Analysis
-
max time kernel
99s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
22-03-2023 19:28
Static task
static1
Behavioral task
behavioral1
Sample
2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
Resource
win10v2004-20230220-en
General
-
Target
2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
-
Size
120KB
-
MD5
af94ccb62f97700115a219c4b7626d22
-
SHA1
bb67edcfe4e5b6fe09ee96e5b8ace7a4cfe39eb7
-
SHA256
2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c
-
SHA512
08c05f8dc98aba168734732d043c3e403f531522e0ec0ec64484d15375f353aa23f9654852ad2c54a3e6b2a9344f4ffb553cac24455f62bb65b55800e311c12a
-
SSDEEP
1536:J8A4krBJLarHZZd/M4PI8iwplAXpzK88ICS4Aer9DIPcG5zXbwMcClFyFfjRto2C:+/LPrlAZZE0cOzbwMflEBPo
Malware Config
Extracted
C:\Recovery\ln31s97-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E045541A8BF9748E
http://decoder.re/E045541A8BF9748E
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Process: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- File renamed: C:\Users\Admin\Pictures\CheckpointEnable.tiff => \??\c:\users\admin\pictures\CheckpointEnable.tiff.ln31s97
- File renamed: C:\Users\Admin\Pictures\RegisterUndo.tif => \??\c:\users\admin\pictures\RegisterUndo.tif.ln31s97
- File renamed: C:\Users\Admin\Pictures\ShowDismount.png => \??\c:\users\admin\pictures\ShowDismount.png.ln31s97
- File opened for modification: \??\c:\users\admin\pictures\CheckpointEnable.tiff
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Process: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aDTFUAIa7j = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe"
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Process: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- File opened (read-only): \??\W:
- File opened (read-only): \??\D:
- File opened (read-only): \??\G:
- File opened (read-only): \??\M:
- File opened (read-only): \??\K:
- File opened (read-only): \??\N:
- File opened (read-only): \??\R:
- File opened (read-only): \??\T:
- File opened (read-only): \??\U:
- File opened (read-only): \??\V:
- File opened (read-only): \??\A:
- File opened (read-only): \??\F:
- File opened (read-only): \??\H:
- File opened (read-only): \??\J:
- File opened (read-only): \??\Q:
- File opened (read-only): \??\Y:
- File opened (read-only): \??\Z:
- File opened (read-only): \??\B:
- File opened (read-only): \??\E:
- File opened (read-only): \??\O:
- File opened (read-only): \??\P:
- File opened (read-only): \??\S:
- File opened (read-only): \??\X:
- File opened (read-only): \??\I:
- File opened (read-only): \??\L:
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
Process: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fhek31e.bmp"
-
Drops file in Program Files directory 21 IoCs
Processes:
Process: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- File created: \??\c:\program files\ln31s97-readme.txt
- File opened for modification: \??\c:\program files\FindMount.php
- File opened for modification: \??\c:\program files\InstallCheckpoint.3gpp
- File opened for modification: \??\c:\program files\ReceiveConnect.rm
- File opened for modification: \??\c:\program files\WaitInstall.au3
- File opened for modification: \??\c:\program files\StepUse.php
- File created: \??\c:\program files (x86)\ln31s97-readme.txt
- File opened for modification: \??\c:\program files\ImportCheckpoint.wmv
- File opened for modification: \??\c:\program files\RenameLimit.wmf
- File opened for modification: \??\c:\program files\SendReceive.zip
- File opened for modification: \??\c:\program files\SkipSelect.jpg
- File opened for modification: \??\c:\program files\UnlockResume.iso
- File opened for modification: \??\c:\program files\ClearGet.vstx
- File opened for modification: \??\c:\program files\ConvertDebug.crw
- File opened for modification: \??\c:\program files\ConvertFromProtect.xht
- File opened for modification: \??\c:\program files\PopUndo.wmx
- File opened for modification: \??\c:\program files\RestartUnblock.asp
- File opened for modification: \??\c:\program files\NewStop.kix
- File opened for modification: \??\c:\program files\RestartBlock.mp4v
- File opened for modification: \??\c:\program files\RevokeUnprotect.temp
- File opened for modification: \??\c:\program files\ShowSync.xml
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Process: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- pid 3592: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- pid 3592: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- pid 3592: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- pid 3592: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Processes: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe, vssvc.exe
- Token: SeDebugPrivilege, pid 3592, 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- Token: SeTakeOwnershipPrivilege, pid 3592, 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
- Token: SeBackupPrivilege, pid 4540, vssvc.exe
- Token: SeRestorePrivilege, pid 4540, vssvc.exe
- Token: SeAuditPrivilege, pid 4540, vssvc.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe"
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exe
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Recovery\ln31s97-readme.txt
Filesize: 7KB
MD5: 3c8f5103996c6ffe76ea079f01b68dd5
SHA1: 45a996bafe4960c793081bb3e99cf4a69f6e1ec7
SHA256: 2ac69fe8a46c6d29df65b99209a9c8fa410104fdd74527febce0e5eb6c68333e
SHA512: e47b8b9759b3bfdfe76d0b415e6ea231611d5eec431b3c7f082aef484a7cdc61ef7a8f09537059e6cd838eba0bd13b49c25101196a82446762092867f164268c