Resubmissions

  • 04-12-2019 13:21
    191204-vcj2bx45de 10
  • 02-12-2019 16:56
    191202-4g8res8d2s 10

Analysis

  • max time kernel
    149s
  • resource
    win10v191014
  • submitted
    04-12-2019 13:21

General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

  • Sample

    191204-vcj2bx45de

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

Malware Config

Extracted

  • Path
    C:\odt\2td919.info.txt
  • Family
    sodinokibi
  • Ransom Note
    Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 2td919 extension.
    Instructions into the TOR network
    -----------------------------
    Install TOR browser from https://torproject.org/
    Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1C5D8262147BDE4C
    Instructions into WWW (The following link can not be in work state, if true, use TOR above):
    -----------------------------
    Visit the following link: http://decryptor.top/1C5D8262147BDE4C
    Page will ask you for the key, here it is: [base64 key blob omitted]
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1C5D8262147BDE4C

http://decryptor.top/1C5D8262147BDE4C

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Discovering connected drives 3 TTPs 6 IoCs
  • Drops file in Windows directory 2109 IoCs
  • Deletes shadow copies 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Windows security modification 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
    "C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Discovering connected drives
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:1480
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
      PID:4984
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4256
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Discovering connected drives
    PID:4636
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    1⤵
    PID:4296
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    1⤵
    PID:3484
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    1⤵
    PID:4508
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    1⤵
    PID:3328

Network

MITRE ATT&CK Enterprise v6
