Analysis
  max time kernel: 77s
  max time network: 110s
  platform: windows10_x64
  resource: win10v200722
  submitted: 07-09-2020 15:41
Static task: static1
Behavioral task: behavioral1
  Sample: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
  Resource: win10v200722
General
  Target: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
  Size: 192KB
  MD5: beed14bc183ad523b94ef6ac2b270b08
  SHA1: 4ea45e0d8a4d50182063cc97c8a86d579f3adf05
  SHA256: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988
  SHA512: da74c44e21e120af26074fb6493a35067f037cc633e630b415d9b6947c9dc58e354fbb33afc87f733da8cd4d1f8ca66081df0e96d249ffb1c2ba8142c9317196
Malware Config
  Extracted from: C:\5ie55-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/721AD826AEAB7627
    http://decryptor.cc/721AD826AEAB7627
Signatures

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
    File renamed C:\Users\Admin\Pictures\UnblockMount.tif => \??\c:\users\admin\pictures\UnblockMount.tif.5ie55
    File renamed C:\Users\Admin\Pictures\ApproveDismount.tif => \??\c:\users\admin\pictures\ApproveDismount.tif.5ie55
  The appended extension (.5ie55) is the same token used in the ransom note name (5ie55-readme.txt); the \??\ prefix on the target path is the NT object-manager form of the same path, not a different location.
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  vssvc.exe is the Windows Volume Shadow Copy service and these are its own diagnostic writer keys, written when the service starts. Their presence shows that VSS was started during the run, which is consistent with the sample interacting with shadow copies; the report does not itself capture a shadow-copy deletion command.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\h4gjl51fa87x8.bmp"
Drops file in Program Files directory (36 IoCs)
  Process: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe
    File opened for modification \??\c:\program files\InstallBackup.crw
    File opened for modification \??\c:\program files\StartBackup.shtml
    File opened for modification \??\c:\program files\WatchConfirm.xlsx
    File created \??\c:\program files\5ie55-readme.txt
    File created \??\c:\program files (x86)\5ie55-readme.txt
    File opened for modification \??\c:\program files\ExportInvoke.vbs
    File opened for modification \??\c:\program files\WatchAssert.kix
    File opened for modification \??\c:\program files\WatchRepair.xls
    File opened for modification \??\c:\program files\ConfirmMerge.mpg
    File opened for modification \??\c:\program files\CopyReset.bmp
    File opened for modification \??\c:\program files\EnableRead.aiff
    File opened for modification \??\c:\program files\WatchSubmit.mp4
    File opened for modification \??\c:\program files\ShowTrace.docx
    File opened for modification \??\c:\program files\SyncEnter.TTS
    File opened for modification \??\c:\program files\BackupTest.vdx
    File opened for modification \??\c:\program files\CheckpointCompress.avi
    File opened for modification \??\c:\program files\CopyExpand.ADTS
    File opened for modification \??\c:\program files\DebugClose.pptm
    File opened for modification \??\c:\program files\DisconnectRead.edrwx
    File opened for modification \??\c:\program files\MountClear.eprtx
    File opened for modification \??\c:\program files\UseTrace.M2V
    File opened for modification \??\c:\program files\MeasurePop.m3u
    File opened for modification \??\c:\program files\ResumeRead.mpg
    File opened for modification \??\c:\program files\UndoDisable.jpe
    File opened for modification \??\c:\program files\UnpublishSuspend.jpg
    File opened for modification \??\c:\program files\DisconnectApprove.vssm
    File opened for modification \??\c:\program files\ExportPublish.asx
    File opened for modification \??\c:\program files\JoinSkip.xml
    File opened for modification \??\c:\program files\PingCheckpoint.wmf
    File opened for modification \??\c:\program files\StopProtect.mpp
    File opened for modification \??\c:\program files\TestComplete.vst
    File opened for modification \??\c:\program files\CopyResolve.mp2v
    File opened for modification \??\c:\program files\HideMount.snd
    File opened for modification \??\c:\program files\RepairSave.asx
    File opened for modification \??\c:\program files\RestoreConvertFrom.dwg
    File opened for modification \??\c:\program files\SplitMeasure.xls
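The two signatures above ("Modifies extensions of user files" and the ransom-note drops under "Drops file in Program Files directory") are the rows an analyst reads together: one appended extension across many renames, plus a note whose name carries the same token. The following is an added example, not code from the sandbox or from this report, that automates that check over file events in the report's own row format. The event lines are constructed from this report's IoCs, and the `-readme.txt` naming convention and the two-rename threshold are assumptions chosen for this sample, not a general rule.

```python
import re
from collections import Counter

# Constructed sample of sandbox file events, shaped like this report's
# "File renamed" / "File created" rows (example data, not a live log).
SAMPLE_EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\UnblockMount.tif => \??\c:\users\admin\pictures\UnblockMount.tif.5ie55",
    r"File renamed C:\Users\Admin\Pictures\ApproveDismount.tif => \??\c:\users\admin\pictures\ApproveDismount.tif.5ie55",
    r"File created \??\c:\program files\5ie55-readme.txt",
    r"File created \??\c:\program files (x86)\5ie55-readme.txt",
    r"File opened for modification \??\c:\program files\WatchConfirm.xlsx",
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
CREATE_RE = re.compile(r"^File created (?P<path>.+)$")


def normalize(path):
    # Drop the NT object-manager prefix (\??\) and lower-case, so the Win32
    # form C:\Users\... compares equal to the \??\c:\users\... form.
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_extension(src, dst):
    # Return the single suffix a rename appended to src (e.g. "5ie55"),
    # or None when dst is not simply src plus one extra dotted extension.
    s, d = normalize(src), normalize(dst)
    if d.startswith(s + ".") and "." not in d[len(s) + 1:]:
        return d[len(s) + 1:]
    return None


def analyze(events, min_renames=2):
    # Score a list of sandbox file events for ransomware-style encryption.
    extensions = Counter()
    notes = set()
    for line in events:
        m = RENAME_RE.match(line)
        if m:
            ext = appended_extension(m["src"], m["dst"])
            if ext:
                extensions[ext] += 1
            continue
        m = CREATE_RE.match(line)
        if m:
            name = normalize(m["path"]).rsplit("\\", 1)[-1]
            if name.endswith("-readme.txt"):  # assumed note naming convention
                notes.add(name)

    report = {
        "extensions": dict(extensions),
        "ransom_notes": sorted(notes),
        "verdict": "clean",
    }
    if not extensions:
        return report
    ext, count = extensions.most_common(1)[0]
    # A note whose name starts with the appended extension (5ie55-readme.txt
    # for .5ie55) ties the dropped note to the renamed files: a strong signal.
    note_matches = any(n.startswith(ext + "-") for n in notes)
    report["extension"] = ext
    if count >= min_renames and note_matches:
        report["verdict"] = "ransomware-like"
    else:
        report["verdict"] = "suspicious"
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

Path normalisation matters more than it looks: the source path is logged in Win32 form and the destination in \??\ form, so a naive string comparison never sees the rename as "same file plus a suffix". With the report's two renames and two notes the verdict is ransomware-like; a sample that only renamed files without a matching note would score as suspicious instead.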
Drops file in Windows directory (1 IoC)
  Process: svchost.exe
    File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat
Modifies data under HKEY_USERS (5 IoCs)
  Process: svchost.exe
    Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7
    Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"
    Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 2a1d2e903e85d601
    Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"
  These are the WinHTTP auto-proxy service's own WPAD discovery entries under the LOCAL SERVICE SID (S-1-5-19), written by the svchost.exe instance hosting WinHttpAutoProxySvc; they are background Windows activity, not behaviour of the sample.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe (PID 3740), 2 events
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Process: svchost.exe (PID 1844)
    Token: SeShutdownPrivilege
    Token: SeCreatePagefilePrivilege
  Process: b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe (PID 3740)
    Token: SeDebugPrivilege
    Token: SeTakeOwnershipPrivilege
  Process: vssvc.exe (PID 2664)
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
  The rows that matter are SeDebugPrivilege and SeTakeOwnershipPrivilege enabled by the sample itself (PID 3740): the first gives access to other processes, the second lets it take ownership of files it could not otherwise write. The svchost.exe and vssvc.exe privileges are the ones those Windows services ordinarily enable.
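The privilege table above mixes the sample's token adjustments with those of two Windows services, and the signal is only in the former. The following is an added example, not part of the report or of the sandbox's own detection logic, that parses rows in the report's "Token: <privilege> <pid> <image>" form and flags processes enabling high-risk privileges outside a per-image baseline. The sample rows are constructed from this report; the baseline allow-list and the set of high-risk privileges are hypothetical values to be tuned against your own environment.

```python
import re
from collections import defaultdict

# Constructed sample of AdjustPrivilegeToken rows, taken from this report's
# table (example data, not a live log).
SAMPLE_TOKEN_ROWS = [
    "Token: SeShutdownPrivilege 1844 svchost.exe",
    "Token: SeCreatePagefilePrivilege 1844 svchost.exe",
    "Token: SeDebugPrivilege 3740 b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe",
    "Token: SeTakeOwnershipPrivilege 3740 b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe",
    "Token: SeBackupPrivilege 2664 vssvc.exe",
    "Token: SeRestorePrivilege 2664 vssvc.exe",
    "Token: SeAuditPrivilege 2664 vssvc.exe",
]

TOKEN_RE = re.compile(r"^Token: (?P<priv>Se\w+Privilege) (?P<pid>\d+) (?P<image>\S+)$")

# Privileges whose enablement by an unexpected binary is worth an alert
# (assumption: a hypothetical starting set, extend as needed).
HIGH_RISK = {
    "SeDebugPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
}

# Windows service images and the privileges they are expected to enable
# (assumption: a hypothetical allow-list; build yours from a clean baseline).
BASELINE = {
    "vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"},
    "svchost.exe": {"SeShutdownPrivilege", "SeCreatePagefilePrivilege"},
}


def parse_tokens(rows):
    # Group enabled privileges by (pid, image); unparseable rows are skipped.
    per_proc = defaultdict(set)
    for row in rows:
        m = TOKEN_RE.match(row)
        if m:
            per_proc[(int(m["pid"]), m["image"].lower())].add(m["priv"])
    return dict(per_proc)


def flag_processes(rows):
    # Report every process that enabled a high-risk privilege not covered by
    # the baseline for its image name.
    findings = []
    for (pid, image), privs in sorted(parse_tokens(rows).items()):
        unexpected = privs - BASELINE.get(image, set())
        risky = unexpected & HIGH_RISK
        if risky:
            findings.append({"pid": pid, "image": image, "privileges": sorted(risky)})
    return findings


if __name__ == "__main__":
    for f in flag_processes(SAMPLE_TOKEN_ROWS):
        print(f"PID {f['pid']} {f['image']}: {', '.join(f['privileges'])}")
```

Keying the baseline on the image name alone is deliberately simple; in a real pipeline you would key on the signed image path, since an attacker can name a dropper svchost.exe. On the report's rows only PID 3740 is flagged, for SeDebugPrivilege and SeTakeOwnershipPrivilege.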
Processes

C:\Users\Admin\AppData\Local\Temp\b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe (PID 3740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe (PID 1844)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe (PID 2408)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe (PID 2664)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

All four processes are top-level entries in the tree; the report records no child process spawned by the sample.