Analysis
- max time kernel: 101s
- max time network: 103s
- platform: windows10_x64
- resource: win10v200430
- submitted: 09-05-2020 14:48

Static task: static1

Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: 1.exe
- Resource: win10v200430

Errors

General
- Target: 1.exe
- Size: 234KB
- MD5: f084eae234967eded358d98d11aed693
- SHA1: e841d89f5605108f6304d50ebb384aa62ec3ecaa
- SHA256: adef0855d17dd8dddcb6c4446e58aa9f5508a0453f53dd3feff8d034d692616f
- SHA512: 8d66f0319741f4daad87919a3f48605e7f81a5556009c8575ae0aff95c2ddd78116bdaf74e10509a6f908f45e0155c71eb320274154c7016cbb72a09d5618d59
Malware Config

Extracted
- Path: C:\1zac11n-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/73F0511197A918F7
  - http://decryptor.top/73F0511197A918F7
Signatures

Enumerates connected drives (3 TTPs)

Drops file in Program Files directory (35 IoCs)
Processes: 1.exe
description | ioc | process
File opened for modification | \??\c:\program files\SubmitOpen.asp | 1.exe
File opened for modification | \??\c:\program files\WriteConvert.7z | 1.exe
File opened for modification | \??\c:\program files\SplitOpen.wax | 1.exe
File opened for modification | \??\c:\program files\SubmitInstall.ppsx | 1.exe
File opened for modification | \??\c:\program files\UnpublishWait.mhtml | 1.exe
File opened for modification | \??\c:\program files\UseSet.kix | 1.exe
File opened for modification | \??\c:\program files\GetUnpublish.search-ms | 1.exe
File opened for modification | \??\c:\program files\ResizeGrant.ttf | 1.exe
File opened for modification | \??\c:\program files\CheckpointInstall.au3 | 1.exe
File opened for modification | \??\c:\program files\PopMeasure.mht | 1.exe
File opened for modification | \??\c:\program files\UninstallSend.wma | 1.exe
File opened for modification | \??\c:\program files\AddReset.xltm | 1.exe
File opened for modification | \??\c:\program files\ApproveCompress.wvx | 1.exe
File opened for modification | \??\c:\program files\ClearResolve.xml | 1.exe
File opened for modification | \??\c:\program files\ShowExport.jfif | 1.exe
File opened for modification | \??\c:\program files\EnterClear.ttc | 1.exe
File opened for modification | \??\c:\program files\JoinMove.vst | 1.exe
File opened for modification | \??\c:\program files\ResizeUpdate.docx | 1.exe
File opened for modification | \??\c:\program files\UninstallStart.xla | 1.exe
File created | \??\c:\program files\1zac11n-readme.txt | 1.exe
File opened for modification | \??\c:\program files\CompareRegister.rtf | 1.exe
File opened for modification | \??\c:\program files\PublishEnable.mov | 1.exe
File opened for modification | \??\c:\program files\RedoWrite.html | 1.exe
File opened for modification | \??\c:\program files\RestoreUse.vst | 1.exe
File opened for modification | \??\c:\program files\UnprotectConvertFrom.3gpp | 1.exe
File opened for modification | \??\c:\program files\ClearAdd.html | 1.exe
File opened for modification | \??\c:\program files\FindRequest.3gp | 1.exe
File opened for modification | \??\c:\program files\ResolveOptimize.wm | 1.exe
File opened for modification | \??\c:\program files\UnblockSet.rar | 1.exe
File created | \??\c:\program files (x86)\1zac11n-readme.txt | 1.exe
File opened for modification | \??\c:\program files\RequestOut.ram | 1.exe
File opened for modification | \??\c:\program files\ResumeLimit.vssx | 1.exe
File opened for modification | \??\c:\program files\UnlockSend.scf | 1.exe
File opened for modification | \??\c:\program files\ApproveReceive.mpeg2 | 1.exe
File opened for modification | \??\c:\program files\RepairCheckpoint.rtf | 1.exe
Modifies registry class (1 IoC)
Processes: OpenWith.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings | OpenWith.exe
Modifies data under HKEY_USERS (15 IoCs)
Processes: LogonUI.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3744 | powershell.exe
Token: SeBackupPrivilege | 3304 | vssvc.exe
Token: SeRestorePrivilege | 3304 | vssvc.exe
Token: SeAuditPrivilege | 3304 | vssvc.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: 1.exe
description | pid | process | target process
PID 2556 wrote to memory of 3744 | 2556 | 1.exe | powershell.exe
PID 2556 wrote to memory of 3744 | 2556 | 1.exe | powershell.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: OpenWith.exe, LogonUI.exe
pid | process
1304 | OpenWith.exe
3180 | LogonUI.exe
3180 | LogonUI.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 1.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\799c0zbg82st.bmp" | 1.exe
Modifies Winlogon (2 TTPs, 1 IoC)
Processes: LogonUI.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | LogonUI.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: 1.exe, powershell.exe
pid | process
2556 | 1.exe
2556 | 1.exe
3744 | powershell.exe
3744 | powershell.exe
3744 | powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  PID: 2556
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 1.exe, PID 2556)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (the -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which is the shadow-copy deletion that explains the vssvc.exe activity and the SeBackupPrivilege/SeRestorePrivilege use recorded above)
    PID: 3744
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2868

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3304
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1304
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad6055 /state1:0x41c64e6d
  PID: 3180
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Modifies Winlogon