Analysis
max time kernel: 122s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 11-05-2022 02:02

Static task: static1
Behavioral task: behavioral1
Sample: new.exe
Resource: win10v2004-20220414-en

General
Target: new.exe
Size: 941KB
MD5: 708bf86b696629ad04fb3ed46232b8a8
SHA1: 4ad1a2030f928cdbc75a4e10eeb6689cbe5ca2c1
SHA256: 06028df498075f962ef0f594b8a27abd90cc19edf02fe78b6aa6e977a93850f9
SHA512: 6d4b69c77c1ac794d5ff82c175665ef789af5af1be5a3f81c5a1d494e81335e0908998e5c78da5c727abb71631de6c7276eefcdd5298c7d7f1b917c771979228
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  Description        IoC                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  new.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  Description              IoC     Process
  File opened (read-only)  \??\X:  new.exe
  File opened (read-only)  \??\Z:  new.exe
  File opened (read-only)  \??\A:  new.exe
  File opened (read-only)  \??\F:  new.exe
  File opened (read-only)  \??\G:  new.exe
  File opened (read-only)  \??\O:  new.exe
  File opened (read-only)  \??\V:  new.exe
  File opened (read-only)  \??\L:  new.exe
  File opened (read-only)  \??\N:  new.exe
  File opened (read-only)  \??\P:  new.exe
  File opened (read-only)  \??\B:  new.exe
  File opened (read-only)  \??\E:  new.exe
  File opened (read-only)  \??\H:  new.exe
  File opened (read-only)  \??\J:  new.exe
  File opened (read-only)  \??\K:  new.exe
  File opened (read-only)  \??\U:  new.exe
  File opened (read-only)  \??\Y:  new.exe
  File opened (read-only)  \??\M:  new.exe
  File opened (read-only)  \??\Q:  new.exe
  File opened (read-only)  \??\R:  new.exe
  File opened (read-only)  \??\I:  new.exe
  File opened (read-only)  \??\S:  new.exe
  File opened (read-only)  \??\T:  new.exe
  File opened (read-only)  \??\W:  new.exe
- Drops file in Windows directory (64 IoCs)
  Processes:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID   Process
  4064  new.exe
  4064  new.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  Description                        PID   Process  Target PID  Target process
  PID 4064 wrote to memory of 3096   4064  new.exe  3096        cmd.exe
  PID 4064 wrote to memory of 3096   4064  new.exe  3096        cmd.exe
  PID 4064 wrote to memory of 3096   4064  new.exe  3096        cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\new.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\new.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Network

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
- memory/3096-130-0x0000000000000000-mapping.dmp