Analysis

max time kernel:  143s
max time network: 86s
platform:         windows7_x64
resource:         win7v200722
submitted:        29-07-2020 14:06
Static task: static1

Behavioral task: behavioral1
  Sample:   d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe
  Resource: win7v200722

Behavioral task: behavioral2
  Sample:   d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe
  Resource: win10
General

Target: d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe
Size:   116KB
MD5:    3f5b1cc5a66314eb6074c0f72bbd07ab
SHA1:   c26640133adc2d465855248043b971c0f7c77843
SHA256: d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016
SHA512: e1a5f7e452bde40d84aa757fd60a4bb4ca3efffac36e19bba56f97143b2666538d7873249b6f54706905f5de1036e76d2a48917acc92e719e9ebc13808e40fab
Malware Config

Extracted
  Path:   C:\304ll-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7110839F576A78BB
    http://decryptor.cc/7110839F576A78BB

The path is the ransom note dropped by the sample; the two URLs share the same victim identifier (7110839F576A78BB), one on a Tor hidden service and one on the clearnet decryptor.cc mirror. The "304ll" prefix of the note filename is the same string the sample appends as the encrypted-file extension (see "Modifies extensions of user files" below), so either value can be used to pivot between note and encrypted files on a host.
Signatures

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1680  d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe
  732   powershell.exe
  732   powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe (referred to below as the sample)
  description                        pid   process     target process
  PID 1680 wrote to memory of 732    1680  the sample  powershell.exe
  PID 1680 wrote to memory of 732    1680  the sample  powershell.exe
  PID 1680 wrote to memory of 732    1680  the sample  powershell.exe
  PID 1680 wrote to memory of 732    1680  the sample  powershell.exe

All four writes go from the sample (PID 1680) into the powershell.exe child (PID 732) that it spawns. A parent writing into a freshly created child is also what normal process creation looks like, so on its own this does not establish code injection; the command line of PID 732 (see the process tree) explains what the child is for.

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
  description   ioc                                                                                              process
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                         vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                       vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                              vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer         vssvc.exe

These keys are written by the Volume Shadow Copy service (vssvc.exe, PID 1968) itself, not by the sample: they are the VSS diagnostic entries for writers and providers that the service creates while it handles the shadow-copy request coming from PID 732. Treat the signature as a side effect of the shadow-copy deletion rather than as the sample reconfiguring a service.
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe (referred to below as the sample)
  description                   ioc                                                                                                        process
  File renamed                  C:\Users\Admin\Pictures\GrantRedo.tiff => \??\c:\users\admin\pictures\GrantRedo.tiff.304ll                 the sample
  File renamed                  C:\Users\Admin\Pictures\LockMove.png => \??\c:\users\admin\pictures\LockMove.png.304ll                     the sample
  File renamed                  C:\Users\Admin\Pictures\OutCompare.png => \??\c:\users\admin\pictures\OutCompare.png.304ll                 the sample
  File renamed                  C:\Users\Admin\Pictures\ReadRestore.tiff => \??\c:\users\admin\pictures\ReadRestore.tiff.304ll             the sample
  File renamed                  C:\Users\Admin\Pictures\UnpublishConvertFrom.crw => \??\c:\users\admin\pictures\UnpublishConvertFrom.crw.304ll  the sample
  File opened for modification  \??\c:\users\admin\pictures\AddRename.tiff                                                                 the sample
  File renamed                  C:\Users\Admin\Pictures\AddRename.tiff => \??\c:\users\admin\pictures\AddRename.tiff.304ll                 the sample
  File opened for modification  \??\c:\users\admin\pictures\LockResume.tiff                                                                the sample
  File renamed                  C:\Users\Admin\Pictures\UnpublishFormat.tif => \??\c:\users\admin\pictures\UnpublishFormat.tif.304ll       the sample
  File opened for modification  \??\c:\users\admin\pictures\GrantRedo.tiff                                                                 the sample
  File opened for modification  \??\c:\users\admin\pictures\ReadRestore.tiff                                                               the sample
  File renamed                  C:\Users\Admin\Pictures\LockResume.tiff => \??\c:\users\admin\pictures\LockResume.tiff.304ll               the sample

The pattern is the same for every file: the original is opened for modification (encrypted in place), then renamed with ".304ll" appended to the existing extension.
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe (referred to below as the sample), powershell.exe, vssvc.exe
  description                     pid   process
  Token: SeDebugPrivilege         1680  the sample
  Token: SeDebugPrivilege         732   powershell.exe
  Token: SeBackupPrivilege        1968  vssvc.exe
  Token: SeRestorePrivilege       1968  vssvc.exe
  Token: SeAuditPrivilege         1968  vssvc.exe
  Token: SeTakeOwnershipPrivilege 1680  the sample

The sample enables SeDebugPrivilege and SeTakeOwnershipPrivilege on its own token; the latter lets it take ownership of files it would otherwise be denied access to before encrypting them. The three privileges on vssvc.exe are the service's own backup/restore privileges and are expected for any shadow-copy operation.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe (referred to below as the sample)
  description      ioc                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3lg7qp.bmp"  the sample
Enumerates connected drives (3 TTPs)
(no individual IoCs recorded for this signature)
Drops file in Program Files directory (13 IoCs)
Processes: d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe (referred to below as the sample)
  description                   ioc                                                                        process
  File created                  \??\c:\program files\microsoft sql server compact edition\304ll-readme.txt  the sample
  File opened for modification  \??\c:\program files\ReadMount.m1v                                         the sample
  File opened for modification  \??\c:\program files\ResolveMeasure.ram                                    the sample
  File opened for modification  \??\c:\program files\TestExport.mht                                        the sample
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\304ll-readme.txt  the sample
  File created                  \??\c:\program files (x86)\304ll-readme.txt                                the sample
  File opened for modification  \??\c:\program files\EnterInitialize.xsl                                   the sample
  File opened for modification  \??\c:\program files\GroupDisable.odt                                      the sample
  File opened for modification  \??\c:\program files\PushWrite.otf                                         the sample
  File created                  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\304ll-readme.txt  the sample
  File created                  \??\c:\program files\304ll-readme.txt                                      the sample
  File opened for modification  \??\c:\program files\MountCompress.easmx                                   the sample
  File opened for modification  \??\c:\program files\OutUnprotect.php                                      the sample

The "File created" rows are copies of the ransom note, one per directory the sample walks; the "File opened for modification" rows are files being encrypted in place.
Processes

C:\Users\Admin\AppData\Local\Temp\d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe  (PID 1680)
  command line: "C:\Users\Admin\AppData\Local\Temp\d064cc1d0d70ce88dce14f6d33689c5f2622026ae3f6601fa7f0724a36624016.bin.exe"
  signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Modifies extensions of user files
    - Suspicious use of AdjustPrivilegeToken
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 732, child of 1680)
    command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    decoded (base64 of UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe  (PID 1744)
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe  (PID 1968)
  command line: C:\Windows\system32\vssvc.exe
  signatures:
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken

The `-e` switch is PowerShell's short form of `-EncodedCommand`, which takes a base64 encoding of the UTF-16LE script text; the decoded command enumerates every volume shadow copy through WMI and deletes each one, removing the local restore points before the files are encrypted. unsecapp.exe (the WMI client callback host, started by DCOM) and vssvc.exe (the Volume Shadow Copy service) are not children of the sample; their appearance at this point is consistent with the WMI query and the shadow-copy deletion requested by PID 732.
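The encoded PowerShell command above is the most reusable detection artifact in this report. The following is an added example, not part of the sandbox report, showing how a detection pipeline would decode `-EncodedCommand` style arguments from process-creation telemetry (Sysmon Event ID 1 or Security 4688 style records) and flag shadow-copy deletion. The first sample record carries the exact base64 blob from the process tree above; the other three records, the event field names and the indicator names are constructed for the example. The decoder also covers the `vssadmin` and `wmic` variants of the same technique, which this sample does not use.

```python
import base64
import re
from typing import Dict, List, Optional

# The base64 blob exactly as it appears on the powershell.exe (PID 732) line above.
REPORTED_BLOB = "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

# Constructed sample records in the shape of process-creation telemetry.
# Only the first command line comes from the report; the rest are made up here.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 732,  "ppid": 1680, "image": "powershell.exe",
     "cmd": "powershell -e " + REPORTED_BLOB},
    {"pid": 2100, "ppid": 900,  "image": "powershell.exe",
     "cmd": 'powershell.exe -NoProfile -Command "Get-Date"'},
    {"pid": 2200, "ppid": 900,  "image": "vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 2300, "ppid": 900,  "image": "powershell.exe",
     "cmd": "powershell -EncodedCommand not_base64!!"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc,
# -encoded, ...) plus the documented short form -ec; the sample uses the shortest.
_ENC_FLAGS = {"-encodedcommand"[:n] for n in range(2, len("-encodedcommand") + 1)} | {"-ec"}

# Shadow-copy deletion indicators, searched in the raw command line plus any
# decoded payload. Names are this example's own labels.
SHADOW_COPY_PATTERNS = {
    "wmi_win32_shadowcopy_delete": re.compile(
        r"win32_shadowcopy.*?(?:\.delete\s*\(|remove-(?:wmiobject|ciminstance))", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
}


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the argument following an -EncodedCommand style flag, or None."""
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        if tokens[i].lower() in _ENC_FLAGS:
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand payload (base64 of UTF-16LE); None if malformed."""
    try:
        # validate=True rejects non-alphabet characters instead of silently skipping them.
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def shadow_copy_indicators(text: str) -> List[str]:
    """Names of all shadow-copy deletion patterns that match the given text."""
    return [name for name, pat in SHADOW_COPY_PATTERNS.items() if pat.search(text)]


def analyse_event(event: Dict) -> Dict:
    """Decode any encoded payload in one record and report what was found."""
    cmd = event["cmd"]
    result = {"pid": event["pid"], "image": event["image"],
              "decoded": None, "decode_failed": False, "indicators": []}
    searchable = cmd
    blob = extract_encoded_command(cmd)
    if blob is not None:
        decoded = decode_encoded_command(blob)
        if decoded is None:
            # An encoded-command flag whose argument does not decode is itself suspicious.
            result["decode_failed"] = True
        else:
            result["decoded"] = decoded
            searchable = cmd + "\n" + decoded
    result["indicators"] = shadow_copy_indicators(searchable)
    return result


def analyse_events(events: List[Dict] = SAMPLE_EVENTS) -> List[Dict]:
    return [analyse_event(e) for e in events]


if __name__ == "__main__":
    for r in analyse_events():
        flag = "ALERT" if r["indicators"] or r["decode_failed"] else "ok"
        print(f"[{flag}] pid={r['pid']} {r['image']} indicators={r['indicators']}")
        if r["decoded"]:
            print("        decoded:", r["decoded"])
```

Matching on the decoded text rather than the base64 string matters because the same script re-encodes to a different blob with any change in whitespace or casing; the decoder, not the blob, is the stable signature. The pattern list is deliberately a dictionary so that further variants (Get-CimInstance, obfuscated cmdlet names) can be added without touching the decoding logic.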