Analysis
max time kernel: 62s
max time network: 41s
platform: windows7_x64
resource: win7
submitted: 27-07-2020 07:56
Static task: static1
Behavioral task: behavioral1 (sample 3cE8g42z98.exe, resource win7)
Behavioral task: behavioral2 (sample 3cE8g42z98.exe, resource win10v200722)
General
Target: 3cE8g42z98.exe
Size: 213KB
MD5: 25a50b573de8f82bf8d5b29386fb94d7
SHA1: f9914b360284b987ab21f56aea9f6153fac23b84
SHA256: 8dbef5f7ffa96759bd395938ed385c8cfe991f96402f900f0a571c844c7fb78d
SHA512: 33e537f237542dad4c99ffd31f0930de7e932f03a3b6fac8057760a6ec72da2977c211ace603c57c98e2515a14731e8696e9ed06ffd8e71212918f5768e35c99
Malware Config
Extracted from: C:\7r57vg2ol-readme.txt (the dropped ransom note)
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F3E42D37D77A1BEC
  http://decryptor.cc/F3E42D37D77A1BEC
Signatures

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  1104  3cE8g42z98.exe
  1328  powershell.exe
  1328  powershell.exe
Modifies service (2 TTPs, 5 IoCs)
  description  ioc  process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
  Note: all five keys are written by vssvc.exe itself, under its own Diag subkey, when the Volume Shadow Copy service starts and enumerates its writers. They are a side effect of shadow copy activity elsewhere in this trace, not a service configuration change made by the sample, so this signature is not evidence of service-based persistence.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description      ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\241790vf658.bmp"  3cE8g42z98.exe
Enumerates connected drives (3 TTPs, no IoCs listed)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                      pid   process
  Token: SeDebugPrivilege          1104  3cE8g42z98.exe
  Token: SeDebugPrivilege          1328  powershell.exe
  Token: SeBackupPrivilege         1832  vssvc.exe
  Token: SeRestorePrivilege        1832  vssvc.exe
  Token: SeAuditPrivilege          1832  vssvc.exe
  Token: SeTakeOwnershipPrivilege  1104  3cE8g42z98.exe
  Note: the three vssvc.exe entries are the backup privileges the VSS service enables as a matter of course and carry no signal on their own. The entries for PID 1104 are the sample's; SeTakeOwnershipPrivilege in particular is consistent with the writes to files under Program Files listed below, which the user's token would otherwise not be allowed to modify.
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process         target process
  PID 1104 wrote to memory of 1328  1104  3cE8g42z98.exe  powershell.exe
  PID 1104 wrote to memory of 1328  1104  3cE8g42z98.exe  powershell.exe
  PID 1104 wrote to memory of 1328  1104  3cE8g42z98.exe  powershell.exe
  PID 1104 wrote to memory of 1328  1104  3cE8g42z98.exe  powershell.exe
  Note: all four writes target the powershell.exe child the sample has just created. A parent writing into a freshly spawned child is also what ordinary process creation looks like (the parent populates the child's process parameters), so this signature by itself does not establish code injection; the interesting fact is the child's command line, not the writes.
Drops file in Program Files directory (29 IoCs)
  description                  ioc  process
  File created                 \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\7r57vg2ol-readme.txt  3cE8g42z98.exe
  File opened for modification \??\c:\program files\ProtectConfirm.dxf  3cE8g42z98.exe
  File created                 \??\c:\program files\microsoft sql server compact edition\v3.5\7r57vg2ol-readme.txt  3cE8g42z98.exe
  File opened for modification \??\c:\program files\SkipUnpublish.M2V  3cE8g42z98.exe
  File opened for modification \??\c:\program files\BackupGroup.htm  3cE8g42z98.exe
  File opened for modification \??\c:\program files\SelectMount.edrwx  3cE8g42z98.exe
  File opened for modification \??\c:\program files\WaitRevoke.txt  3cE8g42z98.exe
  File opened for modification \??\c:\program files\CopyConvertTo.avi  3cE8g42z98.exe
  File opened for modification \??\c:\program files\DisconnectPush.snd  3cE8g42z98.exe
  File opened for modification \??\c:\program files\ImportTrace.vssx  3cE8g42z98.exe
  File opened for modification \??\c:\program files\LockDeny.crw  3cE8g42z98.exe
  File opened for modification \??\c:\program files\StepJoin.dib  3cE8g42z98.exe
  File opened for modification \??\c:\program files\UnregisterUnlock.potm  3cE8g42z98.exe
  File opened for modification \??\c:\program files\ExportPublish.docm  3cE8g42z98.exe
  File opened for modification \??\c:\program files\GroupClear.crw  3cE8g42z98.exe
  File opened for modification \??\c:\program files\TraceConfirm.vdx  3cE8g42z98.exe
  File opened for modification \??\c:\program files\UndoAdd.xlsx  3cE8g42z98.exe
  File opened for modification \??\c:\program files\GetMerge.tif  3cE8g42z98.exe
  File opened for modification \??\c:\program files\RepairPop.vsdx  3cE8g42z98.exe
  File opened for modification \??\c:\program files\WatchRevoke.mpeg  3cE8g42z98.exe
  File opened for modification \??\c:\program files\AssertClose.docx  3cE8g42z98.exe
  File opened for modification \??\c:\program files\ConvertHide.sql  3cE8g42z98.exe
  File opened for modification \??\c:\program files\InstallMeasure.vssm  3cE8g42z98.exe
  File opened for modification \??\c:\program files\LimitShow.vdx  3cE8g42z98.exe
  File created                 \??\c:\program files\microsoft sql server compact edition\7r57vg2ol-readme.txt  3cE8g42z98.exe
  File opened for modification \??\c:\program files\PublishResolve.wm  3cE8g42z98.exe
  File created                 \??\c:\program files\7r57vg2ol-readme.txt  3cE8g42z98.exe
  File created                 \??\c:\program files (x86)\7r57vg2ol-readme.txt  3cE8g42z98.exe
  File opened for modification \??\c:\program files\UninstallLimit.emz  3cE8g42z98.exe
  Note: the "File created" entries are copies of the ransom note 7r57vg2ol-readme.txt being dropped into every directory the sample walks; the "File opened for modification" entries are the sandbox's document-like decoy files under Program Files being opened for write by the encryptor.
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
  description   ioc  process
  File renamed  C:\Users\Admin\Pictures\MountRename.tif => \??\c:\users\admin\pictures\MountRename.tif.7r57vg2ol  3cE8g42z98.exe
  File renamed  C:\Users\Admin\Pictures\RestartConvert.tif => \??\c:\users\admin\pictures\RestartConvert.tif.7r57vg2ol  3cE8g42z98.exe
  File renamed  C:\Users\Admin\Pictures\RestoreSubmit.crw => \??\c:\users\admin\pictures\RestoreSubmit.crw.7r57vg2ol  3cE8g42z98.exe
  File renamed  C:\Users\Admin\Pictures\SubmitDisconnect.raw => \??\c:\users\admin\pictures\SubmitDisconnect.raw.7r57vg2ol  3cE8g42z98.exe
  File renamed  C:\Users\Admin\Pictures\WriteUnblock.crw => \??\c:\users\admin\pictures\WriteUnblock.crw.7r57vg2ol  3cE8g42z98.exe
  File renamed  C:\Users\Admin\Pictures\WriteUninstall.crw => \??\c:\users\admin\pictures\WriteUninstall.crw.7r57vg2ol  3cE8g42z98.exe
  File renamed  C:\Users\Admin\Pictures\ImportRead.raw => \??\c:\users\admin\pictures\ImportRead.raw.7r57vg2ol  3cE8g42z98.exe
  File renamed  C:\Users\Admin\Pictures\JoinConnect.tif => \??\c:\users\admin\pictures\JoinConnect.tif.7r57vg2ol  3cE8g42z98.exe
  Note: the original extension is kept and .7r57vg2ol is appended. The same token names the ransom note (7r57vg2ol-readme.txt) and the path the config was extracted from, so it is generated per run rather than fixed for the family; detections should key on the rename pattern, not on the literal extension.
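The rename pattern above (original extension kept, a per-run token appended to many distinct files by one process) is what file-rename telemetry can be searched for. The following Python is an added example written for this page, not code from the report or from the sample: it replays the eight rename IoCs listed above plus two constructed benign renames, and flags any process that stamps the same appended extension onto at least five distinct files. The event tuples, the threshold of five and the suffix pattern are the example's own assumptions, not something the report specifies.

```python
"""Spot ransomware-style mass renames in file-rename telemetry.

Added example, not part of the sandbox report or of the sample. The eight
events attributed to 3cE8g42z98.exe are the 'File renamed' IoCs from the
report; the remaining events are constructed benign renames so the detector
has something to ignore.
"""
from collections import defaultdict
import re
from typing import Optional

# Constructed telemetry: (process, old path, new path). The sandbox reports new
# paths in NT form (\??\ prefix, lower-cased directory) and old paths in Win32 form.
RENAME_EVENTS = [
    ("3cE8g42z98.exe", r"C:\Users\Admin\Pictures\MountRename.tif", r"\??\c:\users\admin\pictures\MountRename.tif.7r57vg2ol"),
    ("3cE8g42z98.exe", r"C:\Users\Admin\Pictures\RestartConvert.tif", r"\??\c:\users\admin\pictures\RestartConvert.tif.7r57vg2ol"),
    ("3cE8g42z98.exe", r"C:\Users\Admin\Pictures\RestoreSubmit.crw", r"\??\c:\users\admin\pictures\RestoreSubmit.crw.7r57vg2ol"),
    ("3cE8g42z98.exe", r"C:\Users\Admin\Pictures\SubmitDisconnect.raw", r"\??\c:\users\admin\pictures\SubmitDisconnect.raw.7r57vg2ol"),
    ("3cE8g42z98.exe", r"C:\Users\Admin\Pictures\WriteUnblock.crw", r"\??\c:\users\admin\pictures\WriteUnblock.crw.7r57vg2ol"),
    ("3cE8g42z98.exe", r"C:\Users\Admin\Pictures\WriteUninstall.crw", r"\??\c:\users\admin\pictures\WriteUninstall.crw.7r57vg2ol"),
    ("3cE8g42z98.exe", r"C:\Users\Admin\Pictures\ImportRead.raw", r"\??\c:\users\admin\pictures\ImportRead.raw.7r57vg2ol"),
    ("3cE8g42z98.exe", r"C:\Users\Admin\Pictures\JoinConnect.tif", r"\??\c:\users\admin\pictures\JoinConnect.tif.7r57vg2ol"),
    # Benign renames (constructed): an editor saving via a temp file, and a user making a .bak copy.
    ("WINWORD.EXE", r"C:\Users\Admin\Documents\~WRD0001.tmp", r"C:\Users\Admin\Documents\notes.docx"),
    ("explorer.exe", r"C:\Users\Admin\Documents\budget.xlsx", r"C:\Users\Admin\Documents\budget.xlsx.bak"),
]

# Assumed shape of a bolted-on ransomware extension: short and alphanumeric,
# appended after the original extension, which is left in place.
SUFFIX_RE = re.compile(r"[a-z0-9_\-]{2,16}")


def normalize(path: str) -> str:
    """Strip the NT '\\??\\' prefix and case-fold so old and new paths compare."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_suffix(old: str, new: str) -> Optional[str]:
    """Return the suffix appended to old to form new (e.g. '7r57vg2ol'), else None."""
    o, n = normalize(old), normalize(new)
    if not n.startswith(o + "."):
        return None
    suffix = n[len(o) + 1:]
    return suffix if SUFFIX_RE.fullmatch(suffix) else None


def find_mass_renames(events, min_files: int = 5) -> dict:
    """Group appended suffixes per process; report those hitting >= min_files distinct files.

    The threshold separates a single 'budget.xlsx -> budget.xlsx.bak' from a
    process that is stamping the same new extension onto many different files.
    """
    seen = defaultdict(set)                       # (process, suffix) -> original files
    for proc, old, new in events:
        suffix = appended_suffix(old, new)
        if suffix:
            seen[(proc, suffix)].add(normalize(old))
    return {key: sorted(files) for key, files in seen.items() if len(files) >= min_files}


if __name__ == "__main__":
    for (proc, suffix), files in find_mass_renames(RENAME_EVENTS).items():
        print(f"{proc}: appended '.{suffix}' to {len(files)} files, e.g. {files[0]}")
```

On the events above only the pair (3cE8g42z98.exe, 7r57vg2ol) crosses the threshold, with all eight Pictures files; the .bak rename is recorded but stays below it. In production telemetry the threshold should be paired with a time window, since the sample renames its files within seconds.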
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Processes (indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\3cE8g42z98.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3cE8g42z98.exe"
  PID: 1104
  - Suspicious behavior: EnumeratesProcesses
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Modifies extensions of user files

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1104)
      command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 1328
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Note: the -e argument is a base64-encoded UTF-16LE script that enumerates the Win32_ShadowCopy WMI class and calls Delete() on every instance, i.e. it destroys all Volume Shadow Copies so that encrypted files cannot be restored from them (MITRE ATT&CK T1490, Inhibit System Recovery). This single command line is the most actionable detection point in the report, and it explains the two system processes below.

C:\Windows\system32\wbem\unsecapp.exe
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1504
  Note: WMI's callback sink process, started by DCOM on behalf of a WMI client; its appearance here is consistent with the WMI query issued by PID 1328.

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 1832
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  Note: the Volume Shadow Copy service, started on demand to handle the shadow copy request; the registry keys and privileges attributed to it above are its normal start-up behaviour.
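The -e argument on the powershell.exe command line above is the part of this report an analyst most needs to read. The following Python is an added example written for this page, not code from the report or from the sample: it decodes the argument the way PowerShell does (any of -e, -ec or a prefix of -EncodedCommand; UTF-16LE payload; missing base64 padding tolerated) and then matches the decoded script, or the plain command line when nothing is encoded, against the common shadow copy deletion forms. The two extra command lines and the pattern list are the example's own constructions.

```python
"""Decode a PowerShell -EncodedCommand argument and flag shadow copy deletion.

Added example, not part of the sandbox report or of the sample. The first
command line below is the powershell.exe command line the report shows for
PID 1328; the other two are constructed so the triage has one line to ignore
and one unencoded line to flag.
"""
import base64
import re
import shlex
from typing import Optional

# Constructed input: first line copied from the report, the rest invented.
SAMPLE_CMDLINES = [
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
    "powershell.exe -NoProfile -Command Get-Date",
    "cmd.exe /c vssadmin delete shadows /all /quiet",
]

# Command-line forms that inhibit system recovery (ATT&CK T1490). The first is
# the WMI form this sample uses; the others are the usual CLI variants.
SHADOW_DELETE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"win32_shadowcopy.*\.delete\s*\(",
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"vssadmin(\.exe)?\s+resize\s+shadowstorage",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
)]


def _is_encoded_flag(tok: str) -> bool:
    """True for -e, -ec, or any prefix of -EncodedCommand (case-insensitive, '/' accepted too)."""
    if tok[:1] not in "-/" or len(tok) < 2:
        return False
    flag = tok[1:].lower()
    return flag in ("e", "ec") or "encodedcommand".startswith(flag)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # keep Windows quoting and backslashes intact
    except ValueError:
        tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not _is_encoded_flag(tok):
            continue
        b64 = tokens[i + 1].strip("\"'")
        b64 += "=" * (-len(b64) % 4)                 # PowerShell accepts unpadded base64
        try:
            return base64.b64decode(b64, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def triage(cmdline: str) -> dict:
    """Decode if needed, then match the effective command against the T1490 patterns."""
    decoded = decode_encoded_command(cmdline)
    effective = decoded if decoded is not None else cmdline
    hits = [p.pattern for p in SHADOW_DELETE_PATTERNS if p.search(effective)]
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "effective": effective,
        "inhibit_recovery": bool(hits),
        "matched": hits,
    }


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        verdict = "T1490 shadow copy deletion" if result["inhibit_recovery"] else "no match"
        print(f"{verdict:28s} | {result['effective']}")
```

For the report's command line the decoder yields Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which the first pattern flags; the vssadmin line is flagged without any decoding and the Get-Date line is left alone. Matching on the decoded text rather than the raw command line matters because the base64 form changes with every byte of script, so a literal indicator built from this report would miss the same deletion written with one extra space.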