Analysis
- max time kernel: 135s
- max time network: 9s
- platform: windows7_x64
- resource: win7
- submitted: 07-09-2020 15:41
Static task: static1
Behavioral task: behavioral1
  Sample: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
  Resource: win10v200722
General
- Target: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
- Size: 192KB
- MD5: beed14bc183ad523b94ef6ac2b270b08
- SHA1: 4ea45e0d8a4d50182063cc97c8a86d579f3adf05
- SHA256: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988
- SHA512: da74c44e21e120af26074fb6493a35067f037cc633e630b415d9b6947c9dc58e354fbb33afc87f733da8cd4d1f8ca66081df0e96d249ffb1c2ba8142c9317196
Malware Config
Extracted
  Path: C:\wl2qidi-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/786F34B10F5F5557
    http://decryptor.cc/786F34B10F5F5557
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs)
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description   ioc                                            process
    File created  \??\c:\program files\wl2qidi-readme.txt        b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
    File created  \??\c:\program files (x86)\wl2qidi-readme.txt  b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1456  b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                      pid   process
    Token: SeDebugPrivilege          1456  b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
    Token: SeTakeOwnershipPrivilege  1456  b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe"
  PID: 1456
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken