Analysis
-
max time kernel
33s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
03-05-2021 16:00
Static task
static1
Behavioral task
behavioral1
Sample
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe
Resource
win10v20210408
General
-
Target
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe
-
Size
143KB
-
MD5
fc12ec1b213c77784a3f52f8a4b97a24
-
SHA1
49d119a9b8ec4ef7cace0259144033358b154bcf
-
SHA256
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f
-
SHA512
a5224870826d5511a919a3070ad1866d74015f40b1d69f4c7944e0551a7a5ab75532ba26cad289f86bdfaf96e3b61f024ab05a953f7afa18bd69c8d68b79de46
Malware Config
Extracted
C:\49o39a-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1DD90F606EF98E84
http://decoder.re/1DD90F606EF98E84
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\SelectExport.crw => \??\c:\users\admin\pictures\SelectExport.crw.49o39a 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File renamed C:\Users\Admin\Pictures\SkipStop.raw => \??\c:\users\admin\pictures\SkipStop.raw.49o39a 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exedescription ioc process File opened (read-only) \??\T: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\U: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\I: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\K: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\Q: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\S: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\V: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\Y: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\Z: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\E: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\J: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\N: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\R: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\O: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\P: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\A: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\B: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\H: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\M: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\X: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\D: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\F: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\G: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\L: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened (read-only) \??\W: 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v8wjm.bmp" 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe -
Drops file in Program Files directory 21 IoCs
Processes:
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exedescription ioc process File opened for modification \??\c:\program files\ReceiveDebug.rtf 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\SwitchReceive.mov 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File created \??\c:\program files\49o39a-readme.txt 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\ExportPing.3gp2 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\ExportSkip.rtf 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\JoinDisconnect.fon 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\MeasureUnregister.pcx 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File created \??\c:\program files (x86)\49o39a-readme.txt 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\ExportClear.emz 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\RenameConvertFrom.DVR 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\UnregisterExit.odt 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\RepairComplete.mp3 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\TestSearch.rm 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\DebugTest.wvx 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\EnableOptimize.odt 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\HideExpand.mp2v 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\MergeSync.csv 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\ReceiveConvertTo.contact 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\BlockDebug.AAC 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\ExportSend.bmp 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe File opened for modification \??\c:\program files\TestUse.avi 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exepid process 784 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe 784 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe 784 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe 784 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exevssvc.exedescription pid process Token: SeDebugPrivilege 784 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe Token: SeTakeOwnershipPrivilege 784 4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe Token: SeBackupPrivilege 3236 vssvc.exe Token: SeRestorePrivilege 3236 vssvc.exe Token: SeAuditPrivilege 3236 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\4f6ce92fccafa6d2454a12022e21fbd6adf1a6ec2d45c71de6f8729ec3ad195f.bin.sample.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:204
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236