Analysis
max time kernel: 78s
max time network: 81s
platform: windows10_x64
resource: win10v200722
submitted: 24-08-2020 12:19

Static task: static1
Behavioral task: behavioral1
Sample: f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll
Resource: win7v200722
Behavioral task: behavioral2
Sample: f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll
Resource: win10v200722

General
Target: f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll
Size: 116KB
MD5: 4a23ba5e733f132b8fae5c9f0219d32a
SHA1: 3a12b89cbf552b440fe167b91462db17d294d56f
SHA256: f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27
SHA512: b08af5e1fd466e6aba204789985538de8c0eea90be058d4e8e2243bb783a96a4e63087558a4993b54ce0f6c7ddaaf887134820fd14dcebe287d0ca035081241c
Malware Config
Extracted
Path: C:\m2n9346-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EEAC9A004D1EEC18
http://decryptor.cc/EEAC9A004D1EEC18
Both URLs carry the same victim identifier path (EEAC9A004D1EEC18), one on the Tor hidden service and one on its clearnet mirror; the note was dropped at the root of C:\ in addition to the Program Files copies listed under Signatures.
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files. Here every renamed file receives the same appended token, .m2n9346, which is also the prefix of the dropped ransom note m2n9346-readme.txt; the "opened for modification" events on the same paths precede the in-place overwrite.
Process: rundll32.exe
description | ioc | process
File opened for modification | \??\c:\users\admin\pictures\AddUnpublish.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\AddUnpublish.tiff => \??\c:\users\admin\pictures\AddUnpublish.tiff.m2n9346 | rundll32.exe
File opened for modification | \??\c:\users\admin\pictures\SaveAssert.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\MountStart.raw => \??\c:\users\admin\pictures\MountStart.raw.m2n9346 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\SaveAssert.tiff => \??\c:\users\admin\pictures\SaveAssert.tiff.m2n9346 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\UnblockShow.tif => \??\c:\users\admin\pictures\UnblockShow.tif.m2n9346 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\UnblockEnable.raw => \??\c:\users\admin\pictures\UnblockEnable.raw.m2n9346 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\UpdateUnprotect.png => \??\c:\users\admin\pictures\UpdateUnprotect.png.m2n9346 | rundll32.exe
Enumerates connected drives (3 TTPs)
Modifies service (2 TTPs, 5 IoCs)
All five keys are written by vssvc.exe, not by the sample's rundll32.exe: they are the VSS diagnostic entries the service creates when it starts and its writers register. This is consistent with the Volume Shadow Copy service being started on demand during the run, not with the payload editing a service configuration itself; the report does not show which process requested VSS.
Process: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
The wallpaper is a freshly written BMP in the user's Temp directory, a host artefact worth collecting alongside the note.
Process: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4rqs5rgky15b.bmp" | rundll32.exe
Drops file in Program Files directory (17 IoCs)
Two of the 17 events are the ransom note being created, once in c:\program files and once in c:\program files (x86); the remaining 15 are data files opened for modification, i.e. candidates for encryption.
Process: rundll32.exe
description | ioc | process
File opened for modification | \??\c:\program files\RepairConvert.aifc | rundll32.exe
File created | \??\c:\program files (x86)\m2n9346-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\ClearReceive.3gpp | rundll32.exe
File opened for modification | \??\c:\program files\DisableConvertTo.3gp | rundll32.exe
File opened for modification | \??\c:\program files\EditAssert.pptm | rundll32.exe
File opened for modification | \??\c:\program files\BlockWatch.docx | rundll32.exe
File opened for modification | \??\c:\program files\ConnectGet.vb | rundll32.exe
File opened for modification | \??\c:\program files\SearchSelect.zip | rundll32.exe
File opened for modification | \??\c:\program files\SetAdd.asf | rundll32.exe
File opened for modification | \??\c:\program files\AssertResume.vbs | rundll32.exe
File opened for modification | \??\c:\program files\ConvertFromUpdate.midi | rundll32.exe
File opened for modification | \??\c:\program files\ResetDeny.docx | rundll32.exe
File opened for modification | \??\c:\program files\ResizeSkip.MTS | rundll32.exe
File created | \??\c:\program files\m2n9346-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\CompareClose.avi | rundll32.exe
File opened for modification | \??\c:\program files\ConvertFromBlock.vstx | rundll32.exe
File opened for modification | \??\c:\program files\ExportConvertFrom.docx | rundll32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: rundll32.exe
pid | process
1016 | rundll32.exe
1016 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Only the first two privileges are enabled by the payload process (PID 1016): SeDebugPrivilege and SeTakeOwnershipPrivilege are what a process needs to open other processes and to seize files it does not own. SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege are enabled by vssvc.exe (PID 2112) as part of its normal operation.
Processes: rundll32.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1016 | rundll32.exe
Token: SeTakeOwnershipPrivilege | 1016 | rundll32.exe
Token: SeBackupPrivilege | 2112 | vssvc.exe
Token: SeRestorePrivilege | 2112 | vssvc.exe
Token: SeAuditPrivilege | 2112 | vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
PID 908 is the 64-bit rundll32.exe started with the DLL; PID 1016 is the SysWOW64 copy it spawned with the same command line, which is how rundll32 handles a 32-bit DLL on a 64-bit host. Three parent-to-child writes at process creation are consistent with ordinary child setup rather than injection, and the report records no other cross-process writes.
Process: rundll32.exe
description | pid | process | target process
PID 908 wrote to memory of 1016 | 908 | rundll32.exe | rundll32.exe
PID 908 wrote to memory of 1016 | 908 | rundll32.exe | rundll32.exe
PID 908 wrote to memory of 1016 | 908 | rundll32.exe | rundll32.exe
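As an added example (not part of this report and not the sandbox's own code), the following Python script replays the IoC lines above, written here in a constructed pipe-separated form, and correlates them the way a triage analyst would: files renamed with a common appended token, a <token>-readme.txt note whose prefix matches that token, a wallpaper set from the user's Temp directory, and the privileges each process enabled. Two benign renames (a Word owner file and a .bak log rotation) are constructed to show why the rename pattern alone is not enough. The event layout, the threshold of five files, and the benign lines are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events transcribed from this report's IoC lists, plus two
# benign renames (WINWORD.EXE, backup.exe) invented here to show the filter.
# The "<description>|<ioc>|<process>" layout is an assumption made for this
# example; it is not an export format of the sandbox.
SAMPLE_EVENTS = r"""
File opened for modification|\??\c:\users\admin\pictures\AddUnpublish.tiff|rundll32.exe
File renamed|C:\Users\Admin\Pictures\AddUnpublish.tiff => \??\c:\users\admin\pictures\AddUnpublish.tiff.m2n9346|rundll32.exe
File renamed|C:\Users\Admin\Pictures\MountStart.raw => \??\c:\users\admin\pictures\MountStart.raw.m2n9346|rundll32.exe
File renamed|C:\Users\Admin\Pictures\SaveAssert.tiff => \??\c:\users\admin\pictures\SaveAssert.tiff.m2n9346|rundll32.exe
File renamed|C:\Users\Admin\Pictures\UnblockShow.tif => \??\c:\users\admin\pictures\UnblockShow.tif.m2n9346|rundll32.exe
File renamed|C:\Users\Admin\Pictures\UnblockEnable.raw => \??\c:\users\admin\pictures\UnblockEnable.raw.m2n9346|rundll32.exe
File renamed|C:\Users\Admin\Pictures\UpdateUnprotect.png => \??\c:\users\admin\pictures\UpdateUnprotect.png.m2n9346|rundll32.exe
File created|\??\c:\program files\m2n9346-readme.txt|rundll32.exe
File created|\??\c:\program files (x86)\m2n9346-readme.txt|rundll32.exe
Set value (str)|\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4rqs5rgky15b.bmp"|rundll32.exe
Token: SeDebugPrivilege|1016|rundll32.exe
Token: SeTakeOwnershipPrivilege|1016|rundll32.exe
Token: SeBackupPrivilege|2112|vssvc.exe
File renamed|C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\~$report.docx|WINWORD.EXE
File renamed|C:\Logs\app.log => C:\Logs\app.log.bak|backup.exe
"""

NOTE_RE = re.compile(r"([a-z0-9]+)-readme\.txt$")
THRESHOLD = 5   # distinct files renamed with the same appended token (assumed)


def _norm(path):
    """Lower-case a path, drop the NT object-manager prefix, collapse doubled backslashes."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.replace("\\\\", "\\").lower()


def analyse(events_text):
    """Correlate rename, note-drop, wallpaper and privilege events into findings."""
    renamed = set()              # (process, original path, appended token)
    note_tokens = set()          # tokens seen in "<token>-readme.txt" file creations
    wallpaper = None             # normalised wallpaper path, if one was set
    privileges = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        desc, ioc, proc = line.split("|", 2)
        if desc == "File renamed":
            old, _, new = ioc.partition(" => ")
            old, new = _norm(old), _norm(new)
            # Only "x.ext" -> "x.ext.<token>" counts; "~$report.docx" does not.
            token = new[len(old) + 1:] if new.startswith(old + ".") else ""
            if token.isalnum():
                renamed.add((proc, old, token))
        elif desc == "File created":
            m = NOTE_RE.search(_norm(ioc))
            if m:
                note_tokens.add(m.group(1))
        elif desc.startswith("Set value") and "\\control panel\\desktop\\wallpaper" in ioc.lower():
            wallpaper = _norm(ioc.partition("=")[2].strip().strip('"'))
        elif desc.startswith("Token: "):
            privileges[proc].add(desc[len("Token: "):])

    per_token = Counter(t for _, _, t in renamed)
    # A token is treated as a ransomware extension only when many distinct files
    # received it AND a matching "<token>-readme.txt" note was dropped.
    ransomware_tokens = sorted(t for t, n in per_token.items()
                               if n >= THRESHOLD and t in note_tokens)
    return {
        "extension_tokens": dict(per_token),
        "files_renamed": len(renamed),
        "note_tokens": sorted(note_tokens),
        "wallpaper_in_temp": wallpaper is not None and "\\appdata\\local\\temp\\" in wallpaper,
        "ransomware_tokens": ransomware_tokens,
        "suspect_processes": sorted({p for p, _, t in renamed if t in ransomware_tokens}),
        "privileges": {p: sorted(v) for p, v in privileges.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_EVENTS), indent=2))
```

Run as-is it prints the findings as JSON; on real telemetry, feed it the equivalent file-rename, file-create and registry-set events. The threshold-plus-note rule keeps a single .bak rotation from tripping the verdict, but it will miss a run that is killed before the note is dropped, so a high rename count on its own is still worth a look.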
Processes

C:\Windows\system32\rundll32.exe (PID 908)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll,#1
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1016, child of 908)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1662bfebf68d8da9879fd50b41536078c0c06ed4616dc388ee78a30ce8ccd27.dll,#1
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe (PID 1304)
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe (PID 2112)
Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken