Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
13-12-2024 20:44
Behavioral task
behavioral1
Sample
malware_005D0000.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
malware_005D0000.exe
Resource
win10v2004-20241007-en
General
-
Target
malware_005D0000.exe
-
Size
164KB
-
MD5
890a58f200dfff23165df9e1b088e58f
-
SHA1
74e3d82f7ee81109e150dc41112cf95b3a4b5307
-
SHA256
5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
-
SHA512
2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
-
SSDEEP
3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9
Malware Config
Extracted
C:\Users\5uh58-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/390AF667A234E006
http://decryptor.top/390AF667A234E006
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (process: malware_005D0000.exe) -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: malware_005D0000.exe File opened (read-only) \??\I: malware_005D0000.exe File opened (read-only) \??\L: malware_005D0000.exe File opened (read-only) \??\O: malware_005D0000.exe File opened (read-only) \??\Q: malware_005D0000.exe File opened (read-only) \??\T: malware_005D0000.exe File opened (read-only) \??\X: malware_005D0000.exe File opened (read-only) \??\A: malware_005D0000.exe File opened (read-only) \??\H: malware_005D0000.exe File opened (read-only) \??\K: malware_005D0000.exe File opened (read-only) \??\W: malware_005D0000.exe File opened (read-only) \??\J: malware_005D0000.exe File opened (read-only) \??\R: malware_005D0000.exe File opened (read-only) \??\S: malware_005D0000.exe File opened (read-only) \??\V: malware_005D0000.exe File opened (read-only) \??\D: malware_005D0000.exe File opened (read-only) \??\F: malware_005D0000.exe File opened (read-only) \??\Z: malware_005D0000.exe File opened (read-only) \??\B: malware_005D0000.exe File opened (read-only) \??\G: malware_005D0000.exe File opened (read-only) \??\M: malware_005D0000.exe File opened (read-only) \??\N: malware_005D0000.exe File opened (read-only) \??\P: malware_005D0000.exe File opened (read-only) \??\U: malware_005D0000.exe File opened (read-only) \??\Y: malware_005D0000.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\y145l0.bmp" (process: malware_005D0000.exe) -
Drops file in Program Files directory 32 IoCs
description ioc Process File opened for modification \??\c:\program files\RequestExport.emf malware_005D0000.exe File opened for modification \??\c:\program files\ResetWait.nfo malware_005D0000.exe File opened for modification \??\c:\program files\UndoUnprotect.xht malware_005D0000.exe File created \??\c:\program files\5uh58-readme.txt malware_005D0000.exe File created \??\c:\program files (x86)\d60dff40.lock malware_005D0000.exe File opened for modification \??\c:\program files\CloseUnblock.tif malware_005D0000.exe File opened for modification \??\c:\program files\CloseUnregister.wmv malware_005D0000.exe File opened for modification \??\c:\program files\ConnectConvert.vssm malware_005D0000.exe File opened for modification \??\c:\program files\InitializePop.edrwx malware_005D0000.exe File opened for modification \??\c:\program files\ResetRead.rar malware_005D0000.exe File opened for modification \??\c:\program files\RevokeCompare.temp malware_005D0000.exe File opened for modification \??\c:\program files\SelectSet.mp4 malware_005D0000.exe File opened for modification \??\c:\program files\UnregisterJoin.M2T malware_005D0000.exe File created \??\c:\program files (x86)\5uh58-readme.txt malware_005D0000.exe File opened for modification \??\c:\program files\ExitUnlock.xla malware_005D0000.exe File opened for modification \??\c:\program files\SuspendMeasure.vsdx malware_005D0000.exe File opened for modification \??\c:\program files\EditRevoke.ogg malware_005D0000.exe File opened for modification \??\c:\program files\RestoreGroup.dxf malware_005D0000.exe File opened for modification \??\c:\program files\SetLimit.reg malware_005D0000.exe File opened for modification \??\c:\program files\TraceUnlock.odt malware_005D0000.exe File opened for modification \??\c:\program files\ConvertToDebug.ADTS malware_005D0000.exe File opened for modification \??\c:\program files\MountTrace.reg malware_005D0000.exe File opened for modification \??\c:\program files\StopComplete.ogg 
malware_005D0000.exe File opened for modification \??\c:\program files\UninstallMount.ttf malware_005D0000.exe File opened for modification \??\c:\program files\PublishUninstall.php malware_005D0000.exe File opened for modification \??\c:\program files\RequestPublish.wps malware_005D0000.exe File created \??\c:\program files\d60dff40.lock malware_005D0000.exe File opened for modification \??\c:\program files\ExportDismount.mpeg malware_005D0000.exe File opened for modification \??\c:\program files\ResetSave.vsdx malware_005D0000.exe File opened for modification \??\c:\program files\DismountGroup.cr2 malware_005D0000.exe File opened for modification \??\c:\program files\RevokeEnter.mpv2 malware_005D0000.exe File opened for modification \??\c:\program files\UpdateDismount.htm malware_005D0000.exe -
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: malware_005D0000.exe); Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
PID 2340 malware_005D0000.exe; PID 2340 malware_005D0000.exe -
Suspicious use of WriteProcessMemory 3 IoCs
PID 2340 (malware_005D0000.exe) wrote to memory of PID 3404 (target 82); PID 2340 (malware_005D0000.exe) wrote to memory of PID 3404 (target 82); PID 2340 (malware_005D0000.exe) wrote to memory of PID 3404 (target 82)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe, command line: "C:\Users\Admin\AppData\Local\Temp\malware_005D0000.exe"
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340 -
2. C:\Windows\SysWOW64\cmd.exe (child of PID 2340), command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
- System Location Discovery: System Language Discovery
PID:3404
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads
-
Filesize
6KB
MD5 59ea7fdd4633e50fdfe0ce7b775654a0
SHA1 509f8a16445e32f9341c8aa3edccdb7fceec9814
SHA256 dcf5edf8eba37cc7111b62b9a992ec8e097fc3bf6875a93ef5ed06a4aa50b1c5
SHA512 59ad3f42bf691ebbd4d28db16e9fa56624342e277c376a5ba6ff734a58c54f19271c369a90c2c76804f4c3f49f505f78459a676e8b7ea9f0abeaba3dd22f2607