Overview

overview

10

Static

static

10

new.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 03:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    new.exe

  • Size

    561KB

  • MD5

    ea5d24b9bdfb7ea892b4ff16bc2c9d42

  • SHA1

    40717d8266cf429ddc7df3a29248ef3bc8678a44

  • SHA256

    6c1245be0cacd3a2c296aeac93bd3a95debfe1497fd23f91d6a2179bf8e1a32a

  • SHA512

    fef1c194135b4341da580de14d66d1cfb5b0207f5c57aa8bedb5f2f677c1dc913fb450a89de424d093da8a60c422af4aa4f189a95aa825e6e7c84e28b859f547

Score
10/10
sodinokibiransomware

Malware Config

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\new.exe
    "C:\Users\Admin\AppData\Local\Temp\new.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:1436
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 444 -p 2092 -ip 2092
      1⤵
        PID:4828
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2092 -s 1128
        1⤵
        • Program crash
        PID:4144

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1436-130-0x0000000000000000-mapping.dmp
        Download