Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-02-2024 19:12
Behavioral task: behavioral1
- Sample: some_malicious_file.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: some_malicious_file.exe
- Resource: win10v2004-20231222-en
General
- Target: some_malicious_file.exe
- Size: 164KB
- MD5: 890a58f200dfff23165df9e1b088e58f
- SHA1: 74e3d82f7ee81109e150dc41112cf95b3a4b5307
- SHA256: 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
- SHA512: 2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
- SSDEEP: 3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9
Malware Config
Extracted from: C:\Recovery\r3yaxpb1j-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F517BBA86B81F7F4
- http://decryptor.top/F517BBA86B81F7F4
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    some_malicious_file.exe: Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    some_malicious_file.exe: File opened (read-only) \??\H:
    some_malicious_file.exe: File opened (read-only) \??\X:
    some_malicious_file.exe: File opened (read-only) \??\F:
    some_malicious_file.exe: File opened (read-only) \??\A:
    some_malicious_file.exe: File opened (read-only) \??\Y:
    some_malicious_file.exe: File opened (read-only) \??\L:
    some_malicious_file.exe: File opened (read-only) \??\Q:
    some_malicious_file.exe: File opened (read-only) \??\S:
    some_malicious_file.exe: File opened (read-only) \??\T:
    some_malicious_file.exe: File opened (read-only) \??\V:
    some_malicious_file.exe: File opened (read-only) \??\E:
    some_malicious_file.exe: File opened (read-only) \??\M:
    some_malicious_file.exe: File opened (read-only) \??\O:
    some_malicious_file.exe: File opened (read-only) \??\J:
    some_malicious_file.exe: File opened (read-only) \??\R:
    some_malicious_file.exe: File opened (read-only) \??\U:
    some_malicious_file.exe: File opened (read-only) \??\N:
    some_malicious_file.exe: File opened (read-only) \??\P:
    some_malicious_file.exe: File opened (read-only) \??\W:
    some_malicious_file.exe: File opened (read-only) \??\Z:
    some_malicious_file.exe: File opened (read-only) \??\B:
    some_malicious_file.exe: File opened (read-only) \??\G:
    some_malicious_file.exe: File opened (read-only) \??\D:
    some_malicious_file.exe: File opened (read-only) \??\I:
    some_malicious_file.exe: File opened (read-only) \??\K:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    some_malicious_file.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84o.bmp"
- Drops file in Program Files directory (36 IoCs)
  Processes: some_malicious_file.exe (file open-for-modification and file-creation events under c:\program files and c:\program files (x86), including the dropped ransom note r3yaxpb1j-readme.txt and the d60dff40.lock marker)
- Drops file in Windows directory (64 IoCs)
  Processes: some_malicious_file.exe (file open-for-modification events under C:\Windows\WinSxS\Backup)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 1724 some_malicious_file.exe
    PID 1724 some_malicious_file.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 1724 some_malicious_file.exe wrote to memory of PID 116 cmd.exe
    PID 1724 some_malicious_file.exe wrote to memory of PID 116 cmd.exe
    PID 1724 some_malicious_file.exe wrote to memory of PID 116 cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\some_malicious_file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\some_malicious_file.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Recovery\r3yaxpb1j-readme.txt
  Filesize: 6KB
  MD5: 9118d0183aa6be484558aef72986d2b5
  SHA1: 2f877371510cfcca19240cace332b0c66a0758d3
  SHA256: 571a5f669718b37df974b59b97b67f97f329a1b55d4becf072b0bdc8b1433d12
  SHA512: 656b919aebc01f8fa86e5c4c0e59a20ba6b46812e321e99f37c61dc6610edbd673e5d5a111b2f69d79a95661f928be96fc01ecf8c6dd8f9098188b62bb343421