Analysis
- max time kernel: 1788s
- max time network: 1806s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-08-2021 11:15
Static task: static1
Behavioral task: behavioral1
  Sample: full.bin.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: full.bin.exe
  Resource: win10v20210408
General
- Target: full.bin.exe
- Size: 122KB
- MD5: 75b7a0612a92dd0230ab84ca81e07e01
- SHA1: c459b33b46d4d08ea720a449422ff2253ad16a09
- SHA256: 203e8db304a49ec45bb077154254d8209074ce0bbceede18c02de5cd27ed4e46
- SHA512: cd09cf413da8792373362abae9cc787524a7022ee28ab59d33aca4e5bddae14845658e24844b9d92ed46fa8038fc729ddb7fcd743d12dc01eb416e4b1af637bf
Malware Config
Extracted
C:\8z10cl9y-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/683031DAAB05A186
http://decoder.re/683031DAAB05A186
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
suricata: ET MALWARE Known Sinkhole Response Header
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: full.bin.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\SelectRename.crw => \??\c:\users\admin\pictures\SelectRename.crw.8z10cl9y | full.bin.exe
File renamed | C:\Users\Admin\Pictures\WaitGet.crw => \??\c:\users\admin\pictures\WaitGet.crw.8z10cl9y | full.bin.exe
File renamed | C:\Users\Admin\Pictures\OutReset.raw => \??\c:\users\admin\pictures\OutReset.raw.8z10cl9y | full.bin.exe
File renamed | C:\Users\Admin\Pictures\RedoWatch.png => \??\c:\users\admin\pictures\RedoWatch.png.8z10cl9y | full.bin.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: full.bin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | full.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full.bin.exe" | full.bin.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: full.bin.exe
description | ioc | process
File opened (read-only) | \??\P:, \??\W:, \??\Z:, \??\D:, \??\H:, \??\K:, \??\N:, \??\E:, \??\F:, \??\X:, \??\O:, \??\R:, \??\V:, \??\I:, \??\J:, \??\M:, \??\L:, \??\Q:, \??\S:, \??\T:, \??\U:, \??\A:, \??\B:, \??\G:, \??\Y: (25 IoCs, one per drive letter) | full.bin.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: full.bin.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\44h62wq08kcz.bmp" | full.bin.exe
-
Drops file in Program Files directory 19 IoCs
Processes: full.bin.exe
description | ioc | process
File created | \??\c:\program files (x86)\8z10cl9y-readme.txt | full.bin.exe
File opened for modification | \??\c:\program files\CompleteUnprotect.DVR | full.bin.exe
File opened for modification | \??\c:\program files\InstallClose.search-ms | full.bin.exe
File opened for modification | \??\c:\program files\UpdateConvert.TTS | full.bin.exe
File created | \??\c:\program files\8z10cl9y-readme.txt | full.bin.exe
File created | \??\c:\program files (x86)\tmp | full.bin.exe
File opened for modification | \??\c:\program files\ConvertSubmit.htm | full.bin.exe
File opened for modification | \??\c:\program files\ConvertToNew.vbs | full.bin.exe
File opened for modification | \??\c:\program files\UninstallCompress.zip | full.bin.exe
File opened for modification | \??\c:\program files\AddConvert.mp2v | full.bin.exe
File opened for modification | \??\c:\program files\AssertUnpublish.wvx | full.bin.exe
File opened for modification | \??\c:\program files\InstallGrant.tif | full.bin.exe
File opened for modification | \??\c:\program files\LimitCompress.dot | full.bin.exe
File opened for modification | \??\c:\program files\SearchStep.3gp | full.bin.exe
File created | \??\c:\program files\tmp | full.bin.exe
File opened for modification | \??\c:\program files\DismountEnter.emf | full.bin.exe
File opened for modification | \??\c:\program files\ResizeResume.xml | full.bin.exe
File opened for modification | \??\c:\program files\UnblockConvertTo.rmi | full.bin.exe
File opened for modification | \??\c:\program files\UnpublishImport.vsdx | full.bin.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store
Processes: full.bin.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\2F7AA2D86056A8775796F798C481A079E538E004 | full.bin.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\2F7AA2D86056A8775796F798C481A079E538E004\Blob = 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 | full.bin.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: full.bin.exe
pid | process
628 | full.bin.exe (the same entry is repeated for all 10 IoCs)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: full.bin.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 628 | full.bin.exe
Token: SeTakeOwnershipPrivilege | 628 | full.bin.exe
Token: SeBackupPrivilege | 3684 | vssvc.exe
Token: SeRestorePrivilege | 3684 | vssvc.exe
Token: SeAuditPrivilege | 3684 | vssvc.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: full.bin.exe
description | pid | process | target process
PID 628 wrote to memory of 3136 | 628 | full.bin.exe | netsh.exe
PID 628 wrote to memory of 3136 | 628 | full.bin.exe | netsh.exe
PID 628 wrote to memory of 3136 | 628 | full.bin.exe | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\full.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\full.bin.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 628
-
  C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    PID: 3136
-
C:\Windows\system32\wbem\unsecapp.exe (depth 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2860
-
C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 3684
Network
MITRE ATT&CK Enterprise v6
Downloads
-
memory/3136-114-0x0000000000000000-mapping.dmp