:\program files\DisconnectClose.cr2
  File opened for modification  \??\c:\program files\ResolveMove.ex_
  File opened for modification  \??\c:\program files\SyncCheckpoint.ADTS
  File created                  \??\c:\program files (x86)\l5sm417w2y-readme.txt
  File opened for modification  \??\c:\program files\desktop.ini
  File opened for modification  \??\c:\program files\UnprotectRestart.ttf
  File opened for modification  \??\c:\program files\WatchProtect.m4a
  File opened for modification  \??\c:\program files\DebugRegister.rar
  File opened for modification  \??\c:\program files\DenyRead.tiff
  File opened for modification  \??\c:\program files\JoinDebug.xlsx
  File created                  \??\c:\program files\l5sm417w2y-readme.txt
  File opened for modification  \??\c:\program files\ResetMove.xlsb
  File opened for modification  \??\c:\program files\WatchApprove.ps1xml
  File opened for modification  \??\c:\program files\SearchExpand.mht
  File opened for modification  \??\c:\program files\SendWait.WTV
  File opened for modification  \??\c:\program files\PingRevoke.png
  File opened for modification  \??\c:\program files\RequestClear.mp4
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  process: vssadmin.exe
  pid   process
  1056  vssadmin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  process: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  pid   process
  3584  107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  3584  107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  process: vssvc.exe
  description                 pid   process
  Token: SeBackupPrivilege    1244  vssvc.exe
  Token: SeRestorePrivilege   1244  vssvc.exe
  Token: SeAuditPrivilege     1244  vssvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  processes: 107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe, cmd.exe
  description                       pid   process -> target process
  PID 3584 wrote to memory of 4056  3584  107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe -> cmd.exe
  PID 3584 wrote to memory of 4056  3584  107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe -> cmd.exe
  PID 3584 wrote to memory of 4056  3584  107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe -> cmd.exe
  PID 4056 wrote to memory of 1056  4056  cmd.exe -> vssadmin.exe
  PID 4056 wrote to memory of 1056  4056  cmd.exe -> vssadmin.exe
  PID 4056 wrote to memory of 1056  4056  cmd.exe -> vssadmin.exe
Processes
C:\Users\Admin\AppData\Local\Temp\107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\107904e6f26cb044ad348e25b94837bbf87f2607bd04308b8ffdcee01cc8a3e0.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\vssadmin.exe
          command line: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
C:\Windows\system32\wbem\unsecapp.exe
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken