Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10
submitted: 22-06-2020 14:58

Static task: static1
Behavioral task: behavioral1
  Sample: 145ba213336bbb05c09d2bcf198aa3bd.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 145ba213336bbb05c09d2bcf198aa3bd.exe
  Resource: win10

General
Target: 145ba213336bbb05c09d2bcf198aa3bd.exe
Size: 416KB
MD5: 145ba213336bbb05c09d2bcf198aa3bd
SHA1: 517dc0d3d853c09fd7cb69aa85fc8f37b9bf3a87
SHA256: 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986
SHA512: 1868d5e625f2fb48f1ca59a34d6b0ebee612d5c657adc349ddc9b5984409e0e9844f5a31f81a1f1e1234e44064f695de07843f1fad3aad54e051e6620127a4b1
Malware Config
Extracted
  Ransom note path: C:\odt\d31985o9-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/79BD66702E965ACE
    http://decryptor.top/79BD66702E965ACE
Both URLs end in the same identifier (79BD66702E965ACE), so the Tor hidden-service address and the clear-web domain point at the same victim entry on the payment site; the .onion host is a v3 (56-character) hidden-service address.
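Before the extracted URLs go into a blocklist or a case file it is worth checking that the onion address is well formed and that both URLs really carry the same victim identifier. The following is an added example written for this page, not code from the sandbox or from the malware; it decodes the v3 onion host using the layout and checksum rule from Tor's rend-spec-v3 (base32 of 32-byte public key, 2-byte checksum, 1-byte version) and splits each URL into transport class and key ID. The only inputs are the two URLs listed above.

```python
import base64
import hashlib
from urllib.parse import urlparse

# The two URLs from the extracted config above, copied verbatim.
EXTRACTED_URLS = [
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/79BD66702E965ACE",
    "http://decryptor.top/79BD66702E965ACE",
]


def parse_v3_onion(host):
    """Decode a v3 hidden-service hostname as laid out in Tor's rend-spec-v3:
    base32(pubkey[32] || checksum[2] || version[1]) + ".onion", with
    checksum = SHA3-256(".onion checksum" || pubkey || version)[:2].
    Returns a dict, or None if the host is not shaped like a v3 onion."""
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")]
    if len(label) != 56:            # 35 bytes -> exactly 56 base32 characters
        return None
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return {"pubkey": pubkey, "version": version, "checksum_ok": checksum == expected}


def classify(url):
    """Split one extracted URL into host, transport class and the key ID in its path."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    onion = parse_v3_onion(host)
    return {
        "host": host,
        "transport": "tor" if host.endswith(".onion") else "clearnet",
        "v3_wellformed": bool(onion and onion["version"] == 3 and onion["checksum_ok"]),
        "key_id": p.path.strip("/"),
    }


def shared_key_id(urls):
    """Return the key ID if every URL carries the same one, else None."""
    ids = {classify(u)["key_id"] for u in urls}
    return ids.pop() if len(ids) == 1 else None


if __name__ == "__main__":
    for u in EXTRACTED_URLS:
        print(classify(u))
    print("shared key id:", shared_key_id(EXTRACTED_URLS))
```

A v3 onion that fails the checksum is usually a transcription error in the report or a decoy string in the config, which is why the check belongs before the address is distributed as an indicator.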
Signatures

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  PID 2896 145ba213336bbb05c09d2bcf198aa3bd.exe (12 hits)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 2896 145ba213336bbb05c09d2bcf198aa3bd.exe wrote to memory of PID 3836 cmd.exe (3 hits)
  PID 3836 cmd.exe wrote to memory of PID 996 vssadmin.exe (3 hits)
Each target is the writer's own newly created child (see the process tree below), so these writes are consistent with ordinary process start-up rather than injection into a pre-existing process.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 996 vssadmin.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 2896 145ba213336bbb05c09d2bcf198aa3bd.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeBackupPrivilege   PID 3832 vssvc.exe
  Token: SeRestorePrivilege  PID 3832 vssvc.exe
  Token: SeAuditPrivilege    PID 3832 vssvc.exe

Modifies service (2 TTPs, 4 IoCs)
Processes:
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
Both of these signatures fire on vssvc.exe, the Volume Shadow Copy service, which the Service Control Manager started to serve the vssadmin request. Enabling backup/restore privileges and writing its own VSS\Diag writer keys is the service's normal behaviour when it handles a shadow-copy operation; the malicious action is the vssadmin call from the sample's cmd.exe that triggered it, not anything vssvc.exe did on its own.
Drops file in Windows directory (2108 IoCs)
Processes (64 of 2108 shown; every entry is "File opened for modification" by 145ba213336bbb05c09d2bcf198aa3bd.exe, and every path shown is under C:\Windows\WinSxS\Backup):
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_71383c7ced7c7587_memtest.exe.mui_77b8cbcc
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directmanipulation_31bf3856ad364e35_10.0.15063.0_none_68849b6d0ebd999f.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_it-it_2e0498215340df5e_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.15063.0_none_fa7db1d69e32c652_winsku.dll_6e6c7799
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_10.0.15063.0_none_dff11f9f2a050a3f_w32topl.dll_1a0f388b
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-nirmalaui_regular_31bf3856ad364e35_10.0.15063.0_none_7ed69818195848c4.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.15063.0_none_6dc3296afdb08731.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_01db4feacaa336b9.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.15063.0_none_314522d34b560919.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_fe9533b44b551ea9.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_810921f84ce2cbc4.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profapi_31bf3856ad364e35_10.0.15063.0_none_0f5cdf3669d57e57_profapi.dll_d55ae499
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_10.0.15063.0_none_4921bb9511ea287a_sceregvl.inf_9fe633c0
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_cvgafix.fon_c20a9ed9
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..cs-client-extension_31bf3856ad364e35_10.0.15063.0_none_967718b9eaf79e2a_winbioext.dll_b698c00f
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smbminirdr_31bf3856ad364e35_10.0.15063.0_none_90a5466e89ec288b_mrxsmb.sys_cf1a02fc
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.15063.0_none_8dcaa66b34a35c05_winnsi.dll_53ccebf2
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_zh-tw_37f9af358af4f949.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.15063.0_none_cd56dce90e2409c7_samlib.dll_caeebf04
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5f76fb5d5934b9cf_fwremotesvr.dll_afaa5ea8
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.15063.0_none_7946d91d5ecb8a06_ncrypt.dll_0f36c580
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_bg-bg_b2fa0d00b493b950.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_tr-tr_fc701b8f57f23c7f.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-nirmalaui_regular_31bf3856ad364e35_10.0.15063.0_none_7ed69818195848c4_nirmala.ttf_2e14013a
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_es-es_d21d37cff862835d_memtest.exe.mui_77b8cbcc
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_nb-no_8d1e810c801783ea.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_lv-lv_182c8e682a72c4dc_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-pshed_31bf3856ad364e35_10.0.15063.0_none_775b66db9a440a77.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_en-us_473e623ce5a97e31_appidsvc.dll.mui_6717e231
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_el-gr_8f9125b021f304a0_bootmgfw.efi.mui_a6e78cfa
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_lt-lt_ce3b1a34396db477.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_b324b5ac254d7072_vds.exe.mui_2268d934
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.15063.0_none_74e72d87b68106ce_gdi32.dll_1f014d57
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_156aa3a91701e260_wuaueng.dll.mui_297f975d
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-es_5977f50474c0ba78.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-xmllite_31bf3856ad364e35_10.0.15063.0_none_a4a4021e107e099a_xmllite.dll_ce078c31
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_tr-tr_62a053e1dd4c4aba.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_en-us_6a6c9bb281748302.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_fr-ca_2ae4eb43198d1604_bootmgfw.efi.mui_a6e78cfa
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-schannel_31bf3856ad364e35_10.0.15063.0_none_332a24478e119029_schannel.dll_7364eaa8
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_fb5f79a44d5c1ae9_msimsg.dll.mui_72e8994f
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ro-ro_9eee956fea195b3b_msimsg.dll.mui_72e8994f
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.15063.0_none_7bfeabd9337d55a1_vdsutil.dll_f2ef43cf
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fr-ca_f4a5b54d6c6b3700_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-br_2835cecc79400925.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_67aabff02c2da9b2_iscsiexe.dll.mui_7d81b1cc
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gpuenergydriver_31bf3856ad364e35_10.0.15063.0_none_5f8d670fc6da540a_gpuenergydrv.sys_9567f543
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_40f4f6ac6faa981f.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_c53b9c03c7b5d8af_dciman32.dll_a41dd515
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base_31bf3856ad364e35_10.0.15063.0_none_1f020fb05f5437ab_combase.dll_a2567a6a
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fi-fi_c57ff9d901ccef55.manifest
  C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_en-us_987c8d6bc746e508.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.15063.0_none_505ddd3c336d55b8_setupapi.dll_8d9de2e7
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui_31bf3856ad364e35_10.0.15063.0_none_c809cce62764b8db_windows.ui.xaml.dll_9c9d9ec9
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_cvgasys.fon_a23acca1
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5522510b24d3f7d4_ipsecsvc.mof_713662d2
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_10.0.15063.0_none_de4c457aa62b389a.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.15063.0_none_6aa64f572618dbd7.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_10.0.15063.0_none_de44366355bc504a.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.15063.0_none_e8a0efccda8bfa95.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_vgafixt.fon_de219118
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_en-us_6f2b6a7eee701612_rasdiag.dll.mui_15cb4ec4
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.15063.0_none_43a8144aec22156f_wiarpc.dll_5aecac54
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_d90ce5ca72c0a37e_bootmgr.efi.mui_be5d0075
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oi8.bmp"  145ba213336bbb05c09d2bcf198aa3bd.exe

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd.exe (PID 2896)
   Command line: "C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd.exe"
   Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx; Drops file in Windows directory; Sets desktop wallpaper using registry
   2. C:\Windows\SysWOW64\cmd.exe (PID 3836)
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\vssadmin.exe (PID 996)
         Command line: vssadmin.exe Delete Shadows /All /Quiet
         Signatures: Interacts with shadow copies

1. C:\Windows\system32\vssvc.exe (PID 3832)
   Command line: C:\Windows\system32\vssvc.exe
   Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service

Two details of this tree matter for detection. First, the command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process, so file-system redirection mapped System32 to SysWOW64 for it and for the vssadmin.exe it launched. A rule keyed on the full image path System32\cmd.exe or System32\vssadmin.exe misses this chain; match on the image name or on the command line instead. Second, no bcdedit.exe child appears under cmd.exe: the two bcdedit commands are present in the command line, but only the shadow-copy deletion has a process record, so only that step is confirmed to have executed (a 32-bit cmd.exe resolves bcdedit under SysWOW64, which does not ship it, which would explain the absence). vssvc.exe sits at the root on its own because it is started by the Service Control Manager in response to the vssadmin request, not by the sample.
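The three behaviours that make this sample worth alerting on are all visible in ordinary endpoint telemetry: the cmd.exe chain that deletes shadow copies and rewrites the boot configuration, the wallpaper value pointed at a .bmp in the user's Temp directory, and the burst of opens-for-modification under C:\Windows\WinSxS\Backup. The block below is an added example written for this page, not code from the sandbox or from any product; it runs detection logic over constructed Sysmon-style events that mirror the report. The field names are simplified, the sample's parent PID (4100) and the 50-file threshold are assumptions, and the wmic/wbadmin patterns go beyond what this sample ran to cover the common variants of the same technique.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (ID 1 process create, 13 registry value set,
# 11 file create) that mirror this report's process tree, wallpaper IoC and
# WinSxS\Backup writes. Field names are simplified and the parent PID 4100 of
# the sample is an assumption; neither comes from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd.exe"
EVENTS = [
    {"id": 1, "pid": 2896, "ppid": 4100, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 3836, "ppid": 2896, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
            r'& bcdedit /set {default} recoveryenabled No '
            r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"id": 1, "pid": 996, "ppid": 3836, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmd": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 13, "pid": 2896, "image": SAMPLE,
     "target": r"HKU\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper",
     "details": r"C:\Users\Admin\AppData\Local\Temp\oi8.bmp"},
] + [
    {"id": 11, "pid": 2896, "image": SAMPLE,
     "target": rf"C:\Windows\WinSxS\Backup\component_{i:04d}.manifest"}
    for i in range(60)
]

# Command-line patterns for ATT&CK T1490 (Inhibit System Recovery). The first
# three are exactly what this sample ran; the wmic and wbadmin forms are common
# variants added here that do not appear on this page.
RECOVERY_PATTERNS = [
    (r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", "vssadmin delete shadows"),
    (r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", "bcdedit recoveryenabled No"),
    (r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b",
     "bcdedit bootstatuspolicy ignoreallfailures"),
    (r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", "wmic shadowcopy delete"),
    (r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", "wbadmin delete catalog"),
]
MASS_WRITE_THRESHOLD = 50   # distinct files under C:\Windows\ per PID; assumed tuning value


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, procs):
    """Follow ppid links upward and return image basenames, child first."""
    chain = []
    while pid in procs and len(chain) < 32:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    files_by_pid = defaultdict(set)
    for e in events:
        if e["id"] == 1:
            # Match the command line, not the image path: here the command line
            # says System32\cmd.exe while the image that ran is SysWOW64\cmd.exe.
            for pattern, label in RECOVERY_PATTERNS:
                if re.search(pattern, e["cmd"], re.IGNORECASE):
                    alerts.append({"rule": "T1490 " + label, "pid": e["pid"],
                                   "chain": ancestry(e["pid"], procs)})
        elif e["id"] == 13 and e["target"].lower().endswith(r"\control panel\desktop\wallpaper"):
            # T1491.001 Defacement: Internal. A wallpaper that lives in %TEMP% is
            # the tell; the stock images are under C:\Windows\Web.
            if re.search(r"\\appdata\\local\\temp\\", e["details"], re.IGNORECASE):
                alerts.append({"rule": "T1491.001 wallpaper set from %TEMP%", "pid": e["pid"],
                               "chain": ancestry(e["pid"], procs)})
        elif e["id"] == 11 and e["target"].lower().startswith("c:\\windows\\"):
            files_by_pid[e["pid"]].add(e["target"].lower())
    for pid, files in files_by_pid.items():
        if len(files) >= MASS_WRITE_THRESHOLD:
            alerts.append({"rule": f"mass write under C:\\Windows ({len(files)} files)",
                           "pid": pid, "chain": ancestry(pid, procs)})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], "pid", a["pid"], "chain", " <- ".join(a["chain"]))
```

Each alert carries the parent chain so an analyst sees vssadmin.exe <- cmd.exe <- the sample rather than a bare vssadmin hit, which is what separates this from an administrator clearing old snapshots by hand. The vssadmin pattern fires twice on the report's tree, once on the cmd.exe command line and once on the vssadmin.exe process itself; both bcdedit patterns fire only on the cmd.exe line, matching the observation above that no bcdedit process was recorded.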