Analysis
  max time kernel:   141s
  max time network:  53s
  platform:          windows7_x64
  resource:          win7v20210408
  submitted:         09-06-2021 09:47
Tasks
  Static task:      static1
  Behavioral task:  behavioral1
    Sample:   04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe
    Resource: win7v20210408
  Behavioral task:  behavioral2
    Sample:   04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe
    Resource: win10v20210410
General
  Target:  04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe
  Size:    122KB
  MD5:     95eb5380f665c8f21795b5ef2716f86d
  SHA1:    ff2c2fcd062d1a878712823e0e9a5d38488710f9
  SHA256:  04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864
  SHA512:  692a8b06ff65cee31aa5022955276e958a1fd3828859b9051608d80120ca5da3417c8b2f32aba933068dcd55e52437a116fdd2ba08233d4a371d96b3365e6813
Malware Config
  Extracted from:  C:\151tdi9gq-readme.txt
  Family:          sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56E9302013FF6576
    http://decoder.re/56E9302013FF6576
Signatures

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies Windows Firewall (1 TTPs)
Modifies extensions of user files (15 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe (process column for every row below)

  description                   ioc
  File opened for modification  \??\c:\users\admin\pictures\SubmitSuspend.tiff
  File renamed                  C:\Users\Admin\Pictures\CompleteRemove.tif => \??\c:\users\admin\pictures\CompleteRemove.tif.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\DisableSuspend.tif => \??\c:\users\admin\pictures\DisableSuspend.tif.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\ExpandSuspend.crw => \??\c:\users\admin\pictures\ExpandSuspend.crw.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\StartUse.tif => \??\c:\users\admin\pictures\StartUse.tif.151tdi9gq
  File opened for modification  \??\c:\users\admin\pictures\BackupEdit.tiff
  File renamed                  C:\Users\Admin\Pictures\CheckpointRestart.crw => \??\c:\users\admin\pictures\CheckpointRestart.crw.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\BackupEdit.tiff => \??\c:\users\admin\pictures\BackupEdit.tiff.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\EnterRevoke.crw => \??\c:\users\admin\pictures\EnterRevoke.crw.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\InstallStop.crw => \??\c:\users\admin\pictures\InstallStop.crw.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\SubmitSuspend.tiff => \??\c:\users\admin\pictures\SubmitSuspend.tiff.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\AssertPush.png => \??\c:\users\admin\pictures\AssertPush.png.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\FindDebug.crw => \??\c:\users\admin\pictures\FindDebug.crw.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\CloseUnblock.raw => \??\c:\users\admin\pictures\CloseUnblock.raw.151tdi9gq
  File renamed                  C:\Users\Admin\Pictures\UseFind.raw => \??\c:\users\admin\pictures\UseFind.raw.151tdi9gq
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe (process column for every row below)

  description             ioc
  File opened (read-only)  \??\B:
  File opened (read-only)  \??\E:
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\K:
  File opened (read-only)  \??\R:
  File opened (read-only)  \??\F:
  File opened (read-only)  \??\I:
  File opened (read-only)  \??\Q:
  File opened (read-only)  \??\U:
  File opened (read-only)  \??\Z:
  File opened (read-only)  \??\A:
  File opened (read-only)  \??\N:
  File opened (read-only)  \??\O:
  File opened (read-only)  \??\P:
  File opened (read-only)  \??\T:
  File opened (read-only)  \??\Y:
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\L:
  File opened (read-only)  \??\M:
  File opened (read-only)  \??\S:
  File opened (read-only)  \??\V:
  File opened (read-only)  \??\W:
  File opened (read-only)  \??\X:
Drops file in Program Files directory (29 IoCs)
  Processes: 04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe (process column for every row below)

  description                   ioc
  File created                  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\151tdi9gq-readme.txt
  File created                  \??\c:\program files (x86)\tmp
  File opened for modification  \??\c:\program files\ShowRemove.xlsb
  File opened for modification  \??\c:\program files\UnblockReceive.potm
  File created                  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tmp
  File opened for modification  \??\c:\program files\DismountUnlock.dib
  File opened for modification  \??\c:\program files\GroupConvertFrom.svgz
  File opened for modification  \??\c:\program files\SkipOut.vdx
  File created                  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\151tdi9gq-readme.txt
  File created                  \??\c:\program files\151tdi9gq-readme.txt
  File opened for modification  \??\c:\program files\ConvertFromExpand.aiff
  File opened for modification  \??\c:\program files\OpenShow.mpeg
  File opened for modification  \??\c:\program files\SelectSave.cfg
  File created                  \??\c:\program files (x86)\microsoft sql server compact edition\151tdi9gq-readme.txt
  File opened for modification  \??\c:\program files\InstallUndo.wmx
  File opened for modification  \??\c:\program files\ResolveSwitch.3gp2
  File opened for modification  \??\c:\program files\RestartSync.vstx
  File opened for modification  \??\c:\program files\UnregisterShow.mp4
  File created                  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp
  File created                  \??\c:\program files\tmp
  File opened for modification  \??\c:\program files\EnterFind.vstx
  File opened for modification  \??\c:\program files\GroupWait.mp3
  File opened for modification  \??\c:\program files\ResetPublish.mpe
  File opened for modification  \??\c:\program files\ClearAssert.jpg
  File opened for modification  \??\c:\program files\HideTest.mp2v
  File opened for modification  \??\c:\program files\RegisterBackup.search-ms
  File created                  \??\c:\program files (x86)\151tdi9gq-readme.txt
  File opened for modification  \??\c:\program files\JoinRemove.odt
  File created                  \??\c:\program files (x86)\microsoft sql server compact edition\tmp
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1100  04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                  pid   process
    Token: SeDebugPrivilege          1100  04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe
    Token: SeTakeOwnershipPrivilege  1100  04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                      pid   process                                                                            target process
    PID 1100 wrote to memory of 1468  1100  04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe  netsh.exe
    PID 1100 wrote to memory of 1468  1100  04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe  netsh.exe
    PID 1100 wrote to memory of 1468  1100  04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe  netsh.exe
    PID 1100 wrote to memory of 1468  1100  04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe  netsh.exe
Processes

  1. C:\Users\Admin\AppData\Local\Temp\04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864.bin.sample.exe"
     PID: 1100
     - Modifies extensions of user files
     - Enumerates connected drives
     - Drops file in Program Files directory
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\netsh.exe (child of PID 1100)
        command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        PID: 1468

  1. C:\Windows\system32\wbem\unsecapp.exe
     command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
     PID: 1852

  1. C:\Windows\system32\vssvc.exe
     command line: C:\Windows\system32\vssvc.exe
     PID: 1144
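The three behaviours this report ties together (a batch of renames that append one fixed marker to the original file name, a note carrying that same marker dropped into several directories, and a netsh advfirewall rule change spawned by the same process) are easier to act on when correlated than when read as separate signature hits. The following Python is an added detection example, not part of the sandbox report or of any vendor tooling. Its event lines are constructed to mirror the paths, extension and command line shown above; the "kind|field|field" record layout is an assumption of the example, not the sandbox's own log format.

```python
"""Correlate sandbox-style file and process events into a ransomware verdict.

Added example; not from the original report. Record layout (assumed):
  rename|<old path>|<new path>
  create|<path>
  proc|<image path>|<command line>
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed events mirroring the report: marker ".151tdi9gq", note
# "151tdi9gq-readme.txt", and the netsh command. Two benign lines are mixed in.
SAMPLE_EVENTS = [
    r"rename|C:\Users\Admin\Pictures\CompleteRemove.tif|\??\c:\users\admin\pictures\CompleteRemove.tif.151tdi9gq",
    r"rename|C:\Users\Admin\Pictures\DisableSuspend.tif|\??\c:\users\admin\pictures\DisableSuspend.tif.151tdi9gq",
    r"rename|C:\Users\Admin\Pictures\ExpandSuspend.crw|\??\c:\users\admin\pictures\ExpandSuspend.crw.151tdi9gq",
    r"rename|C:\Users\Admin\Pictures\AssertPush.png|\??\c:\users\admin\pictures\AssertPush.png.151tdi9gq",
    r"rename|C:\Users\Admin\Pictures\UseFind.raw|\??\c:\users\admin\pictures\UseFind.raw.151tdi9gq",
    r"rename|C:\Users\Admin\Documents\draft.docx|C:\Users\Admin\Documents\final.docx",  # benign rename
    r"create|\??\c:\program files\151tdi9gq-readme.txt",
    r"create|\??\c:\program files (x86)\151tdi9gq-readme.txt",
    r"create|\??\c:\program files (x86)\microsoft sql server compact edition\151tdi9gq-readme.txt",
    r"create|\??\c:\program files\tmp",
    r"create|\??\c:\program files (x86)\tmp",
    r'proc|C:\Windows\SysWOW64\netsh.exe|netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes',
    r"proc|C:\Windows\System32\cmd.exe|cmd /c dir",  # benign process
]

FIREWALL_RE = re.compile(r"\bnetsh\b.*\badvfirewall\b", re.IGNORECASE)


def _norm(path: str) -> str:
    """Lower-case and strip the NT object-manager prefix so both path spellings compare equal."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def appended_extension(src: str, dst: str) -> Optional[str]:
    """Return the suffix a rename appended to the full original name, else None.

    Ransomware renames X.ext -> X.ext.<marker>; an ordinary rename changes the
    name itself, so the old name is not a prefix of the new one.
    """
    s, d = _basename(src), _basename(dst)
    if d.startswith(s + ".") and len(d) > len(s) + 1:
        return d[len(s) + 1:]
    return None


def mass_rename_markers(events: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Markers appended to at least `threshold` files (one marker per campaign/host)."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        parts = ev.split("|")
        if parts[0] == "rename" and len(parts) == 3:
            marker = appended_extension(parts[1], parts[2])
            if marker:
                counts[marker] += 1
    return {m: n for m, n in counts.items() if n >= threshold}


def note_directories(events: Iterable[str], marker: str) -> List[str]:
    """Distinct directories where a created file's name contains the marker (ransom note drop)."""
    dirs = set()
    for ev in events:
        parts = ev.split("|")
        if parts[0] == "create" and len(parts) == 2 and marker in _basename(parts[1]):
            dirs.add(_dirname(parts[1]))
    return sorted(dirs)


def firewall_commands(events: Iterable[str]) -> List[str]:
    """Command lines that drive netsh advfirewall (rule-group changes such as Network Discovery)."""
    hits = []
    for ev in events:
        parts = ev.split("|", 2)
        if parts[0] == "proc" and len(parts) == 3 and FIREWALL_RE.search(parts[2]):
            hits.append(parts[2])
    return hits


def analyse(events: List[str], threshold: int = 3) -> dict:
    markers = mass_rename_markers(events, threshold)
    notes = {m: note_directories(events, m) for m in markers}
    firewall = firewall_commands(events)
    if markers and any(notes.values()):
        verdict = "ransomware"        # mass rename plus a note named after the same marker
    elif markers or firewall:
        verdict = "suspicious"        # one behaviour alone warrants a look, not a verdict
    else:
        verdict = "clean"
    return {"markers": markers, "notes": notes, "firewall": firewall, "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The marker is derived from the data rather than hard-coded, so the same logic fires on a different REvil build (or a different family) that uses another random extension; the note correlation works because this family names the note after the extension, which is what the report's own paths show.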