Resubmissions
11-04-2024 17:53
240411-wgrc2agf82 1011-04-2024 17:50
240411-weydkagf52 1007-03-2024 21:32
240307-1d2rtafd3x 1005-03-2024 03:22
240305-dw4ykadb7x 1026-02-2024 08:40
240226-klbmlahd92 1025-01-2024 23:42
240125-3p3jlaagej 1010-10-2023 00:01
231010-aaxetahb7s 1014-07-2023 13:07
230714-qc385seh7w 1011-07-2023 13:35
230711-qv314aad81 10Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
06-05-2021 13:32
Static task
static1
Behavioral task
behavioral1
Sample
v2.bin.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
v2.bin.exe
Resource
win10v20210410
General
-
Target
v2.bin.exe
-
Size
121KB
-
MD5
944ed18066724dc6ca3fb3d72e4b9bdf
-
SHA1
1a19c8793cd783a5bb89777f5bc09e580f97ce29
-
SHA256
74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f
-
SHA512
a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3
Malware Config
Extracted
C:\q61y49h1-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8444D1570928AADC
http://decoder.re/8444D1570928AADC
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
v2.bin.exedescription ioc process File opened for modification \??\c:\users\admin\pictures\ConnectUnprotect.tiff v2.bin.exe File opened for modification \??\c:\users\admin\pictures\ExportShow.tiff v2.bin.exe File renamed C:\Users\Admin\Pictures\ExpandWrite.png => \??\c:\users\admin\pictures\ExpandWrite.png.q61y49h1 v2.bin.exe File renamed C:\Users\Admin\Pictures\ResetRepair.crw => \??\c:\users\admin\pictures\ResetRepair.crw.q61y49h1 v2.bin.exe File opened for modification \??\c:\users\admin\pictures\WriteRestore.tiff v2.bin.exe File renamed C:\Users\Admin\Pictures\WriteRestore.tiff => \??\c:\users\admin\pictures\WriteRestore.tiff.q61y49h1 v2.bin.exe File renamed C:\Users\Admin\Pictures\ConnectUnprotect.tiff => \??\c:\users\admin\pictures\ConnectUnprotect.tiff.q61y49h1 v2.bin.exe File renamed C:\Users\Admin\Pictures\DisableEnable.tif => \??\c:\users\admin\pictures\DisableEnable.tif.q61y49h1 v2.bin.exe File renamed C:\Users\Admin\Pictures\ExpandFind.raw => \??\c:\users\admin\pictures\ExpandFind.raw.q61y49h1 v2.bin.exe File renamed C:\Users\Admin\Pictures\ExportShow.tiff => \??\c:\users\admin\pictures\ExportShow.tiff.q61y49h1 v2.bin.exe File renamed C:\Users\Admin\Pictures\SplitMount.raw => \??\c:\users\admin\pictures\SplitMount.raw.q61y49h1 v2.bin.exe File renamed C:\Users\Admin\Pictures\TestFind.tif => \??\c:\users\admin\pictures\TestFind.tif.q61y49h1 v2.bin.exe File renamed C:\Users\Admin\Pictures\UninstallUnregister.crw => \??\c:\users\admin\pictures\UninstallUnregister.crw.q61y49h1 v2.bin.exe -
Drops startup file 1 IoCs
Processes:
v2.bin.exedescription ioc process File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\q61y49h1-readme.txt v2.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
v2.bin.exedescription ioc process File opened (read-only) \??\F: v2.bin.exe File opened (read-only) \??\G: v2.bin.exe File opened (read-only) \??\I: v2.bin.exe File opened (read-only) \??\K: v2.bin.exe File opened (read-only) \??\M: v2.bin.exe File opened (read-only) \??\N: v2.bin.exe File opened (read-only) \??\O: v2.bin.exe File opened (read-only) \??\S: v2.bin.exe File opened (read-only) \??\W: v2.bin.exe File opened (read-only) \??\A: v2.bin.exe File opened (read-only) \??\J: v2.bin.exe File opened (read-only) \??\X: v2.bin.exe File opened (read-only) \??\Z: v2.bin.exe File opened (read-only) \??\D: v2.bin.exe File opened (read-only) \??\E: v2.bin.exe File opened (read-only) \??\H: v2.bin.exe File opened (read-only) \??\P: v2.bin.exe File opened (read-only) \??\R: v2.bin.exe File opened (read-only) \??\U: v2.bin.exe File opened (read-only) \??\V: v2.bin.exe File opened (read-only) \??\B: v2.bin.exe File opened (read-only) \??\L: v2.bin.exe File opened (read-only) \??\Q: v2.bin.exe File opened (read-only) \??\T: v2.bin.exe File opened (read-only) \??\Y: v2.bin.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
v2.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdqr16z9.bmp" v2.bin.exe -
Drops file in Program Files directory 17 IoCs
Processes:
v2.bin.exedescription ioc process File opened for modification \??\c:\program files\ReadHide.dwg v2.bin.exe File opened for modification \??\c:\program files\ReceiveConvertTo.eprtx v2.bin.exe File opened for modification \??\c:\program files\SubmitOpen.mpe v2.bin.exe File opened for modification \??\c:\program files\GrantConfirm.htm v2.bin.exe File opened for modification \??\c:\program files\InstallMount.doc v2.bin.exe File opened for modification \??\c:\program files\RenameInvoke.m3u v2.bin.exe File created \??\c:\program files (x86)\q61y49h1-readme.txt v2.bin.exe File opened for modification \??\c:\program files\RequestLimit.mpeg v2.bin.exe File opened for modification \??\c:\program files\UnlockEdit.svg v2.bin.exe File opened for modification \??\c:\program files\UnregisterUnprotect.wmf v2.bin.exe File opened for modification \??\c:\program files\UpdateUnblock.wma v2.bin.exe File opened for modification \??\c:\program files\WriteUndo.M2T v2.bin.exe File created \??\c:\program files\q61y49h1-readme.txt v2.bin.exe File opened for modification \??\c:\program files\InstallRestart.vsdm v2.bin.exe File opened for modification \??\c:\program files\ReceiveMove.asx v2.bin.exe File opened for modification \??\c:\program files\ResumeHide.M2V v2.bin.exe File opened for modification \??\c:\program files\UnblockAssert.wvx v2.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
v2.bin.exepid process 3872 v2.bin.exe 3872 v2.bin.exe 3872 v2.bin.exe 3872 v2.bin.exe 3872 v2.bin.exe 3872 v2.bin.exe 3872 v2.bin.exe 3872 v2.bin.exe 3872 v2.bin.exe 3872 v2.bin.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
v2.bin.exevssvc.exedescription pid process Token: SeDebugPrivilege 3872 v2.bin.exe Token: SeTakeOwnershipPrivilege 3872 v2.bin.exe Token: SeBackupPrivilege 3308 vssvc.exe Token: SeRestorePrivilege 3308 vssvc.exe Token: SeAuditPrivilege 3308 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\v2.bin.exe"C:\Users\Admin\AppData\Local\Temp\v2.bin.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken