Analysis
-
max time kernel
155s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
05-03-2022 16:01
Static task
static1
Behavioral task
behavioral1
Sample
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe
Resource
win10v2004-en-20220112
General
-
Target
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe
-
Size
117KB
-
MD5
92bd5043b057192ea0153c98da1adebf
-
SHA1
0444bb2621ed073ced634e1916204dff5fc6a186
-
SHA256
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301
-
SHA512
3c4c2026d9306cb25699b7dd7d1e6e2e0f97b5f228b49bdfd25e8b4cd68645eb3df2a6a84506b6da1937ab7e1269057ce9ae2e0be68c4c088dd753a733e19170
Malware Config
Extracted
C:\2n2ac-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B6B5F437544440C6
http://decryptor.cc/B6B5F437544440C6
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exedescription ioc process File renamed C:\Users\Admin\Pictures\ResumeEdit.png => \??\c:\users\admin\pictures\ResumeEdit.png.2n2ac 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File renamed C:\Users\Admin\Pictures\UnprotectRevoke.tif => \??\c:\users\admin\pictures\UnprotectRevoke.tif.2n2ac 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\users\admin\pictures\DebugConvert.tiff 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File renamed C:\Users\Admin\Pictures\DebugConvert.tiff => \??\c:\users\admin\pictures\DebugConvert.tiff.2n2ac 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File renamed C:\Users\Admin\Pictures\ExitMeasure.tif => \??\c:\users\admin\pictures\ExitMeasure.tif.2n2ac 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File renamed C:\Users\Admin\Pictures\ExpandPop.raw => \??\c:\users\admin\pictures\ExpandPop.raw.2n2ac 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File renamed C:\Users\Admin\Pictures\PublishReceive.tif => \??\c:\users\admin\pictures\PublishReceive.tif.2n2ac 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exedescription ioc process File opened (read-only) \??\I: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\K: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\O: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\P: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\B: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\E: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\F: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\G: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\J: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\M: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\S: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\U: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\V: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\W: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\Y: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\A: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\L: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\N: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\X: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\Z: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\D: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\H: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\Q: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\R: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened (read-only) \??\T: 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c6396c94i4hm.bmp" 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe -
Drops file in Program Files directory 13 IoCs
Processes:
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exedescription ioc process File opened for modification \??\c:\program files\ConvertToDeny.ex_ 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\ReadSubmit.aifc 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\SplitRename.mpg 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\SyncUnblock.asp 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\UninstallImport.7z 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\RedoUpdate.pptm 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\StepPush.aifc 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File created \??\c:\program files\2n2ac-readme.txt 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File created \??\c:\program files (x86)\2n2ac-readme.txt 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\EditMount.vbe 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\MeasureRequest.eprtx 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\MeasureStep.asp 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe File opened for modification \??\c:\program files\ProtectRestore.rtf 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exepid process 3028 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe 3028 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe 3028 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe 3028 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exevssvc.exedescription pid process Token: SeDebugPrivilege 3028 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe Token: SeTakeOwnershipPrivilege 3028 117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe Token: SeBackupPrivilege 3932 vssvc.exe Token: SeRestorePrivilege 3932 vssvc.exe Token: SeAuditPrivilege 3932 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe"C:\Users\Admin\AppData\Local\Temp\117f128807504f387d0b8e174ada23238c3556c7284a598ed25790dc2d9b7301.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3076
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932