Analysis
max time kernel: 136s
max time network: 71s
platform: windows10_x64
resource: win10v200430
submitted: 07-05-2020 20:35
Static task: static1
Behavioral task: behavioral1
  Sample: 8d9f3cede776bc69e50fdf67e270097b427440bc685a30acc7aa4756e5741eb2.dll
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 8d9f3cede776bc69e50fdf67e270097b427440bc685a30acc7aa4756e5741eb2.dll
  Resource: win10v200430
General
Target: 8d9f3cede776bc69e50fdf67e270097b427440bc685a30acc7aa4756e5741eb2.dll
Size: 166KB
MD5: 70c36b8050aaed69ddaa0a8160a99581
SHA1: 4d067a026a2d9acea3eaee40343d49f7c1340a55
SHA256: 8d9f3cede776bc69e50fdf67e270097b427440bc685a30acc7aa4756e5741eb2
SHA512: 64f949cc7da8e23f41081595d0600aa745b490f63872c10594ec2b8124a85e90fa6c678a718d8eb1339a386e8f2987ac50a23b920c1902418605dd4ede8c54b0
Malware Config
Extracted from: C:\q59e80s-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1B912C4D734C761A
  http://decryptor.cc/1B912C4D734C761A
Signatures

Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Drops file in Program Files directory (19 IoCs)
Processes: rundll32.exe
description | ioc | process
File opened for modification | \??\c:\program files\SplitMerge.ini | rundll32.exe
File opened for modification | \??\c:\program files\RepairRead.nfo | rundll32.exe
File opened for modification | \??\c:\program files\SubmitResolve.dotx | rundll32.exe
File opened for modification | \??\c:\program files\SuspendRead.rtf | rundll32.exe
File opened for modification | \??\c:\program files\SwitchOptimize.wm | rundll32.exe
File opened for modification | \??\c:\program files\SyncConvert.dotm | rundll32.exe
File opened for modification | \??\c:\program files\WaitExit.MTS | rundll32.exe
File opened for modification | \??\c:\program files\WaitJoin.xls | rundll32.exe
File created | \??\c:\program files (x86)\q59e80s-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\CompressGet.wps | rundll32.exe
File opened for modification | \??\c:\program files\LockRedo.kix | rundll32.exe
File opened for modification | \??\c:\program files\SearchReceive.tiff | rundll32.exe
File opened for modification | \??\c:\program files\SetPush.ex_ | rundll32.exe
File opened for modification | \??\c:\program files\UnlockGet.mpe | rundll32.exe
File created | \??\c:\program files\q59e80s-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\MeasureSearch.pdf | rundll32.exe
File opened for modification | \??\c:\program files\UnprotectDismount.crw | rundll32.exe
File opened for modification | \??\c:\program files\UpdateConnect.odt | rundll32.exe
File opened for modification | \??\c:\program files\ConvertFromBackup.pps | rundll32.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4on2hp.bmp" | rundll32.exe
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 3748 wrote to memory of 440 | 3748 | rundll32.exe | rundll32.exe
PID 3748 wrote to memory of 440 | 3748 | rundll32.exe | rundll32.exe
PID 3748 wrote to memory of 440 | 3748 | rundll32.exe | rundll32.exe
PID 440 wrote to memory of 1512 | 440 | rundll32.exe | powershell.exe
PID 440 wrote to memory of 1512 | 440 | rundll32.exe | powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: rundll32.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 440 | rundll32.exe
Token: SeDebugPrivilege | 1512 | powershell.exe
Token: SeBackupPrivilege | 2496 | vssvc.exe
Token: SeRestorePrivilege | 2496 | vssvc.exe
Token: SeAuditPrivilege | 2496 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 440 | rundll32.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: rundll32.exe, powershell.exe
pid | process
440 | rundll32.exe
440 | rundll32.exe
1512 | powershell.exe
1512 | powershell.exe
1512 | powershell.exe
Processes
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d9f3cede776bc69e50fdf67e270097b427440bc685a30acc7aa4756e5741eb2.dll,#1
  PID: 3748
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d9f3cede776bc69e50fdf67e270097b427440bc685a30acc7aa4756e5741eb2.dll,#1
    PID: 440
    - Drops file in Program Files directory
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      PID: 1512
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\wbem\unsecapp.exe
  command: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1848
C:\Windows\system32\vssvc.exe
  command: C:\Windows\system32\vssvc.exe
  PID: 2496
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken