Analysis
- max time kernel: 111s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-06-2022 20:27
Static task: static1
Behavioral task: behavioral1
- Sample: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
- Resource: win10v2004-20220414-en
General
- Target: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
- Size: 164KB
- MD5: f684dd75717606501dd434a817ff0876
- SHA1: 06b853e6e9d6cace3736cd37dbc43d9cdf1445d3
- SHA256: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a
- SHA512: 038445162c66e0c6a88ff8c243af615fb301f6a6f29635ec00b7e8a876a621af8b288f0850a9830c43685bdcdb374b0f17b5694833c4ba06ad19e5a014b8216c
Malware Config
Extracted
- C:\y3i0r6dvo2-readme.txt
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/274D7349B8D242AC
- http://decryptor.top/274D7349B8D242AC
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\ClearGroup.tiff => \??\c:\users\admin\pictures\ClearGroup.tiff.y3i0r6dvo2 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File renamed | C:\Users\Admin\Pictures\EnableStep.crw => \??\c:\users\admin\pictures\EnableStep.crw.y3i0r6dvo2 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File renamed | C:\Users\Admin\Pictures\RenameUnpublish.tif => \??\c:\users\admin\pictures\RenameUnpublish.tif.y3i0r6dvo2 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File renamed | C:\Users\Admin\Pictures\UnregisterFormat.png => \??\c:\users\admin\pictures\UnregisterFormat.png.y3i0r6dvo2 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\users\admin\pictures\ClearGroup.tiff | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File renamed | C:\Users\Admin\Pictures\DisableRevoke.raw => \??\c:\users\admin\pictures\DisableRevoke.raw.y3i0r6dvo2 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File renamed | C:\Users\Admin\Pictures\DismountResize.crw => \??\c:\users\admin\pictures\DismountResize.crw.y3i0r6dvo2 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File renamed | C:\Users\Admin\Pictures\RemoveComplete.tiff => \??\c:\users\admin\pictures\RemoveComplete.tiff.y3i0r6dvo2 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\users\admin\pictures\DenyConvertFrom.tiff | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\users\admin\pictures\RemoveComplete.tiff | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File renamed | C:\Users\Admin\Pictures\DenyConvertFrom.tiff => \??\c:\users\admin\pictures\DenyConvertFrom.tiff.y3i0r6dvo2 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  description | ioc | process
  File opened (read-only) | \??\M: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\Q: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\R: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\S: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\U: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\A: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\F: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\I: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\P: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\T: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\Z: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\D: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\J: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\L: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\N: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\H: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\K: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\O: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\W: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\X: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\B: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\E: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\G: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\V: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened (read-only) | \??\Y: | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dd2el.bmp" | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
- Drops file in Program Files directory (22 IoCs)
  Processes: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\ResizeUnprotect.inf | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\UnlockReset.vsdm | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\WriteOpen.vsdx | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\ConfirmApprove.wmf | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\ConvertFromUpdate.vb | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\ResetStart.doc | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\SubmitRegister.xls | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\DisconnectWatch.mid | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\HideGet.mpg | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\MountSkip.mpeg | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\SuspendOpen.asf | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\UnblockRegister.m4v | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\UnlockUnregister.gif | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File created | \??\c:\program files\y3i0r6dvo2-readme.txt | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\ConvertToStart.emf | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\ExitEdit.3gp2 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\GetHide.reg | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\GroupMount.ppsx | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\TraceNew.xps | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File created | \??\c:\program files (x86)\y3i0r6dvo2-readme.txt | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\ConfirmHide.i64 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  File opened for modification | \??\c:\program files\EnableUnblock.wdp | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe, powershell.exe
  pid | process
  2388 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  2388 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  3504 | powershell.exe
  3504 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 3504 | powershell.exe
  Token: SeBackupPrivilege | 3068 | vssvc.exe
  Token: SeRestorePrivilege | 3068 | vssvc.exe
  Token: SeAuditPrivilege | 3068 | vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe
  description | pid | process | target process
  PID 2388 wrote to memory of 3504 | 2388 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe | powershell.exe
  PID 2388 wrote to memory of 3504 | 2388 | 1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ea41b12d99ab5a17cb942ff246b0333f298a52cfbcdf412270109519db2054a.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, child of the sample)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (The -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of Volume Shadow Copies, which explains the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege tokens listed under Signatures.)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (level 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3504-130-0x0000000000000000-mapping.dmp
- memory/3504-131-0x0000028283E30000-0x0000028283E52000-memory.dmp (Filesize: 136KB)
- memory/3504-132-0x00007FFABB7E0000-0x00007FFABC2A1000-memory.dmp (Filesize: 10.8MB)
- memory/3504-133-0x00007FFABB7E0000-0x00007FFABC2A1000-memory.dmp (Filesize: 10.8MB)