Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
28-07-2023 18:29
Static task
static1
Behavioral task
behavioral1
Sample
c5baecf5016437ex_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
c5baecf5016437ex_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
c5baecf5016437ex_JC.exe
-
Size
122KB
-
MD5
c5baecf50164376ef048646969d080d4
-
SHA1
610ba6ae85414b12e509e77906d8b81f95ce8cb7
-
SHA256
da5d73f59359d904a6c58c4940270a4ad7774ff340442f7a0eaebd2ccbc7c7fb
-
SHA512
7c8231224b15d43a1129bb5012fb443937f9fd0153ecf223371b2d362bdb0242645655fc573a0be2d260f6629d5b109ba896c18dafbdfa187a8050376d813571
-
SSDEEP
1536:hxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6UdOgYMTLOjeW47s:hMhQNDEtb3AiPnGjeW47s
Malware Config
Extracted
C:\Recovery\pwz7p11bx-read-me-PUP.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1512413402C44067
http://decoder.re/1512413402C44067
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
c5baecf5016437ex_JC.exedescription ioc process File opened (read-only) \??\G: c5baecf5016437ex_JC.exe File opened (read-only) \??\J: c5baecf5016437ex_JC.exe File opened (read-only) \??\M: c5baecf5016437ex_JC.exe File opened (read-only) \??\N: c5baecf5016437ex_JC.exe File opened (read-only) \??\T: c5baecf5016437ex_JC.exe File opened (read-only) \??\U: c5baecf5016437ex_JC.exe File opened (read-only) \??\X: c5baecf5016437ex_JC.exe File opened (read-only) \??\H: c5baecf5016437ex_JC.exe File opened (read-only) \??\Z: c5baecf5016437ex_JC.exe File opened (read-only) \??\F: c5baecf5016437ex_JC.exe File opened (read-only) \??\R: c5baecf5016437ex_JC.exe File opened (read-only) \??\A: c5baecf5016437ex_JC.exe File opened (read-only) \??\E: c5baecf5016437ex_JC.exe File opened (read-only) \??\I: c5baecf5016437ex_JC.exe File opened (read-only) \??\K: c5baecf5016437ex_JC.exe File opened (read-only) \??\L: c5baecf5016437ex_JC.exe File opened (read-only) \??\P: c5baecf5016437ex_JC.exe File opened (read-only) \??\Q: c5baecf5016437ex_JC.exe File opened (read-only) \??\V: c5baecf5016437ex_JC.exe File opened (read-only) \??\D: c5baecf5016437ex_JC.exe File opened (read-only) \??\B: c5baecf5016437ex_JC.exe File opened (read-only) \??\O: c5baecf5016437ex_JC.exe File opened (read-only) \??\S: c5baecf5016437ex_JC.exe File opened (read-only) \??\W: c5baecf5016437ex_JC.exe File opened (read-only) \??\Y: c5baecf5016437ex_JC.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
c5baecf5016437ex_JC.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4h29jway4b.bmp" c5baecf5016437ex_JC.exe -
Drops file in Program Files directory 19 IoCs
Processes:
c5baecf5016437ex_JC.exedescription ioc process File opened for modification \??\c:\program files\WriteFormat.odp c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\ClearBlock.easmx c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\EditPublish.vst c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\RepairMount.mp3 c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\RepairUninstall.cfg c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\UnlockMerge.js c5baecf5016437ex_JC.exe File created \??\c:\program files (x86)\tmp c5baecf5016437ex_JC.exe File created \??\c:\program files (x86)\pwz7p11bx-read-me-PUP.txt c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\ConfirmResume.nfo c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\GrantImport.vb c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\LockProtect.mp4 c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\AddPop.mp4 c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\DisconnectInitialize.odt c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\SplitMount.svg c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\StopReceive.mpeg3 c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\UpdateSkip.rle c5baecf5016437ex_JC.exe File created \??\c:\program files\tmp c5baecf5016437ex_JC.exe File created \??\c:\program files\pwz7p11bx-read-me-PUP.txt c5baecf5016437ex_JC.exe File opened for modification \??\c:\program files\DenyClose.vsx c5baecf5016437ex_JC.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
c5baecf5016437ex_JC.exepid process 3872 c5baecf5016437ex_JC.exe 3872 c5baecf5016437ex_JC.exe 3872 c5baecf5016437ex_JC.exe 3872 c5baecf5016437ex_JC.exe 3872 c5baecf5016437ex_JC.exe 3872 c5baecf5016437ex_JC.exe 3872 c5baecf5016437ex_JC.exe 3872 c5baecf5016437ex_JC.exe 3872 c5baecf5016437ex_JC.exe 3872 c5baecf5016437ex_JC.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
c5baecf5016437ex_JC.exevssvc.exedescription pid process Token: SeDebugPrivilege 3872 c5baecf5016437ex_JC.exe Token: SeTakeOwnershipPrivilege 3872 c5baecf5016437ex_JC.exe Token: SeBackupPrivilege 4168 vssvc.exe Token: SeRestorePrivilege 4168 vssvc.exe Token: SeAuditPrivilege 4168 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
c5baecf5016437ex_JC.exedescription pid process target process PID 3872 wrote to memory of 3076 3872 c5baecf5016437ex_JC.exe netsh.exe PID 3872 wrote to memory of 3076 3872 c5baecf5016437ex_JC.exe netsh.exe PID 3872 wrote to memory of 3076 3872 c5baecf5016437ex_JC.exe netsh.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5baecf5016437ex_JC.exe"C:\Users\Admin\AppData\Local\Temp\c5baecf5016437ex_JC.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵
- Modifies Windows Firewall
PID:3076
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3060
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\pwz7p11bx-read-me-PUP.txtFilesize
8KB
MD5df75e9ced940eaef2d0594809a258bd0
SHA1bca45474f4d9b50cc9a1942b0d0b78c8fea78ca0
SHA256551f4322a0851eb347989680b206850233495459a7230cacc7e23318ca13e86c
SHA51213ac5ddc44e0ca278cf4518313d7dee6aa4aba603b7bd619ab01bf12acd3e73f1d9c3803e0dcda3334a9ecbde81d38764ff55807e82f1f3bd7aa2074e386eeab