Analysis
-
max time kernel
145s -
max time network
124s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
06-11-2020 07:03
Static task
static1
Behavioral task
behavioral1
Sample
as.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
as.exe
Resource
win10v20201028
General
-
Target
as.exe
-
Size
192KB
-
MD5
beed14bc183ad523b94ef6ac2b270b08
-
SHA1
4ea45e0d8a4d50182063cc97c8a86d579f3adf05
-
SHA256
b10d9a62edb6081aa9f7fc865554064bb212555392b1181dc40040e12927f988
-
SHA512
da74c44e21e120af26074fb6493a35067f037cc633e630b415d9b6947c9dc58e354fbb33afc87f733da8cd4d1f8ca66081df0e96d249ffb1c2ba8142c9317196
Malware Config
Extracted
C:\z8670ejqk3-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E0228824883A2F7E
http://decryptor.cc/E0228824883A2F7E
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
as.exedescription ioc process File opened (read-only) \??\N: as.exe File opened (read-only) \??\T: as.exe File opened (read-only) \??\V: as.exe File opened (read-only) \??\B: as.exe File opened (read-only) \??\E: as.exe File opened (read-only) \??\G: as.exe File opened (read-only) \??\H: as.exe File opened (read-only) \??\K: as.exe File opened (read-only) \??\L: as.exe File opened (read-only) \??\O: as.exe File opened (read-only) \??\S: as.exe File opened (read-only) \??\W: as.exe File opened (read-only) \??\Z: as.exe File opened (read-only) \??\F: as.exe File opened (read-only) \??\J: as.exe File opened (read-only) \??\R: as.exe File opened (read-only) \??\X: as.exe File opened (read-only) \??\Y: as.exe File opened (read-only) \??\U: as.exe File opened (read-only) \??\A: as.exe File opened (read-only) \??\I: as.exe File opened (read-only) \??\M: as.exe File opened (read-only) \??\P: as.exe File opened (read-only) \??\Q: as.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Drops file in Program Files directory 35 IoCs
Processes:
as.exedescription ioc process File opened for modification \??\c:\program files\LimitPush.css as.exe File opened for modification \??\c:\program files\WriteRequest.WTV as.exe File opened for modification \??\c:\program files\CloseSend.xla as.exe File opened for modification \??\c:\program files\InstallSelect.au as.exe File opened for modification \??\c:\program files\MergeInitialize.xls as.exe File opened for modification \??\c:\program files\StopCheckpoint.pps as.exe File opened for modification \??\c:\program files\UnregisterReset.DVR-MS as.exe File opened for modification \??\c:\program files\ProtectStop.mp4 as.exe File opened for modification \??\c:\program files\ResolveUnlock.easmx as.exe File opened for modification \??\c:\program files\WatchStep.eprtx as.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\z8670ejqk3-readme.txt as.exe File created \??\c:\program files (x86)\z8670ejqk3-readme.txt as.exe File opened for modification \??\c:\program files\SetExport.raw as.exe File opened for modification \??\c:\program files\GroupShow.mov as.exe File opened for modification \??\c:\program files\PingSplit.xml as.exe File opened for modification \??\c:\program files\RestoreInvoke.html as.exe File opened for modification \??\c:\program files\UndoApprove.xml as.exe File opened for modification \??\c:\program files\WriteClear.odp as.exe File created \??\c:\program files\z8670ejqk3-readme.txt as.exe File opened for modification \??\c:\program files\TraceImport.xsl as.exe File opened for modification \??\c:\program files\UnpublishConvertTo.rmi as.exe File opened for modification \??\c:\program files\UpdateEnable.otf as.exe File opened for modification \??\c:\program files\ConfirmPing.js as.exe File opened for modification \??\c:\program files\ExitNew.ADTS as.exe File opened for modification \??\c:\program files\MeasureSearch.mpe as.exe File opened for modification \??\c:\program files\RestartStep.tif as.exe File opened for modification \??\c:\program files\UndoExpand.temp as.exe File opened for modification \??\c:\program files\ResolveGroup.mhtml as.exe File opened for modification \??\c:\program files\SearchInitialize.wax as.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\z8670ejqk3-readme.txt as.exe File opened for modification \??\c:\program files\CloseSuspend.emf as.exe File opened for modification \??\c:\program files\ConvertCheckpoint.mp4 as.exe File opened for modification \??\c:\program files\CopyConvertFrom.html as.exe File opened for modification \??\c:\program files\InitializeMerge.wmv as.exe File opened for modification \??\c:\program files\RegisterStart.emf as.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
as.exepid process 744 as.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
as.exevssvc.exedescription pid process Token: SeDebugPrivilege 744 as.exe Token: SeTakeOwnershipPrivilege 744 as.exe Token: SeBackupPrivilege 1796 vssvc.exe Token: SeRestorePrivilege 1796 vssvc.exe Token: SeAuditPrivilege 1796 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\as.exe"C:\Users\Admin\AppData\Local\Temp\as.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1804
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1796