Analysis
- max time kernel: 60s
- max time network: 59s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 20-12-2020 14:44
Static task: static1
Behavioral task: behavioral1
Sample: a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
Resource: win10v20201028
General
- Target: a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
- Size: 117KB
- MD5: 1aa4a440dbb64066a9d2ffeb16618121
- SHA1: e0130f08665b53e1fec96c2de8de97f7796b9fad
- SHA256: a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148
- SHA512: 3a594e707c2c676cc64f441a03b9b0560f6ec1155fdad802c1868dc686acfdc64ea697f3e79d522dae2e2a107159594ee85e3d67a3a1f4990452c6020b0c6820
Malware Config
Extracted
- Path: C:\3s7ak7r8s-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF9F5255F9EBF6E8
  http://decryptor.cc/DF9F5255F9EBF6E8
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  description | ioc | process
  File opened for modification | \??\c:\users\admin\pictures\GetRestart.tiff | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\users\admin\pictures\RegisterShow.tiff | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File renamed | C:\Users\Admin\Pictures\CompareTest.raw => \??\c:\users\admin\pictures\CompareTest.raw.3s7ak7r8s | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File renamed | C:\Users\Admin\Pictures\InvokeReset.raw => \??\c:\users\admin\pictures\InvokeReset.raw.3s7ak7r8s | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File renamed | C:\Users\Admin\Pictures\SelectPublish.tif => \??\c:\users\admin\pictures\SelectPublish.tif.3s7ak7r8s | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File renamed | C:\Users\Admin\Pictures\SyncConvertTo.tif => \??\c:\users\admin\pictures\SyncConvertTo.tif.3s7ak7r8s | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File renamed | C:\Users\Admin\Pictures\GetRestart.tiff => \??\c:\users\admin\pictures\GetRestart.tiff.3s7ak7r8s | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File renamed | C:\Users\Admin\Pictures\LockUninstall.png => \??\c:\users\admin\pictures\LockUninstall.png.3s7ak7r8s | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File renamed | C:\Users\Admin\Pictures\RegisterShow.tiff => \??\c:\users\admin\pictures\RegisterShow.tiff.3s7ak7r8s | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  description | ioc | process
  File opened (read-only) | \??\E: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\K: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\L: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\M: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\T: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\X: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\A: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\F: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\J: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\O: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\Q: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\R: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\W: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\Y: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\Z: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\D: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\B: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\H: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\N: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\P: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\U: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\G: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\I: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\S: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened (read-only) | \??\V: | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8g133wsqy.bmp" | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
- Drops file in Program Files directory (32 IoCs)
  Processes: a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\FormatEnter.mpg | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\JoinSave.pub | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\RestartInvoke.zip | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\TraceConfirm.ttf | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\UnprotectNew.pot | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\UpdateShow.wma | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\ExportCompress.mhtml | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\EnableConvertFrom.vbe | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\JoinSync.vdx | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\OutLimit.html | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\BackupResolve.xps | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\GrantDisable.DVR | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\PingProtect.vst | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\TestBackup.wav | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\DenyImport.jfif | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\HideMeasure.aiff | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\ImportConvertFrom.otf | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\MountDebug.mp3 | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\CloseApprove.jtx | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\HideConvertFrom.asp | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\RequestShow.mpeg | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File created | \??\c:\program files (x86)\3s7ak7r8s-readme.txt | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\SelectSuspend.mp3 | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\UninstallRequest.cfg | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\UnlockClose.mht | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File created | \??\c:\program files\3s7ak7r8s-readme.txt | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\DisconnectFind.M2TS | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\ExportImport.m4a | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\LimitCompress.i64 | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\SelectLimit.aiff | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\SubmitUndo.pptx | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  File opened for modification | \??\c:\program files\ConvertEnable.doc | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  pid | process
  1404 | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  1404 | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  1404 | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  1404 | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1404 | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  Token: SeTakeOwnershipPrivilege | 1404 | a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  Token: SeBackupPrivilege | 1008 | vssvc.exe
  Token: SeRestorePrivilege | 1008 | vssvc.exe
  Token: SeAuditPrivilege | 1008 | vssvc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: firefox.exe
  description | pid | process | target process
  PID 3180 wrote to memory of 3440 | 3180 | firefox.exe | firefox.exe
  PID 3180 wrote to memory of 3440 | 3180 | firefox.exe | firefox.exe
  PID 3180 wrote to memory of 3440 | 3180 | firefox.exe | firefox.exe
  PID 3180 wrote to memory of 3440 | 3180 | firefox.exe | firefox.exe
  PID 3180 wrote to memory of 3440 | 3180 | firefox.exe | firefox.exe
  PID 3180 wrote to memory of 3440 | 3180 | firefox.exe | firefox.exe
  PID 3180 wrote to memory of 3440 | 3180 | firefox.exe | firefox.exe
  PID 3180 wrote to memory of 3440 | 3180 | firefox.exe | firefox.exe
  PID 3180 wrote to memory of 3440 | 3180 | firefox.exe | firefox.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (child process)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\3s7ak7r8s-readme.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\3s7ak7r8s-readme.txt
  MD5: 7f071bc34cf2e9ac66fd06ef32a88803
  SHA1: 2c6e0c5b7ce6f95730f6e591b031cac79979ef6a
  SHA256: 345c0944ea9cc3bc592afe79c3227d34979c44b6314452f000a3b7d2cb9fdc63
  SHA512: c049db2f433fdfec7a094075f1b7ab3a91f5fd591de2a6bd19e68548b893e70617b796607a446031d331721bb1a0722609a69622a8127e70ca4e1dbcc6e61032
- memory/3440-2-0x0000000000000000-mapping.dmp