Analysis
- max time kernel: 120s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 31-05-2022 01:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: new.exe
- Resource: win10v2004-20220414-en
General
- Target: new.exe
- Size: 189KB
- MD5: dd5865ef1d0c647a7d73c6d5ea11cd0b
- SHA1: 4b93dcb6cced53118f972e84a69355da98adeda7
- SHA256: bac39c44a1510bb472f8e306f4b46421302444c521711eebc2b9244068a8df72
- SHA512: fd053d24599247b709536beefdc4d0dfd5ff33835391d3b4819f2162c808cc57ffcdac970cc387b57d4556d23dc4b8b2273060de8fcecc7392fcbf873dbc837c
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | new.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  File opened (read-only) by new.exe: \??\G: \??\L: \??\N: \??\W: \??\A: \??\Y: \??\K: \??\E: \??\F: \??\H: \??\P: \??\U: \??\X: \??\Z: \??\B: \??\J: \??\M: \??\O: \??\Q: \??\R: \??\S: \??\T: \??\I: \??\V:
- Drops file in Windows directory (64 IoCs)
  Processes (description | ioc | process): File opened for modification by new.exe under C:\Windows\WinSxS\Backup\
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process): 4260 | new.exe; 4260 | new.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 4260 wrote to memory of 380 | 4260 | new.exe | cmd.exe
  PID 4260 wrote to memory of 380 | 4260 | new.exe | cmd.exe
  PID 4260 wrote to memory of 380 | 4260 | new.exe | cmd.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\new.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\new.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (child of [1])
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/380-130-0x0000000000000000-mapping.dmp