Resubmissions
11-04-2024 17:53
240411-wgrc2agf82 1011-04-2024 17:50
240411-weydkagf52 1007-03-2024 21:32
240307-1d2rtafd3x 1005-03-2024 03:22
240305-dw4ykadb7x 1026-02-2024 08:40
240226-klbmlahd92 1025-01-2024 23:42
240125-3p3jlaagej 1010-10-2023 00:01
231010-aaxetahb7s 1014-07-2023 13:07
230714-qc385seh7w 1011-07-2023 13:35
230711-qv314aad81 10Analysis
-
max time kernel
48s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26-02-2024 08:40
General
-
Target
v2.exe
-
Size
121KB
-
MD5
944ed18066724dc6ca3fb3d72e4b9bdf
-
SHA1
1a19c8793cd783a5bb89777f5bc09e580f97ce29
-
SHA256
74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f
-
SHA512
a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3
-
SSDEEP
1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY
Malware Config
Extracted
C:\Recovery\dq67c1h-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6CD58D914EFF79CB
http://decoder.re/6CD58D914EFF79CB
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 40 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 24 IoCs
-
Suspicious use of SendNotifyMessage 23 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\v2.exe"C:\Users\Admin\AppData\Local\Temp\v2.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\dq67c1h-readme.txt1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\dq67c1h-readme.txt1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ReadExport.mpa"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\dq67c1h-readme.txtFilesize
7KB
MD51bddf87af0d343ac6392f23ff01e34bc
SHA160c2e91ab79cb18603d389199490c5b5069e9f06
SHA256474e3a82446b569cb9150b8bb572d256c05999a2a2340a1a78cb8c890454e37a
SHA51286e8e31fc078ab7410394cda73132cd503a6d1fc37d3465586784180321fa592664a4709cdac8b613747dd5c098884b3779424d8a2274b1661c775d354252b86
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD5dca45339ca3024e0b1c4a83a4fb20fb1
SHA1cd4498d16465c1784f55f77712a9bdc5551f3ab2
SHA2568c9b30710727762dfda9bf3752092c61e623f9b6d0d6639487f8de3a0bbb4302
SHA512444b15c0c18443206bacc70b741bbe7d74aa83a6bb21323710fe114e633e1926ef98a3541c7b4c49e9acdf41ae11e326f3c6ccbe3969be844cac868230f4915c
-
C:\Users\Admin\AppData\Local\Temp\TarAA0A.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.em2440Filesize
75B
MD5abd44f6620f7c84f5bacd51e73bd4d49
SHA1358c9a05b5b3944fdc43831094aa2b8ca3c82010
SHA25698ac364853ef51634a0a9851caf2f2ba603279aac4c82a15dd35ab65b2ee3e36
SHA5124aacfe1e0e9981d56a8bab88197115128f417c6894c3cc52324e356c03bd24a2d84df521d040f8fa1a91cefe28a8658b206517bf30d3a0fe9c8aba64bcf3545a
-
C:\Windows\System32\catroot2\dberr.txtFilesize
192KB
MD5cd5bd2de905cd091a9a0f87e208e7849
SHA12cb3e76cad47472afd6e89d92cd35a5e99f5c8c1
SHA2569e6126142666ba73a365a0525f46093a3589fa27b9362981e645b2333487ff09
SHA5126cdc453486c24a38c8c26a3b93249c3e9bc1293d9bcc34894051f28ad719b7efcfedff4d55381a9272810ea89a28817630af2a75f0fd53c7e5aa41eb028adbd2
-
memory/2440-2531-0x000000013F530000-0x000000013F628000-memory.dmpFilesize
992KB
-
memory/2440-2532-0x000007FEF65C0000-0x000007FEF65F4000-memory.dmpFilesize
208KB
-
memory/2440-2533-0x000007FEF5D50000-0x000007FEF6004000-memory.dmpFilesize
2.7MB
-
memory/2440-2534-0x000007FEF48F0000-0x000007FEF599B000-memory.dmpFilesize
16.7MB
-
memory/2440-2535-0x000007FEF3CE0000-0x000007FEF3DF2000-memory.dmpFilesize
1.1MB