Analysis
-
max time kernel
146s -
max time network
60s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
03-08-2020 15:10
Static task
static1
Behavioral task
behavioral1
Sample
ransomware.exe
Resource
win7
Behavioral task
behavioral2
Sample
ransomware.exe
Resource
win10v200722
General
-
Target
ransomware.exe
-
Size
116KB
-
MD5
b86ad4241b01376b3924a380f6f4c934
-
SHA1
10682d08a18715a79ee23b58fdb6ee44c4e28c61
-
SHA256
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
-
SHA512
54fd19cfc37255e7ddf3456d1a2989558522cf58e5eee6ca916c19542921fe3ba4e7a431a35e0e1edbfc37c5651d392e7c3c54eb408754c0488021b16fdf92c9
Malware Config
Extracted
C:\7b65d-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/335E1A9A78A6847A
http://decryptor.cc/335E1A9A78A6847A
Signatures
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ransomware.exedescription ioc process File renamed C:\Users\Admin\Pictures\SelectDeny.tif => \??\c:\users\admin\pictures\SelectDeny.tif.7b65d ransomware.exe File renamed C:\Users\Admin\Pictures\UnprotectUnregister.raw => \??\c:\users\admin\pictures\UnprotectUnregister.raw.7b65d ransomware.exe File opened for modification \??\c:\users\admin\pictures\ConnectRename.tiff ransomware.exe File opened for modification \??\c:\users\admin\pictures\EditOut.tiff ransomware.exe File renamed C:\Users\Admin\Pictures\EditOut.tiff => \??\c:\users\admin\pictures\EditOut.tiff.7b65d ransomware.exe File renamed C:\Users\Admin\Pictures\InitializeInvoke.crw => \??\c:\users\admin\pictures\InitializeInvoke.crw.7b65d ransomware.exe File renamed C:\Users\Admin\Pictures\LimitExpand.tiff => \??\c:\users\admin\pictures\LimitExpand.tiff.7b65d ransomware.exe File opened for modification \??\c:\users\admin\pictures\LimitExpand.tiff ransomware.exe File renamed C:\Users\Admin\Pictures\ConnectRename.tiff => \??\c:\users\admin\pictures\ConnectRename.tiff.7b65d ransomware.exe File renamed C:\Users\Admin\Pictures\ExportEnter.raw => \??\c:\users\admin\pictures\ExportEnter.raw.7b65d ransomware.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
ransomware.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1imlmwm0y.bmp" ransomware.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
ransomware.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 508 ransomware.exe Token: SeDebugPrivilege 756 powershell.exe Token: SeBackupPrivilege 2164 vssvc.exe Token: SeRestorePrivilege 2164 vssvc.exe Token: SeAuditPrivilege 2164 vssvc.exe Token: SeTakeOwnershipPrivilege 508 ransomware.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
ransomware.exepowershell.exepid process 508 ransomware.exe 508 ransomware.exe 756 powershell.exe 756 powershell.exe 756 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
ransomware.exedescription pid process target process PID 508 wrote to memory of 756 508 ransomware.exe powershell.exe PID 508 wrote to memory of 756 508 ransomware.exe powershell.exe -
Enumerates connected drives 3 TTPs
-
Drops file in Program Files directory 16 IoCs
Processes:
ransomware.exedescription ioc process File opened for modification \??\c:\program files\EditRename.kix ransomware.exe File opened for modification \??\c:\program files\EnterMount.vsx ransomware.exe File opened for modification \??\c:\program files\ReceiveStep.tif ransomware.exe File opened for modification \??\c:\program files\UnpublishConvertTo.svgz ransomware.exe File created \??\c:\program files (x86)\7b65d-readme.txt ransomware.exe File opened for modification \??\c:\program files\GetResize.eps ransomware.exe File opened for modification \??\c:\program files\ProtectExpand.docm ransomware.exe File opened for modification \??\c:\program files\RestartClose.xml ransomware.exe File opened for modification \??\c:\program files\SelectExport.pptx ransomware.exe File opened for modification \??\c:\program files\ConnectRegister.html ransomware.exe File opened for modification \??\c:\program files\DisableFormat.i64 ransomware.exe File opened for modification \??\c:\program files\RemoveUse.snd ransomware.exe File opened for modification \??\c:\program files\SaveSkip.pptx ransomware.exe File created \??\c:\program files\7b65d-readme.txt ransomware.exe File opened for modification \??\c:\program files\RevokeDisconnect.midi ransomware.exe File opened for modification \??\c:\program files\SetShow.xht ransomware.exe -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ransomware.exe"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
PID:508 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:756
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:856
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2164