Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
05-03-2022 20:32
Static task
static1
Behavioral task
behavioral1
Sample
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe
Resource
win10v2004-en-20220112
General
-
Target
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe
-
Size
141KB
-
MD5
c4eeb2e764bae1439b6c4aa6b2606090
-
SHA1
054cf83042d1ede13a5d11c5213db0f34c27e43f
-
SHA256
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864
-
SHA512
35adecfba86f260bcc49a33c1abfcf32aff3271ff09a579c9c3cec6bbdc36d608d39ea0edb93755f193d12aed8a11aa94b243511839920d679769b62cd2e7eb3
Malware Config
Extracted
C:\jj29231b0-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CB606EAE99CCD40B
http://decryptor.cc/CB606EAE99CCD40B
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process File renamed C:\Users\Admin\Pictures\UseProtect.raw => \??\c:\users\admin\pictures\UseProtect.raw.jj29231b0 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File renamed C:\Users\Admin\Pictures\MountExit.raw => \??\c:\users\admin\pictures\MountExit.raw.jj29231b0 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File renamed C:\Users\Admin\Pictures\ReceiveExport.png => \??\c:\users\admin\pictures\ReceiveExport.png.jj29231b0 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File renamed C:\Users\Admin\Pictures\SplitLock.raw => \??\c:\users\admin\pictures\SplitLock.raw.jj29231b0 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File renamed C:\Users\Admin\Pictures\UninstallRestore.raw => \??\c:\users\admin\pictures\UninstallRestore.raw.jj29231b0 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1E8NAmhfRO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe" 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process File opened (read-only) \??\M: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\V: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\E: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\F: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\G: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\K: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\R: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\S: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\W: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\Z: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\A: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\H: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\N: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\P: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\B: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\T: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\Q: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\U: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\X: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\Y: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\I: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\J: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\L: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\O: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened (read-only) \??\D: 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\r79cvgo109x.bmp" 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Drops file in Program Files directory 31 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exedescription ioc process File opened for modification \??\c:\program files\InitializeConvert.contact 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\JoinPop.temp 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\SubmitRepair.TTS 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\UpdateBackup.vssm 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\BlockSuspend.svg 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\HideUnpublish.htm 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\DenyInvoke.TTS 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ImportSave.mid 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ResolveReset.js 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ConvertToWait.wmv 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\CopySubmit.kix 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\NewDisconnect.mp2v 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ResolveRead.aifc 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\StepCopy.mht 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ConvertFromClose.vdx 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\GetGrant.7z 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\GetConvertFrom.docm 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\MeasureClose.reg 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ResetRestart.au3 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ResizeSelect.vssx 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ConvertSwitch.DVR-MS 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\DenyMove.xlsb 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\StopOptimize.html 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\WriteSearch.vbe 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\FormatLimit.mp2 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\SendCheckpoint.avi 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ExpandUndo.wma 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\RevokeEdit.rm 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ApproveConfirm.xlsm 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\ConvertToOut.ini 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe File opened for modification \??\c:\program files\UnblockFind.3gpp 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exepid process 816 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe 816 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe 816 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe 816 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exevssvc.exedescription pid process Token: SeDebugPrivilege 816 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe Token: SeTakeOwnershipPrivilege 816 1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe Token: SeBackupPrivilege 2344 vssvc.exe Token: SeRestorePrivilege 2344 vssvc.exe Token: SeAuditPrivilege 2344 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe"C:\Users\Admin\AppData\Local\Temp\1eb4df21d3ca977bbee0f7a87b5569235a517e3577d31a9e796c630796994864.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1928
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344