Analysis
- max time kernel: 103s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 09:23
Static task: static1
Behavioral task: behavioral1
- Sample: PORT.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PORT.exe
- Resource: win10v2004-20220414-en
General
- Target: PORT.exe
- Size: 164KB
- MD5: 6268478bf01dc3eacfa23372ca8b59fa
- SHA1: f497026449bef302c235a1749ede57e7a077e159
- SHA256: b5e73c65a92abd6d8ea6040739e6b71a207035f1517f3813c56fbac937b8ff06
- SHA512: 94ed316419f5350a845f4a988cf7b74703486fab2ba7ad0652f7280370915d8685d44447a59e8fe1f133d3923a1e929a96fe659a1b69202aae619193048345e6
Malware Config
Extracted
- Path: C:\583h7239-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9DBBAA9023E7FBEC
  http://decryptor.top/9DBBAA9023E7FBEC
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\UnblockRead.raw => \??\c:\users\admin\pictures\UnblockRead.raw.583h7239 | PORT.exe
  File renamed | C:\Users\Admin\Pictures\StepExpand.raw => \??\c:\users\admin\pictures\StepExpand.raw.583h7239 | PORT.exe
  File opened for modification | \??\c:\users\admin\pictures\GrantPush.tiff | PORT.exe
  File renamed | C:\Users\Admin\Pictures\ExitMeasure.crw => \??\c:\users\admin\pictures\ExitMeasure.crw.583h7239 | PORT.exe
  File renamed | C:\Users\Admin\Pictures\GrantPush.tiff => \??\c:\users\admin\pictures\GrantPush.tiff.583h7239 | PORT.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\F: | PORT.exe
  File opened (read-only) | \??\O: | PORT.exe
  File opened (read-only) | \??\Q: | PORT.exe
  File opened (read-only) | \??\R: | PORT.exe
  File opened (read-only) | \??\A: | PORT.exe
  File opened (read-only) | \??\E: | PORT.exe
  File opened (read-only) | \??\I: | PORT.exe
  File opened (read-only) | \??\N: | PORT.exe
  File opened (read-only) | \??\M: | PORT.exe
  File opened (read-only) | \??\V: | PORT.exe
  File opened (read-only) | \??\X: | PORT.exe
  File opened (read-only) | \??\D: | PORT.exe
  File opened (read-only) | \??\H: | PORT.exe
  File opened (read-only) | \??\L: | PORT.exe
  File opened (read-only) | \??\J: | PORT.exe
  File opened (read-only) | \??\K: | PORT.exe
  File opened (read-only) | \??\P: | PORT.exe
  File opened (read-only) | \??\S: | PORT.exe
  File opened (read-only) | \??\T: | PORT.exe
  File opened (read-only) | \??\U: | PORT.exe
  File opened (read-only) | \??\B: | PORT.exe
  File opened (read-only) | \??\G: | PORT.exe
  File opened (read-only) | \??\Z: | PORT.exe
  File opened (read-only) | \??\W: | PORT.exe
  File opened (read-only) | \??\Y: | PORT.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ko7r5o593.bmp" | PORT.exe
- Drops file in Program Files directory (14 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | \??\c:\program files\StepStop.mp3 | PORT.exe
  File opened for modification | \??\c:\program files\UnprotectInitialize.vdw | PORT.exe
  File opened for modification | \??\c:\program files\WaitImport.pub | PORT.exe
  File opened for modification | \??\c:\program files\OutFormat.asp | PORT.exe
  File opened for modification | \??\c:\program files\RenameWait.wav | PORT.exe
  File created | \??\c:\program files\583h7239-readme.txt | PORT.exe
  File opened for modification | \??\c:\program files\CompleteExport.pot | PORT.exe
  File opened for modification | \??\c:\program files\CopyWait.mp2v | PORT.exe
  File opened for modification | \??\c:\program files\PublishWait.mpeg3 | PORT.exe
  File opened for modification | \??\c:\program files\ReceivePing.easmx | PORT.exe
  File created | \??\c:\program files (x86)\583h7239-readme.txt | PORT.exe
  File opened for modification | \??\c:\program files\ImportFormat.iso | PORT.exe
  File opened for modification | \??\c:\program files\InitializeSwitch.7z | PORT.exe
  File opened for modification | \??\c:\program files\ResizeUnregister.ex_ | PORT.exe
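The two file-system signatures above ("Modifies extensions of user files" and "Drops file in Program Files directory") carry the two artefacts that tie this run together: every renamed file gains the same appended suffix (.583h7239 here) and the note this sample drops is named <suffix>-readme.txt. The Python below is an added example, not part of the Triage report or of the sample. It takes (description, ioc) rows in the layout shown above (the sample rows are constructed from this report), infers the appended extension from the rename events, reports any other suffixes seen, and then locates created files that follow the <extension>-readme.txt naming. The row layout and the note name are taken from this report; the NT object-manager prefix handling and the "one extra suffix" heuristic are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: (description, ioc) rows copied from the two
# file-system signatures in this report (not an exhaustive list).
SAMPLE_IOCS = [
    ("File renamed", r"C:\Users\Admin\Pictures\UnblockRead.raw => \??\c:\users\admin\pictures\UnblockRead.raw.583h7239"),
    ("File renamed", r"C:\Users\Admin\Pictures\StepExpand.raw => \??\c:\users\admin\pictures\StepExpand.raw.583h7239"),
    ("File opened for modification", r"\??\c:\users\admin\pictures\GrantPush.tiff"),
    ("File renamed", r"C:\Users\Admin\Pictures\ExitMeasure.crw => \??\c:\users\admin\pictures\ExitMeasure.crw.583h7239"),
    ("File renamed", r"C:\Users\Admin\Pictures\GrantPush.tiff => \??\c:\users\admin\pictures\GrantPush.tiff.583h7239"),
    ("File opened for modification", r"\??\c:\program files\StepStop.mp3"),
    ("File created", r"\??\c:\program files\583h7239-readme.txt"),
    ("File created", r"\??\c:\program files (x86)\583h7239-readme.txt"),
]

NT_PREFIX = "\\??\\"   # the sandbox logs new names with the NT object-manager prefix


def normalize(path):
    """Drop the \\??\\ prefix and lower-case so an old name and a new name compare."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_extensions(iocs):
    """Count suffixes that 'File renamed' events append as exactly one extra extension.

    A rename counts only when new == old + '.' + suffix; any other rename
    (moves, full renames) is ignored rather than guessed at."""
    counts = Counter()
    for desc, ioc in iocs:
        if desc != "File renamed" or " => " not in ioc:
            continue
        old, new = (normalize(p) for p in ioc.split(" => ", 1))
        if new.startswith(old + "."):
            suffix = new[len(old) + 1:]
            if suffix and "." not in suffix:
                counts[suffix] += 1
    return counts


def ransom_notes(iocs, ext):
    """Created files named '<ext>-readme.txt', the note name this sample uses."""
    note = re.compile(r"[\\/]" + re.escape(ext) + r"-readme\.txt$", re.IGNORECASE)
    return [normalize(ioc) for desc, ioc in iocs
            if desc == "File created" and note.search(ioc)]


def triage(iocs):
    """Infer the appended extension and find the matching ransom notes.

    Returns None when no rename looks like an appended extension, so the
    caller does not mistake a benign rename burst for encryption."""
    counts = appended_extensions(iocs)
    if not counts:
        return None
    ext, renames = counts.most_common(1)[0]
    return {
        "extension": ext,
        "renames": renames,
        "other_suffixes": sorted(s for s in counts if s != ext),
        "notes": ransom_notes(iocs, ext),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_IOCS))
```

On the rows above this yields extension 583h7239 seen on four renames, no competing suffix, and both Program Files notes. The same rows for GrantPush.tiff show why "File opened for modification" is not used as evidence on its own: the file is opened first and only the later rename carries the suffix.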
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  988 | PORT.exe
  988 | PORT.exe
  2976 | powershell.exe
  2976 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 988 | PORT.exe
  Token: SeDebugPrivilege | 2976 | powershell.exe
  Token: SeBackupPrivilege | 5016 | vssvc.exe
  Token: SeRestorePrivilege | 5016 | vssvc.exe
  Token: SeAuditPrivilege | 5016 | vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 988 wrote to memory of 2976 | 988 | PORT.exe | powershell.exe
  PID 988 wrote to memory of 2976 | 988 | PORT.exe | powershell.exe
Processes ([n] = depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\PORT.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\PORT.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\wbem\unsecapp.exe
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- [1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
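The powershell.exe child in the tree above is launched with -e, so its argument is Base64 of UTF-16LE script text. It decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`: enumerate every Volume Shadow Copy through WMI and delete it, removing the local restore points before or during encryption. That is consistent with the other processes in the tree (vssvc.exe is the Volume Shadow Copy service, unsecapp.exe -Embedding is the WMI asynchronous-callback host) and with vssvc.exe enabling SeBackupPrivilege and SeRestorePrivilege in the AdjustPrivilegeToken signature. The Python below is an added example and not part of the report: it decodes an -EncodedCommand argument from a command line in the form shown above (the sample string is constructed from this report) and flags shadow-copy deletion. The Win32_ShadowCopy + Delete() pattern is what this sample uses; the vssadmin and wmic patterns are added from general knowledge of other ransomware and do not appear anywhere in this report.

```python
import base64
import re

# Constructed sample input: the powershell.exe command line from the process tree in this report.
SAMPLE_CMDLINE = "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

# Shadow-copy deletion patterns. The first is the WMI form used by this sample; the
# vssadmin and wmic forms are added from general knowledge and are not in this report.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"win32_shadowcopy.*?\.delete\s*\(", re.IGNORECASE | re.DOTALL),
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]


def is_encoded_flag(token):
    """True for the switches powershell.exe treats as -EncodedCommand.

    powershell.exe matches switches by prefix, so -e, -en, -enc, ... up to
    -EncodedCommand all work, as does -ec; both '-' and '/' introduce a switch."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    key = token[1:].lower()
    return key == "ec" or (key.startswith("e") and "encodedcommand".startswith(key))


def decode_encoded_command(cmdline):
    """Return the script carried by an encoded-command switch, or None.

    The payload is Base64 of UTF-16LE text; anything that fails strict Base64
    decoding or UTF-16 decoding is reported as None rather than guessed at."""
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        if not is_encoded_flag(tokens[i]):
            continue
        blob = tokens[i + 1].strip("\"'")
        try:
            raw = base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
            return raw.decode("utf-16-le")               # UnicodeDecodeError is a ValueError
        except ValueError:
            return None
    return None


def deletes_shadow_copies(script):
    """True when the script text matches any known shadow-copy deletion form."""
    return any(p.search(script) for p in SHADOW_DELETE_PATTERNS)


def analyze(cmdline):
    """Decode an encoded PowerShell command line and flag shadow-copy deletion."""
    script = decode_encoded_command(cmdline)
    return {
        "encoded": script is not None,
        "decoded": script,
        "deletes_shadow_copies": bool(script) and deletes_shadow_copies(script),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_CMDLINE))
```

Run over the command line above, analyze() returns the decoded one-liner and deletes_shadow_copies set to True. For a detection rule the decoded text is what should be matched: the Base64 form changes with every whitespace or casing difference, while the WMI class name and the Delete() call survive.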
Downloads
- memory/2976-130-0x0000000000000000-mapping.dmp
- memory/2976-131-0x0000018955980000-0x00000189559A2000-memory.dmp (Filesize: 136KB)
- memory/2976-132-0x00007FF963AC0000-0x00007FF964581000-memory.dmp (Filesize: 10.8MB)
- memory/2976-133-0x00007FF963AC0000-0x00007FF964581000-memory.dmp (Filesize: 10.8MB)