Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
10-08-2020 12:23
Static task
static1
Behavioral task
behavioral1
Sample
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe
Resource
win7
Behavioral task
behavioral2
Sample
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe
Resource
win10v200722
General
-
Target
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe
-
Size
115KB
-
MD5
d3808c0b73390ac85758fa35fa7f7f3a
-
SHA1
c8bc0c32a7155e547773d1df419915e5bfffcf2f
-
SHA256
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9
-
SHA512
10daf9b0030a8ef49e9a2f69ae0f7b489e1e1a35ac374f20f26859669924c9b0d079da94f6152e0d517b3e63aa1d215197f571196331e6a2b1df19b888cc7fb2
Malware Config
Extracted
C:\6ew8a99-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/183B54E3404D5CCD
http://decryptor.cc/183B54E3404D5CCD
Signatures
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exepowershell.exepid process 496 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe 496 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe 1116 powershell.exe 1116 powershell.exe 1116 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exedescription pid process target process PID 496 wrote to memory of 1116 496 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe powershell.exe PID 496 wrote to memory of 1116 496 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe powershell.exe -
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe -
Drops file in Program Files directory 30 IoCs
Processes:
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exedescription ioc process File opened for modification \??\c:\program files\ResumeUpdate.snd 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\SendSearch.snd 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\SetUninstall.ogg 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\ShowMount.ppsx 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\UndoRepair.kix 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\AssertPing.3gpp 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\ClearTest.mp4v 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\NewImport.xlsb 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\PopRequest.midi 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\RestoreGroup.html 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\SplitDeny.mov 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File created \??\c:\program files (x86)\6ew8a99-readme.txt 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\DismountConfirm.ps1xml 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\MoveConvertFrom.mp2 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\RenameRedo.au 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\RestoreSet.AAC 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\ConvertFromComplete.htm 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\MergeCompress.wvx 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\OpenMerge.docx 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\RevokeRestore.cfg 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\StopPop.jpeg 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\CloseGroup.vsx 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\ResumeSwitch.crw 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\WriteStep.mov 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File created \??\c:\program files\6ew8a99-readme.txt 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\ConvertFromConvert.vbs 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\LockWrite.ram 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\DisconnectBackup.mpeg 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\GrantApprove.ram 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\program files\ReadAssert.au3 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exedescription ioc process File renamed C:\Users\Admin\Pictures\EnterConvertFrom.tiff => \??\c:\users\admin\pictures\EnterConvertFrom.tiff.6ew8a99 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File renamed C:\Users\Admin\Pictures\MountSkip.raw => \??\c:\users\admin\pictures\MountSkip.raw.6ew8a99 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File renamed C:\Users\Admin\Pictures\SyncRestart.tif => \??\c:\users\admin\pictures\SyncRestart.tif.6ew8a99 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File renamed C:\Users\Admin\Pictures\SyncRemove.png => \??\c:\users\admin\pictures\SyncRemove.png.6ew8a99 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File renamed C:\Users\Admin\Pictures\SyncInstall.crw => \??\c:\users\admin\pictures\SyncInstall.crw.6ew8a99 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File opened for modification \??\c:\users\admin\pictures\EnterConvertFrom.tiff 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File renamed C:\Users\Admin\Pictures\JoinOut.raw => \??\c:\users\admin\pictures\JoinOut.raw.6ew8a99 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File renamed C:\Users\Admin\Pictures\RepairAssert.raw => \??\c:\users\admin\pictures\RepairAssert.raw.6ew8a99 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File renamed C:\Users\Admin\Pictures\SaveEnter.png => \??\c:\users\admin\pictures\SaveEnter.png.6ew8a99 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe File renamed C:\Users\Admin\Pictures\RevokeUse.png => \??\c:\users\admin\pictures\RevokeUse.png.6ew8a99 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 496 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe Token: SeDebugPrivilege 1116 powershell.exe Token: SeBackupPrivilege 2268 vssvc.exe Token: SeRestorePrivilege 2268 vssvc.exe Token: SeAuditPrivilege 2268 vssvc.exe Token: SeTakeOwnershipPrivilege 496 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe -
Drops startup file 1 IoCs
Processes:
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exedescription ioc process File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\6ew8a99-readme.txt 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q12.bmp" 34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Processes
-
C:\Users\Admin\AppData\Local\Temp\34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe"C:\Users\Admin\AppData\Local\Temp\34a813a1016a70161b66e00c628d9eddb97ecfa78e2272de2e7e86f8c981a9e9.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Modifies extensions of user files
- Suspicious use of AdjustPrivilegeToken
- Drops startup file
- Sets desktop wallpaper using registry
PID:496 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:724
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#125 S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-26303127421⤵PID:3532