Analysis
max time kernel: 141s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2023 19:09
Static task: static1
Behavioral task: behavioral1
  Sample: DomainName.bin.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: DomainName.bin.exe
  Resource: win10v2004-20230220-en
General
Target: DomainName.bin.exe
Size: 120KB
MD5: af94ccb62f97700115a219c4b7626d22
SHA1: bb67edcfe4e5b6fe09ee96e5b8ace7a4cfe39eb7
SHA256: 2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c
SHA512: 08c05f8dc98aba168734732d043c3e403f531522e0ec0ec64484d15375f353aa23f9654852ad2c54a3e6b2a9344f4ffb553cac24455f62bb65b55800e311c12a
SSDEEP: 1536:J8A4krBJLarHZZd/M4PI8iwplAXpzK88ICS4Aer9DIPcG5zXbwMcClFyFfjRto2C:+/LPrlAZZE0cOzbwMflEBPo
Malware Config
Extracted from: C:\Recovery\lbqnh-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/67E8A2017A072ECF
- http://decoder.re/67E8A2017A072ECF
Signatures
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: DomainName.bin.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\BlockCopy.crw => \??\c:\users\admin\pictures\BlockCopy.crw.lbqnh | DomainName.bin.exe
File renamed | C:\Users\Admin\Pictures\CheckpointPing.crw => \??\c:\users\admin\pictures\CheckpointPing.crw.lbqnh | DomainName.bin.exe
File renamed | C:\Users\Admin\Pictures\CopyDeny.crw => \??\c:\users\admin\pictures\CopyDeny.crw.lbqnh | DomainName.bin.exe
File renamed | C:\Users\Admin\Pictures\ExpandInstall.crw => \??\c:\users\admin\pictures\ExpandInstall.crw.lbqnh | DomainName.bin.exe
File renamed | C:\Users\Admin\Pictures\FindTest.png => \??\c:\users\admin\pictures\FindTest.png.lbqnh | DomainName.bin.exe
File renamed | C:\Users\Admin\Pictures\GrantEnable.png => \??\c:\users\admin\pictures\GrantEnable.png.lbqnh | DomainName.bin.exe
File renamed | C:\Users\Admin\Pictures\ResumeComplete.tif => \??\c:\users\admin\pictures\ResumeComplete.tif.lbqnh | DomainName.bin.exe
File renamed | C:\Users\Admin\Pictures\AssertSet.png => \??\c:\users\admin\pictures\AssertSet.png.lbqnh | DomainName.bin.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: DomainName.bin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | DomainName.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aDTFUAIa7j = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DomainName.bin.exe" | DomainName.bin.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: DomainName.bin.exe
description | ioc | process
File opened (read-only) | \??\W: | DomainName.bin.exe
File opened (read-only) | \??\H: | DomainName.bin.exe
File opened (read-only) | \??\I: | DomainName.bin.exe
File opened (read-only) | \??\S: | DomainName.bin.exe
File opened (read-only) | \??\T: | DomainName.bin.exe
File opened (read-only) | \??\V: | DomainName.bin.exe
File opened (read-only) | \??\F: | DomainName.bin.exe
File opened (read-only) | \??\K: | DomainName.bin.exe
File opened (read-only) | \??\L: | DomainName.bin.exe
File opened (read-only) | \??\U: | DomainName.bin.exe
File opened (read-only) | \??\M: | DomainName.bin.exe
File opened (read-only) | \??\O: | DomainName.bin.exe
File opened (read-only) | \??\P: | DomainName.bin.exe
File opened (read-only) | \??\A: | DomainName.bin.exe
File opened (read-only) | \??\B: | DomainName.bin.exe
File opened (read-only) | \??\E: | DomainName.bin.exe
File opened (read-only) | \??\G: | DomainName.bin.exe
File opened (read-only) | \??\J: | DomainName.bin.exe
File opened (read-only) | \??\Q: | DomainName.bin.exe
File opened (read-only) | \??\R: | DomainName.bin.exe
File opened (read-only) | \??\X: | DomainName.bin.exe
File opened (read-only) | \??\Y: | DomainName.bin.exe
File opened (read-only) | \??\N: | DomainName.bin.exe
File opened (read-only) | \??\Z: | DomainName.bin.exe
File opened (read-only) | \??\D: | DomainName.bin.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: DomainName.bin.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6n6sy00145t.bmp" | DomainName.bin.exe
Drops file in Program Files directory (38 IoCs)
Processes: DomainName.bin.exe
description | ioc | process
File opened for modification | \??\c:\program files\WaitEdit.3gpp | DomainName.bin.exe
File opened for modification | \??\c:\program files\MoveShow.xltm | DomainName.bin.exe
