Analysis
-
max time kernel
152s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
01-07-2022 14:46
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20220414-en
General
-
Target
sample.exe
-
Size
164KB
-
MD5
588efcb1febe347a30e5884ca3f57a4d
-
SHA1
4ab8d669eff1d76e5626a26afd500dee2432b5cc
-
SHA256
f4afe7132798deb7f231018b513af2284ed549d3e14b46e8b1190b4b9c1b5f18
-
SHA512
7eb6535160daae7ad2ed455e1826a006efe478c968a08c09b28ff826c26bf9fb36341af8753f1fbfb8dd48201fa1b8911e7ff8e1dbbdc213d8b2c56f267090f7
Malware Config
Extracted
C:\4f65cp-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EFE31817E0162291
http://decryptor.top/EFE31817E0162291
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\ConfirmCheckpoint.png => \??\c:\users\admin\pictures\ConfirmCheckpoint.png.4f65cp sample.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
sample.exedescription ioc process File opened (read-only) \??\A: sample.exe File opened (read-only) \??\K: sample.exe File opened (read-only) \??\P: sample.exe File opened (read-only) \??\R: sample.exe File opened (read-only) \??\U: sample.exe File opened (read-only) \??\B: sample.exe File opened (read-only) \??\G: sample.exe File opened (read-only) \??\J: sample.exe File opened (read-only) \??\L: sample.exe File opened (read-only) \??\M: sample.exe File opened (read-only) \??\W: sample.exe File opened (read-only) \??\Y: sample.exe File opened (read-only) \??\D: sample.exe File opened (read-only) \??\F: sample.exe File opened (read-only) \??\H: sample.exe File opened (read-only) \??\I: sample.exe File opened (read-only) \??\Q: sample.exe File opened (read-only) \??\S: sample.exe File opened (read-only) \??\X: sample.exe File opened (read-only) \??\Z: sample.exe File opened (read-only) \??\E: sample.exe File opened (read-only) \??\N: sample.exe File opened (read-only) \??\O: sample.exe File opened (read-only) \??\T: sample.exe File opened (read-only) \??\V: sample.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f7u.bmp" sample.exe -
Drops file in Program Files directory 11 IoCs
Processes:
sample.exedescription ioc process File created \??\c:\program files\4f65cp-readme.txt sample.exe File opened for modification \??\c:\program files\LockRemove.png sample.exe File opened for modification \??\c:\program files\PopPing.mov sample.exe File opened for modification \??\c:\program files\SplitUndo.mpeg sample.exe File opened for modification \??\c:\program files\TraceReceive.mpeg sample.exe File created \??\c:\program files (x86)\4f65cp-readme.txt sample.exe File opened for modification \??\c:\program files\CompressCompare.inf sample.exe File opened for modification \??\c:\program files\EnterApprove.html sample.exe File opened for modification \??\c:\program files\GrantReceive.vssm sample.exe File opened for modification \??\c:\program files\MergeSave.clr sample.exe File opened for modification \??\c:\program files\StopCompare.shtml sample.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
sample.exepowershell.exepid process 2812 sample.exe 2812 sample.exe 3660 powershell.exe 3660 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 3660 powershell.exe Token: SeBackupPrivilege 400 vssvc.exe Token: SeRestorePrivilege 400 vssvc.exe Token: SeAuditPrivilege 400 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
sample.exedescription pid process target process PID 2812 wrote to memory of 3660 2812 sample.exe powershell.exe PID 2812 wrote to memory of 3660 2812 sample.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3660-130-0x0000000000000000-mapping.dmp
-
memory/3660-131-0x000001AC3A760000-0x000001AC3A782000-memory.dmpFilesize
136KB
-
memory/3660-132-0x00007FFB10EB0000-0x00007FFB11971000-memory.dmpFilesize
10.8MB
-
memory/3660-133-0x00007FFB10EB0000-0x00007FFB11971000-memory.dmpFilesize
10.8MB
-
memory/3660-134-0x00007FFB10EB0000-0x00007FFB11971000-memory.dmpFilesize
10.8MB