Analysis
- max time kernel: 143s
- max time network: 102s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-03-2021 18:44
Static task: static1
Behavioral task: behavioral1
- Sample: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
- Resource: win10v20201028
General
- Target: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
- Size: 120KB
- MD5: 8265a35b73b1de8ecb204202e44cbc4d
- SHA1: cbd2632ede0831883a1c7ba1ab7977be13ca4dd3
- SHA256: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940
- SHA512: 1e74a78d1bdd1704c9403a738f44beb06e0308ac84a378f02449fdc937e5861e0a3063bdb0f451b8f1b6ae32336ef3459b0b6e04877fe3184e7bdb4f692af8d4
Malware Config
Extracted
- C:\1r8p3d85i4-readme.txt
- sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60DDE6F52A0E6FF2
- http://decoder.re/60DDE6F52A0E6FF2
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\EditResolve.tif => \??\c:\users\admin\pictures\EditResolve.tif.1r8p3d85i4 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File renamed | C:\Users\Admin\Pictures\InitializeRequest.crw => \??\c:\users\admin\pictures\InitializeRequest.crw.1r8p3d85i4 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File renamed | C:\Users\Admin\Pictures\OptimizeWatch.crw => \??\c:\users\admin\pictures\OptimizeWatch.crw.1r8p3d85i4 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File renamed | C:\Users\Admin\Pictures\OutBlock.raw => \??\c:\users\admin\pictures\OutBlock.raw.1r8p3d85i4 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File renamed | C:\Users\Admin\Pictures\ResizeEnable.raw => \??\c:\users\admin\pictures\ResizeEnable.raw.1r8p3d85i4 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File renamed | C:\Users\Admin\Pictures\SetGet.crw => \??\c:\users\admin\pictures\SetGet.crw.1r8p3d85i4 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  description | ioc | process
  File opened (read-only) | \??\S: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\T: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\W: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\E: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\K: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\L: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\P: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\R: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\X: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\B: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\F: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\Q: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\V: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\Z: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\D: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\G: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\H: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\J: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\O: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\U: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\A: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\I: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\M: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\N: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened (read-only) | \??\Y: | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14zwmj6l.bmp" | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
- Drops file in Program Files directory (38 IoCs)
  Processes: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\RemoveCompare.xlsm | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\SetDebug.xla | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\ShowDisable.rtf | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\ClearUnlock.WTV | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\InstallEnter.AAC | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\InstallSend.htm | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\ConvertToSet.kix | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\WatchRepair.vstm | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\ResizeReceive.ini | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\StopCompress.fon | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\SubmitRevoke.csv | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\DebugDisable.WTV | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\DisableLimit.mpeg | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\InvokeCompress.nfo | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\RestoreRestart.gif | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\CheckpointApprove.mp3 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\FindSync.avi | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\RegisterEnter.ini | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\ResumePublish.asp | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\StepUnlock.vsd | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File created | \??\c:\program files\1r8p3d85i4-readme.txt | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\EnterRedo.vssm | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\ResetAdd.vstm | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\RestoreDismount.ppsx | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File created | \??\c:\program files (x86)\1r8p3d85i4-readme.txt | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\ConvertFromRemove.dxf | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\RequestExit.ods | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\PopDisconnect.rar | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\StepDisable.wmv | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\UninstallCheckpoint.txt | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\FormatInvoke.odt | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\InitializePing.svg | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\PushDisable.xht | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\RepairSet.wav | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\UninstallApprove.inf | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\CloseGroup.raw | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\CompressJoin.xltm | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  File opened for modification | \??\c:\program files\FindUninstall.vst | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  pid | process
  4804 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  4804 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  4804 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  4804 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 4804 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  Token: SeTakeOwnershipPrivilege | 4804 | 93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  Token: SeBackupPrivilege | 596 | vssvc.exe
  Token: SeRestorePrivilege | 596 | vssvc.exe
  Token: SeAuditPrivilege | 596 | vssvc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\93c4b144a4ef5e9ebcb5de425f6151fb6fd892d1042b21e639ab6c358cad3940.exe"
  PID: 4804
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 4284
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 596
  - Suspicious use of AdjustPrivilegeToken