Analysis

max time kernel: 44s
max time network: 135s
platform: windows10_x64
resource: win10v20210408
submitted: 31-05-2021 12:21
Static task: static1

Behavioral task: behavioral1
  Sample: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
  Resource: win10v20210408
General

Target: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Size: 121KB
MD5: b700a6753b6d418962c3c42aac604a26
SHA1: b30758dca5a4d39c6810f8f12a72dec48a195dc6
SHA256: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1
SHA512: f7bf911ee0e462ed870808dd8f189cf3834bc8cfd39111a056ace0e82eaf059665917eaec3f944fe9f3f8d9b747ea2aaf71ddb35fb369da9c3e23176942d52ff
Malware Config

Extracted
  Path: C:\gs4sa3ujhn-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/63A118ED4FC93B09
    http://decoder.re/63A118ED4FC93B09
Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\RenameRemove.tiff => \??\c:\users\admin\pictures\RenameRemove.tiff.gs4sa3ujhn | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\users\admin\pictures\StepGroup.tiff | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\StepGroup.tiff => \??\c:\users\admin\pictures\StepGroup.tiff.gs4sa3ujhn | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\ConvertToUnregister.png => \??\c:\users\admin\pictures\ConvertToUnregister.png.gs4sa3ujhn | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\users\admin\pictures\DisableClose.tiff | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\DisableClose.tiff => \??\c:\users\admin\pictures\DisableClose.tiff.gs4sa3ujhn | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\ReceiveCompress.tif => \??\c:\users\admin\pictures\ReceiveCompress.tif.gs4sa3ujhn | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\users\admin\pictures\RenameRemove.tiff | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zQS1XtGvA8 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe" | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
description | ioc | process
File opened (read-only) | \??\A: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\G: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\H: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\M: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\P: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\R: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\S: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\T: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\V: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\Z: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\D: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\E: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\F: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\I: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\J: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\K: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\N: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\O: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\Q: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\U: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\W: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\X: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\Y: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\B: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened (read-only) | \??\L: | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\y209ljm4j8b.bmp" | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Drops file in Program Files directory (36 IoCs)
Processes: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
description | ioc | process
File opened for modification | \??\c:\program files\MeasureRequest.rar | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\ShowExit.mid | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\UnblockPublish.emf | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\ResizeRequest.pdf | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\UnprotectDebug.csv | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File created | \??\c:\program files (x86)\gs4sa3ujhn-readme.txt | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\CompleteSkip.xlsb | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\EnterTest.dwg | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\StartUnpublish.tmp | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\UnprotectEnable.DVR | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\ConfirmMerge.TTS | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\DisableCompare.001 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\ReadClose.search-ms | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\OptimizePop.3g2 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\RenameMerge.odt | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\RequestSubmit.aiff | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\ResizeMerge.mid | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\UnlockInvoke.rmi | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\ConvertFromBlock.emf | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\FindAssert.ppt | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\FindSplit.wmv | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\MountNew.m4a | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\ShowPublish.pptx | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\ResetMeasure.ogg | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\UninstallShow.xltm | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\BackupFormat.odt | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\ExportRead.xltx | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\PingUnblock.mpeg3 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\RemoveDebug.xps | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\TraceCheckpoint.3gp2 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\WatchRevoke.M2V | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File created | \??\c:\program files\gs4sa3ujhn-readme.txt | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\FindPop.scf | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\InvokeGet.pub | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\MoveConvert.mpeg | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
File opened for modification | \??\c:\program files\PublishStart.xml | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
pid | process
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Token: SeTakeOwnershipPrivilege | 408 | fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
Token: SeBackupPrivilege | 4028 | vssvc.exe
Token: SeRestorePrivilege | 4028 | vssvc.exe
Token: SeAuditPrivilege | 4028 | vssvc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe0b279e49e5c88ba57c3dd9f7143289d20b09d397bb629151ca7b2567a0c7e1.bin.sample.exe"
  PID: 408
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3504

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4028
  - Suspicious use of AdjustPrivilegeToken