Analysis
max time kernel: 130s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-06-2022 05:21
Static task: static1
Behavioral task: behavioral1
  Sample: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
  Resource: win10v2004-20220414-en
General
Target: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
Size: 179KB
MD5: b471b0c915a5762839b76a5a31e74841
SHA1: 650aa1e536e8082479cbf956d38881260c05868b
SHA256: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9
SHA512: 8e12ff4eca0e638673b15a8c2de9fd696c093316051fb31571f02c2739cf69e6dc3037368e9006371b0c85eba532a7b46cbc402be7e9624866cbbcc2dacf376c
Malware Config
Extracted from: C:\39shjl02-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/24E90B50D1F826E1
- http://decryptor.top/24E90B50D1F826E1
Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\FindRedo.tif => \??\c:\users\admin\pictures\FindRedo.tif.39shjl02 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File renamed | C:\Users\Admin\Pictures\JoinApprove.raw => \??\c:\users\admin\pictures\JoinApprove.raw.39shjl02 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File renamed | C:\Users\Admin\Pictures\MoveGroup.tif => \??\c:\users\admin\pictures\MoveGroup.tif.39shjl02 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File renamed | C:\Users\Admin\Pictures\SendSelect.png => \??\c:\users\admin\pictures\SendSelect.png.39shjl02 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File renamed | C:\Users\Admin\Pictures\ShowRestore.png => \??\c:\users\admin\pictures\ShowRestore.png.39shjl02 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File renamed | C:\Users\Admin\Pictures\TestConfirm.png => \??\c:\users\admin\pictures\TestConfirm.png.39shjl02 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sNpEShi30R = "C:\\Users\\Admin\\AppData\\Local\\Temp\\19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe" | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
description | ioc | process
File opened (read-only) | \??\A: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\K: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\T: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\E: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\H: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\O: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\Q: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\R: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\S: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\U: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\V: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\W: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\X: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\Y: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\Z: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\G: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\J: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\L: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\M: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\D: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\B: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\F: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\I: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\N: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened (read-only) | \??\P: | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e17lyzz73.bmp" | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
Drops file in Program Files directory (25 IoCs)
Processes: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
description | ioc | process
File opened for modification | \??\c:\program files\UnpublishSave.mpeg3 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File created | \??\c:\program files (x86)\39shjl02-readme.txt | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\JoinAdd.potx | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\NewUnlock.xlsb | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\PingSwitch.rmi | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\PublishUse.txt | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\UseStep.dwg | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\UseSwitch.xlsm | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\WatchComplete.htm | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\ApproveSubmit.tiff | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\FormatInvoke.i64 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\FormatTest.ttc | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\OutMeasure.jpg | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\StopUninstall.mhtml | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\ProtectShow.txt | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\SelectExport.WTV | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\SelectRedo.cfg | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\CompareCompress.nfo | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\DismountReset.midi | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\DismountUnregister.mp3 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\EnableGrant.js | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\EnablePush.search-ms | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\UnblockTest.dotx | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File created | \??\c:\program files\39shjl02-readme.txt | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
File opened for modification | \??\c:\program files\UndoUnpublish.js | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe, powershell.exe
pid | process
4060 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
4060 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
4592 | powershell.exe
4592 | powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 4592 | powershell.exe
Token: SeBackupPrivilege | 4832 | vssvc.exe
Token: SeRestorePrivilege | 4832 | vssvc.exe
Token: SeAuditPrivilege | 4832 | vssvc.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
description | pid | process | target process
PID 4060 wrote to memory of 4592 | 4060 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe | powershell.exe
PID 4060 wrote to memory of 4592 | 4060 | 19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe | powershell.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\19cd4deb02d2b5abaeed2ea37ed255ddc078c3a054317b7c4c7430ce7526e2a9.exe"
   - Modifies extensions of user files
   - Adds Run key to start application
   - Enumerates connected drives
   - Sets desktop wallpaper using registry
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\wbem\unsecapp.exe
   Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4592-130-0x0000000000000000-mapping.dmp
- memory/4592-131-0x0000022E45D00000-0x0000022E45D22000-memory.dmp (Filesize: 136KB)
- memory/4592-132-0x00007FFCA7A60000-0x00007FFCA8521000-memory.dmp (Filesize: 10.8MB)
- memory/4592-133-0x00007FFCA7A60000-0x00007FFCA8521000-memory.dmp (Filesize: 10.8MB)