Analysis
-
max time kernel
300s -
max time network
264s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
06-07-2021 11:29
Static task
static1
Behavioral task
behavioral1
Sample
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe
Resource
win10v20210410
General
-
Target
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe
-
Size
122KB
-
MD5
899ce62f2adfda5e589e3ec3682a4e45
-
SHA1
4d868fd000cbbdeff0e27e63e8ff091c2e1e0afc
-
SHA256
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344
-
SHA512
2c625ee1122ba0ad9034d1ae94fea7adb436bdf8319a5b6105b6aed4fdcb9f9eea1b15e1ad833342d9f5652a000e37246d583a2ee08165d4b6300246b9b41ddf
Malware Config
Extracted
C:\q7195g7y24-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/28A45C2D2C5348AA
http://decoder.re/28A45C2D2C5348AA
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\PingGrant.tiff => \??\c:\users\admin\pictures\PingGrant.tiff.q7195g7y24 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File renamed C:\Users\Admin\Pictures\UninstallSync.tif => \??\c:\users\admin\pictures\UninstallSync.tif.q7195g7y24 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File renamed C:\Users\Admin\Pictures\DisconnectCheckpoint.crw => \??\c:\users\admin\pictures\DisconnectCheckpoint.crw.q7195g7y24 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File renamed C:\Users\Admin\Pictures\InvokeConnect.png => \??\c:\users\admin\pictures\InvokeConnect.png.q7195g7y24 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File renamed C:\Users\Admin\Pictures\MergeProtect.tif => \??\c:\users\admin\pictures\MergeProtect.tif.q7195g7y24 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File renamed C:\Users\Admin\Pictures\MergeUnlock.tif => \??\c:\users\admin\pictures\MergeUnlock.tif.q7195g7y24 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\users\admin\pictures\PingGrant.tiff b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exedescription ioc process File opened (read-only) \??\E: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\H: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\Z: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\A: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\J: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\P: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\Q: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\R: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\W: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\X: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\I: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\F: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\L: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\M: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\O: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\T: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\B: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\K: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\N: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\S: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\U: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\V: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\Y: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\D: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened (read-only) \??\G: b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jxl98.bmp" b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe -
Drops file in Program Files directory 15 IoCs
Processes:
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exedescription ioc process File created \??\c:\program files\tmp b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\DisableLock.svg b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\MergeCopy.au3 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\ResetResolve.xla b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\CompareConnect.wpl b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\UnlockConfirm.php b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File created \??\c:\program files (x86)\q7195g7y24-readme.txt b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File created \??\c:\program files\q7195g7y24-readme.txt b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File created \??\c:\program files (x86)\tmp b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\AssertSend.mp2v b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\HideGrant.odt b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\HideUnlock.csv b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\OutEnable.dxf b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\UnblockProtect.tiff b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe File opened for modification \??\c:\program files\UnlockSearch.odp b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exepid process 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exevssvc.exedescription pid process Token: SeDebugPrivilege 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe Token: SeTakeOwnershipPrivilege 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe Token: SeBackupPrivilege 3560 vssvc.exe Token: SeRestorePrivilege 3560 vssvc.exe Token: SeAuditPrivilege 3560 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exedescription pid process target process PID 4016 wrote to memory of 3132 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe netsh.exe PID 4016 wrote to memory of 3132 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe netsh.exe PID 4016 wrote to memory of 3132 4016 b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\b0a4024ab2d2d4ef4a3a702f5b65deb2a52034a221fd225db2217b8130a47344.bin.sample.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵PID:3132
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3156
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3560
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3132-114-0x0000000000000000-mapping.dmp