Analysis
-
max time kernel
28s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
15-06-2021 10:35
Static task
static1
Behavioral task
behavioral1
Sample
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe
Resource
win10v20210410
General
-
Target
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe
-
Size
120KB
-
MD5
0c7c5fcfb2368c716ce7eb0eda3f3533
-
SHA1
96854d0cb673bd8575acc0c864052ce6b03ec9d2
-
SHA256
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135
-
SHA512
a5bf231ba0ab43d0fb9c87b8f2d936381f3baf68a9cb5b4eb8567cec835f468a3200a0834e2fcd57bbcf30f31899f54c680d0a4c292506d78c0518c63a31e89f
Malware Config
Extracted
C:\5w580-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D50146B595DBE2A4
http://decoder.re/D50146B595DBE2A4
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exedescription ioc process File opened for modification \??\c:\users\admin\pictures\BlockConnect.tiff 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File renamed C:\Users\Admin\Pictures\BlockConnect.tiff => \??\c:\users\admin\pictures\BlockConnect.tiff.5w580 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File renamed C:\Users\Admin\Pictures\ConfirmEnter.crw => \??\c:\users\admin\pictures\ConfirmEnter.crw.5w580 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File renamed C:\Users\Admin\Pictures\EditCopy.raw => \??\c:\users\admin\pictures\EditCopy.raw.5w580 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\users\admin\pictures\OutWatch.tiff 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File renamed C:\Users\Admin\Pictures\OutWatch.tiff => \??\c:\users\admin\pictures\OutWatch.tiff.5w580 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File renamed C:\Users\Admin\Pictures\WriteSplit.png => \??\c:\users\admin\pictures\WriteSplit.png.5w580 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exedescription ioc process File opened (read-only) \??\T: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\Y: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\L: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\O: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\K: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\M: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\Q: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\V: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\B: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\E: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\H: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\I: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\J: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\N: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\U: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\D: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\A: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\F: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\R: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\S: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\W: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\X: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\Z: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\G: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened (read-only) \??\P: 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ur3v.bmp" 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe -
Drops file in Program Files directory 21 IoCs
Processes:
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exedescription ioc process File opened for modification \??\c:\program files\MergeWait.reg 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\SyncSelect.docx 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\UninstallConnect.emf 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\UnlockResolve.wmf 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\GetReset.mpv2 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\HideRead.xps 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\ResumeAssert.i64 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\SplitTest.midi 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\SearchStep.au3 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\SuspendTrace.mpe 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\DisableCompare.xltx 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\ImportRequest.xml 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\AddUninstall.temp 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\AssertRedo.i64 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\GrantTrace.tiff 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\InitializeUnblock.cfg 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\OptimizeRevoke.vstx 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\RemoveDisconnect.dwfx 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File created \??\c:\program files\5w580-readme.txt 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File created \??\c:\program files (x86)\5w580-readme.txt 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe File opened for modification \??\c:\program files\SubmitGet.mov 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exepid process 3912 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe 3912 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe 3912 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe 3912 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exevssvc.exedescription pid process Token: SeDebugPrivilege 3912 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe Token: SeTakeOwnershipPrivilege 3912 42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe Token: SeBackupPrivilege 3976 vssvc.exe Token: SeRestorePrivilege 3976 vssvc.exe Token: SeAuditPrivilege 3976 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe"C:\Users\Admin\AppData\Local\Temp\42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3336
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3976