Analysis
-
max time kernel
60s -
max time network
56s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 08:11
Static task
static1
Behavioral task
behavioral1
Sample
azure-agent.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
azure-agent.exe
Resource
win10v20201028
General
-
Target
azure-agent.exe
-
Size
146KB
-
MD5
b30ff382e069c56f5e53bb9bb6403965
-
SHA1
2710508a5a01281e509ed9201bda734d22798509
-
SHA256
75555df5e8b1644f321ca4fdd0122902aa664257105c5b0e698f402cbc0537d3
-
SHA512
2b810d64c72fc3485b2ac61451ae4be237ca5079e42f4124d97aa80d07e59ca90cdb0626bedbb7877fd6c877881f72a3384543c0f2ff4f571dd35a31f6bb58d5
Malware Config
Extracted
C:\4nwe6-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7D031C38933EE26
http://decryptor.cc/A7D031C38933EE26
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
azure-agent.exedescription ioc process File renamed C:\Users\Admin\Pictures\ConvertExit.raw => \??\c:\users\admin\pictures\ConvertExit.raw.4nwe6 azure-agent.exe File renamed C:\Users\Admin\Pictures\DismountResume.png => \??\c:\users\admin\pictures\DismountResume.png.4nwe6 azure-agent.exe File renamed C:\Users\Admin\Pictures\SyncEdit.tiff => \??\c:\users\admin\pictures\SyncEdit.tiff.4nwe6 azure-agent.exe File renamed C:\Users\Admin\Pictures\UndoSplit.tif => \??\c:\users\admin\pictures\UndoSplit.tif.4nwe6 azure-agent.exe File renamed C:\Users\Admin\Pictures\UpdateMerge.raw => \??\c:\users\admin\pictures\UpdateMerge.raw.4nwe6 azure-agent.exe File opened for modification \??\c:\users\admin\pictures\RevokePush.tiff azure-agent.exe File opened for modification \??\c:\users\admin\pictures\SyncEdit.tiff azure-agent.exe File renamed C:\Users\Admin\Pictures\BackupMeasure.crw => \??\c:\users\admin\pictures\BackupMeasure.crw.4nwe6 azure-agent.exe File renamed C:\Users\Admin\Pictures\CompressMount.tiff => \??\c:\users\admin\pictures\CompressMount.tiff.4nwe6 azure-agent.exe File renamed C:\Users\Admin\Pictures\RenamePing.png => \??\c:\users\admin\pictures\RenamePing.png.4nwe6 azure-agent.exe File renamed C:\Users\Admin\Pictures\RevokePush.tiff => \??\c:\users\admin\pictures\RevokePush.tiff.4nwe6 azure-agent.exe File renamed C:\Users\Admin\Pictures\StepCompress.tif => \??\c:\users\admin\pictures\StepCompress.tif.4nwe6 azure-agent.exe File opened for modification \??\c:\users\admin\pictures\CompressMount.tiff azure-agent.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
azure-agent.exedescription ioc process File opened (read-only) \??\E: azure-agent.exe File opened (read-only) \??\O: azure-agent.exe File opened (read-only) \??\D: azure-agent.exe File opened (read-only) \??\B: azure-agent.exe File opened (read-only) \??\H: azure-agent.exe File opened (read-only) \??\N: azure-agent.exe File opened (read-only) \??\Q: azure-agent.exe File opened (read-only) \??\R: azure-agent.exe File opened (read-only) \??\T: azure-agent.exe File opened (read-only) \??\V: azure-agent.exe File opened (read-only) \??\W: azure-agent.exe File opened (read-only) \??\Y: azure-agent.exe File opened (read-only) \??\A: azure-agent.exe File opened (read-only) \??\G: azure-agent.exe File opened (read-only) \??\I: azure-agent.exe File opened (read-only) \??\J: azure-agent.exe File opened (read-only) \??\L: azure-agent.exe File opened (read-only) \??\M: azure-agent.exe File opened (read-only) \??\P: azure-agent.exe File opened (read-only) \??\S: azure-agent.exe File opened (read-only) \??\U: azure-agent.exe File opened (read-only) \??\X: azure-agent.exe File opened (read-only) \??\Z: azure-agent.exe File opened (read-only) \??\F: azure-agent.exe File opened (read-only) \??\K: azure-agent.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
