Analysis
-
max time kernel
139s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
16-02-2021 08:41
Static task
static1
Behavioral task
behavioral1
Sample
ransomware.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
ransomware.bin.exe
Resource
win10v20201028
General
-
Target
ransomware.bin.exe
-
Size
118KB
-
MD5
39d22b8f3da4a83cd957f324f2423309
-
SHA1
70baae39f80e8917a71353110bb85e797e23524a
-
SHA256
c8c169ad2628ff3860c4d0bd04afeb81262051f664f9d5a334c32c78e791a7f8
-
SHA512
293ac35141e885e685b7ba588fea2ba84ece78441dea9c9b3e28d584923dc9ab0605016244d3f95dec56e49c701a9e19d006e8d5d3604a3423ed167b236a7ecd
Malware Config
Extracted
C:\3j428mt-readme.txt
sodinokibi
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ransomware.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\RequestRegister.tiff => \??\c:\users\admin\pictures\RequestRegister.tiff.3j428mt ransomware.bin.exe File renamed C:\Users\Admin\Pictures\SyncConvertFrom.crw => \??\c:\users\admin\pictures\SyncConvertFrom.crw.3j428mt ransomware.bin.exe File opened for modification \??\c:\users\admin\pictures\WaitRestart.tiff ransomware.bin.exe File renamed C:\Users\Admin\Pictures\WaitRestart.tiff => \??\c:\users\admin\pictures\WaitRestart.tiff.3j428mt ransomware.bin.exe File renamed C:\Users\Admin\Pictures\FindPublish.tif => \??\c:\users\admin\pictures\FindPublish.tif.3j428mt ransomware.bin.exe File renamed C:\Users\Admin\Pictures\JoinRepair.tif => \??\c:\users\admin\pictures\JoinRepair.tif.3j428mt ransomware.bin.exe File opened for modification \??\c:\users\admin\pictures\RequestRegister.tiff ransomware.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ransomware.bin.exedescription ioc process File opened (read-only) \??\P: ransomware.bin.exe File opened (read-only) \??\R: ransomware.bin.exe File opened (read-only) \??\V: ransomware.bin.exe File opened (read-only) \??\E: ransomware.bin.exe File opened (read-only) \??\F: ransomware.bin.exe File opened (read-only) \??\I: ransomware.bin.exe File opened (read-only) \??\Q: ransomware.bin.exe File opened (read-only) \??\S: ransomware.bin.exe File opened (read-only) \??\W: ransomware.bin.exe File opened (read-only) \??\X: ransomware.bin.exe File opened (read-only) \??\A: ransomware.bin.exe File opened (read-only) \??\G: ransomware.bin.exe File opened (read-only) \??\H: ransomware.bin.exe File opened (read-only) \??\J: ransomware.bin.exe File opened (read-only) \??\M: ransomware.bin.exe File opened (read-only) \??\O: ransomware.bin.exe File opened (read-only) \??\T: ransomware.bin.exe File opened (read-only) \??\U: ransomware.bin.exe File opened (read-only) \??\B: ransomware.bin.exe File opened (read-only) \??\L: ransomware.bin.exe File opened (read-only) \??\N: ransomware.bin.exe File opened (read-only) \??\Y: ransomware.bin.exe File opened (read-only) \??\Z: ransomware.bin.exe File opened (read-only) \??\D: ransomware.bin.exe File opened (read-only) \??\K: ransomware.bin.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
ransomware.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\k8ktucve1.bmp" ransomware.bin.exe -
Drops file in Program Files directory 26 IoCs
Processes:
ransomware.bin.exedescription ioc process File opened for modification \??\c:\program files\OptimizeSwitch.M2TS ransomware.bin.exe File opened for modification \??\c:\program files\RemovePop.mpeg2 ransomware.bin.exe File opened for modification \??\c:\program files\RenameEdit.xlsm ransomware.bin.exe File opened for modification \??\c:\program files\UnlockLimit.dotx ransomware.bin.exe File opened for modification \??\c:\program files\DebugOpen.vstx ransomware.bin.exe File opened for modification \??\c:\program files\GrantSuspend.mhtml ransomware.bin.exe File opened for modification \??\c:\program files\ImportCompare.search-ms ransomware.bin.exe File opened for modification \??\c:\program files\MergeDeny.ttf ransomware.bin.exe File opened for modification \??\c:\program files\UseClose.docm ransomware.bin.exe File opened for modification \??\c:\program files\HideDismount.svgz ransomware.bin.exe File opened for modification \??\c:\program files\UnlockInvoke.pps ransomware.bin.exe File opened for modification \??\c:\program files\UnprotectApprove.wm ransomware.bin.exe File opened for modification \??\c:\program files\UpdateGrant.ADTS ransomware.bin.exe File opened for modification \??\c:\program files\SendOpen.wmf ransomware.bin.exe File opened for modification \??\c:\program files\FormatInitialize.dib ransomware.bin.exe File opened for modification \??\c:\program files\InvokeApprove.mht ransomware.bin.exe File opened for modification \??\c:\program files\MountResolve.dotx ransomware.bin.exe File opened for modification \??\c:\program files\OutGet.vb ransomware.bin.exe File opened for modification \??\c:\program files\ResolveConvert.mpv2 ransomware.bin.exe File opened for modification \??\c:\program files\SuspendSubmit.mpv2 ransomware.bin.exe File opened for modification \??\c:\program files\SyncMeasure.mp4 ransomware.bin.exe File opened for modification \??\c:\program files\UnprotectNew.html ransomware.bin.exe File opened for modification \??\c:\program files\BackupClear.wax ransomware.bin.exe File opened for modification \??\c:\program files\DismountDisable.docx ransomware.bin.exe File opened for modification \??\c:\program files\ExportEnable.m4v ransomware.bin.exe File opened for modification \??\c:\program files\JoinOpen.potm ransomware.bin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
ransomware.bin.exepid process 3116 ransomware.bin.exe 3116 ransomware.bin.exe 3116 ransomware.bin.exe 3116 ransomware.bin.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
ransomware.bin.exevssvc.exedescription pid process Token: SeDebugPrivilege 3116 ransomware.bin.exe Token: SeTakeOwnershipPrivilege 3116 ransomware.bin.exe Token: SeBackupPrivilege 3936 vssvc.exe Token: SeRestorePrivilege 3936 vssvc.exe Token: SeAuditPrivilege 3936 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ransomware.bin.exe"C:\Users\Admin\AppData\Local\Temp\ransomware.bin.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2712
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936