Resubmissions

02-12-2019 10:20

191202-k7xrts92dx 10

14-11-2019 15:55

191114-lrhkzccm9n 0

Analysis

  • max time kernel
    150s
  • resource
    win10v191014
  • submitted
    02-12-2019 10:20

General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

  • Sample

    191202-k7xrts92dx

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

Malware Config

Extracted

Path

C:\odt\b268804en.info.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got b268804en extension.
Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A621BAAA9957D5D1
Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/A621BAAA9957D5D1
Page will ask you for the key, here it is:
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A621BAAA9957D5D1

http://decryptor.top/A621BAAA9957D5D1

Signatures

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Deletes shadow copies 2 TTPs 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Discovering connected drives 3 TTPs 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 2109 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
    "C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Discovering connected drives
    • Drops file in Windows directory
    PID:4920
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:360
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:1920
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
        PID:5020
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1020
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Discovering connected drives
    PID:4352
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    1⤵
    PID:3944
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    1⤵
    PID:2364
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    1⤵
    PID:440
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    1⤵
    PID:716

Network

MITRE ATT&CK Enterprise v6