File opened for modification | \??\c:\program files\TestInstall.mp2v | DomainName.bin.exe
File opened for modification | \??\c:\program files\ConvertExport.gif | DomainName.bin.exe
File opened for modification | \??\c:\program files\ResolveOptimize.vssm | DomainName.bin.exe
File opened for modification | \??\c:\program files\WatchUnblock.ppsm | DomainName.bin.exe
File opened for modification | \??\c:\program files\ConfirmDisconnect.rtf | DomainName.bin.exe
File opened for modification | \??\c:\program files\InitializeEnter.rle | DomainName.bin.exe
File opened for modification | \??\c:\program files\RemoveReceive.vstm | DomainName.bin.exe
File opened for modification | \??\c:\program files\SendRequest.mpeg | DomainName.bin.exe
File opened for modification | \??\c:\program files\ResetDeny.doc | DomainName.bin.exe
File opened for modification | \??\c:\program files\SaveConvertTo.potm | DomainName.bin.exe
File opened for modification | \??\c:\program files\StopLimit.eps | DomainName.bin.exe
File opened for modification | \??\c:\program files\UndoPush.M2T | DomainName.bin.exe
File created | \??\c:\program files (x86)\lbqnh-readme.txt | DomainName.bin.exe
File opened for modification | \??\c:\program files\GetNew.mp4 | DomainName.bin.exe
File opened for modification | \??\c:\program files\FindDisable.tif | DomainName.bin.exe
File opened for modification | \??\c:\program files\MergeUpdate.html | DomainName.bin.exe
File opened for modification | \??\c:\program files\MountRevoke.vbs | DomainName.bin.exe
File opened for modification | \??\c:\program files\MountSelect.css | DomainName.bin.exe
File opened for modification | \??\c:\program files\MoveSync.odp | DomainName.bin.exe
File opened for modification | \??\c:\program files\CloseGet.raw | DomainName.bin.exe
File opened for modification | \??\c:\program files\EnableSubmit.mpeg2 | DomainName.bin.exe
File opened for modification | \??\c:\program files\ExitUnprotect.asf | DomainName.bin.exe
File opened for modification | \??\c:\program files\InstallPush.ADTS | DomainName.bin.exe
File opened for modification | \??\c:\program files\NewClose.odt | DomainName.bin.exe
File opened for modification | \??\c:\program files\RestartPing.vsd | DomainName.bin.exe
File opened for modification | \??\c:\program files\UninstallSync.asx | DomainName.bin.exe
File created | \??\c:\program files\lbqnh-readme.txt | DomainName.bin.exe
File opened for modification | \??\c:\program files\EnableConfirm.aiff | DomainName.bin.exe
File opened for modification | \??\c:\program files\OpenBackup.vssm | DomainName.bin.exe
File opened for modification | \??\c:\program files\RenameSuspend.docm | DomainName.bin.exe
File opened for modification | \??\c:\program files\RepairSet.vb | DomainName.bin.exe
File opened for modification | \??\c:\program files\SkipCompare.rtf | DomainName.bin.exe
File opened for modification | \??\c:\program files\UnlockWrite.mht | DomainName.bin.exe
File opened for modification | \??\c:\program files\WaitStop.asp | DomainName.bin.exe
File opened for modification | \??\c:\program files\BlockProtect.emz | DomainName.bin.exe
File opened for modification | \??\c:\program files\LimitFind.rar | DomainName.bin.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: DomainName.bin.exe
pid | process
364 | DomainName.bin.exe
364 | DomainName.bin.exe
364 | DomainName.bin.exe
364 | DomainName.bin.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: DomainName.bin.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 364 | DomainName.bin.exe
Token: SeTakeOwnershipPrivilege | 364 | DomainName.bin.exe
Token: SeBackupPrivilege | 3112 | vssvc.exe
Token: SeRestorePrivilege | 3112 | vssvc.exe
Token: SeAuditPrivilege | 3112 | vssvc.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\DomainName.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DomainName.bin.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Recovery\lbqnh-readme.txt
Filesize: 7KB
MD5: 9603c72c8f8ca39ed064cc219a938341
SHA1: 1bacb7c52da52d8503e4b00299e4ca05238905aa
SHA256: c39466899ba707625e1fde9bc76647deee093528f2e3603ed39c9b7e1330df8c
SHA512: d12e71bf3a41b2e4c65575ea976106cbe32803e00713774a9e0da778959c0e8df2065a7dbcc2413857ebb10b5144b6710d899c2a54660d0ae2ec84b193641f40