Analysis
-
max time kernel
93s
-
max time network
140s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
20-11-2024 13:46
Behavioral task
behavioral1
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
1.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
3.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240729-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win10v2004-20241007-en
General
-
Target
3.exe
-
Size
157KB
-
MD5
4bd82da426f6b59e08b40044adb5a3d2
-
SHA1
097db21cb36c15979730a775ac6bad1240d75275
-
SHA256
add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310
-
SHA512
77dc3f9089bb1877defa28e39a9c3a615efed7975dbbe3a4d3af942a450776cf2935d164059d2519aa2d5105ab06106c39431e4baba82c42c3f2cbacfb82b630
-
SSDEEP
3072:wi8Iy8EytSLbi4eTMlwDCnuZ3j9ifgwbDJ1fMP:B8IUykbnWJZ3jkflJ1fM
Malware Config
Extracted
C:\Users\Default\23n373-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8172E5319B91F962
http://decryptor.top/8172E5319B91F962
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Renames multiple (157) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 3.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
3.exe
description | ioc | process
File opened (read-only) | \??\O: | 3.exe
File opened (read-only) | \??\X: | 3.exe
File opened (read-only) | \??\F: | 3.exe
File opened (read-only) | \??\V: | 3.exe
File opened (read-only) | \??\B: | 3.exe
File opened (read-only) | \??\H: | 3.exe
File opened (read-only) | \??\L: | 3.exe
File opened (read-only) | \??\N: | 3.exe
File opened (read-only) | \??\Q: | 3.exe
File opened (read-only) | \??\T: | 3.exe
File opened (read-only) | \??\Y: | 3.exe
File opened (read-only) | \??\A: | 3.exe
File opened (read-only) | \??\G: | 3.exe
File opened (read-only) | \??\M: | 3.exe
File opened (read-only) | \??\R: | 3.exe
File opened (read-only) | \??\S: | 3.exe
File opened (read-only) | \??\U: | 3.exe
File opened (read-only) | \??\W: | 3.exe
File opened (read-only) | \??\Z: | 3.exe
File opened (read-only) | \??\E: | 3.exe
File opened (read-only) | \??\I: | 3.exe
File opened (read-only) | \??\J: | 3.exe
File opened (read-only) | \??\K: | 3.exe
File opened (read-only) | \??\P: | 3.exe
File opened (read-only) | \??\D: | 3.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
3.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w4q4z3267agn4.bmp" | 3.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3.exe, cmd.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
3.exe
pid | process
1568 | 3.exe
1568 | 3.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
3.exe
description | pid | process | target process
PID 1568 wrote to memory of 1812 | 1568 | 3.exe | cmd.exe
PID 1568 wrote to memory of 1812 | 1568 | 3.exe | cmd.exe
PID 1568 wrote to memory of 1812 | 1568 | 3.exe | cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
- System Location Discovery: System Language Discovery
PID:1812
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
6KB
-
MD5
1d84ca040f6b73f720071ea3b3c4823d
-
SHA1
0961b292fdaeab2f9dbc7304ffb0c1841be5df92
-
SHA256
bf6256441ccd1d666dd6982dec31df8503a168f18c52b78dbf0191499f73a635
-
SHA512
b063882bf3db35c1c20b553ad45a2067baa66599340a60ffea5f8cb5165731a2b185f2f1c1251aa5f05220e2ae7103f5d09de2d9e3c8c15900d0e95e34a32123