azure-agent.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\045.bmp" azure-agent.exe -
Drops file in Program Files directory 27 IoCs
Processes:
azure-agent.exedescription ioc process File opened for modification \??\c:\program files\AssertOut.mpv2 azure-agent.exe File opened for modification \??\c:\program files\GroupLock.xhtml azure-agent.exe File opened for modification \??\c:\program files\RestoreHide.ods azure-agent.exe File opened for modification \??\c:\program files\UnpublishConfirm.pps azure-agent.exe File created \??\c:\program files\4nwe6-readme.txt azure-agent.exe File opened for modification \??\c:\program files\ConvertFromConvertTo.vsd azure-agent.exe File opened for modification \??\c:\program files\StepJoin.ini azure-agent.exe File opened for modification \??\c:\program files\GrantRename.easmx azure-agent.exe File opened for modification \??\c:\program files\RegisterBackup.aiff azure-agent.exe File created \??\c:\program files (x86)\4nwe6-readme.txt azure-agent.exe File opened for modification \??\c:\program files\OutLimit.xht azure-agent.exe File opened for modification \??\c:\program files\CompleteCheckpoint.asx azure-agent.exe File opened for modification \??\c:\program files\EditInitialize.mpeg azure-agent.exe File opened for modification \??\c:\program files\ResumeUnprotect.rar azure-agent.exe File opened for modification \??\c:\program files\SaveTest.dwg azure-agent.exe File opened for modification \??\c:\program files\ConfirmPublish.contact azure-agent.exe File opened for modification \??\c:\program files\CompressSearch.vsd azure-agent.exe File opened for modification \??\c:\program files\ImportResolve.wps azure-agent.exe File opened for modification \??\c:\program files\UnblockMount.csv azure-agent.exe File opened for modification \??\c:\program files\BlockSync.dib azure-agent.exe File opened for modification \??\c:\program files\InitializeSet.pps azure-agent.exe File opened for modification \??\c:\program files\RepairOut.mpe azure-agent.exe File opened for modification \??\c:\program files\SaveRepair.vbe azure-agent.exe File opened for modification \??\c:\program files\DenyUnregister.mp4 azure-agent.exe File opened for modification \??\c:\program files\InitializeOpen.css azure-agent.exe File opened for modification \??\c:\program files\SetRead.dwfx azure-agent.exe File opened for modification \??\c:\program files\StepUndo.tiff azure-agent.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
azure-agent.exepid process 1316 azure-agent.exe 1316 azure-agent.exe 1316 azure-agent.exe 1316 azure-agent.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
azure-agent.exevssvc.exedescription pid process Token: SeDebugPrivilege 1316 azure-agent.exe Token: SeTakeOwnershipPrivilege 1316 azure-agent.exe Token: SeBackupPrivilege 372 vssvc.exe Token: SeRestorePrivilege 372 vssvc.exe Token: SeAuditPrivilege 372 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\azure-agent.exe"C:\Users\Admin\AppData\Local\Temp\azure-agent.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\4nwe6-readme.txt1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\4nwe6-readme.txtMD5
094220c3bd010caa763ff4627e302f29
SHA18cd64b01c444e4302bcb09e44e7a0c26bf9f5996
SHA256a9b0a99f0f61a1b41a906e0a9425aa724879ac08eea7c9c0d9a5211b94cee1ba
SHA512d1c8f88984a0a9f6572506c668d3d27f0340a9c46ad2766da4a9ca9ba8091f69262b4a8e485009bea3655dbcd0ebfe0dbd8e72b370a18d501c9ab7a252ac431e
-
memory/1316-0-0x00000000030F7000-0x00000000030F8000-memory.dmpFilesize
4KB
-
memory/1316-1-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB