Resubmissions

16-02-2022 11:01

220216-m4kpbsbfb3 6

15-02-2022 20:37

220215-zeb24shhh7 10

Analysis

  • max time kernel: 144s
  • max time network: 141s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220113
  • submitted: 16-02-2022 11:01

General

  • Target: https://www.tutorialjinni.com/sodinokibi-ransomware-sample-download.html

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.tutorialjinni.com/sodinokibi-ransomware-sample-download.html
    PID: 1432
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 1432)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:17410 /prefetch:2
      PID: 2468
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    PID: 5036
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID: 3612
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion (1): Modify Registry, T1112
  • Command and Control (1): Web Service, T1102

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ves0881\imagestore.dat
    MD5: 78446247b3a2a4f6592b02cb4faae598
    SHA1: 6724c178525ac99398465e6e23543fea6a76c118
    SHA256: 5ac26188c7186ec1b1da787d4e3b31d304bb30eedce72a42d6bd3f41ecf00e09
    SHA512: 9a1c8b87b7150a4d378ab2a1f71256e2d8cd7161e64a93b68dc62c367aaa42905e7ec1abb894d325f2c2675b866c807f277edaf3f272fd4f160935b1cdb44464
  • memory/5036-131-0x0000019B45D80000-0x0000019B45D90000-memory.dmp
    Filesize: 64KB
  • memory/5036-132-0x0000019B46560000-0x0000019B46570000-memory.dmp
    Filesize: 64KB
  • memory/5036-133-0x0000019B49160000-0x0000019B49164000-memory.dmp
    Filesize: 16KB