Analysis
- max time kernel: 148s
- max time network: 203s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-05-2022 03:09
Static task: static1
Behavioral task: behavioral1
  - Sample: new.exe
  - Resource: win10v2004-20220414-en
General
- Target: new.exe
- Size: 561KB
- MD5: ea5d24b9bdfb7ea892b4ff16bc2c9d42
- SHA1: 40717d8266cf429ddc7df3a29248ef3bc8678a44
- SHA256: 6c1245be0cacd3a2c296aeac93bd3a95debfe1497fd23f91d6a2179bf8e1a32a
- SHA512: fef1c194135b4341da580de14d66d1cfb5b0207f5c57aa8bedb5f2f677c1dc913fb450a89de424d093da8a60c422af4aa4f189a95aa825e6e7c84e28b859f547
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely used as a geofence.
  Processes:
    new.exe
      description: Key value queried
      ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
      process: new.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    new.exe
      description: File opened (read-only)
      process: new.exe
      ioc (24 drive roots, in the order observed):
        \??\G:, \??\I:, \??\O:, \??\Q:, \??\T:, \??\X:, \??\F:, \??\H:,
        \??\M:, \??\R:, \??\S:, \??\W:, \??\J:, \??\N:, \??\V:, \??\Y:,
        \??\A:, \??\B:, \??\E:, \??\K:, \??\L:, \??\P:, \??\U:, \??\Z:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    WerFault.exe
      pid: 4144
      pid_target: 2092
      process: WerFault.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    new.exe
      pid 2120, process new.exe
      pid 2120, process new.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    new.exe
      description: PID 2120 wrote to memory of 1436; pid 2120, process new.exe, target process cmd.exe
      description: PID 2120 wrote to memory of 1436; pid 2120, process new.exe, target process cmd.exe
      description: PID 2120 wrote to memory of 1436; pid 2120, process new.exe, target process cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\new.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\new.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of new.exe)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 444 -p 2092 -ip 2092
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 2092 -s 1128
  - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1436-130-0x0000000000000000-mapping.dmp