Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-06-2021 19:07
- Static task: static1
- Behavioral task behavioral1: sample full.bin.exe, resource win7v20210408
- Behavioral task behavioral2: sample full.bin.exe, resource win10v20210408
General
- Target: full.bin.exe
- Size: 122KB
- MD5: 75b7a0612a92dd0230ab84ca81e07e01
- SHA1: c459b33b46d4d08ea720a449422ff2253ad16a09
- SHA256: 203e8db304a49ec45bb077154254d8209074ce0bbceede18c02de5cd27ed4e46
- SHA512: cd09cf413da8792373362abae9cc787524a7022ee28ab59d33aca4e5bddae14845658e24844b9d92ed46fa8038fc729ddb7fcd743d12dc01eb416e4b1af637bf
Malware Config
- Extracted from: C:\yb6yg3p3q-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EB1431A5C605227C
  - http://decoder.re/EB1431A5C605227C
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies Windows Firewall (1 TTPs)

Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: full.bin.exe (description: ioc)
- File renamed: C:\Users\Admin\Pictures\ProtectMove.tiff => \??\c:\users\admin\pictures\ProtectMove.tiff.yb6yg3p3q
- File renamed: C:\Users\Admin\Pictures\SelectTrace.raw => \??\c:\users\admin\pictures\SelectTrace.raw.yb6yg3p3q
- File renamed: C:\Users\Admin\Pictures\UpdateJoin.tif => \??\c:\users\admin\pictures\UpdateJoin.tif.yb6yg3p3q
- File renamed: C:\Users\Admin\Pictures\CompressRevoke.raw => \??\c:\users\admin\pictures\CompressRevoke.raw.yb6yg3p3q
- File opened for modification: \??\c:\users\admin\pictures\ProtectMove.tiff
- File opened for modification: \??\c:\users\admin\pictures\SaveHide.tiff
- File renamed: C:\Users\Admin\Pictures\SaveHide.tiff => \??\c:\users\admin\pictures\SaveHide.tiff.yb6yg3p3q
- File renamed: C:\Users\Admin\Pictures\SplitSave.png => \??\c:\users\admin\pictures\SplitSave.png.yb6yg3p3q
- File renamed: C:\Users\Admin\Pictures\BlockSwitch.tif => \??\c:\users\admin\pictures\BlockSwitch.tif.yb6yg3p3q
- File renamed: C:\Users\Admin\Pictures\RenameRead.raw => \??\c:\users\admin\pictures\RenameRead.raw.yb6yg3p3q
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: full.bin.exe (description: ioc)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full.bin.exe"
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: full.bin.exe (description: ioc)
- File opened (read-only), 25 drive roots in the order observed: \??\D:, \??\H:, \??\Q:, \??\S:, \??\X:, \??\W:, \??\Y:, \??\F:, \??\O:, \??\P:, \??\R:, \??\Z:, \??\A:, \??\L:, \??\M:, \??\T:, \??\J:, \??\K:, \??\N:, \??\U:, \??\B:, \??\E:, \??\G:, \??\I:, \??\V:
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: full.bin.exe (description: ioc)
- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89oj5.bmp"
Drops file in Program Files directory (32 IoCs)
Processes: full.bin.exe (description: ioc)
- File opened for modification: \??\c:\program files\DisconnectDisable.3gpp
- File created: \??\c:\program files (x86)\yb6yg3p3q-readme.txt
- File opened for modification: \??\c:\program files\BlockDisable.rle
- File opened for modification: \??\c:\program files\CompareRevoke.wvx
- File opened for modification: \??\c:\program files\CompleteGet.3gp2
- File opened for modification: \??\c:\program files\BlockRename.png
- File opened for modification: \??\c:\program files\ImportEnable.rm
- File opened for modification: \??\c:\program files\RequestResolve.otf
- File opened for modification: \??\c:\program files\SendSuspend.M2TS
- File opened for modification: \??\c:\program files\EnterEnable.png
- File opened for modification: \??\c:\program files\WaitPing.mpeg
- File created: \??\c:\program files\tmp
- File opened for modification: \??\c:\program files\ExitStep.vssx
- File opened for modification: \??\c:\program files\GetConfirm.contact
- File opened for modification: \??\c:\program files\SearchUninstall.mp2v
- File opened for modification: \??\c:\program files\ResumeStop.m4v
- File opened for modification: \??\c:\program files\StopEnable.m4v
- File created: \??\c:\program files\yb6yg3p3q-readme.txt
- File opened for modification: \??\c:\program files\AddUnpublish.ppsm
- File opened for modification: \??\c:\program files\PublishBlock.3g2
- File opened for modification: \??\c:\program files\ReadUninstall.temp
- File opened for modification: \??\c:\program files\RevokeCheckpoint.xlsm
- File created: \??\c:\program files (x86)\tmp
- File opened for modification: \??\c:\program files\ClearRepair.tiff
- File opened for modification: \??\c:\program files\ConvertFromEdit.wvx
- File opened for modification: \??\c:\program files\ImportDebug.search-ms
- File opened for modification: \??\c:\program files\CompressTest.rtf
- File opened for modification: \??\c:\program files\DisableTest.dwg
- File opened for modification: \??\c:\program files\BlockDisable.wmf
- File opened for modification: \??\c:\program files\CheckpointInstall.pps
- File opened for modification: \??\c:\program files\MoveLock.emf
- File opened for modification: \??\c:\program files\UpdatePublish.xlsb
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: full.bin.exe (pid process)
- 416 full.bin.exe (10 identical rows)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: full.bin.exe, vssvc.exe (description: pid process)
- Token: SeDebugPrivilege: 416 full.bin.exe
- Token: SeTakeOwnershipPrivilege: 416 full.bin.exe
- Token: SeBackupPrivilege: 772 vssvc.exe
- Token: SeRestorePrivilege: 772 vssvc.exe
- Token: SeAuditPrivilege: 772 vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: full.bin.exe (description: pid process, target process)
- PID 416 wrote to memory of 768: 416 full.bin.exe, netsh.exe
- PID 416 wrote to memory of 768: 416 full.bin.exe, netsh.exe
- PID 416 wrote to memory of 768: 416 full.bin.exe, netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\full.bin.exe (PID 416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\full.bin.exe"
  Signatures:
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (PID 768, child of PID 416)
    Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
- C:\Windows\system32\wbem\unsecapp.exe (PID 192)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 772)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/768-114-0x0000000000000000-mapping.dmp