Analysis
-
max time kernel
70s -
max time network
118s -
platform
windows10_x64 -
resource
win10 -
submitted
30-07-2020 16:07
Static task
static1
Behavioral task
behavioral1
Sample
lg.bin.exe
Resource
win7
Behavioral task
behavioral2
Sample
lg.bin.exe
Resource
win10
General
-
Target
lg.bin.exe
-
Size
290KB
-
MD5
5f58902825d15d59528f98faf43b86c3
-
SHA1
f09e5e72b433d11a32efe2e5d63db0bc7b8def59
-
SHA256
140f831ddd180861481c9531aa6859c56503e77d29d00439c1e71c5b93e01e1a
-
SHA512
5aae01c51f026e7382bf20117e81cc06a975f561370e7f9170b02bc83e329cc1737d82cf721f3901cf4c2c9180423bdaf6a375a109d05e9ca164c7c08970a3c6
Malware Config
Extracted
C:\88fw8-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9CAEB518F653B061
http://decryptor.cc/9CAEB518F653B061
Signatures
-
Drops file in Program Files directory 21 IoCs
Processes:
lg.bin.exedescription ioc process File opened for modification \??\c:\program files\ReadOptimize.ADT lg.bin.exe File opened for modification \??\c:\program files\SkipPublish.TS lg.bin.exe File opened for modification \??\c:\program files\SuspendSkip.reg lg.bin.exe File created \??\c:\program files (x86)\88fw8-readme.txt lg.bin.exe File opened for modification \??\c:\program files\EditUnprotect.midi lg.bin.exe File opened for modification \??\c:\program files\GroupProtect.mpp lg.bin.exe File opened for modification \??\c:\program files\LockReset.docx lg.bin.exe File opened for modification \??\c:\program files\OpenTrace.png lg.bin.exe File opened for modification \??\c:\program files\UnregisterSave.m1v lg.bin.exe File opened for modification \??\c:\program files\ConnectExpand.odt lg.bin.exe File opened for modification \??\c:\program files\InstallInvoke.odt lg.bin.exe File opened for modification \??\c:\program files\SyncStep.mht lg.bin.exe File opened for modification \??\c:\program files\UndoRedo.M2T lg.bin.exe File opened for modification \??\c:\program files\UnpublishDisable.mpeg2 lg.bin.exe File created \??\c:\program files\88fw8-readme.txt lg.bin.exe File opened for modification \??\c:\program files\MountRestart.mpeg3 lg.bin.exe File opened for modification \??\c:\program files\TestTrace.aifc lg.bin.exe File opened for modification \??\c:\program files\FormatWatch.tif lg.bin.exe File opened for modification \??\c:\program files\InitializeGet.ods lg.bin.exe File opened for modification \??\c:\program files\LimitSubmit.pptx lg.bin.exe File opened for modification \??\c:\program files\UpdateRepair.js lg.bin.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
lg.bin.exepowershell.exepid process 3100 lg.bin.exe 3100 lg.bin.exe 3324 powershell.exe 3324 powershell.exe 3324 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
lg.bin.exedescription pid process target process PID 3100 wrote to memory of 3324 3100 lg.bin.exe powershell.exe PID 3100 wrote to memory of 3324 3100 lg.bin.exe powershell.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
lg.bin.exedescription ioc process File opened for modification \??\c:\users\admin\pictures\NewTrace.tiff lg.bin.exe File renamed C:\Users\Admin\Pictures\ApproveSplit.tif => \??\c:\users\admin\pictures\ApproveSplit.tif.88fw8 lg.bin.exe File renamed C:\Users\Admin\Pictures\EditSync.tif => \??\c:\users\admin\pictures\EditSync.tif.88fw8 lg.bin.exe File renamed C:\Users\Admin\Pictures\NewTrace.tiff => \??\c:\users\admin\pictures\NewTrace.tiff.88fw8 lg.bin.exe File renamed C:\Users\Admin\Pictures\ResumeGrant.raw => \??\c:\users\admin\pictures\ResumeGrant.raw.88fw8 lg.bin.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
lg.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2a14x.bmp" lg.bin.exe -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
lg.bin.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 3100 lg.bin.exe Token: SeDebugPrivilege 3324 powershell.exe Token: SeBackupPrivilege 2268 vssvc.exe Token: SeRestorePrivilege 2268 vssvc.exe Token: SeAuditPrivilege 2268 vssvc.exe Token: SeTakeOwnershipPrivilege 3100 lg.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\lg.bin.exe"C:\Users\Admin\AppData\Local\Temp\lg.bin.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:3100 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3600
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2268