Resubmissions
11-04-2024 17:53
240411-wgrc2agf82 1011-04-2024 17:50
240411-weydkagf52 1007-03-2024 21:32
240307-1d2rtafd3x 1005-03-2024 03:22
240305-dw4ykadb7x 1026-02-2024 08:40
240226-klbmlahd92 1025-01-2024 23:42
240125-3p3jlaagej 1010-10-2023 00:01
231010-aaxetahb7s 1014-07-2023 13:07
230714-qc385seh7w 1011-07-2023 13:35
230711-qv314aad81 10Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05-03-2024 03:22
Static task
static1
Behavioral task
behavioral1
Sample
v2.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
v2.exe
Resource
win10v2004-20240226-en
General
-
Target
v2.exe
-
Size
121KB
-
MD5
944ed18066724dc6ca3fb3d72e4b9bdf
-
SHA1
1a19c8793cd783a5bb89777f5bc09e580f97ce29
-
SHA256
74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f
-
SHA512
a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3
-
SSDEEP
1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY
Malware Config
Extracted
C:\ProgramData\4ill810-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/11007FAF1E8AC359
http://decoder.re/11007FAF1E8AC359
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Drops startup file 1 IoCs
Processes:
v2.exedescription ioc process File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\4ill810-readme.txt v2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
v2.exedescription ioc process File opened (read-only) \??\J: v2.exe File opened (read-only) \??\O: v2.exe File opened (read-only) \??\P: v2.exe File opened (read-only) \??\R: v2.exe File opened (read-only) \??\T: v2.exe File opened (read-only) \??\I: v2.exe File opened (read-only) \??\U: v2.exe File opened (read-only) \??\G: v2.exe File opened (read-only) \??\S: v2.exe File opened (read-only) \??\D: v2.exe File opened (read-only) \??\H: v2.exe File opened (read-only) \??\V: v2.exe File opened (read-only) \??\A: v2.exe File opened (read-only) \??\E: v2.exe File opened (read-only) \??\W: v2.exe File opened (read-only) \??\X: v2.exe File opened (read-only) \??\B: v2.exe File opened (read-only) \??\Z: v2.exe File opened (read-only) \??\K: v2.exe File opened (read-only) \??\L: v2.exe File opened (read-only) \??\M: v2.exe File opened (read-only) \??\Q: v2.exe File opened (read-only) \??\Y: v2.exe File opened (read-only) \??\F: v2.exe File opened (read-only) \??\N: v2.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
v2.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mk8.bmp" v2.exe -
Drops file in Program Files directory 28 IoCs
Processes:
v2.exedescription ioc process File opened for modification \??\c:\program files\ConfirmReceive.docx v2.exe File opened for modification \??\c:\program files\ExportDisable.TTS v2.exe File opened for modification \??\c:\program files\InvokeRepair.M2T v2.exe File opened for modification \??\c:\program files\AssertTrace.dwfx v2.exe File opened for modification \??\c:\program files\LimitResume.edrwx v2.exe File opened for modification \??\c:\program files\LockUnlock.tmp v2.exe File opened for modification \??\c:\program files\ProtectFormat.TS v2.exe File opened for modification \??\c:\program files\UnregisterUndo.xsl v2.exe File created \??\c:\program files (x86)\4ill810-readme.txt v2.exe File opened for modification \??\c:\program files\JoinStep.vdw v2.exe File opened for modification \??\c:\program files\SaveShow.otf v2.exe File opened for modification \??\c:\program files\CheckpointLock.pps v2.exe File opened for modification \??\c:\program files\ExpandRegister.xlsb v2.exe File opened for modification \??\c:\program files\FindBackup.ex_ v2.exe File opened for modification \??\c:\program files\RedoImport.easmx v2.exe File opened for modification \??\c:\program files\StartResume.TS v2.exe File opened for modification \??\c:\program files\EditReset.wmv v2.exe File opened for modification \??\c:\program files\AssertStep.avi v2.exe File opened for modification \??\c:\program files\PushSync.wav v2.exe File opened for modification \??\c:\program files\StopMount.wmf v2.exe File created \??\c:\program files\4ill810-readme.txt v2.exe File opened for modification \??\c:\program files\StopSend.zip v2.exe File opened for modification \??\c:\program files\ConvertInvoke.potx v2.exe File opened for modification \??\c:\program files\ResumeOpen.zip v2.exe File opened for modification \??\c:\program files\PublishProtect.vsdm v2.exe File opened for modification \??\c:\program files\SplitLimit.mov v2.exe File opened for modification \??\c:\program files\UnregisterLimit.mpe v2.exe File opened for modification \??\c:\program files\OptimizeRead.ADT v2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
OpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 5996 notepad.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
v2.exepid process 4872 v2.exe 4872 v2.exe 4872 v2.exe 4872 v2.exe 4872 v2.exe 4872 v2.exe 4872 v2.exe 4872 v2.exe 4872 v2.exe 4872 v2.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
v2.exevssvc.exedescription pid process Token: SeDebugPrivilege 4872 v2.exe Token: SeTakeOwnershipPrivilege 4872 v2.exe Token: SeBackupPrivilege 2448 vssvc.exe Token: SeRestorePrivilege 2448 vssvc.exe Token: SeAuditPrivilege 2448 vssvc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
OpenWith.exepid process 5248 OpenWith.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\v2.exe"C:\Users\Admin\AppData\Local\Temp\v2.exe"1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\SyncGet.ps1"1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\4ill810-readme.txtFilesize
7KB
MD5cd71294a8774171a8e6f4309a8e1f6aa
SHA1e34c7042df2d4e76cb6a5dbe87942deaaa7f68e9
SHA256716d07e35cedd1e3da8610a21d52a085455877cfe91d9bc08aa3720302a7baa3
SHA51289e54d714c586c538302d370c5e6fb4c9167028ce8f1afeeada46239afd7570866f6bc3ec7270f3e3520bc40a1d4aa384868cd0cba642d157324a21dd0327416