Analysis

  • max time kernel
    140s
  • resource
    win10v191014
  • submitted
    16-12-2019 10:55

General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

  • Sample

    191216-4rcmytrrka

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

Malware Config

Extracted

  • Path
    C:\odt\0c82fz.info.txt
  • Family
    sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 0c82fz extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9071BEAE98BFF0B5

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/9071BEAE98BFF0B5

Page will ask you for the key, here it is:
e9sQ0AC6dLlu9XCkIJ3uqyP84i4Nq659fDiTSzUBcI3zh9GLggkQSRJw97HFyigA
ImRyJK0Kfs+jDWQ7qdp5wGh2w08vt/181VmYnf5LSbM9zgjchVdXfZ/GuSGimKw7
AaBCPU8ynYn/o8CoeVBhc44Io5TyuDWZ2kl+V4PtXGpQiCmzfvyAkjAD9+/3vtBo
LKOu4+sK1I8bvwFALFEmLdECoTJ+sDLb1LVn+h8iFGwcwPaa2Xt82R3gjm7PmRl+
DOpIS3yKF/ji/nR85uQgdfOg+KIGG22+JGOhK+GNsqaf+WwQyuJPw/+4Q22+Ev7W
o0LEO3gauJzv0jsrxshwDjpTnK5pH6ZI5Q5Ykmn7oVmri6L493P5uEiBMkplgZcT
66/Ohws7HocRdpHnevIqN7j/7YSKVzsvn6bUr894XQHqx/dXDoqTd/2xMVwVMBA3
YOeH+9hrPbqkx/rv1o+cqZXZ5hFUtfeeJqkrIALfF6DVyi7KzOAFowgBjH5L89CZ
i1U1qXwPhUeEB6UImmBB53nR1FI2H1BEIiUolBuuK5kP9BpxH4znvuItMCZmNlIL
MuZhZpMc8mtb9yMAg/8GnggpU1WOL+rpn4evJtzy67yK/Ioi0eXzhCYP5C6hhpp6
Zw5hqlIdXy6FjgIhIU8fdIdJMa0BZt+9HGKRIMIfxDkNLMwhi4zhUG/hUao34PON
tkgKkxpht8S/JjYVHUwdW9lvFwY4bd8X+/v0zJp8vOnPmylsJVyada+ZXX/0d27v
4msX4T5uPYecfoALX7DSCzQuu/Q6pGpZks/HHwwUGA+fMgMYewce6pKQ9lwlW91F
487tO32cYN7tzL928FHnw/uPRyHq/806IKmHdGjmIT3i692aLgY9qitL63dpim8F
jwG/9Vz5TBEEnIfrASRVg3ftO2cBjNFAd+GwzH5RYjeF1JXoyGuTMDgrggZUPMD7
rfnIarRFge2x1YFnKs2WK9XXtfCIUtSXxf5TZjfXrKkjbnPC6Ca+e/ptXt23js8D
dLmfZ2pW+YEgf4qaMYrMpRhH5VNEBnGVjY1VpPyRVIknL3cj9W5kwtY30rUFJIX/
5X3l8zTBg+U=

URLs

  • http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9071BEAE98BFF0B5
  • http://decryptor.top/9071BEAE98BFF0B5

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 2 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Drops file in Windows directory 2109 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Discovering connected drives 3 TTPs 6 IoCs
  • Deletes shadow copies 2 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
    "C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops file in Windows directory
    • Discovering connected drives
    PID:4944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:1692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1064
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
      PID:4388
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Discovering connected drives
    PID:4720
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    1⤵
    PID:4284
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    1⤵
    PID:512
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    1⤵
    PID:4820
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    1⤵
    PID:4572

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Modify Registry (3) T1112
    • Disabling Security Tools (1) T1089
    • Install Root Certificate (1) T1130
    • File Deletion (1) T1107
  • Discovery
    • Query Registry (2) T1012
    • System Information Discovery (2) T1082
    • Peripheral Device Discovery (1) T1120
  • Impact
    • Defacement (1) T1491
    • Inhibit System Recovery (1) T1490

Downloads

  • memory/4720-0-0x000002725BAE0000-0x000002725BAE1000-memory.dmp
    Filesize: 4KB