Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 05-03-2022 19:47
Static task: static1
Behavioral task: behavioral1
- Sample: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
- Resource: win10v2004-en-20220112
General
- Target: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
- Size: 118KB
- MD5: 0cf6dc8500639f66a7ac56c5a6b36b57
- SHA1: 45f93a774ceaad53f93c3ee560adb37ce50c3440
- SHA256: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c
- SHA512: 039e385df79aaf80b3f7be864aad228698288c4960bc80538177d88ea475c4ba7f46324ea49da077e6e6a6ecfab42683ae14f8bf02c36ab3b21aba6eb7f549d0
Malware Config
Extracted
- Path: C:\ot86281-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E8969E138D8FFE7B
  - http://decryptor.cc/E8969E138D8FFE7B
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe (process for every row below)
- File renamed: C:\Users\Admin\Pictures\PingReceive.raw => \??\c:\users\admin\pictures\PingReceive.raw.ot86281
- File opened for modification: \??\c:\users\admin\pictures\ResolveReceive.tiff
- File renamed: C:\Users\Admin\Pictures\ResolveReceive.tiff => \??\c:\users\admin\pictures\ResolveReceive.tiff.ot86281
- File opened for modification: \??\c:\users\admin\pictures\BlockResolve.tiff
- File renamed: C:\Users\Admin\Pictures\BlockResolve.tiff => \??\c:\users\admin\pictures\BlockResolve.tiff.ot86281
- File opened for modification: \??\c:\users\admin\pictures\FormatSearch.tiff
- File renamed: C:\Users\Admin\Pictures\GroupTest.raw => \??\c:\users\admin\pictures\GroupTest.raw.ot86281
- File renamed: C:\Users\Admin\Pictures\UnregisterBlock.raw => \??\c:\users\admin\pictures\UnregisterBlock.raw.ot86281
- File renamed: C:\Users\Admin\Pictures\FindCompress.raw => \??\c:\users\admin\pictures\FindCompress.raw.ot86281
- File renamed: C:\Users\Admin\Pictures\FormatSearch.tiff => \??\c:\users\admin\pictures\FormatSearch.tiff.ot86281
- File renamed: C:\Users\Admin\Pictures\PingExit.raw => \??\c:\users\admin\pictures\PingExit.raw.ot86281
- File renamed: C:\Users\Admin\Pictures\StartResize.raw => \??\c:\users\admin\pictures\StartResize.raw.ot86281
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe (process for every row below)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pC9JjJxkVH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe"
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe (process for every row below)
- File opened (read-only): \??\E:
- File opened (read-only): \??\G:
- File opened (read-only): \??\O:
- File opened (read-only): \??\Q:
- File opened (read-only): \??\S:
- File opened (read-only): \??\Y:
- File opened (read-only): \??\D:
- File opened (read-only): \??\Z:
- File opened (read-only): \??\F:
- File opened (read-only): \??\J:
- File opened (read-only): \??\K:
- File opened (read-only): \??\L:
- File opened (read-only): \??\R:
- File opened (read-only): \??\V:
- File opened (read-only): \??\W:
- File opened (read-only): \??\A:
- File opened (read-only): \??\N:
- File opened (read-only): \??\T:
- File opened (read-only): \??\X:
- File opened (read-only): \??\B:
- File opened (read-only): \??\H:
- File opened (read-only): \??\I:
- File opened (read-only): \??\M:
- File opened (read-only): \??\P:
- File opened (read-only): \??\U:
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2ejr6jq053d5v.bmp"
Drops file in Program Files directory (18 IoCs)
Processes: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe (process for every row below)
- File opened for modification: \??\c:\program files\ConvertCheckpoint.shtml
- File opened for modification: \??\c:\program files\ExportRestore.wmf
- File opened for modification: \??\c:\program files\GroupImport.3g2
- File opened for modification: \??\c:\program files\WriteExit.xlsm
- File opened for modification: \??\c:\program files\ClearStop.gif
- File opened for modification: \??\c:\program files\SplitSuspend.xlsb
- File opened for modification: \??\c:\program files\SwitchComplete.wmv
- File opened for modification: \??\c:\program files\AddExit.wmx
- File opened for modification: \??\c:\program files\BackupConvertTo.html
- File opened for modification: \??\c:\program files\DenyWatch.mhtml
- File opened for modification: \??\c:\program files\FindRedo.easmx
- File opened for modification: \??\c:\program files\SuspendOpen.bmp
- File opened for modification: \??\c:\program files\DenyUnlock.css
- File opened for modification: \??\c:\program files\ExitUninstall.3gp2
- File opened for modification: \??\c:\program files\ExpandUnpublish.wmv
- File opened for modification: \??\c:\program files\GrantSplit.mhtml
- File opened for modification: \??\c:\program files\MergeReceive.xltm
- File opened for modification: \??\c:\program files\OutMount.ogg
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 3876: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
- PID 3876: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
- PID 3876: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
- PID 3876: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 3876, cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
- Token: SeTakeOwnershipPrivilege, PID 3876, cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
- Token: SeBackupPrivilege, PID 3888, vssvc.exe
- Token: SeRestorePrivilege, PID 3888, vssvc.exe
- Token: SeAuditPrivilege, PID 3888, vssvc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c.exe"
PID: 3876
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID: 2140

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 3888
- Suspicious use of AdjustPrivilegeToken