Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
17-04-2024 12:56
General
-
Target
42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
-
Size
166KB
-
MD5
43e9093ffc8dd69985a9ae65b26f5551
-
SHA1
7b268ff84e824ddcd8b7df3cf9993be012489d01
-
SHA256
42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d
-
SHA512
118d879750d0456f5b2e31818815ef9465fb40eac24f4784236c626d2a2e753b5a85ec5b2c66a755b10855c9caaf77bd85b6b3d1fc7003fb029cb703ead9037c
-
SSDEEP
3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QG9BEJfMt0H:ZJ0BXScFy2RsQJ8zgG9jt0
Malware Config
Extracted
C:\Users\bm02qgl-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0422D02648DD265F
http://decryptor.cc/0422D02648DD265F
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe"C:\Users\Admin\AppData\Local\Temp\42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD526d5c6b69c3cd7c0326ae2bb62b19bc3
SHA16e708c9fff7975182366522f5f8e1e4e8c8c371f
SHA256e79fc1c410e78a93e0e6ff36dbbcbde29e349f0932c0ac0ea856417dea0b9a1c
SHA512adbc938794db379568dd34d401a7f42c2a2eb3e24256070b9ac1b000b247053344095fc99e8f82724b581cffd3740b993d9e99f16b56e7368b878c0dd0c687c6
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB