Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 11-02-2022 18:35
Static task: static1
Behavioral task: behavioral1
  Sample: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
  Resource: win10v2004-en-20220112
General
- Target: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
- Size: 107KB
- MD5: 40c01e02dd940c2b3ca1466799da68fd
- SHA1: daa2b8467edff06bf3f8cc926534bc088049a092
- SHA256: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96
- SHA512: 831b89e00addfbd4e78d90e61ae6874ad6fbe4482099dbd894c4f23236edf72b5d0c86dec72a4f592f84b60e3d3f0797c1f1ae86aaa78d62a5d96ab6070ab2c5
Malware Config
Extracted
- Path: C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt
- Family: sodinokibi
- URLs:
  - http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion
  - http://decryptor.top/913AED0B5FE1497D
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\a8hadofi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe"
    process: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
- Drops desktop.ini file(s) (1 IoC)
  Processes:
    description: File opened for modification
    ioc: C:\Users\Admin\Documents\desktop.ini
    process: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"
    process: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid: 1136
    process: vssadmin.exe
- Modifies Control Panel (2 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallpaperStyle = "1"
    process: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\TileWallpaper = "0"
    process: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description: Token: SeBackupPrivilege, pid: 1508, process: vssvc.exe
    description: Token: SeRestorePrivilege, pid: 1508, process: vssvc.exe
    description: Token: SeAuditPrivilege, pid: 1508, process: vssvc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 1520 wrote to memory of 884, pid: 1520, process: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe, target process: cmd.exe (4 identical entries)
    description: PID 1520 wrote to memory of 1696, pid: 1520, process: b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe, target process: cmd.exe (4 identical entries)
    description: PID 1696 wrote to memory of 1136, pid: 1696, process: cmd.exe, target process: vssadmin.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe"
  PID: 1520
  Signatures: Adds Run key to start application; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Modifies Control Panel; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" netsh advfirewall firewall set rule group==”Network Discovery” new enable=Yes”
    PID: 884
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 1696
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 1136
      Signatures: Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1508
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1836
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt
  PID: 1208
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt
  MD5: 700dea0e7f32ca9ec626045836fa14aa
  SHA1: 84b6dc5971f29c01235e1a2044c4ea15a50cef08
  SHA256: 571b9be1a61df21379762af2d340505463e4697983489990fe679d2055d5d7bf
  SHA512: 7c320c44dd6887280768daa5f7598ed1938d12fd8e6a55ea38c26a66fd86a681dc3b599777f7d000c430cadbc8833ad70af6d18989b67ae1dcc4121168d126d9
- memory/1520-54-0x0000000000860000-0x0000000000880000-memory.dmp
  Filesize: 128KB
- memory/1520-55-0x0000000074B6E000-0x0000000074B6F000-memory.dmp
  Filesize: 4KB
- memory/1520-56-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB
- memory/1520-57-0x0000000004B40000-0x0000000004B41000-memory.dmp
  Filesize: 4KB
- memory/1836-58-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp
  Filesize: 8KB