Analysis
- Max time kernel: 141s
- Max time network: 54s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 23-06-2021 19:07

- Static task: static1
- Behavioral task: behavioral1 (Sample: full.bin.exe, Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: full.bin.exe, Resource: win10v20210408)
General
- Target: full.bin.exe
- Size: 122KB
- MD5: 75b7a0612a92dd0230ab84ca81e07e01
- SHA1: c459b33b46d4d08ea720a449422ff2253ad16a09
- SHA256: 203e8db304a49ec45bb077154254d8209074ce0bbceede18c02de5cd27ed4e46
- SHA512: cd09cf413da8792373362abae9cc787524a7022ee28ab59d33aca4e5bddae14845658e24844b9d92ed46fa8038fc729ddb7fcd743d12dc01eb416e4b1af637bf
Malware Config
- Extracted from: C:\z1qbcrap-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FE8E1110BD90F2A1
  http://decoder.re/FE8E1110BD90F2A1
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies Windows Firewall (1 TTP)

Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: full.bin.exe
- File renamed: C:\Users\Admin\Pictures\UndoDebug.crw => \??\c:\users\admin\pictures\UndoDebug.crw.z1qbcrap
- File renamed: C:\Users\Admin\Pictures\AssertSplit.raw => \??\c:\users\admin\pictures\AssertSplit.raw.z1qbcrap
- File renamed: C:\Users\Admin\Pictures\ExpandCopy.tiff => \??\c:\users\admin\pictures\ExpandCopy.tiff.z1qbcrap
- File renamed: C:\Users\Admin\Pictures\SelectUnblock.raw => \??\c:\users\admin\pictures\SelectUnblock.raw.z1qbcrap
- File renamed: C:\Users\Admin\Pictures\StopMeasure.tiff => \??\c:\users\admin\pictures\StopMeasure.tiff.z1qbcrap
- File renamed: C:\Users\Admin\Pictures\RestoreResize.png => \??\c:\users\admin\pictures\RestoreResize.png.z1qbcrap
- File renamed: C:\Users\Admin\Pictures\HideWrite.crw => \??\c:\users\admin\pictures\HideWrite.crw.z1qbcrap
- File opened for modification: \??\c:\users\admin\pictures\ExpandCopy.tiff
- File opened for modification: \??\c:\users\admin\pictures\StopMeasure.tiff
- File renamed: C:\Users\Admin\Pictures\GetRestart.png => \??\c:\users\admin\pictures\GetRestart.png.z1qbcrap
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: full.bin.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full.bin.exe"
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: full.bin.exe
- File opened (read-only): \??\G:, \??\H:, \??\S:, \??\Z:, \??\E:, \??\T:, \??\V:, \??\W:, \??\Y:, \??\D:, \??\A:, \??\B:, \??\F:, \??\K:, \??\P:, \??\X:, \??\Q:, \??\R:, \??\I:, \??\J:, \??\L:, \??\M:, \??\N:, \??\O:, \??\U:
Drops file in Program Files directory (30 IoCs)
Process: full.bin.exe
- File opened for modification: \??\c:\program files\RestoreBlock.bmp
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\tmp
- File opened for modification: \??\c:\program files\MountComplete.ram
- File opened for modification: \??\c:\program files\ReceiveAssert.pot
- File opened for modification: \??\c:\program files\RedoDisable.xml
- File created: \??\c:\program files\z1qbcrap-readme.txt
- File opened for modification: \??\c:\program files\ConvertFromSave.mov
- File opened for modification: \??\c:\program files\ConvertSplit.i64
- File opened for modification: \??\c:\program files\TraceUpdate.bmp
- File created: \??\c:\program files (x86)\tmp
- File opened for modification: \??\c:\program files\InitializeGet.mpeg
- File opened for modification: \??\c:\program files\RequestRedo.3gp
- File opened for modification: \??\c:\program files\StopJoin.i64
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\z1qbcrap-readme.txt
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tmp
- File opened for modification: \??\c:\program files\DismountExit.pcx
- File opened for modification: \??\c:\program files\MergeUnblock.rmi
- File opened for modification: \??\c:\program files\OpenRestart.mpeg3
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\z1qbcrap-readme.txt
- File opened for modification: \??\c:\program files\FormatUndo.xml
- File opened for modification: \??\c:\program files\OptimizeRedo.xlt
- File opened for modification: \??\c:\program files\UnblockClear.3gp
- File created: \??\c:\program files\tmp
- File created: \??\c:\program files (x86)\z1qbcrap-readme.txt
- File opened for modification: \??\c:\program files\ConvertNew.rm
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\z1qbcrap-readme.txt
- File opened for modification: \??\c:\program files\CompleteSubmit.xps
- File opened for modification: \??\c:\program files\RenameSearch.clr
- File opened for modification: \??\c:\program files\UseDismount.docx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Process: full.bin.exe (PID 292), observed 5 times
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: full.bin.exe, vssvc.exe
- Token: SeDebugPrivilege (PID 292, full.bin.exe)
- Token: SeTakeOwnershipPrivilege (PID 292, full.bin.exe)
- Token: SeBackupPrivilege (PID 1448, vssvc.exe)
- Token: SeRestorePrivilege (PID 1448, vssvc.exe)
- Token: SeAuditPrivilege (PID 1448, vssvc.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
Process: full.bin.exe (PID 292), target process: netsh.exe (PID 556)
- PID 292 wrote to memory of PID 556 (full.bin.exe -> netsh.exe), observed 4 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\full.bin.exe (PID 292)
   Command line: "C:\Users\Admin\AppData\Local\Temp\full.bin.exe"
   - Modifies extensions of user files
   - Adds Run key to start application
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (PID 556, child of PID 292)
      Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

1. C:\Windows\system32\wbem\unsecapp.exe (PID 924)
   Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

1. C:\Windows\system32\vssvc.exe (PID 1448)
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken