Analysis
-
max time kernel
4265550s -
max time network
604s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
15-01-2022 12:31
Static task
static1
Behavioral task
behavioral1
Sample
enc.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
enc.exe
Resource
win10v2004-en-20220113
General
-
Target
enc.exe
-
Size
161KB
-
MD5
2c448be318e53757eeb78e1a1ec2245a
-
SHA1
072d3c8b6bb946acfe17656071faec4bac7c8b46
-
SHA256
c5b521000c1d318921b58f7b5db3a067d28e6badd304ea9085831af8985b9fec
-
SHA512
bf6614f3ac3556b3d049bc4192e49680025758174bb2c0873fe5967f8bc3e29f82ae2046876f1502c3db7adf51775ff7b2c34ad9c9cdea4e7a16d23f6f4e7f91
Malware Config
Extracted
C:\1liu3-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BDE0D235131B359A
http://decryptor.top/BDE0D235131B359A
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
enc.exedescription ioc process File renamed C:\Users\Admin\Pictures\PopJoin.crw => \??\c:\users\admin\pictures\PopJoin.crw.1liu3 enc.exe File renamed C:\Users\Admin\Pictures\InvokeConvertFrom.raw => \??\c:\users\admin\pictures\InvokeConvertFrom.raw.1liu3 enc.exe File renamed C:\Users\Admin\Pictures\RemoveConfirm.raw => \??\c:\users\admin\pictures\RemoveConfirm.raw.1liu3 enc.exe File renamed C:\Users\Admin\Pictures\SearchSend.png => \??\c:\users\admin\pictures\SearchSend.png.1liu3 enc.exe File renamed C:\Users\Admin\Pictures\EnterRestart.crw => \??\c:\users\admin\pictures\EnterRestart.crw.1liu3 enc.exe File renamed C:\Users\Admin\Pictures\NewConvertFrom.tiff => \??\c:\users\admin\pictures\NewConvertFrom.tiff.1liu3 enc.exe File renamed C:\Users\Admin\Pictures\ReceiveRead.tiff => \??\c:\users\admin\pictures\ReceiveRead.tiff.1liu3 enc.exe File renamed C:\Users\Admin\Pictures\RequestAssert.crw => \??\c:\users\admin\pictures\RequestAssert.crw.1liu3 enc.exe File renamed C:\Users\Admin\Pictures\SkipRepair.raw => \??\c:\users\admin\pictures\SkipRepair.raw.1liu3 enc.exe File opened for modification \??\c:\users\admin\pictures\NewConvertFrom.tiff enc.exe File opened for modification \??\c:\users\admin\pictures\ReceiveRead.tiff enc.exe File renamed C:\Users\Admin\Pictures\ExpandMount.raw => \??\c:\users\admin\pictures\ExpandMount.raw.1liu3 enc.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
enc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation enc.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
enc.exedescription ioc process File opened (read-only) \??\T: enc.exe File opened (read-only) \??\V: enc.exe File opened (read-only) \??\A: enc.exe File opened (read-only) \??\F: enc.exe File opened (read-only) \??\G: enc.exe File opened (read-only) \??\K: enc.exe File opened (read-only) \??\N: enc.exe File opened (read-only) \??\P: enc.exe File opened (read-only) \??\Y: enc.exe File opened (read-only) \??\D: enc.exe File opened (read-only) \??\E: enc.exe File opened (read-only) \??\S: enc.exe File opened (read-only) \??\U: enc.exe File opened (read-only) \??\Z: enc.exe File opened (read-only) \??\H: enc.exe File opened (read-only) \??\J: enc.exe File opened (read-only) \??\L: enc.exe File opened (read-only) \??\O: enc.exe File opened (read-only) \??\R: enc.exe File opened (read-only) \??\W: enc.exe File opened (read-only) \??\B: enc.exe File opened (read-only) \??\I: enc.exe File opened (read-only) \??\M: enc.exe File opened (read-only) \??\Q: enc.exe File opened (read-only) \??\X: enc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
enc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65641n6lxs.bmp" enc.exe -
Drops file in Program Files directory 11 IoCs
Processes:
enc.exedescription ioc process File opened for modification \??\c:\program files\ConnectReceive.xls enc.exe File opened for modification \??\c:\program files\GrantBlock.iso enc.exe File opened for modification \??\c:\program files\GrantImport.xlt enc.exe File opened for modification \??\c:\program files\LimitGet.ram enc.exe File opened for modification \??\c:\program files\SkipOptimize.html enc.exe File created \??\c:\program files\1liu3-readme.txt enc.exe File opened for modification \??\c:\program files\CompareGet.tiff enc.exe File opened for modification \??\c:\program files\GetLock.xps enc.exe File opened for modification \??\c:\program files\ProtectReset.TS enc.exe File opened for modification \??\c:\program files\WatchTest.dwg enc.exe File created \??\c:\program files (x86)\1liu3-readme.txt enc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotification.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotification.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotification.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
enc.exepid process 2348 enc.exe 2348 enc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
MusNotification.exedescription pid process Token: SeShutdownPrivilege 3992 MusNotification.exe Token: SeCreatePagefilePrivilege 3992 MusNotification.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
enc.exedescription pid process target process PID 2348 wrote to memory of 3600 2348 enc.exe cmd.exe PID 2348 wrote to memory of 3600 2348 enc.exe cmd.exe PID 2348 wrote to memory of 3600 2348 enc.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\enc.exe"C:\Users\Admin\AppData\Local\Temp\enc.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵PID:3600
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3992
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\c:\programdata\usoshared\logs\system\NotificationUxBroker.92a23dc2-8cba-43bd-be0f-43f3acbde06f.1.etlMD5
d395b91373b438ea1b581ae07ee7deaf
SHA136ccce18e64d963cad8a0c3bf9199b6ce8c2c5c1
SHA25683ea237dda18557e17dfc886d5402f4787e6041e986978ac6c3ce98f95066045
SHA512d6a77f13a5bf1acab8e18470e39699e85fb888b7ba5179369815b13297f68a68e04a64985e12137a1bee1648bd93bce9ced165b92d0ea6ae9506b03fcb26a493
-
memory/3600-130-0x0000000000000000-mapping.dmp