Analysis
max time kernel: 149s
max time network: 37s
platform: windows7_x64
resource: win7v200722
submitted: 24-08-2020 12:19
Static task: static1
Behavioral task: behavioral1
  Sample: f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll
  Resource: win10v200722
General
Target: f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll
Size: 116KB
MD5: 4a23ba5e733f132b8fae5c9f0219d32a
SHA1: 3a12b89cbf552b440fe167b91462db17d294d56f
SHA256: f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27
SHA512: b08af5e1fd466e6aba204789985538de8c0eea90be058d4e8e2243bb783a96a4e63087558a4993b54ce0f6c7ddaaf887134820fd14dcebe287d0ca035081241c
Malware Config
Extracted
  Path: C:\7zyo1iyv1-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/760AD4C9552E164F
    http://decryptor.cc/760AD4C9552E164F
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs)

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

Drops file in Program Files directory (24 IoCs)
Processes: rundll32.exe
  description | ioc | process
  File created | \??\c:\program files\7zyo1iyv1-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\ExportTest.mpg | rundll32.exe
  File opened for modification | \??\c:\program files\GroupPublish.M2V | rundll32.exe
  File opened for modification | \??\c:\program files\RequestSearch.mpg | rundll32.exe
  File opened for modification | \??\c:\program files\StepEnter.php | rundll32.exe
  File opened for modification | \??\c:\program files\TestShow.rtf | rundll32.exe
  File created | \??\c:\program files\microsoft sql server compact edition\v3.5\7zyo1iyv1-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\WatchUnblock.inf | rundll32.exe
  File opened for modification | \??\c:\program files\DisconnectExit.ppt | rundll32.exe
  File opened for modification | \??\c:\program files\EnterUse.3gp | rundll32.exe
  File created | \??\c:\program files\microsoft sql server compact edition\7zyo1iyv1-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\PingEdit.ppsx | rundll32.exe
  File opened for modification | \??\c:\program files\SetJoin.avi | rundll32.exe
  File opened for modification | \??\c:\program files\StopSwitch.i64 | rundll32.exe
  File opened for modification | \??\c:\program files\UseSelect.ttf | rundll32.exe
  File created | \??\c:\program files (x86)\7zyo1iyv1-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\ConvertToSet.M2V | rundll32.exe
  File opened for modification | \??\c:\program files\EnterInitialize.mpeg2 | rundll32.exe
  File opened for modification | \??\c:\program files\TraceComplete.css | rundll32.exe
  File opened for modification | \??\c:\program files\ConnectConvertFrom.wmf | rundll32.exe
  File opened for modification | \??\c:\program files\ExportImport.wma | rundll32.exe
  File opened for modification | \??\c:\program files\MountRestart.mpv2 | rundll32.exe
  File opened for modification | \??\c:\program files\UnlockSet.mpp | rundll32.exe
  File opened for modification | \??\c:\program files\UnpublishSubmit.ogg | rundll32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: rundll32.exe
  pid | process
  1396 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: rundll32.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1396 | rundll32.exe
  Token: SeTakeOwnershipPrivilege | 1396 | rundll32.exe
  Token: SeBackupPrivilege | 1368 | vssvc.exe
  Token: SeRestorePrivilege | 1368 | vssvc.exe
  Token: SeAuditPrivilege | 1368 | vssvc.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: rundll32.exe
  description | pid | process | target process
  PID 1296 wrote to memory of 1396 | 1296 | rundll32.exe | rundll32.exe
  PID 1296 wrote to memory of 1396 | 1296 | rundll32.exe | rundll32.exe
  PID 1296 wrote to memory of 1396 | 1296 | rundll32.exe | rundll32.exe
  PID 1296 wrote to memory of 1396 | 1296 | rundll32.exe | rundll32.exe
  PID 1296 wrote to memory of 1396 | 1296 | rundll32.exe | rundll32.exe
  PID 1296 wrote to memory of 1396 | 1296 | rundll32.exe | rundll32.exe
  PID 1296 wrote to memory of 1396 | 1296 | rundll32.exe | rundll32.exe
Processes

Path: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll,#1
PID: 1296
Signatures: Suspicious use of WriteProcessMemory

  Path: C:\Windows\SysWOW64\rundll32.exe (child of PID 1296)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll,#1
  PID: 1396
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\system32\wbem\unsecapp.exe
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID: 800

Path: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 1368
Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken