Analysis
max time kernel
75s
max time network
123s
platform
windows10_x64
resource
win10
submitted
18-08-2020 22:20
Static task
static1
Behavioral task
behavioral1
Sample
YBAHw19X.exe.dll
Resource
win7
Behavioral task
behavioral2
Sample
YBAHw19X.exe.dll
Resource
win10
General
Target
YBAHw19X.exe.dll
Size
116KB
MD5
c6dcff3157df6baed69092a977d0ec63
SHA1
5114221dd8e4e0b50f04b92e0ec2be442ba5e0e1
SHA256
9fb4aca06e67c01e6ae8c11817428cfb8e9206d9bf2fe1126af8bfef3d16835f
SHA512
65d54a46d3acfc460e9a5a4978457066016e8c0643643eab3038c74be2fe623c019aa10db67f0e79a6a339b27d377bebc8bf8c90bdb29fe41d69942b8410f338
Malware Config
Extracted
Path
C:\jqi739152-readme.txt
Family
sodinokibi
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/810361ACE3B05675
http://decryptor.cc/810361ACE3B05675
Signatures
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files. Every rename below appends the same victim-specific extension, .jqi739152, and the ransom note extracted above is named after it (jqi739152-readme.txt); the extension is the key to pair encrypted files with their note.
Processes: rundll32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ExitOpen.png => \??\c:\users\admin\pictures\ExitOpen.png.jqi739152 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\GroupDismount.tif => \??\c:\users\admin\pictures\GroupDismount.tif.jqi739152 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\FindClear.png => \??\c:\users\admin\pictures\FindClear.png.jqi739152 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\SearchCheckpoint.png => \??\c:\users\admin\pictures\SearchCheckpoint.png.jqi739152 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\CompareOptimize.png => \??\c:\users\admin\pictures\CompareOptimize.png.jqi739152 | rundll32.exe

Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 5 IoCs)
Note that the process here is vssvc.exe (PID 3352), not the sample: these VSS\Diag keys are written by the Volume Shadow Copy service itself when its writers are engaged, a side effect of the shadow copy deletion requested through WMI, not a service reconfiguration by the malware.
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eom.bmp" | rundll32.exe
Drops file in Program Files directory (19 IoCs)
Processes: rundll32.exe
description | ioc | process
File opened for modification | \??\c:\program files\ConvertFromGroup.bmp | rundll32.exe
File opened for modification | \??\c:\program files\RedoLimit.iso | rundll32.exe
File opened for modification | \??\c:\program files\RevokeConfirm.reg | rundll32.exe
File created | \??\c:\program files\jqi739152-readme.txt | rundll32.exe
File created | \??\c:\program files (x86)\jqi739152-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\ExitApprove.jpeg | rundll32.exe
File opened for modification | \??\c:\program files\GroupSend.vb | rundll32.exe
File opened for modification | \??\c:\program files\RevokeGroup.clr | rundll32.exe
File opened for modification | \??\c:\program files\ConfirmClear.potm | rundll32.exe
File opened for modification | \??\c:\program files\JoinGroup.docx | rundll32.exe
File opened for modification | \??\c:\program files\ResumeWatch.css | rundll32.exe
File opened for modification | \??\c:\program files\UndoSet.au3 | rundll32.exe
File opened for modification | \??\c:\program files\WatchOut.mpeg3 | rundll32.exe
File opened for modification | \??\c:\program files\AssertSplit.potx | rundll32.exe
File opened for modification | \??\c:\program files\CompareDisable.vssm | rundll32.exe
File opened for modification | \??\c:\program files\CompleteReset.jpeg | rundll32.exe
File opened for modification | \??\c:\program files\CompressCopy.ods | rundll32.exe
File opened for modification | \??\c:\program files\StartUnregister.docx | rundll32.exe
File opened for modification | \??\c:\program files\SwitchExpand.xps | rundll32.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: rundll32.exe, powershell.exe
pid | process
336 | rundll32.exe
336 | rundll32.exe
3560 | powershell.exe
3560 | powershell.exe
3560 | powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: rundll32.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 336 | rundll32.exe
Token: SeDebugPrivilege | 3560 | powershell.exe
Token: SeBackupPrivilege | 3352 | vssvc.exe
Token: SeRestorePrivilege | 3352 | vssvc.exe
Token: SeAuditPrivilege | 3352 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 336 | rundll32.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 720 wrote to memory of 336 | 720 | rundll32.exe | rundll32.exe
PID 720 wrote to memory of 336 | 720 | rundll32.exe | rundll32.exe
PID 720 wrote to memory of 336 | 720 | rundll32.exe | rundll32.exe
PID 336 wrote to memory of 3560 | 336 | rundll32.exe | powershell.exe
PID 336 wrote to memory of 3560 | 336 | rundll32.exe | powershell.exe
Processes
C:\Windows\system32\rundll32.exe (PID 720)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\YBAHw19X.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 336, child of 720)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\YBAHw19X.exe.dll,#1
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3560, child of 336)
      command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 of UTF-16LE text and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\unsecapp.exe (PID 3848)
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe (PID 3352)
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the DLL is loaded through rundll32 by export ordinal #1. The 64-bit system32 rundll32 (PID 720) hands the identical command line to the 32-bit SysWOW64 rundll32 (PID 336), which is consistent with a 32-bit DLL, and it is that second process that does all the damage (file renames, wallpaper, ransom notes, SeDebugPrivilege/SeTakeOwnershipPrivilege). Its only child is the encoded PowerShell that deletes every Volume Shadow Copy via WMI, which in turn is what brings up unsecapp.exe (the WMI callback host) and vssvc.exe (the VSS service, which acquires SeBackupPrivilege/SeRestorePrivilege and writes its Diag keys); neither of those two is malicious on its own. For hunting, the encoded -e command line and the pairing of a new file extension with a matching <extension>-readme.txt are the two most portable indicators in this report.
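The two indicators called out above can be checked mechanically. The following is an added example, not code from the report or from Hatching Triage: it decodes the -e payload from the PowerShell command line shown in the process tree (base64 of UTF-16LE, so a plain ASCII decode would produce NUL-interleaved text that substring rules miss), matches it against shadow copy deletion patterns, infers the extension appended by the five file renames, and confirms the extracted ransom note is named after that extension. The sample events are constructed from this report's own IoCs; the vssadmin, wmic, wbadmin and CIM patterns are assumed generalizations that this sample does not itself exhibit.

```python
"""Triage helpers for the Sodinokibi/REvil report above (added example)."""
import base64
import re
from collections import Counter
from typing import List, Optional, Tuple

# Events constructed from the report above: the PowerShell command line is the
# one in the process tree, the renames are the five "Modifies extensions of
# user files" IoCs and the note path is the one in the extracted config.
POWERSHELL_CMDLINE = "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

FILE_RENAMES: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\Pictures\ExitOpen.png", r"\??\c:\users\admin\pictures\ExitOpen.png.jqi739152"),
    (r"C:\Users\Admin\Pictures\GroupDismount.tif", r"\??\c:\users\admin\pictures\GroupDismount.tif.jqi739152"),
    (r"C:\Users\Admin\Pictures\FindClear.png", r"\??\c:\users\admin\pictures\FindClear.png.jqi739152"),
    (r"C:\Users\Admin\Pictures\SearchCheckpoint.png", r"\??\c:\users\admin\pictures\SearchCheckpoint.png.jqi739152"),
    (r"C:\Users\Admin\Pictures\CompareOptimize.png", r"\??\c:\users\admin\pictures\CompareOptimize.png.jqi739152"),
]
RANSOM_NOTE_PATH = r"C:\jqi739152-readme.txt"

# Ways of wiping Volume Shadow Copies. The first matches the WMI one-liner in
# this report; the others are assumed generalizations (vssadmin/wmic/wbadmin/
# CIM) not exhibited by this sample.
SHADOW_COPY_PATTERNS = (
    r"win32_shadowcopy.*\.delete\(",
    r"win32_shadowcopy.*remove-ciminstance",
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script passed via powershell's -EncodedCommand, else None.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...). The payload is base64 of the UTF-16LE script text.
    """
    args = cmdline.split()
    for i in range(len(args) - 1):
        flag = args[i].lower()
        if len(flag) >= 2 and "-encodedcommand".startswith(flag):
            try:
                return base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def shadow_copy_deletion_hits(script: str) -> List[str]:
    """Return the SHADOW_COPY_PATTERNS that match the (decoded) script."""
    text = " ".join(script.split()).lower()
    return [p for p in SHADOW_COPY_PATTERNS if re.search(p, text)]


def appended_extension(renames: List[Tuple[str, str]]) -> Optional[str]:
    """Infer the extension appended to every renamed file, or None.

    The extension is reported only if every rename agrees; mixed results
    are left unresolved rather than guessed.
    """
    seen: Counter = Counter()
    for src, dst in renames:
        src_name = src.rsplit("\\", 1)[-1].lower()
        dst_name = dst.rsplit("\\", 1)[-1].lower()
        if dst_name.startswith(src_name + "."):
            seen[dst_name[len(src_name):]] += 1
        else:
            seen["<no appended extension>"] += 1
    if len(seen) == 1:
        ext = next(iter(seen))
        return None if ext.startswith("<") else ext
    return None


def ransom_note_matches_extension(note_path: str, ext: Optional[str]) -> bool:
    """REvil names its note '<ext>-readme.txt'; check the extracted note path
    uses the extension observed in the renames."""
    if ext is None:
        return False
    note_name = note_path.rsplit("\\", 1)[-1].lower()
    return note_name == f"{ext.lstrip('.')}-readme.txt"


def triage(cmdline: str, renames: List[Tuple[str, str]], note_path: str) -> dict:
    """Run all checks and summarise the verdict for one set of events."""
    script = decode_encoded_command(cmdline)
    ext = appended_extension(renames)
    return {
        "decoded_script": script,
        "shadow_copy_deletion": bool(script) and bool(shadow_copy_deletion_hits(script)),
        "appended_extension": ext,
        "note_matches_extension": ransom_note_matches_extension(note_path, ext),
    }


if __name__ == "__main__":
    for key, value in triage(POWERSHELL_CMDLINE, FILE_RENAMES, RANSOM_NOTE_PATH).items():
        print(f"{key}: {value}")
```

The prefix matching in decode_encoded_command deliberately mirrors PowerShell's own parameter resolution, so -e, -ec and -enc all resolve, while -ep (ExecutionPolicy) and -nop do not; a rule that only looks for the literal "-EncodedCommand" would miss exactly the form this sample uses.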