Analysis
- max time kernel: 107s
- max time network: 107s
- platform: windows7_x64
- resource: win7v200410
- submitted: 13-04-2020 20:54

Static task: static1

Behavioral task: behavioral1
- Sample: 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
- Resource: win7v200410

Behavioral task: behavioral2
- Sample: 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
- Resource: win10v200410
General
- Target: 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
- Size: 231KB
- MD5: 2fbaf37aad337e407fe8ea80cc3ab763
- SHA1: 098234f0f7a009728f38e91153abc34d87c18795
- SHA256: 3685ce874b1abef3448d4c50ea0371e31a78afbae09287d3ff5d25953091659c
- SHA512: a1f84ac10370f7a0ce8202a5c9f511faec84f405e4ba1dacd6e7bf851a49a1228b8f70f680c3106982834d326aab3a4f13a86406be65ecc753da486be003450d
Malware Config
Extracted
- Path: C:\15u463-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/36B564197A3EF9EC
  - http://decryptor.cc/36B564197A3EF9EC
Signatures

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Drops file in Program Files directory (16 IoCs)
Processes: 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\DisableUndo.au3 | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\JoinClear.pptm | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\SuspendGet.odt | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\15u463-readme.txt | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File created | \??\c:\program files (x86)\15u463-readme.txt | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\CompleteUninstall.dotx | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\LimitGrant.snd | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File created | \??\c:\program files\microsoft sql server compact edition\15u463-readme.txt | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\RegisterUnregister.mpg | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\SaveRepair.emz | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File created | \??\c:\program files\15u463-readme.txt | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\UpdateUnpublish.xht | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\ConvertToRestore.ttc | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\EnableSync.edrwx | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened for modification | \??\c:\program files\SwitchUnprotect.wm | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\15u463-readme.txt | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0ed.bmp" | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 2024 | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  Token: SeDebugPrivilege | 824 | powershell.exe
  Token: SeBackupPrivilege | 748 | vssvc.exe
  Token: SeRestorePrivilege | 748 | vssvc.exe
  Token: SeAuditPrivilege | 748 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 2024 | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe, powershell.exe
  pid | process
  2024 | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  824 | powershell.exe
  824 | powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  description | pid | process | target process
  PID 2024 wrote to memory of 824 | 2024 | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe | powershell.exe
  PID 2024 wrote to memory of 824 | 2024 | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe | powershell.exe
  PID 2024 wrote to memory of 824 | 2024 | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe | powershell.exe
  PID 2024 wrote to memory of 824 | 2024 | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe | powershell.exe
Discovering connected drives (3 TTPs, 6 IoCs)
Processes: 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe, powershell.exe
  description | ioc | process
  File opened (read-only) | \??\A: | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened (read-only) | \??\B: | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened (read-only) | \??\E: | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened (read-only) | \??\F: | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  File opened (read-only) | \??\C: | powershell.exe
  File opened (read-only) | \??\C: | 3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3685CE874B1ABEF3448D4C50EA0371E31A78AFBAE09287D3FF5D25953091659C.exe"
  PID: 2024
  - Drops file in Program Files directory
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Discovering connected drives
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all volume shadow copies, which is what triggers the vssvc.exe activity below)
    PID: 824
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Discovering connected drives
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 816
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 748
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken