Analysis

  • max time kernel: 150s
  • resource: win10v191014
  • submitted: 10-12-2019 16:21

General

  • Target: 139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
  • Sample: 191210-ne9dsbbgj2
  • SHA256: 139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

Malware Config

Extracted

  • Path: C:\odt\ia7txw90.info.txt
  • Family: sodinokibi

Ransom Note

Hello dear friend!
Your files are encrypted, and, as result you can't use it.
You must visit our page to get instructions about decryption process.
All encrypted files have got ia7txw90 extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FE0C29C537756C48

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/FE0C29C537756C48

Page will ask you for the key, here it is:
Un9lMg+UnPQuM1Ap54fW8uZRJ9UQ71S9x5k36psZ4SwbMf7SyaU37/b53hxoRU0i
F+NUpDAa2MIkjT9qWuAX0XadXCbzrjjDN+fOhHbdAv3rxuMDF4pOmkO8Xt/OT9bP
figkCsrp6ymQXXvUWYh8CtRJaPTSuMutG/sbMP3s+rG/l5kuMNZx8Ir9c60soGVa
0njlTAG6aOIv1W7eoKQOLVXmVI9rd3PB+HK56GjAO5aBQveO74KKwORDicMoLKIh
8EleYTA/ACRZHgD9T+1sioY/hVbVYt5Tz2Dz9wGT848uivogmWIXnLT6CncS50wG
asreU2DMsOM1jmDI/Ue9RLIYF2+phIur+1QinjwslIBendYtGmShkn21Etj0lZzI
F9zzxo3VoIbSvRRK9oA/gEGBcFEepu5Qsk7VUxkWG/zPRAvnDP3pdPUFIvGa1mP4
h5Jos2avNZgUbBI5XfCfcpMn72WEWX3SmYULHHHXWzsjOIAJ7Dp64Dy0m8Zlf5fn
HYzDuzZlSilVyxBr52Hzjm18nTjirSych5uYXMwQMtlxzThr+zZ4B1TUqAcPb7TK
nlAWJoJtNvjqVhanLn5jT/9mZTK9erBIbWTmZoYP7cS8tK3ezN/pVAq66RZ7q4IX
o0myhgih5G6qi9XwAwGoGJaVkyrt++nw+lIAoceQatrgshpx/YSOkMlfG89d2wik
bIf16RhREtNGFS4ljbBeWE+6nsm3pAfqpgHaZT0yZrwVENyrQzmF6vozFap7FY2G
CmTMWFYpCAOKJtntrJ9hD8fEH5A8cSmRC3HiOcqBL/jAVnN1nKcpsBqKhQj6Wo3N
Gie1SR/3Tc9CRYEHeXG2bDeHaeXyLE0/BZKANC182eTbk1Ionhl0jBegZLM+HqJC
bKq1Uuhqcip+xBpMj4Y3JipEVaErNRsO5JlaYYSquG8eJi7jxdbzgIZxJkfU7O5Z
pQgi6TAIA7P6DDaBl0HOREyJpzwYugy5puHoRZfCwpYSceRDqRz8BUvFt5NTRHJg
9iemA1lvFFsjGFqoksSvr0851NWXyfiPKL5ucNxV1guo67BQq4hkB7yYl/7293L0
mQv0PnomUbY=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FE0C29C537756C48

http://decryptor.top/FE0C29C537756C48

Signatures

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Deletes shadow copies (2 TTPs, 1 IoC)
  • Drops file in Windows directory (2109 IoCs)
  • Checks system information in the registry (2 TTPs, 2 IoCs)

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Discovering connected drives (3 TTPs, 6 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
    "C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Discovering connected drives
    PID: 4960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      • Suspicious use of WriteProcessMemory
      PID: 988
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        • Deletes shadow copies
        PID: 4424
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    • Suspicious use of WriteProcessMemory
    PID: 5040
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      PID: 5072
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID: 2088
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    • Discovering connected drives
    PID: 4688
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    PID: 4628
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    PID: 4252
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    PID: 4148
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    PID: 5104

Network

MITRE ATT&CK Enterprise v6
