Resubmissions

  • 02-12-2019 10:20  191202-k7xrts92dx  (score 10)
  • 14-11-2019 15:55  191114-lrhkzccm9n  (score 0)

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • resource
    win10v191014

General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • Sample

    191114-lrhkzccm9n

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

Score
N/A

Malware Config

Extracted

Path

C:\odt\629yumz1.info.txt

Family

sodinokibi (also tracked as REvil)

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 629yumz1 extension.
Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBAFD39AEE599D15
Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/BBAFD39AEE599D15
Page will ask you for the key, here it is:
XVX2lDsNsXtb3QL5mIOYHzgA2Kqy4h/W48xpNNHdIEfdqiLtCJdv+wkQjkgVZC63
K3M7E/XssfvB98LJ2B2hFY+7oHgFLNyfTx6BNEjeuWlIprOgtvJZTfgE8tXayAWs
tFFebweby/UVxnVgp01zqn9aW8fGsEXDMhms+/hHYoCs+g1QLUhFZ9N4nmSjpHm8
z4B7wmLWu/3MuyDvzTnAA7Wel3eWhPz2UCs0kVOjsNQg60RSNfstiUsUFy7Y9ax3
02PL7dXWfINOvppJD+cUP102sD+Lf29QI1c2Vp0j2AfR8sqXJbW+MK/g6VDiQSJi
FjkjPbUTTYwr6rQ+icpEV3cqoK5MgbsgTZekicm1UOyCu8fV8WbzdtfSeuZc5MuB
vwjFY7+o0SRdRBOGcWiHPWSXjSkxG6EFzxDuAd3MlcLkxQmy2WeX919uE3n1sWzh
dE71Vq4k/X4IZ2XD85DglDV0MjN2UoJSgYl+EquirF7/D3glqca5D+3O19ayTQeG
9RHFi187NPxGjxl607QwUFkkIIZ7Pw317sqXZzJKIALyxi1Hs4BeRu6dc/ncHMt5
Ggr0fkWgH/r06mVjSCwPh+YcNvaqEG1oLbm9CrAnplpP8aWHigk9fjET1wjDgN2W
e5WWupMbRl8n9c6JikHrIjWCe3cQOdR3b30HZ9QENfKmKeS4M9jVTKfry+ixK5J7
gkJzkhvqWK5LU2gJEur0n3dMubww5/9aaqwjfJqmHV21h4V8D3tJ7fcozjE7kQ1G
XboVt6wMQFIjf448lxbbKkkqMO1yKqivyDxJeKEgH0c6HRYMaZMFdo9lrMSRMDgm
yqLcKZXjQZXPTtFZ71BV+nsAp6Jkn5ViI8o3qhARKCDCLnMgS9hMeIthKLV4QNie
T//PQKjfT0QaEkkehqbGq6Y6cq4Wp6SSDbkGyV6qi9/vD8OLG7dGsBK2BZyqGYhB
pl0obeKX2nfQ/jsP821D2mfMb63o06WlsSEzj7LYc0ZPspO3JFJTygqClJpEFpBG
pLjGC1Jxm84YnRj/OSJobh0O132bewf39cWTq8vhI+9CQ4VvRT/twPrmvDRrdAb/
US+RYmGqCbo=
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBAFD39AEE599D15

http://decryptor.top/BBAFD39AEE599D15
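The note carries everything an analyst pivots on: the extension appended to encrypted files, a Tor hidden service plus a clearnet fallback that share the same path token, and a base64-encoded key blob. The parser below is an added example and is not part of the sandbox report or its tooling. It takes the note text from this report (key material trimmed to its first and last lines, line breaks reconstructed) and extracts those fields so they can be compared across resubmissions; the helper names, and reading the shared path token as a per-victim identifier, are assumptions.

```python
import base64
import re

# Added example, not from the sandbox report. The note text from the report,
# with the wrapped key trimmed to its first and last lines and line breaks
# reconstructed; the parser ignores wrapping, so a flattened note works too.
SAMPLE_NOTE = """Hello dear friend! Your files are encrypted, and, as result you can't use it.
You must visit our page to get instructions about decryption process.
All encrypted files have got 629yumz1 extension.
Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBAFD39AEE599D15
Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link:
http://decryptor.top/BBAFD39AEE599D15
Page will ask you for the key, here it is:
XVX2lDsNsXtb3QL5mIOYHzgA2Kqy4h/W48xpNNHdIEfdqiLtCJdv+wkQjkgVZC63
US+RYmGqCbo=
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
EXT_RE = re.compile(r"files have got (\S+) extension")
# Trailing hex token on a URL path; assumed here to be the per-victim ID.
PATH_ID_RE = re.compile(r"/([0-9A-Fa-f]{8,})/?$")
KEY_MARKER = "here it is:"


def parse_note(text):
    """Extension, URLs, the path IDs the URLs carry, and the decoded key blob."""
    ext = EXT_RE.search(text)
    urls = URL_RE.findall(text)
    path_ids = sorted({m.group(1) for m in map(PATH_ID_RE.search, urls) if m})
    key = None
    if KEY_MARKER in text:
        # Everything after the marker is the key, wrapped at 64 columns on disk.
        key_b64 = "".join(text.split(KEY_MARKER, 1)[1].split())
        try:
            key = base64.b64decode(key_b64, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            key = None
    return {
        "extension": ext.group(1) if ext else None,
        "urls": urls,
        "onion_urls": [u for u in urls if ".onion" in u],
        "path_ids": path_ids,
        "key": key,
    }


def same_id_everywhere(parsed):
    """True when the Tor and clearnet links point at one and the same record."""
    return len(parsed["path_ids"]) == 1


def matches_note_path(parsed, note_path):
    """Cross-check: the note file name should start with the extension the text names."""
    name = note_path.replace("\\", "/").rsplit("/", 1)[-1]
    return parsed["extension"] is not None and name.startswith(parsed["extension"] + ".")


if __name__ == "__main__":
    iocs = parse_note(SAMPLE_NOTE)
    for field in ("extension", "onion_urls", "path_ids"):
        print(f"{field:<11} {iocs[field]}")
    print("key bytes  ", None if iocs["key"] is None else len(iocs["key"]))
    print("note path ok", matches_note_path(iocs, r"C:\odt\629yumz1.info.txt"))
```

Run against a batch of resubmissions, a differing path ID with the same onion host marks a different victim record, while a note whose key fails to decode usually means the dump was truncated rather than a new variant.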

Signatures

  • Discovering connected drives (3 TTPs, 1 IoC)
  • Deletes shadow copies (2 TTPs, 1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Drops file in system dir (64 IoCs)
  • sodinokibi family
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Registry keys used by Sodinokibi family (1 IoC)
  • Uses Volume Shadow Copy Service COM API (13 IoCs)
  • Drops Office document (28 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Checks system information in the registry (likely anti-VM) (2 TTPs, 2 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
    "C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
    • Discovering connected drives
    • Drops file in system dir
    • Suspicious behavior: EnumeratesProcesses
    • Registry keys used by Sodinokibi family
    • Drops Office document
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:4996
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    • Suspicious use of WriteProcessMemory
    PID:5072
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    PID:5100
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    • Suspicious use of WriteProcessMemory
    PID:1604
  • C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    • Deletes shadow copies
    • Uses Volume Shadow Copy Service COM API
    PID:372
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    • Uses Volume Shadow Copy Service COM API
    PID:1004
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    PID:4808
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    PID:4272
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    • Checks system information in the registry (likely anti-VM)
    PID:4856
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    • Windows security modification
    PID:2928
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    PID:1544
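The cmd.exe command line in the process list is the standard pre-encryption sequence: delete every volume shadow copy, then tell the boot loader not to offer recovery and to ignore boot failures, so the victim cannot roll back. The detection logic below is an added example and is not part of the sandbox report or of the tool that produced it. It runs those three checks over constructed process-creation records (Sysmon Event ID 1 style field names are an assumption, the parent PIDs and benign events are constructed, and "sample.exe" stands in for the sha256-named binary) and walks each hit back to the process that started the chain. It goes beyond this report in one respect: it also matches the wmic and Win32_ShadowCopy forms of shadow-copy deletion, which the page does not show.

```python
import re

# Added example, not part of the sandbox report. Constructed process-creation
# records in a Sysmon Event ID 1 style; the field names are an assumption.
# The first three reproduce the command lines from this report ("sample.exe"
# stands in for the sha256-named binary); the parent PIDs and the two benign
# events are constructed.
SAMPLE_EVENTS = [
    {"ProcessId": 4996, "ParentProcessId": 3000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"ProcessId": 1604, "ParentProcessId": 4996,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows '
                    r"/All /Quiet & bcdedit /set {default} recoveryenabled No & "
                    r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ProcessId": 372, "ParentProcessId": 1604,
     "Image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ProcessId": 2200, "ParentProcessId": 700,          # benign: listing only
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ProcessId": 2300, "ParentProcessId": 700,          # benign: read-only
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /enum"},
]

# One rule per behaviour. The vssadmin and bcdedit patterns cover the exact
# command lines in this report; the wmic and Win32_ShadowCopy patterns are
# added because the same technique is commonly issued those ways too.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
        re.compile(r"\bwin32_shadowcopy\b.*\b(?:remove-wmiobject|delete\(\))", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    ],
    "boot_failure_silenced": [
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    ],
}


def match_rules(event):
    """Names of the rules whose patterns hit this event's command line, sorted."""
    cmd = event.get("CommandLine", "")
    return sorted(name for name, pats in RULES.items()
                  if any(p.search(cmd) for p in pats))


def scan(events):
    """One finding per (event, rule) pair; a single cmd.exe line can hit several rules."""
    return [{"ProcessId": ev["ProcessId"], "Image": ev["Image"], "rule": rule}
            for ev in events for rule in match_rules(ev)]


def origin(events, pid):
    """Walk ParentProcessId links back to the earliest process in the batch.
    That is the process to kill and the binary to pull, not cmd.exe or vssadmin."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid].get("ParentProcessId")
        if parent not in by_pid:
            return by_pid[pid]
        pid = parent
    return by_pid.get(pid)


def verdict(findings):
    """Shadow-copy deletion alone is suspicious; paired with boot-recovery
    tampering it is the pre-encryption sequence ransomware runs."""
    rules = {f["rule"] for f in findings}
    if "shadow_copy_deletion" in rules and rules & {"recovery_disabled", "boot_failure_silenced"}:
        return "ransomware_precursor"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        root = origin(SAMPLE_EVENTS, h["ProcessId"])
        print(f"PID {h['ProcessId']:>5} {h['rule']:<22} origin PID {root['ProcessId']} {root['Image']}")
    print("verdict:", verdict(hits))
```

The rules key on the command line rather than the image path because the sample launches the 32-bit cmd.exe from SysWOW64 while the command line names System32; an image-path rule pinned to one directory misses half the cases.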

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

  • T1107 File Deletion (retired; the current equivalent is T1070.004, Indicator Removal: File Deletion)
  • T1089 Disabling Security Tools (retired; the current equivalent is T1562.001, Impair Defenses: Disable or Modify Tools)
