Analysis
-
max time kernel
26s -
max time network
63s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
21-10-2020 13:58
Static task
static1
Behavioral task
behavioral1
Sample
f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe
Resource
win10v200722
General
-
Target
f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe
-
Size
117KB
-
MD5
10a09a96cb6a005bccf75cd8221f8599
-
SHA1
95997839fe029519e990f22cd28dc3d15bd03833
-
SHA256
f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d
-
SHA512
521f8a1ec8ff561a0086214eaf387c4221a4696910eb5ada0d48049c8ba271a83983a77b27eaab5a2749225953fdf516be2590e5acf0d02378193d6857186fd7
Malware Config
Extracted
C:\mttu9-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/23DC7C2AEED5C80F
http://decryptor.cc/23DC7C2AEED5C80F
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exedescription ioc process File opened for modification \??\c:\users\admin\pictures\WatchMerge.tiff f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File renamed C:\Users\Admin\Pictures\CompareInvoke.raw => \??\c:\users\admin\pictures\CompareInvoke.raw.mttu9 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File renamed C:\Users\Admin\Pictures\DebugEnable.tif => \??\c:\users\admin\pictures\DebugEnable.tif.mttu9 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File renamed C:\Users\Admin\Pictures\LimitInstall.raw => \??\c:\users\admin\pictures\LimitInstall.raw.mttu9 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File renamed C:\Users\Admin\Pictures\ResizeShow.crw => \??\c:\users\admin\pictures\ResizeShow.crw.mttu9 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File renamed C:\Users\Admin\Pictures\SuspendClear.png => \??\c:\users\admin\pictures\SuspendClear.png.mttu9 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File renamed C:\Users\Admin\Pictures\UnpublishShow.tif => \??\c:\users\admin\pictures\UnpublishShow.tif.mttu9 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File renamed C:\Users\Admin\Pictures\WaitConfirm.crw => \??\c:\users\admin\pictures\WaitConfirm.crw.mttu9 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File renamed C:\Users\Admin\Pictures\WatchMerge.tiff => \??\c:\users\admin\pictures\WatchMerge.tiff.mttu9 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exedescription ioc process File opened (read-only) \??\B: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\F: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\J: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\K: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\O: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\T: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\G: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\I: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\L: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\P: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\X: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\Y: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\Z: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\Q: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\V: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\U: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\A: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\E: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\H: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\M: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\N: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\R: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\S: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\W: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened (read-only) \??\D: f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0h6f.bmp" f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe -
Drops file in Program Files directory 17 IoCs
Processes:
f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exedescription ioc process File opened for modification \??\c:\program files\ConnectRestart.wmf f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\GroupWrite.rtf f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\OpenSearch.AAC f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\ShowWatch.vsw f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\SplitReset.txt f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\AddDisable.gif f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\SelectStop.mpeg2 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\UnblockOptimize.php f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\RepairCompare.ppt f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File created \??\c:\program files (x86)\mttu9-readme.txt f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\ConvertSearch.001 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\ConvertToCopy.docx f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\DisableEnable.pcx f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\OpenSync.mp4 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\UnpublishExit.potx f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File created \??\c:\program files\mttu9-readme.txt f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe File opened for modification \??\c:\program files\ExpandPublish.mpeg3 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exepid process 500 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe 500 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe 500 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe 500 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exevssvc.exedescription pid process Token: SeDebugPrivilege 500 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe Token: SeTakeOwnershipPrivilege 500 f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe Token: SeBackupPrivilege 3696 vssvc.exe Token: SeRestorePrivilege 3696 vssvc.exe Token: SeAuditPrivilege 3696 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe"C:\Users\Admin\AppData\Local\Temp\f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:500
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:4040
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3696