Analysis

Max time kernel: 75s
Max time network: 121s
Platform: windows10_x64
Resource: win10
Submitted: 01-08-2020 09:48

Static task: static1
Behavioral task: behavioral1 (Sample: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe, Resource: win7v200722)
Behavioral task: behavioral2 (Sample: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe, Resource: win10)
General

Target: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Size: 116KB
MD5: 90e6ea15ed18005b431e135186d57abf
SHA1: d8e126cd0f5f3f214989c3533fd22c7291c44174
SHA256: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d
SHA512: 91690e64b9d39b2b1c0fb7575d75d632f5fbe1dd6c36b935ea2fde1e7bbbfc0e68ba50d73919f4cb2502d7e2b46fe98a3ddcb217b3cb1da77fc290e86031c60d
Malware Config

Extracted from: C:\4j13uu89o-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8856FFD5E2C6C8D5
- http://decryptor.cc/8856FFD5E2C6C8D5
Signatures

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 712 bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- PID 712 bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- PID 3008 powershell.exe
- PID 3008 powershell.exe
- PID 3008 powershell.exe
Enumerates connected drives (3 TTPs)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4r4538ph0.bmp" by bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 712, bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
- Token: SeDebugPrivilege, PID 3008, powershell.exe
- Token: SeBackupPrivilege, PID 3364, vssvc.exe
- Token: SeRestorePrivilege, PID 3364, vssvc.exe
- Token: SeAuditPrivilege, PID 3364, vssvc.exe
- Token: SeTakeOwnershipPrivilege, PID 712, bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
- PID 712 (bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe) wrote to memory of PID 3008 (powershell.exe)
- PID 712 (bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe) wrote to memory of PID 3008 (powershell.exe)
Modifies service (2 TTPs, 5 IoCs)
Processes (all by vssvc.exe):
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Drops file in Program Files directory (19 IoCs)
Processes (all by bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe):
- File opened for modification \??\c:\program files\RedoLimit.iso
- File opened for modification \??\c:\program files\UndoSet.au3
- File opened for modification \??\c:\program files\WatchOut.mpeg3
- File created \??\c:\program files\4j13uu89o-readme.txt
- File opened for modification \??\c:\program files\ConvertFromGroup.bmp
- File opened for modification \??\c:\program files\GroupSend.vb
- File opened for modification \??\c:\program files\JoinGroup.docx
- File opened for modification \??\c:\program files\ResumeWatch.css
- File opened for modification \??\c:\program files\RevokeGroup.clr
- File opened for modification \??\c:\program files\CompleteReset.jpeg
- File opened for modification \??\c:\program files\CompressCopy.ods
- File opened for modification \??\c:\program files\StartUnregister.docx
- File opened for modification \??\c:\program files\ConfirmClear.potm
- File opened for modification \??\c:\program files\ExitApprove.jpeg
- File opened for modification \??\c:\program files\RevokeConfirm.reg
- File opened for modification \??\c:\program files\SwitchExpand.xps
- File created \??\c:\program files (x86)\4j13uu89o-readme.txt
- File opened for modification \??\c:\program files\AssertSplit.potx
- File opened for modification \??\c:\program files\CompareDisable.vssm
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (all by bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe):
- File renamed C:\Users\Admin\Pictures\ExitOpen.png => \??\c:\users\admin\pictures\ExitOpen.png.4j13uu89o
- File renamed C:\Users\Admin\Pictures\GroupDismount.tif => \??\c:\users\admin\pictures\GroupDismount.tif.4j13uu89o
- File renamed C:\Users\Admin\Pictures\FindClear.png => \??\c:\users\admin\pictures\FindClear.png.4j13uu89o
- File renamed C:\Users\Admin\Pictures\SearchCheckpoint.png => \??\c:\users\admin\pictures\SearchCheckpoint.png.4j13uu89o
- File renamed C:\Users\Admin\Pictures\CompareOptimize.png => \??\c:\users\admin\pictures\CompareOptimize.png.4j13uu89o
Processes

C:\Users\Admin\AppData\Local\Temp\bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe (PID 712, tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe"
- Suspicious behavior: EnumeratesProcesses
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Modifies extensions of user files

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3008, tree depth 2, child of PID 712)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    The -e switch is the short form of -EncodedCommand, which takes a base64-encoded UTF-16LE script. The argument decodes to:
    Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    This deletes every Volume Shadow Copy on the host through WMI, removing the local restore points a victim could otherwise use to recover files.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe (tree depth 1)
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
(WMI's callback sink host, started by COM activation; its appearance is consistent with the WMI call above.)

C:\Windows\system32\vssvc.exe (PID 3364, tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
(The Volume Shadow Copy service; the SeBackupPrivilege/SeRestorePrivilege use and the VSS\Diag writer keys above are consistent with it servicing the shadow-copy deletion.)
- Suspicious use of AdjustPrivilegeToken
- Modifies service
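The encoded PowerShell command line above is the kind of artifact a triage script should decode and classify automatically. The following is an added example, not part of the sandbox report or the tool that produced it: it takes a process command line, recognises the -EncodedCommand switch and its abbreviated forms, decodes the base64/UTF-16LE payload, and flags shadow-copy deletion. The matching patterns for vssadmin and wmic are general ransomware tradecraft added here, not behaviour observed in this report; the sample command lines are constructed from the process tree above.

```python
"""Decode PowerShell -EncodedCommand payloads from process command lines and
flag shadow-copy deletion. Added triage helper, not part of the sandbox report."""
import base64
import binascii
import re

# Shadow-copy deletion patterns. Win32_Shadowcopy is what this report shows;
# the vssadmin and wmic forms are other common variants (added, not observed here).
SHADOW_PATTERNS = [
    re.compile(r"win32_shadowcopy", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
]


def decode_encoded_command(cmdline: str):
    """Return the decoded script for a 'powershell -e <b64>' command line, or None.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...), so match by prefix rather than by a fixed list; -ExecutionPolicy
    is not a prefix of 'encodedcommand' and is correctly ignored.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        name = tok[1:].lower()
        if not name or not "encodedcommand".startswith(name):
            continue
        try:
            raw = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            return None  # switch present but argument is not valid base64
        try:
            # -EncodedCommand is always UTF-16LE; odd byte counts fail here
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            return None
    return None


def shadow_copy_deletion(script: str) -> bool:
    """True if the (decoded) script or command line deletes shadow copies."""
    return any(p.search(script) for p in SHADOW_PATTERNS)


def triage(cmdline: str) -> dict:
    """Decode if encoded, then classify the effective command text."""
    decoded = decode_encoded_command(cmdline)
    effective = decoded if decoded is not None else cmdline
    return {"decoded": decoded, "shadow_copy_deletion": shadow_copy_deletion(effective)}


# Constructed sample: the powershell.exe command line recorded for PID 3008 above.
SAMPLE_CMDLINE = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
    "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABl"
    "AHQAZQAoACkAOwB9AA=="
)

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE,
                 "powershell -ExecutionPolicy Bypass -File a.ps1",   # constructed
                 "cmd /c vssadmin delete shadows /all /quiet"):       # constructed
        print(triage(line))
```

Run against the PID 3008 command line, `triage` reports the decoded `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}` and `shadow_copy_deletion: True`; the decoder returns None rather than raising on malformed base64 or an odd-length payload, so it can be applied to every command line in a process tree without special-casing.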
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3008-0-0x0000000000000000-mapping.dmp