Analysis
  Max time kernel:   24s
  Max time network:  34s
  Platform:          windows10_x64
  Resource:          win10v20210408
  Submitted:         17-06-2021 04:40

Tasks
  Static task      static1
  Behavioral task  behavioral1   Sample: db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe   Resource: win7v20210408
  Behavioral task  behavioral2   Sample: db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe   Resource: win10v20210408
General
  Target:  db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe
  Size:    122KB
  MD5:     7433147e8adf33228685e7365c14fe6c
  SHA1:    7020d35e701819cb403c5a155ebca71c0a1b3068
  SHA256:  db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb
  SHA512:  352b4ed4b4cfca5d958822c56e11d789ea94ba8c21bd91dc31b4633e7a4983a9c82c85c6717d189f347203f4c70d721903d87110cdd7a4a2069f52ae93013f26
Malware Config
  Extracted from:  C:\uq0l99-readme.txt
  Family:          sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E4C13555CB41C8B3
    http://decoder.re/E4C13555CB41C8B3
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies Windows Firewall (1 TTP)
  Evidence is the netsh.exe child process in the process tree below, which enables the "Network Discovery" firewall rule group.
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe
    File renamed  C:\Users\Admin\Pictures\MergeSplit.tif     => \??\c:\users\admin\pictures\MergeSplit.tif.uq0l99
    File renamed  C:\Users\Admin\Pictures\ReceiveRename.raw  => \??\c:\users\admin\pictures\ReceiveRename.raw.uq0l99
    File renamed  C:\Users\Admin\Pictures\RevokeTest.crw     => \??\c:\users\admin\pictures\RevokeTest.crw.uq0l99
    File renamed  C:\Users\Admin\Pictures\SyncBlock.tif      => \??\c:\users\admin\pictures\SyncBlock.tif.uq0l99
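The rename IoCs above are enough to derive the campaign's encryption marker mechanically and to cross-check it against the ransom note recorded in the Malware Config. The following script is an added example written for this page, not part of the sandbox report or its tooling; the four rename lines and the note path are copied from the report, and the `<ext>-readme.txt` naming check reflects the REvil/Sodinokibi convention that the dropped note (`uq0l99-readme.txt`) illustrates.

```python
import re
from collections import Counter

# IoC lines copied from the "Modifies extensions of user files" section of this
# report; the note path comes from the "Malware Config" section.
RENAME_IOCS = [
    r"File renamed C:\Users\Admin\Pictures\MergeSplit.tif => \??\c:\users\admin\pictures\MergeSplit.tif.uq0l99",
    r"File renamed C:\Users\Admin\Pictures\ReceiveRename.raw => \??\c:\users\admin\pictures\ReceiveRename.raw.uq0l99",
    r"File renamed C:\Users\Admin\Pictures\RevokeTest.crw => \??\c:\users\admin\pictures\RevokeTest.crw.uq0l99",
    r"File renamed C:\Users\Admin\Pictures\SyncBlock.tif => \??\c:\users\admin\pictures\SyncBlock.tif.uq0l99",
]
RANSOM_NOTE_PATH = r"C:\uq0l99-readme.txt"

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")


def _normalize(path):
    """Strip the NT object-manager prefix and lower-case the path.

    The sandbox logs the source in Win32 form (C:\\...) and the destination in
    NT form (\\??\\c:\\...), so both must be normalised before comparison.
    """
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_extension(src, dst):
    """Return the suffix appended to src to obtain dst, or None if dst is not
    simply src plus a suffix (a rename that also changes the base name is not
    the extension-append pattern)."""
    s, d = _normalize(src), _normalize(dst)
    if d.startswith(s) and len(d) > len(s):
        return d[len(s):]
    return None


def derive_extension(ioc_lines):
    """Return (extension, Counter of observed suffixes).

    The most common suffix is taken as the encryption marker; a Counter is
    returned as well so that a mixed set of suffixes is visible to the analyst.
    """
    suffixes = Counter()
    for line in ioc_lines:
        m = RENAME_RE.match(line)
        if not m:
            continue
        suf = appended_extension(m.group("src"), m.group("dst"))
        if suf:
            suffixes[suf] += 1
    if not suffixes:
        return None, suffixes
    return suffixes.most_common(1)[0][0], suffixes


def note_matches_extension(note_path, ext):
    """REvil/Sodinokibi drops its note as '<ext>-readme.txt'; confirm the
    extracted note path agrees with the extension derived from the renames."""
    name = note_path.rsplit("\\", 1)[-1].lower()
    return name == f"{ext.lstrip('.')}-readme.txt"


if __name__ == "__main__":
    ext, counts = derive_extension(RENAME_IOCS)
    print("extension:", ext, "seen:", dict(counts))
    print("note name consistent:", note_matches_extension(RANSOM_NOTE_PATH, ext))
```

The derived extension gives a hunting pattern for the wider estate (`*.uq0l99`), and the agreement between the renamed files and the note name is one quick consistency check that the extracted config belongs to the same run that did the encryption.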
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe
    File opened (read-only): \??\F: \??\I: \??\J: \??\W: \??\Y: \??\E: \??\K: \??\Q: \??\U: \??\P: \??\S: \??\T: \??\Z: \??\B: \??\G: \??\L: \??\N: \??\R: \??\V: \??\X: \??\D: \??\A: \??\H: \??\M: \??\O:
  The 25 roots opened are every drive letter from A: to Z: except C:, i.e. the sample probes the whole letter range rather than only drives that exist.
- Drops file in Program Files directory (40 IoCs)
  Process: db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe
    File opened for modification  \??\c:\program files\OptimizePublish.png
    File opened for modification  \??\c:\program files\RemoveDisconnect.wma
    File opened for modification  \??\c:\program files\UnlockLimit.mpeg2
    File created                  \??\c:\program files\uq0l99-readme.txt
    File created                  \??\c:\program files (x86)\uq0l99-readme.txt
    File opened for modification  \??\c:\program files\ConvertToImport.vb
    File opened for modification  \??\c:\program files\DisableClear.xht
    File opened for modification  \??\c:\program files\ExpandImport.mht
    File opened for modification  \??\c:\program files\ExportConvert.vbe
    File opened for modification  \??\c:\program files\RequestComplete.mp4
    File opened for modification  \??\c:\program files\ConvertFind.3gp
    File opened for modification  \??\c:\program files\DenySelect.wvx
    File opened for modification  \??\c:\program files\ExitInvoke.vbs
    File opened for modification  \??\c:\program files\MeasureRead.m4v
    File opened for modification  \??\c:\program files\MoveUnregister.tiff
    File opened for modification  \??\c:\program files\OptimizeRestart.xltm
    File opened for modification  \??\c:\program files\PingBackup.vst
    File opened for modification  \??\c:\program files\BlockBackup.html
    File opened for modification  \??\c:\program files\BlockUse.midi
    File opened for modification  \??\c:\program files\MoveReceive.potx
    File opened for modification  \??\c:\program files\SaveRemove.wmx
    File opened for modification  \??\c:\program files\ProtectInvoke.avi
    File opened for modification  \??\c:\program files\ResetRestart.wav
    File opened for modification  \??\c:\program files\UnpublishReceive.aif
    File opened for modification  \??\c:\program files\WatchUndo.zip
    File opened for modification  \??\c:\program files\CloseComplete.vdw
    File opened for modification  \??\c:\program files\ConvertFromUnregister.xlsb
    File opened for modification  \??\c:\program files\MeasureSubmit.emf
    File opened for modification  \??\c:\program files\UnpublishReceive.doc
    File opened for modification  \??\c:\program files\DisconnectCopy.pdf
    File created                  \??\c:\program files\tmp
    File created                  \??\c:\program files (x86)\tmp
    File opened for modification  \??\c:\program files\CloseConvertTo.DVR
    File opened for modification  \??\c:\program files\CompressRevoke.docx
    File opened for modification  \??\c:\program files\ConvertResize.wmv
    File opened for modification  \??\c:\program files\CopyWrite.mhtml
    File opened for modification  \??\c:\program files\DenySelect.ADT
    File opened for modification  \??\c:\program files\ExportPush.3gp2
    File opened for modification  \??\c:\program files\LockGrant.docx
    File opened for modification  \??\c:\program files\SendLock.pub
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Process: db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe
    PID 900  db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe  (8 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe, vssvc.exe
    Token: SeDebugPrivilege         PID 900   db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe
    Token: SeTakeOwnershipPrivilege PID 900   db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe
    Token: SeBackupPrivilege        PID 1312  vssvc.exe
    Token: SeRestorePrivilege       PID 1312  vssvc.exe
    Token: SeAuditPrivilege         PID 1312  vssvc.exe
  The two privileges enabled by the sample are the ones to watch: SeTakeOwnershipPrivilege lets it seize files it cannot otherwise write, and SeDebugPrivilege lets it open other processes. vssvc.exe is the Volume Shadow Copy service; the backup/restore/audit privileges are its own normal start-up, and the report does not record what caused it to start.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe
    PID 900 wrote to memory of 2864  db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe -> netsh.exe  (3 identical entries)
  The target, PID 2864, is the netsh.exe child the sample spawns (see the process tree below); no other process is written to.
Processes
- C:\Users\Admin\AppData\Local\Temp\db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe"
  PID: 900
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\netsh.exe
    Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    PID: 2864
    netsh resolved to SysWOW64, so the sample is running as a 32-bit process under WOW64 on this x64 guest. The command enables the entire "Network Discovery" rule group in Windows Firewall, which is the action behind the "Modifies Windows Firewall" signature.
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 192
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1312
  - Suspicious use of AdjustPrivilegeToken
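The process tree and the WriteProcessMemory IoCs together let an analyst reconstruct who launched the firewall change and from where. The script below is an added example for this page, not part of the sandbox report or its tooling: the process entries and the "wrote to memory of" lines are transcribed from the report, the parent link is taken from those memory-write entries (the only parent/child relationship the report records), and the "user-writable directory" list is my own heuristic for deciding whether the parent of a netsh firewall change is an administration tool or something dropped into a temp folder.

```python
import re

SAMPLE = "db59d4ab0aaf660fe778f9190102e1b808bc5d357026736ca335e4858ec512eb.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Process entries transcribed from the "Processes" tree of this report.
PROCESSES = [
    {"pid": 900, "path": TEMP + "\\" + SAMPLE,
     "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"pid": 2864, "path": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"pid": 192, "path": r"C:\Windows\system32\wbem\unsecapp.exe",
     "cmdline": r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"},
    {"pid": 1312, "path": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]
# "Suspicious use of WriteProcessMemory" IoCs, transcribed from the report.
WPM_IOCS = [
    f"PID 900 wrote to memory of 2864 900 {SAMPLE} netsh.exe",
    f"PID 900 wrote to memory of 2864 900 {SAMPLE} netsh.exe",
    f"PID 900 wrote to memory of 2864 900 {SAMPLE} netsh.exe",
]

WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+)\b")
# netsh advfirewall invocations that enable a rule/rule group or allow traffic.
FW_ENABLE_RE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+(?:set|add)\s+rule\b.*?'
    r'(?:group|name)=(?:"(?P<rule>[^"]+)"|(?P<rule_bare>\S+)).*?'
    r'(?:enable=yes|action=allow)',
    re.IGNORECASE,
)
# Heuristic (my assumption): directories a standard user can write to. A parent
# living here is not a legitimate administration tool.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\|^[a-z]:\\users\\public\\|^[a-z]:\\programdata\\",
    re.IGNORECASE,
)


def parent_map(wpm_iocs):
    """Map child pid -> parent pid from 'PID <p> wrote to memory of <c>' lines.
    Repeated entries for the same pair collapse to one link."""
    parents = {}
    for line in wpm_iocs:
        m = WPM_RE.match(line)
        if m:
            parents[int(m.group("child"))] = int(m.group("parent"))
    return parents


def find_firewall_tampering(processes, wpm_iocs):
    """Return one finding per process whose command line enables a Windows
    Firewall rule, annotated with the parent that spawned it."""
    by_pid = {p["pid"]: p for p in processes}
    parents = parent_map(wpm_iocs)
    findings = []
    for p in processes:
        m = FW_ENABLE_RE.search(p["cmdline"])
        if not m:
            continue
        parent = by_pid.get(parents.get(p["pid"]))
        findings.append({
            "pid": p["pid"],
            "rule": m.group("rule") or m.group("rule_bare"),
            "parent_pid": parent["pid"] if parent else None,
            "parent_path": parent["path"] if parent else None,
            "parent_user_writable": bool(parent and USER_WRITABLE_RE.match(parent["path"])),
            # netsh under SysWOW64 means a 32-bit parent on 64-bit Windows
            "parent_is_wow64": "\\syswow64\\" in p["path"].lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_firewall_tampering(PROCESSES, WPM_IOCS):
        print(f)
```

Run against this report it yields a single finding: PID 2864 enabling the "Network Discovery" group, spawned by PID 900 out of the user's Temp directory, with the SysWOW64 path confirming a 32-bit parent. The same parent-from-memory-write trick applies to any Triage-style report, since the sandbox logs the parent's start-up writes into every child it creates.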
Network
MITRE ATT&CK Enterprise v6
Downloads
  memory/2864-114-0x0000000000000000-mapping.dmp  (memory dump of PID 2864, netsh.exe)