Analysis
-
max time kernel
137s -
max time network
137s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
06-05-2020 20:33
Static task
static1
Behavioral task
behavioral1
Sample
ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Resource
win10v200430
General
-
Target
ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
-
Size
115KB
-
MD5
63a945da1a63a8e56e8220c4ccf7fd0c
-
SHA1
a99cf1a2426edeac97c789d0a4b7d38606d7aa45
-
SHA256
ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195
-
SHA512
34006d84587ea90e243ebe0dd6bde8bd502ed688001a412898cd4e4c16a5de5788a9fa4c53d3ea79e4307adaa74496e05b205bf9717ac833db976551b1a7c89c
Malware Config
Extracted
C:\5h048-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BC069A7E158C2157
http://decryptor.cc/BC069A7E158C2157
Signatures
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\o4jcu9.bmp" ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe Token: SeDebugPrivilege 1804 powershell.exe Token: SeBackupPrivilege 2880 vssvc.exe Token: SeRestorePrivilege 2880 vssvc.exe Token: SeAuditPrivilege 2880 vssvc.exe Token: SeTakeOwnershipPrivilege 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe -
Suspicious behavior: EnumeratesProcesses 77 IoCs
Processes:
ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exepowershell.exepid process 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1804 powershell.exe 1804 powershell.exe 1804 powershell.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exedescription pid process target process PID 1492 wrote to memory of 1804 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe powershell.exe PID 1492 wrote to memory of 1804 1492 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe powershell.exe -
Drops file in Program Files directory 14 IoCs
Processes:
ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exedescription ioc process File created \??\c:\program files (x86)\5h048-readme.txt ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\GroupEnable.asf ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\MoveRedo.kix ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\ShowNew.wav ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\UpdateUnpublish.rtf ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\ResolveHide.tif ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\UnprotectUnregister.avi ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\AddReceive.vsw ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\BlockStop.mpeg2 ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\ClearProtect.M2V ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\SelectRestart.potm ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File created \??\c:\program files\5h048-readme.txt ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\RestoreOut.jpe ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe File opened for modification \??\c:\program files\SelectDismount.jpeg ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe"C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe"1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
PID:1492 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1804
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2028
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2880