Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    130s
  • resource
    win10v191014
  • submitted
    16-12-2019 10:54

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

  • Sample

    191216-8bfljdyw2s

  • SHA256

    0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

Score
10/10
evasiontrojanransomwaresodinokibi

Malware Config

Extracted

Path

C:\odt\05z6g30p91-readme.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 05z6g30p91 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCFA73F317FB2A2B Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/BCFA73F317FB2A2B Page will ask you for the key, here it is: 1luXfGTkEwWQEz6sd/8wsYyITv08IJCgV4n63zFszJ1M+vuZ8En6VnJ6fDSbgmzJ j2GneOwL6/kLRl5YuSjIVygCJEGNy4dE7xKLrf8BCoEb/7X3ODd98JqPAsF5+cRm 7TeQKgDXOBbd+gTjjgG9MWNMfylZJqriAHwKuyEILoY8cnWDWzUBEVRoVEJyzQVf +rJP3+qnZwje6c1P5YaTiw3jBcC1ATJ01rjTPrI1QUXtzfou62qFvtsKTcA4wcDO P0wz7n8VtkG92y8UABFWwqNwtOx0jTyQj3nZ0+aW0HgNVAPXU94FNIOT2JViqXyz QZxvKf+ZAnwhWvGL8823XzFwmm2/LkiHo2pMHFQT0kU8sSjD3Wrk7yds++0nVtsw u3baAlrLOqFrekauX5KKYiF2o6twrIkpRM+PooFSW77Ni8bJrYFf92x4PC4y+3A/ wXbqvXSJitZoKteh3zxDtPE0J0OFevbyhjRypK45VLV+XOTCUiwgSUx4pP6lNGD6 oHJCbDZl8EW2a0jCw4+Y6s51De781/9zIngLMIOGiTa27CoT4KGYBbOFJJI4cJ3h QN9eLPYzdikCflruD6PwA7YMskCsjkVpQBm/pTSxN1aWAMzD3z7G8BE+TvEz+ks6 WCtMU5ELznvexxOwN6H7awZXBw/UlF0Q35Dp4fX0D+coLOKK7f2cWuWzG8KUIwOI +58tnJaY4XTyxfE7Ib7X2CbfzMHCZrH0EYzucoqSf1noVduoqX1iUfKEJlUFwJ36 0MJCTqeiv6lUOJirwh1w/rrgRgVmVkBebUSRO+J0BRepQbGUP7V2Y8iOvy/Jnq2q Wej65g2UgggOQGOwlSF1iQY90JoUiwJq808yA33juiEHoMqPmSwC20doAbmlsUsG 972Y/Qu0Uybn1NmwFdPshJEEeosNLVkyANxhwJCn019kBDgZdDbqt/fY2hdAuL/M jL8XN4lrJLkWC73VhVsPVuUDDfcNhkv7RuZC4gMZ7nsqI0HB1VUCXUn+Z+0+Hk4j ORZ/cSBwg+zw+GJh9DqBIOpucHL1bMuaxzUocZe0+H2sGEzjQur3MewsIJH6gZy2 UPj94fsn
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCFA73F317FB2A2B

http://decryptor.top/BCFA73F317FB2A2B

Signatures

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 2109 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

    ransomwaresodinokibi
  • Discovering connected drives 3 TTPs 6 IoCs
    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
    "C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Discovering connected drives
    PID:4992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:324
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:68
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4328
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
        PID:4424
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Discovering connected drives
      PID:4384
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
      1⤵
        PID:4304
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
        1⤵
          PID:4904
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k unistacksvcgroup
          1⤵
            PID:4608
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
            1⤵
              PID:3516

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/4992-0-0x000000000055B000-0x0000000000579000-memory.dmp

              Filesize

              120KB

              Download