Analysis
-
max time kernel
144s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
16-02-2022 11:01
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.tutorialjinni.com/sodinokibi-ransomware-sample-download.html
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
https://www.tutorialjinni.com/sodinokibi-ransomware-sample-download.html
Resource
win10v2004-en-20220113
General
-
Target
https://www.tutorialjinni.com/sodinokibi-ransomware-sample-download.html
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Processes:
IEXPLORE.EXEiexplore.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\Total = "41" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "119" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\Total = "3144" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\Total = "15" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "119" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "3073" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "3144" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2573362995" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "351774253" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\Total = "93" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30941988" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "93" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\Total = "119" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "3199" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2558831179" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "41" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "41" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "3073" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\Total = "3199" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208b609b2423d801 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "171" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2558831179" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "15" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "171" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000003811833cc7d85fb59872ef965833f532d4250b80c36d623ef1255f66317d7274000000000e8000000002000020000000cdaa0a13dc4d144ea4b8590b56f83836d86de7141c7388e941519090d0c6ac7d20000000c249374e7b7e5f0884d0c71976b01f651af73e79d4711f42b0e2a5b455fcb02c40000000238d84c93b39e8b3a66f80db8b540aa74f50418dbd303f905f12e00ff98312b9388d17e0a559280816a74505b978c4f6b0c8c6071b5c3eb2ee7e0c6ed1cfeda4 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C3C1F8EB-8F17-11EC-B9A4-72698DC11BE2} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "93" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "145" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30941988" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\Total = "145" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\Total = "3112" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "67" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "3112" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "203" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "3199" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "145" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.tutorialjinni.com\ = "203" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tutorialjinni.com\Total = "203" IEXPLORE.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
iexplore.exepid process 1432 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 5036 svchost.exe Token: SeCreatePagefilePrivilege 5036 svchost.exe Token: SeShutdownPrivilege 5036 svchost.exe Token: SeCreatePagefilePrivilege 5036 svchost.exe Token: SeShutdownPrivilege 5036 svchost.exe Token: SeCreatePagefilePrivilege 5036 svchost.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe Token: SeRestorePrivilege 3612 TiWorker.exe Token: SeSecurityPrivilege 3612 TiWorker.exe Token: SeBackupPrivilege 3612 TiWorker.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1432 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1432 iexplore.exe 1432 iexplore.exe 2468 IEXPLORE.EXE 2468 IEXPLORE.EXE 2468 IEXPLORE.EXE 2468 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
iexplore.exedescription pid process target process PID 1432 wrote to memory of 2468 1432 iexplore.exe IEXPLORE.EXE PID 1432 wrote to memory of 2468 1432 iexplore.exe IEXPLORE.EXE PID 1432 wrote to memory of 2468 1432 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.tutorialjinni.com/sodinokibi-ransomware-sample-download.html1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ves0881\imagestore.datMD5
78446247b3a2a4f6592b02cb4faae598
SHA16724c178525ac99398465e6e23543fea6a76c118
SHA2565ac26188c7186ec1b1da787d4e3b31d304bb30eedce72a42d6bd3f41ecf00e09
SHA5129a1c8b87b7150a4d378ab2a1f71256e2d8cd7161e64a93b68dc62c367aaa42905e7ec1abb894d325f2c2675b866c807f277edaf3f272fd4f160935b1cdb44464
-
memory/5036-131-0x0000019B45D80000-0x0000019B45D90000-memory.dmpFilesize
64KB
-
memory/5036-132-0x0000019B46560000-0x0000019B46570000-memory.dmpFilesize
64KB
-
memory/5036-133-0x0000019B49160000-0x0000019B49164000-memory.dmpFilesize
16KB