Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 06-03-2022 02:39
Static task: static1
Behavioral task: behavioral1
  Sample: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
  Resource: win10v2004-en-20220112
General
Target: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
Size: 144KB
MD5: 9254d56183941456f7fc42c142bd873b
SHA1: cdac2f4e0f1c9f9051a1b27294859f5f1012cc47
SHA256: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4
SHA512: f9d0b35e6418bb528a9377b10d35860e1eafa040f92517f6a2910c5692fe385712ff03bc2bfa44068dcf251589cf82665fc8dea2e63a1bd51ba7d49b672bef2e
Malware Config
Extracted
Path: C:\g7yv5s8-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F7E124AFDF70CC9E
- http://decryptor.cc/F7E124AFDF70CC9E
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
- File renamed: C:\Users\Admin\Pictures\ImportPublish.crw => \??\c:\users\admin\pictures\ImportPublish.crw.g7yv5s8
- File renamed: C:\Users\Admin\Pictures\RestoreEnter.crw => \??\c:\users\admin\pictures\RestoreEnter.crw.g7yv5s8
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pC9JjJxkVH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe"
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
- File opened (read-only): \??\B:
- File opened (read-only): \??\J:
- File opened (read-only): \??\O:
- File opened (read-only): \??\T:
- File opened (read-only): \??\X:
- File opened (read-only): \??\D:
- File opened (read-only): \??\R:
- File opened (read-only): \??\A:
- File opened (read-only): \??\E:
- File opened (read-only): \??\F:
- File opened (read-only): \??\H:
- File opened (read-only): \??\M:
- File opened (read-only): \??\P:
- File opened (read-only): \??\Q:
- File opened (read-only): \??\U:
- File opened (read-only): \??\Y:
- File opened (read-only): \??\G:
- File opened (read-only): \??\I:
- File opened (read-only): \??\K:
- File opened (read-only): \??\N:
- File opened (read-only): \??\S:
- File opened (read-only): \??\V:
- File opened (read-only): \??\W:
- File opened (read-only): \??\L:
- File opened (read-only): \??\Z:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\629vu.bmp"
Drops file in Program Files directory (16 IoCs)
Processes: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
- File opened for modification: \??\c:\program files\UnregisterRepair.eps
- File opened for modification: \??\c:\program files\WatchUse.potm
- File opened for modification: \??\c:\program files\FindMove.emf
- File opened for modification: \??\c:\program files\GrantPop.search-ms
- File opened for modification: \??\c:\program files\NewFormat.3gp
- File opened for modification: \??\c:\program files\SelectConvert.M2T
- File opened for modification: \??\c:\program files\SubmitMove.wav
- File opened for modification: \??\c:\program files\InitializeOpen.jpg
- File opened for modification: \??\c:\program files\RemoveSet.pptx
- File opened for modification: \??\c:\program files\UndoRevoke.xsl
- File opened for modification: \??\c:\program files\RemoveMove.mid
- File opened for modification: \??\c:\program files\RestoreAssert.au3
- File opened for modification: \??\c:\program files\TraceMove.inf
- File opened for modification: \??\c:\program files\SetEdit.wmx
- File opened for modification: \??\c:\program files\SkipSwitch.png
- File opened for modification: \??\c:\program files\UseRemove.docx
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
- pid 3168: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe (four identical entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe, vssvc.exe
- Token: SeDebugPrivilege, pid 3168, 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
- Token: SeTakeOwnershipPrivilege, pid 3168, 3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
- Token: SeBackupPrivilege, pid 3268, vssvc.exe
- Token: SeRestorePrivilege, pid 3268, vssvc.exe
- Token: SeAuditPrivilege, pid 3268, vssvc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c94fe84b95b27c219b932786ee23f5c4e0aad658455ce119741656b03ab4bb4.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3168

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3580

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 3268