Analysis

max time kernel: 71s
max time network: 74s
platform: windows10_x64
resource: win10v200722
submitted: 20-08-2020 13:04

Static task: static1
Behavioral task: behavioral1
  Sample: d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll
  Resource: win10v200722
General

Target: d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll
Size: 116KB
MD5: 946a25739c934f91f795e002a9f77bda
SHA1: 48fa5f0d87d162f8ae67e01d7ee309ae8fa976cf
SHA256: d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8
SHA512: 07e6ec47cfbb44975ff7e69973c8154d8f26af1acb26e62b40e0003943953ab87b15a222b14bae7bfb74849f9aff36d727372cff3c3954418db7d28e9119ae69
Malware Config

Extracted
  Path: C:\sg9x6os19h-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4798B3F2F1587432
    http://decryptor.cc/4798B3F2F1587432

The configuration was recovered from the ransom note dropped in the root of C:. The note is named <extension>-readme.txt, where sg9x6os19h is the extension the sample appends to every file it encrypts (see the file-rename IoCs below). The Tor (.onion) payment URL and its clearnet counterpart on decryptor.cc carry the same victim identifier, 4798B3F2F1587432, as their path.
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\GetRegister.png => \??\c:\users\admin\pictures\GetRegister.png.sg9x6os19h | rundll32.exe
File renamed | C:\Users\Admin\Pictures\BackupReceive.tif => \??\c:\users\admin\pictures\BackupReceive.tif.sg9x6os19h | rundll32.exe
File renamed | C:\Users\Admin\Pictures\PushConvert.png => \??\c:\users\admin\pictures\PushConvert.png.sg9x6os19h | rundll32.exe
File renamed | C:\Users\Admin\Pictures\MeasureResolve.png => \??\c:\users\admin\pictures\MeasureResolve.png.sg9x6os19h | rundll32.exe
File renamed | C:\Users\Admin\Pictures\OpenDisconnect.crw => \??\c:\users\admin\pictures\OpenDisconnect.crw.sg9x6os19h | rundll32.exe
File renamed | C:\Users\Admin\Pictures\OpenEdit.tiff => \??\c:\users\admin\pictures\OpenEdit.tiff.sg9x6os19h | rundll32.exe
File renamed | C:\Users\Admin\Pictures\StepComplete.tif => \??\c:\users\admin\pictures\StepComplete.tif.sg9x6os19h | rundll32.exe
File opened for modification | \??\c:\users\admin\pictures\OpenEdit.tiff | rundll32.exe
Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Note that every IoC in this signature is attributed to vssvc.exe, the Volume Shadow Copy service, writing its own VSS\Diag writer keys when it is started; the sample's contribution is having caused the service to start (see the PowerShell command in the process tree).

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ikgbm12.bmp" | rundll32.exe
The wallpaper is pointed at a bitmap in the user's Temp directory rather than at an existing system image.

Drops file in Program Files directory (33 IoCs)
Processes: rundll32.exe
description | ioc | process
File opened for modification | \??\c:\program files\PublishGroup.dib | rundll32.exe
File opened for modification | \??\c:\program files\ResizeCompress.inf | rundll32.exe
File opened for modification | \??\c:\program files\SubmitRequest.vssx | rundll32.exe
File opened for modification | \??\c:\program files\TestSave.vsdx | rundll32.exe
File opened for modification | \??\c:\program files\WatchPublish.midi | rundll32.exe
File opened for modification | \??\c:\program files\ResetRedo.dotx | rundll32.exe
File opened for modification | \??\c:\program files\RevokeRepair.ini | rundll32.exe
File opened for modification | \??\c:\program files\SetMove.pcx | rundll32.exe
File opened for modification | \??\c:\program files\WatchPublish.rtf | rundll32.exe
File opened for modification | \??\c:\program files\SplitCheckpoint.dwfx | rundll32.exe
File opened for modification | \??\c:\program files\StartRestart.pub | rundll32.exe
File opened for modification | \??\c:\program files\TraceCheckpoint.mp2 | rundll32.exe
File opened for modification | \??\c:\program files\WriteDisable.js | rundll32.exe
File opened for modification | \??\c:\program files\ConvertFromJoin.wps | rundll32.exe
File opened for modification | \??\c:\program files\ReadStop.ini | rundll32.exe
File opened for modification | \??\c:\program files\SuspendExpand.asx | rundll32.exe
File opened for modification | \??\c:\program files\UnblockFormat.fon | rundll32.exe
File opened for modification | \??\c:\program files\ConfirmReceive.pdf | rundll32.exe
File opened for modification | \??\c:\program files\RevokeSearch.mpv2 | rundll32.exe
File opened for modification | \??\c:\program files\RevokeUnprotect.shtml | rundll32.exe
File opened for modification | \??\c:\program files\ExpandMerge.emz | rundll32.exe
File opened for modification | \??\c:\program files\GetRename.mht | rundll32.exe
File opened for modification | \??\c:\program files\ReadRestart.dib | rundll32.exe
File opened for modification | \??\c:\program files\RepairTest.wpl | rundll32.exe
File opened for modification | \??\c:\program files\UnregisterPop.odp | rundll32.exe
File created | \??\c:\program files (x86)\sg9x6os19h-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\CompareComplete.ttf | rundll32.exe
File opened for modification | \??\c:\program files\DenySend.emf | rundll32.exe
File opened for modification | \??\c:\program files\WritePublish.jfif | rundll32.exe
File opened for modification | \??\c:\program files\SyncUnpublish.fon | rundll32.exe
File created | \??\c:\program files\sg9x6os19h-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\ExpandMerge.emf | rundll32.exe
File opened for modification | \??\c:\program files\InitializeDebug.xltx | rundll32.exe
The two "File created" rows are the ransom note, sg9x6os19h-readme.txt, dropped into both Program Files directories alongside the files being encrypted.
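As an added example, not part of the sandbox report or of its signature engine: a Python script that takes the file-system events from the two tables above, transcribed as (description, ioc) tuples, and infers the ransomware extension the way the "Modifies extensions of user files" signature does, by looking for one suffix appended to many distinct files after their original extension. It then looks for created files named <suffix>-readme.txt, the ransom-note convention this sample uses. One .bak rename is constructed benign noise, added to show that a lone backup-style rename does not trip the threshold; min_files is an assumed tuning parameter, not something the report defines.

```python
import re
from collections import defaultdict

# File-system events transcribed from the "Modifies extensions of user files" and
# "Drops file in Program Files directory" tables of the report (all rundll32.exe, PID 2972).
# The final .bak rename is constructed benign noise and is not in the report.
EVENTS = [
    ("File renamed", r"C:\Users\Admin\Pictures\GetRegister.png => \??\c:\users\admin\pictures\GetRegister.png.sg9x6os19h"),
    ("File renamed", r"C:\Users\Admin\Pictures\BackupReceive.tif => \??\c:\users\admin\pictures\BackupReceive.tif.sg9x6os19h"),
    ("File renamed", r"C:\Users\Admin\Pictures\PushConvert.png => \??\c:\users\admin\pictures\PushConvert.png.sg9x6os19h"),
    ("File renamed", r"C:\Users\Admin\Pictures\MeasureResolve.png => \??\c:\users\admin\pictures\MeasureResolve.png.sg9x6os19h"),
    ("File renamed", r"C:\Users\Admin\Pictures\OpenDisconnect.crw => \??\c:\users\admin\pictures\OpenDisconnect.crw.sg9x6os19h"),
    ("File renamed", r"C:\Users\Admin\Pictures\OpenEdit.tiff => \??\c:\users\admin\pictures\OpenEdit.tiff.sg9x6os19h"),
    ("File renamed", r"C:\Users\Admin\Pictures\StepComplete.tif => \??\c:\users\admin\pictures\StepComplete.tif.sg9x6os19h"),
    ("File opened for modification", r"\??\c:\users\admin\pictures\OpenEdit.tiff"),
    ("File created", r"\??\c:\program files (x86)\sg9x6os19h-readme.txt"),
    ("File created", r"\??\c:\program files\sg9x6os19h-readme.txt"),
    ("File renamed", r"C:\Users\Admin\Documents\notes.txt => \??\c:\users\admin\documents\notes.txt.bak"),  # constructed
]

NT_PREFIX = "\\??\\"  # object-manager prefix the sandbox shows on kernel-side paths


def normalize(path):
    """Drop the \\??\\ prefix and lower-case, so the user-mode and NT spellings of one path compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_suffix(old, new):
    """Return 'ext' when new == old + '.ext' (one extra component, original name intact), else None."""
    old_n, new_n = normalize(old), normalize(new)
    if not new_n.startswith(old_n + "."):
        return None
    suffix = new_n[len(old_n) + 1:]
    if not suffix or "." in suffix or "\\" in suffix:
        return None
    return suffix


def infer_ransomware_extension(events, min_files=5):
    """Find the suffix appended to the most distinct files; report it only at or above
    min_files (assumed threshold) so a single backup-style rename does not trigger."""
    files_by_suffix = defaultdict(set)
    for kind, ioc in events:
        if kind != "File renamed" or " => " not in ioc:
            continue
        old, new = ioc.split(" => ", 1)
        suffix = appended_suffix(old, new)
        if suffix:
            files_by_suffix[suffix].add(normalize(old))
    best = max(files_by_suffix.items(), key=lambda kv: len(kv[1]), default=None)
    if best is None or len(best[1]) < min_files:
        return None
    return best[0], len(best[1])


def ransom_notes(events, ext):
    """Created files named '<ext>-readme.txt', the note naming this sample uses."""
    note = re.compile(re.escape(ext) + r"-readme\.txt$", re.IGNORECASE)
    return sorted(normalize(ioc) for kind, ioc in events
                  if kind == "File created" and note.search(ioc))


if __name__ == "__main__":
    hit = infer_ransomware_extension(EVENTS)
    if hit:
        ext, count = hit
        print("extension .%s appended to %d distinct files" % (ext, count))
        for path in ransom_notes(EVENTS, ext):
            print("ransom note:", path)
```

Run against the report's events this yields .sg9x6os19h on seven distinct files and both ransom-note paths; the constructed .bak rename is counted once and never reaches the threshold. On a real endpoint the same logic runs over file-rename telemetry keyed by process, with the threshold set well above what backup tools produce.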
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: rundll32.exe, powershell.exe
pid | process
2972 | rundll32.exe
2972 | rundll32.exe
640 | powershell.exe
640 | powershell.exe
640 | powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: rundll32.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 2972 | rundll32.exe
Token: SeDebugPrivilege | 640 | powershell.exe
Token: SeBackupPrivilege | 2188 | vssvc.exe
Token: SeRestorePrivilege | 2188 | vssvc.exe
Token: SeAuditPrivilege | 2188 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 2972 | rundll32.exe
The rows for vssvc.exe are the privileges the Volume Shadow Copy service normally enables for itself. The rows that matter are the encrypting rundll32.exe (PID 2972) enabling SeDebugPrivilege and SeTakeOwnershipPrivilege, the latter letting it take ownership of files its token could not otherwise write.

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 3056 wrote to memory of 2972 | 3056 | rundll32.exe | rundll32.exe
PID 3056 wrote to memory of 2972 | 3056 | rundll32.exe | rundll32.exe
PID 3056 wrote to memory of 2972 | 3056 | rundll32.exe | rundll32.exe
PID 2972 wrote to memory of 640 | 2972 | rundll32.exe | powershell.exe
PID 2972 wrote to memory of 640 | 2972 | rundll32.exe | powershell.exe
Each row is a parent writing into a child it has just created (3056 into 2972, 2972 into 640), which is what process creation looks like to this signature; there is no write into an unrelated process here.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll,#1
  PID: 3056
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0fb6f4c608994c787f15ee3b5cc1297180687522ade080c07a708e55ce23de8.bin.exe.dll,#1
    PID: 2972
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (-e takes base64 of the UTF-16LE script text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      PID: 640
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 392

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2188
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample is a DLL invoked through rundll32.exe with ",#1", i.e. its export at ordinal 1. The 64-bit system32\rundll32.exe (PID 3056) relaunches its 32-bit SysWOW64 counterpart (PID 2972) with the same arguments, which is what rundll32 does when the DLL it is asked to load is a 32-bit image, and every encryption-related IoC above is attributed to PID 2972. That process spawns PowerShell whose only job is to enumerate every Win32_Shadowcopy instance over WMI and call Delete() on it, removing the Volume Shadow Copies a victim could restore from. The two top-level processes are consistent with that: unsecapp.exe (the WMI client callback sink, launched by DCOM with -Embedding) appears when a WMI client connects, and vssvc.exe is started to service the deletions, which is why it shows up enabling SeBackupPrivilege and SeRestorePrivilege.
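The powershell.exe command line in the tree hides its script behind -e, which takes the base64 encoding of the UTF-16LE script text. As an added example, not taken from the report or from any tooling it names: a Python scanner that decodes that argument from process command lines and flags Volume Shadow Copy deletion whether it arrives as encoded PowerShell, as vssadmin or as wmic. The first command line in the list is the one from this report; the other four are constructed, and the regular expressions are this example's own assumptions about how such commands are spelled, not an exhaustive set.

```python
import base64
import re

# Process command lines to scan. The first is the powershell.exe command line from the
# process tree above; the remaining four are constructed for this example.
COMMAND_LINES = [
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==",
    "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode("Get-Date".encode("utf-16le")).decode(),
    "vssadmin.exe delete shadows /all /quiet",
    "wmic shadowcopy delete",
    'powershell -Command "Get-ChildItem C:\\Temp"',
]

# "-<flag> <token>" pairs; the token charset is base64, so ordinary arguments do not qualify.
FLAG_VALUE = re.compile(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")

# Ways of deleting Volume Shadow Copies, matched case-insensitively (assumed patterns).
SHADOW_DELETE = [
    re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I),                 # WMI object .Delete(), as in this report
    re.compile(r"win32_shadowcopy.*remove-(?:wmiobject|ciminstance)", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
]


def decode_encoded_command(cmdline):
    """Return the script behind -e/-ec/-enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    for flag, value in FLAG_VALUE.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts -e, -ec and any unambiguous prefix of -EncodedCommand.
        if flag not in ("e", "ec") and not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            return None  # not valid base64/UTF-16LE: leave the raw line to the pattern match
    return None


def shadow_copy_deletion(cmdline):
    """Return the effective command text if it deletes shadow copies, else None.
    Encoded PowerShell is decoded first so the patterns run on the real script."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    for pattern in SHADOW_DELETE:
        if pattern.search(text):
            return text
    return None


def scan(cmdlines):
    """(raw command line, effective text) for every line that deletes shadow copies."""
    hits = []
    for cmdline in cmdlines:
        text = shadow_copy_deletion(cmdline)
        if text is not None:
            hits.append((cmdline, text))
    return hits


if __name__ == "__main__":
    for raw, text in scan(COMMAND_LINES):
        print("shadow copy deletion:", text)
```

Decoding before matching is the point: a rule that only inspects the raw command line never sees the string Win32_Shadowcopy in this sample's PowerShell invocation, while vssadmin and wmic variants are caught in the clear. The same decoder applies to any process-creation source that records full command lines.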