Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v200722
- submitted: 20-08-2020 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  Resource: win10v200722
General
- Target: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
- Size: 116KB
- MD5: 6f478788c9bf905bad3371598255fe71
- SHA1: 137db4ccf35660ab2b7e44b29755b363a93736d6
- SHA256: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71
- SHA512: 29633d24fbe3bc50d08827bb2d9ec0b48cf4895ce9387412f04458ac283540c0bbd710e71d61a3385fa3590f31fab41f316e88b8e4994811fbf1e6930e805085
Malware Config
Extracted
- Path: C:\z2z8459ig-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2122EC22BD4D0BB7
  http://decryptor.cc/2122EC22BD4D0BB7
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  description / ioc (process is the sample for every entry):
  File renamed: C:\Users\Admin\Pictures\MountEdit.tiff => \??\c:\users\admin\pictures\MountEdit.tiff.z2z8459ig
  File renamed: C:\Users\Admin\Pictures\ReadSkip.tif => \??\c:\users\admin\pictures\ReadSkip.tif.z2z8459ig
  File opened for modification: \??\c:\users\admin\pictures\MountEdit.tiff
  File renamed: C:\Users\Admin\Pictures\ApproveGet.crw => \??\c:\users\admin\pictures\ApproveGet.crw.z2z8459ig
  File renamed: C:\Users\Admin\Pictures\DebugPublish.tif => \??\c:\users\admin\pictures\DebugPublish.tif.z2z8459ig
  File renamed: C:\Users\Admin\Pictures\EnableSelect.tif => \??\c:\users\admin\pictures\EnableSelect.tif.z2z8459ig
  File renamed: C:\Users\Admin\Pictures\MeasureInitialize.png => \??\c:\users\admin\pictures\MeasureInitialize.png.z2z8459ig
  File renamed: C:\Users\Admin\Pictures\OutWrite.png => \??\c:\users\admin\pictures\OutWrite.png.z2z8459ig
  File renamed: C:\Users\Admin\Pictures\SuspendPop.raw => \??\c:\users\admin\pictures\SuspendPop.raw.z2z8459ig
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  description / ioc (process is the sample for every entry):
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5gWVTP1TBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe"
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description / ioc (process is vssvc.exe for every entry):
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  description / ioc (process is the sample):
  Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\07ml4i85hq.bmp"
- Drops file in Program Files directory (12 IoCs)
  Processes: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  description / ioc (process is the sample for every entry):
  File opened for modification: \??\c:\program files\UninstallRepair.3gp
  File opened for modification: \??\c:\program files\UpdatePop.dwg
  File created: \??\c:\program files\z2z8459ig-readme.txt
  File created: \??\c:\program files (x86)\z2z8459ig-readme.txt
  File opened for modification: \??\c:\program files\CompressMeasure.dot
  File opened for modification: \??\c:\program files\ConvertToAssert.ini
  File opened for modification: \??\c:\program files\ReadUnregister.avi
  File opened for modification: \??\c:\program files\ReceiveSuspend.i64
  File opened for modification: \??\c:\program files\WatchWait.css
  File opened for modification: \??\c:\program files\RenameUninstall.au
  File opened for modification: \??\c:\program files\RestartExit.vstm
  File opened for modification: \??\c:\program files\SwitchProtect.mp3
- Modifies system certificate store
  Processes: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  description / ioc (process is the sample for every entry):
  Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\SystemCertificates\CA\Certificates\E6A3B45B062D509B3382282D196EFE97D5956CCB
  Set value (data): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\SystemCertificates\CA\Certificates\E6A3B45B062D509B3382282D196EFE97D5956CCB\Blob = <blob value elided>
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe, powershell.exe
  pid / process:
  292 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  292 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  640 powershell.exe
  640 powershell.exe
  640 powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe, powershell.exe, vssvc.exe
  description / pid / process:
  Token: SeDebugPrivilege 292 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  Token: SeDebugPrivilege 640 powershell.exe
  Token: SeBackupPrivilege 1816 vssvc.exe
  Token: SeRestorePrivilege 1816 vssvc.exe
  Token: SeAuditPrivilege 1816 vssvc.exe
  Token: SeTakeOwnershipPrivilege 292 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  description / pid / process / target process:
  PID 292 wrote to memory of 640: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe -> powershell.exe
  PID 292 wrote to memory of 640: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe -> powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe"
  PID: 292
  - Modifies extensions of user files
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 292)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} i.e. deletion of all Volume Shadow Copies, which is why vssvc.exe appears below)
    PID: 640
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 712
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1816
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken