Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7v200217
  • submitted
    09-03-2020 19:08

General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

  • Size

    157KB

  • MD5

    b488bdeeaeda94a273e4746db0082841

  • SHA1

    5dac89d5ecc2794b3fc084416a78c965c2be0d2a

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • SHA512

    2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Malware Config

Extracted

Path

C:\Recovery\i7bsz6dkt9.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got i7bsz6dkt9 extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/581889A04001A92A

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/581889A04001A92A

Page will ask you for the key, here it is:
2lbJ6KFBGJKJNHbGXuUljGMb7IVDa4YavjFrIHnpSVr71b9KOVh7fGDrAZKsHBMn
Vav6UZ4LaFm1yduWaee5whswDFjl4SUInTECxllXZq32X24EK6WoLpXgEe93eoD6
G77lK+8NTrI867b8eI8WrDYwpjjVvh0TADqAXLzwsJpdYIOzG2z9QGxfbUeVmCXg
qvsrBvWI3R/WMWNg+hvJKpCKp7Kh6feYgNLNc4PY4varkELCuTe3MdKQqqedS0lE
ZpVABVJSsEDXXPLEbWoUAQ4kmeqA6QtUxZkN+AocAgkzuaiUltXlbt7pLTBcD4k4
PxUq4FExZv0NIAXeZ4W/rpya3+t1D2MEC5SDfrfgC+ltykhvgR0yZgNX6K46+Qo6
nJdVfl23ZGTl4eTbovd1kAqx6J3e5MOr9+z1pEnnQLlvvRJAw7R0PhsdazHOOAMD
JWC01yB9Ml4fFmvdKBMQ5OQZinwSddxbFrG3hHp9SepEqNBC+JOQLu7EiwLa1uj6
BvIfg5xAfWKdagUCSpmbU53qNyhkKAmZ504r0AiYcN6nr4PFjkCCl+RLq4ymVR9i
R76m+XVi+xmi8PX5tcrUlszAaMRU28lVbri4DzGhQWDCO64kQPCI2A6kqcfDHx2G
uCfr3/EGNMkBOKALZZcmezlkNZZXuOjgDIgYV6Ojys3E8iZ5ebDYsIs9m/eJkint
eLhkq6si228mpxFfhj+coDOp4Ktp4ShVV0DYwLnpRpPUQP3ksvUKE8VL1yJ8jdvX
wqEA/F+2W19PlHdO1K4n67uDFjYBIZsrlQSGjp7aHm768W4dDR5l3NejPKpJ6EVi
JmVGkqMqjKAyskhi/Q5TPQ1ssRZSTfqyWlrTsW+e8v7XVCTvak6ZDfl4ZUNjt32H
s8vsg20O3YRFsSeB5b3NxAv5LyuYw2s2FmcNc5XMGJy3E0oA4OnGCB3z53f8pMl0
MFdDlaUyyqx00nJwAVE8dakthl4iTbztj2LDHX7RHkeHvNUN0XFUO9tn/fHFuuEe
TRXuKkSbSWLdf3gtNVyT5+L+rjOgxRmX3IiGuiFbXNA55uzwnY7uO2OM0HezzWFF
Yei5DoxtUFQVpCCkyX59AwzeqsBYy+AZ

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/581889A04001A92A

http://decryptor.top/581889A04001A92A
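The extracted note above carries the indicators an analyst normally pulls out by hand: the per-victim file extension, the Tor and clearnet payment URLs, the victim ID that both URLs share, and the base64 key blob. The following parser is an added example, not part of the sandbox report or the sample; NOTE is the report's note text with line breaks restored by hand (the report shows it as one line, and the key is wrapped at its 64-character base64 boundaries), and the parser only normalises whitespace, so it accepts the one-line form unchanged.

```python
"""Parse a Sodinokibi/REvil ransom note into machine-readable indicators.

Added example, not code from the sandbox report. NOTE is the text the report
extracted from the dropped note i7bsz6dkt9.info.txt, with its line breaks
restored; the parser normalises whitespace, so the one-line form from the
report parses identically.
"""
import re
from urllib.parse import urlparse

NOTE = """\
Hello dear friend! Your files are encrypted, and, as result you can't use it.
You must visit our page to get instructions about decryption process.
All encrypted files have got i7bsz6dkt9 extension.
Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/581889A04001A92A
Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/581889A04001A92A
Page will ask you for the key, here it is:
2lbJ6KFBGJKJNHbGXuUljGMb7IVDa4YavjFrIHnpSVr71b9KOVh7fGDrAZKsHBMn
Vav6UZ4LaFm1yduWaee5whswDFjl4SUInTECxllXZq32X24EK6WoLpXgEe93eoD6
G77lK+8NTrI867b8eI8WrDYwpjjVvh0TADqAXLzwsJpdYIOzG2z9QGxfbUeVmCXg
qvsrBvWI3R/WMWNg+hvJKpCKp7Kh6feYgNLNc4PY4varkELCuTe3MdKQqqedS0lE
ZpVABVJSsEDXXPLEbWoUAQ4kmeqA6QtUxZkN+AocAgkzuaiUltXlbt7pLTBcD4k4
PxUq4FExZv0NIAXeZ4W/rpya3+t1D2MEC5SDfrfgC+ltykhvgR0yZgNX6K46+Qo6
nJdVfl23ZGTl4eTbovd1kAqx6J3e5MOr9+z1pEnnQLlvvRJAw7R0PhsdazHOOAMD
JWC01yB9Ml4fFmvdKBMQ5OQZinwSddxbFrG3hHp9SepEqNBC+JOQLu7EiwLa1uj6
BvIfg5xAfWKdagUCSpmbU53qNyhkKAmZ504r0AiYcN6nr4PFjkCCl+RLq4ymVR9i
R76m+XVi+xmi8PX5tcrUlszAaMRU28lVbri4DzGhQWDCO64kQPCI2A6kqcfDHx2G
uCfr3/EGNMkBOKALZZcmezlkNZZXuOjgDIgYV6Ojys3E8iZ5ebDYsIs9m/eJkint
eLhkq6si228mpxFfhj+coDOp4Ktp4ShVV0DYwLnpRpPUQP3ksvUKE8VL1yJ8jdvX
wqEA/F+2W19PlHdO1K4n67uDFjYBIZsrlQSGjp7aHm768W4dDR5l3NejPKpJ6EVi
JmVGkqMqjKAyskhi/Q5TPQ1ssRZSTfqyWlrTsW+e8v7XVCTvak6ZDfl4ZUNjt32H
s8vsg20O3YRFsSeB5b3NxAv5LyuYw2s2FmcNc5XMGJy3E0oA4OnGCB3z53f8pMl0
MFdDlaUyyqx00nJwAVE8dakthl4iTbztj2LDHX7RHkeHvNUN0XFUO9tn/fHFuuEe
TRXuKkSbSWLdf3gtNVyT5+L+rjOgxRmX3IiGuiFbXNA55uzwnY7uO2OM0HezzWFF
Yei5DoxtUFQVpCCkyX59AwzeqsBYy+AZ
"""

EXTENSION_RE = re.compile(r"All encrypted files have got (\S+) extension")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
KEY_RE = re.compile(r"here it is:\s*(.*)\Z", re.S)
VICTIM_ID_RE = re.compile(r"[0-9A-F]{16}")  # the 16-hex path segment both URLs share


def _is_onion(url):
    return (urlparse(url).hostname or "").endswith(".onion")


def parse_note(text):
    """Return extension, URLs (Tor vs. other), victim ID and the joined key."""
    ext = EXTENSION_RE.search(text)
    urls = URL_RE.findall(text)
    key_match = KEY_RE.search(text)
    # The key is base64 wrapped at 64 columns; removing the wrapping is the
    # only change, so the result compares byte-for-byte across samples.
    key = re.sub(r"\s+", "", key_match.group(1)) if key_match else None
    victim_ids = {
        seg
        for u in urls
        for seg in urlparse(u).path.split("/")
        if VICTIM_ID_RE.fullmatch(seg)
    }
    return {
        "extension": ext.group(1) if ext else None,
        "tor_urls": [u for u in urls if _is_onion(u)],
        "other_urls": [u for u in urls if not _is_onion(u)],
        "victim_id": victim_ids.pop() if len(victim_ids) == 1 else None,
        "key": key,
    }


if __name__ == "__main__":
    for name, value in parse_note(NOTE).items():
        print(f"{name}: {value if name != 'key' else value[:32] + '...'}")
```

The victim ID is taken only from path segments that look like the 16-hex identifier, so the torproject.org download link does not pollute it, and the key is returned unwrapped so that two samples from the same campaign can be compared directly.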

Signatures

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Drops file in Windows directory 3276 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Discovering connected drives 3 TTPs 5 IoCs
  • Modifies service 2 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
    "C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
    1⤵
    • Modifies system certificate store
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Sets desktop wallpaper using registry
    • Discovering connected drives
    PID:1832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1876
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1900
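The process tree above is the whole T1490 story in three lines: the sample spawns cmd.exe, which deletes every shadow copy and then turns off Windows recovery and the boot-failure prompt with bcdedit. The following detection logic is an added example, not code from the sandbox or the sample; SAMPLE_TREE is transcribed from the tree above (PIDs 1832, 1852, 1876, 1900), with parent PIDs inferred from the tree's nesting rather than stated by the report, and the wmic rule covers a common alternative that this report does not show.

```python
"""Flag T1490 (Inhibit System Recovery) command lines in a sandbox process tree.

Added example, not code from the sandbox or the sample. SAMPLE_TREE is
transcribed from the report's process tree; the ppid values are inferred
from the nesting the report draws, not stated numerically by the report.
"""
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"

# Constructed from the report's process tree (image, command line, PID).
SAMPLE_TREE = [
    {"pid": 1832, "ppid": None, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 1852, "ppid": 1832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
                r'& bcdedit /set {default} recoveryenabled No '
                r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 1876, "ppid": 1852, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1900, "ppid": None, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# Case-insensitive because cmd.exe and these tools accept any casing
# ("Delete Shadows" in the report, "delete shadows" elsewhere).
RECOVERY_INHIBITION_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",  # common variant, not present in this report
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit disables recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit ignores boot failures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Leading `"...\cmd.exe" /c ` or `cmd.exe /k ` wrapper, quoted or not.
_CMD_PREFIX = re.compile(r'^\s*"?[^"]*?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)


def split_commands(cmdline):
    """Strip a cmd.exe /c wrapper and split on cmd's &, && and || chaining."""
    body = _CMD_PREFIX.sub("", cmdline, count=1)
    return [p.strip() for p in re.split(r"\s*(?:&&|\|\||&)\s*", body) if p.strip()]


def match_rules(cmdline):
    """Rule names hit by any sub-command, in rule order, without duplicates."""
    hits = []
    for sub in split_commands(cmdline):
        for name, rx in RECOVERY_INHIBITION_RULES:
            if rx.search(sub) and name not in hits:
                hits.append(name)
    return hits


def scan_process_tree(records):
    """Map pid -> {rules, ancestry} for every matching process.

    ancestry walks ppid links up to the root so the analyst sees which
    process (here the sample itself) is ultimately responsible.
    """
    by_pid = {r["pid"]: r for r in records}
    findings = {}
    for rec in records:
        hits = match_rules(rec["cmdline"])
        if not hits:
            continue
        chain, cur = [], rec
        while cur is not None:
            chain.append(cur["pid"])
            cur = by_pid.get(cur["ppid"])
        findings[rec["pid"]] = {"rules": hits, "ancestry": chain}
    return findings


if __name__ == "__main__":
    for pid, f in scan_process_tree(SAMPLE_TREE).items():
        print(pid, " <- ".join(map(str, f["ancestry"])), f["rules"])
```

Both the cmd.exe line (PID 1852) and the vssadmin.exe child (PID 1876) fire, and each is traced back to the sample at PID 1832. vssvc.exe (PID 1900) is the Volume Shadow Copy service that services the deletion request; it is correctly not flagged on its own command line, which is why the report attributes "Modifies service" and AdjustPrivilegeToken to it rather than a shadow-copy rule.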

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Technique (ID): number of triggered signatures mapped to it.

  • Persistence
    • Modify Existing Service (T1031): 1
  • Defense Evasion
    • Install Root Certificate (T1130): 1
    • Modify Registry (T1112): 3
    • File Deletion (T1107): 2
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1
  • Impact
    • Inhibit System Recovery (T1490): 2
    • Defacement (T1491): 1
