Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10 -
submitted
02-09-2020 16:06
Static task
static1
Behavioral task
behavioral1
Sample
9b183afcfccc12af90f82c5f5b8a077bd8c77cf815c62e946a0dfdb4bc78847f.dll
Resource
win7v200722
Behavioral task
behavioral2
Sample
9b183afcfccc12af90f82c5f5b8a077bd8c77cf815c62e946a0dfdb4bc78847f.dll
Resource
win10
General
-
Target
9b183afcfccc12af90f82c5f5b8a077bd8c77cf815c62e946a0dfdb4bc78847f.dll
-
Size
116KB
-
MD5
e464e53eb7a4f84aa2fd0a540b2a3840
-
SHA1
bdc8d31dcd1f56a9ab2abf79bba817fb75b3859b
-
SHA256
9b183afcfccc12af90f82c5f5b8a077bd8c77cf815c62e946a0dfdb4bc78847f
-
SHA512
5ce4c7bd667c361fc1afeb752e59de9f29d7ed5c0252af3b6cb7e78e9ebd2ab237a454daea4474640e35fdc8b6d4be47a60cb8926a4801469f0570c64d2ad110
Malware Config
Extracted
C:\k2fiyf-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6DA09EC49B5AA070
http://decryptor.cc/6DA09EC49B5AA070
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Blacklisted process makes network request 49 IoCs
Processes:
rundll32.exeflow pid process 10 3752 rundll32.exe 12 3752 rundll32.exe 14 3752 rundll32.exe 17 3752 rundll32.exe 19 3752 rundll32.exe 21 3752 rundll32.exe 23 3752 rundll32.exe 25 3752 rundll32.exe 27 3752 rundll32.exe 30 3752 rundll32.exe 32 3752 rundll32.exe 33 3752 rundll32.exe 35 3752 rundll32.exe 37 3752 rundll32.exe 39 3752 rundll32.exe 41 3752 rundll32.exe 43 3752 rundll32.exe 45 3752 rundll32.exe 47 3752 rundll32.exe 49 3752 rundll32.exe 51 3752 rundll32.exe 53 3752 rundll32.exe 55 3752 rundll32.exe 57 3752 rundll32.exe 59 3752 rundll32.exe 61 3752 rundll32.exe 63 3752 rundll32.exe 65 3752 rundll32.exe 67 3752 rundll32.exe 69 3752 rundll32.exe 72 3752 rundll32.exe 74 3752 rundll32.exe 76 3752 rundll32.exe 78 3752 rundll32.exe 80 3752 rundll32.exe 82 3752 rundll32.exe 83 3752 rundll32.exe 85 3752 rundll32.exe 87 3752 rundll32.exe 89 3752 rundll32.exe 91 3752 rundll32.exe 93 3752 rundll32.exe 95 3752 rundll32.exe 97 3752 rundll32.exe 99 3752 rundll32.exe 101 3752 rundll32.exe 103 3752 rundll32.exe 105 3752 rundll32.exe 107 3752 rundll32.exe -
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\users\admin\pictures\DismountPop.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\ConvertFromRead.png => \??\c:\users\admin\pictures\ConvertFromRead.png.k2fiyf rundll32.exe File renamed C:\Users\Admin\Pictures\DismountPop.tiff => \??\c:\users\admin\pictures\DismountPop.tiff.k2fiyf rundll32.exe File renamed C:\Users\Admin\Pictures\DebugOpen.png => \??\c:\users\admin\pictures\DebugOpen.png.k2fiyf rundll32.exe File renamed C:\Users\Admin\Pictures\FormatDismount.crw => \??\c:\users\admin\pictures\FormatDismount.crw.k2fiyf rundll32.exe File renamed C:\Users\Admin\Pictures\ResizeLock.tiff => \??\c:\users\admin\pictures\ResizeLock.tiff.k2fiyf rundll32.exe File renamed C:\Users\Admin\Pictures\ReceiveEnable.tif => \??\c:\users\admin\pictures\ReceiveEnable.tif.k2fiyf rundll32.exe File opened for modification \??\c:\users\admin\pictures\BlockPop.tiff rundll32.exe File opened for modification \??\c:\users\admin\pictures\ResizeLock.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\BlockPop.tiff => \??\c:\users\admin\pictures\BlockPop.tiff.k2fiyf rundll32.exe File renamed C:\Users\Admin\Pictures\ExpandStep.tif => \??\c:\users\admin\pictures\ExpandStep.tif.k2fiyf rundll32.exe File renamed C:\Users\Admin\Pictures\MoveStart.raw => \??\c:\users\admin\pictures\MoveStart.raw.k2fiyf rundll32.exe -
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\202fp9t7n.bmp" rundll32.exe -
Drops file in Program Files directory 11 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\program files\LockPush.xltx rundll32.exe File opened for modification \??\c:\program files\RedoExpand.dib rundll32.exe File created \??\c:\program files\k2fiyf-readme.txt rundll32.exe File created \??\c:\program files (x86)\k2fiyf-readme.txt rundll32.exe File opened for modification \??\c:\program files\CompressBackup.xlsm rundll32.exe File opened for modification \??\c:\program files\DenyPush.vssm rundll32.exe File opened for modification \??\c:\program files\EnterGroup.png rundll32.exe File opened for modification \??\c:\program files\ConfirmJoin.inf rundll32.exe File opened for modification \??\c:\program files\OpenUndo.jtx rundll32.exe File opened for modification \??\c:\program files\ResolveRemove.zip rundll32.exe File opened for modification \??\c:\program files\UnpublishSubmit.dwfx rundll32.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
svchost.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = c72c76be4781d601 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 3752 rundll32.exe 3752 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
svchost.exerundll32.exevssvc.exedescription pid process Token: SeShutdownPrivilege 1500 svchost.exe Token: SeCreatePagefilePrivilege 1500 svchost.exe Token: SeDebugPrivilege 3752 rundll32.exe Token: SeTakeOwnershipPrivilege 3752 rundll32.exe Token: SeBackupPrivilege 2532 vssvc.exe Token: SeRestorePrivilege 2532 vssvc.exe Token: SeAuditPrivilege 2532 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3984 wrote to memory of 3752 3984 rundll32.exe rundll32.exe PID 3984 wrote to memory of 3752 3984 rundll32.exe rundll32.exe PID 3984 wrote to memory of 3752 3984 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9b183afcfccc12af90f82c5f5b8a077bd8c77cf815c62e946a0dfdb4bc78847f.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9b183afcfccc12af90f82c5f5b8a077bd8c77cf815c62e946a0dfdb4bc78847f.dll,#12⤵
- Blacklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1836
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2532