Analysis
- max time kernel: 157s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 22-06-2022 13:44
Static task: static1
Behavioral task: behavioral1
- Sample: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe
- Resource: win10v2004-20220414-en
General
- Target: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe
- Size: 165KB
- MD5: 74d80021ed5a26b41e1d88e72585c39e
- SHA1: 5dc7989d79e1528a5d7b03ca26a6eaa13bd73b2c
- SHA256: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1
- SHA512: 234b2779ee25837df002d73b7bdbb2e62fc5dddcd192922aa83ca2d5902e224a6ba835d6ee3def479a5c74b9a662aefc8c5528731ba1306e58ee467fc1fcc0bf
Malware Config
Extracted from: C:\99u9lh-help.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8F165A2860446145
  - http://decryptor.top/8F165A2860446145
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe
  - File opened for modification: \??\c:\users\admin\pictures\ShowHide.tiff
  - File renamed: C:\Users\Admin\Pictures\GrantShow.png => \??\c:\users\admin\pictures\GrantShow.png.99u9lh
  - File renamed: C:\Users\Admin\Pictures\ShowHide.tiff => \??\c:\users\admin\pictures\ShowHide.tiff.99u9lh
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe
  - File opened (read-only): \??\J:, \??\K:, \??\O:, \??\Q:, \??\S:, \??\T:, \??\V:, \??\B:, \??\X:, \??\Y:, \??\D:, \??\W:, \??\M:, \??\H:, \??\P:, \??\R:, \??\U:, \??\F:, \??\E:, \??\G:, \??\I:, \??\L:, \??\N:, \??\Z:, \??\A:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1ty.bmp"
- Drops file in Program Files directory (20 IoCs)
  Process: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe
  - File opened for modification: \??\c:\program files\CompressPush.gif
  - File opened for modification: \??\c:\program files\LockOptimize.DVR-MS
  - File opened for modification: \??\c:\program files\SwitchConvertTo.xltx
  - File created: \??\c:\program files (x86)\99u9lh-help.txt
  - File opened for modification: \??\c:\program files\CheckpointRedo.wps
  - File opened for modification: \??\c:\program files\GrantConvertFrom.mp2v
  - File opened for modification: \??\c:\program files\JoinDismount.svgz
  - File opened for modification: \??\c:\program files\UnpublishUpdate.wav
  - File created: \??\c:\program files\99u9lh-help.txt
  - File opened for modification: \??\c:\program files\DenyClear.csv
  - File opened for modification: \??\c:\program files\EnablePing.wpl
  - File opened for modification: \??\c:\program files\ExpandCompress.html
  - File opened for modification: \??\c:\program files\PopExit.svgz
  - File opened for modification: \??\c:\program files\RepairCheckpoint.wma
  - File opened for modification: \??\c:\program files\RestartSubmit.dwg
  - File opened for modification: \??\c:\program files\ApproveRepair.tmp
  - File opened for modification: \??\c:\program files\ConfirmNew.clr
  - File opened for modification: \??\c:\program files\DisableStart.eps
  - File opened for modification: \??\c:\program files\ReceiveGrant.rle
  - File opened for modification: \??\c:\program files\ReceiveRedo.dib
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
  - 4396 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe
  - 4396 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe
  - 4900 powershell.exe
  - 4900 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 4900, powershell.exe
  - Token: SeBackupPrivilege, 4192, vssvc.exe
  - Token: SeRestorePrivilege, 4192, vssvc.exe
  - Token: SeAuditPrivilege, 4192, vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 4396 wrote to memory of 4900: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe -> powershell.exe
  - PID 4396 wrote to memory of 4900: 2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe -> powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2dc6832dc29aa83dcc6d0a6b2d1c9a17636fc4467845ef4c8ebd34738a8677f1.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    Decoded -e argument (UTF-16LE base64): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    This is the shadow-copy deletion that explains the vssvc.exe activity and its SeBackupPrivilege/SeRestorePrivilege token use below.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (depth 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4900-130-0x0000000000000000-mapping.dmp
- memory/4900-131-0x00000267B5310000-0x00000267B5332000-memory.dmp (Filesize: 136KB)
- memory/4900-132-0x00007FFEC5290000-0x00007FFEC5D51000-memory.dmp (Filesize: 10.8MB)
- memory/4900-133-0x00007FFEC5290000-0x00007FFEC5D51000-memory.dmp (Filesize: 10.8MB)