Analysis
-
max time kernel
4294191s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220223-en -
submitted
05-03-2022 20:32
Static task
static1
Behavioral task
behavioral1
Sample
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe
Resource
win10v2004-en-20220112
General
-
Target
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe
-
Size
141KB
-
MD5
c4eeb2e764bae1439b6c4aa6b2606090
-
SHA1
054cf83042d1ede13a5d11c5213db0f34c27e43f
-
SHA256
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864
-
SHA512
35adecfba86f260bcc49a33c1abfcf32aff3271ff09a579c9c3cec6bbdc36d608d39ea0edb93755f193d12aed8a11aa94b243511839920d679769b62cd2e7eb3
Malware Config
Extracted
C:\2t2u2bv9l-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/68D7573E39A1966E
http://decryptor.cc/68D7573E39A1966E
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process File renamed C:\Users\Admin\Pictures\DisableConfirm.png => \??\c:\users\admin\pictures\DisableConfirm.png.2t2u2bv9l 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File renamed C:\Users\Admin\Pictures\ImportExport.png => \??\c:\users\admin\pictures\ImportExport.png.2t2u2bv9l 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File renamed C:\Users\Admin\Pictures\MoveResume.raw => \??\c:\users\admin\pictures\MoveResume.raw.2t2u2bv9l 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File renamed C:\Users\Admin\Pictures\RegisterSuspend.tif => \??\c:\users\admin\pictures\RegisterSuspend.tif.2t2u2bv9l 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File renamed C:\Users\Admin\Pictures\ConvertFromUnlock.raw => \??\c:\users\admin\pictures\ConvertFromUnlock.raw.2t2u2bv9l 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1E8NAmhfRO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe" 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process File opened (read-only) \??\N: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\R: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\D: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\H: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\J: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\K: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\L: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\Y: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\E: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\M: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\P: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\V: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\T: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\U: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\W: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\A: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\B: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\I: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\Q: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\X: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\Z: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\F: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\G: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\O: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\S: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Drops file in System32 directory 1 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process File opened for modification C:\Windows\System32\CatRoot2\dberr.txt 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4fc0yh81602.bmp" 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Drops file in Program Files directory 25 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process File opened for modification \??\c:\program files\InstallCompress.scf 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\PushHide.mp2v 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\UndoAdd.rle 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\CompareSend.tiff 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ConfirmSuspend.css 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\DenyEnable.midi 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\UpdateJoin.pps 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\UpdateUnprotect.asx 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\2t2u2bv9l-readme.txt 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\MergeFormat.avi 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ProtectInstall.docx 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ResumeTest.xml 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ShowWrite.3gp 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\StopApprove.xsl 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ClearSync.tiff 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\CopyWatch.xps 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ExitCopy.scf 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\StopConnect.search-ms 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\SaveDisconnect.mpeg 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\SuspendTrace.docx 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\2t2u2bv9l-readme.txt 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\2t2u2bv9l-readme.txt 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\DisableClose.nfo 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\MergeRegister.reg 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\RemoveClose.ttf 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exepid process 1128 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe 1128 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exevssvc.exedescription pid process Token: SeDebugPrivilege 1128 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe Token: SeTakeOwnershipPrivilege 1128 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe Token: SeBackupPrivilege 1160 vssvc.exe Token: SeRestorePrivilege 1160 vssvc.exe Token: SeAuditPrivilege 1160 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe"C:\Users\Admin\AppData\Local\Temp\1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:748
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1128-54-0x0000000075281000-0x0000000075283000-memory.dmpFilesize
8KB