Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10v200722
- submitted: 16-09-2020 11:37
Static task: static1
Behavioral task: behavioral1
  Sample: PNaBtWvH.exe.dll
  Resource: win7
Behavioral task: behavioral2
  Sample: PNaBtWvH.exe.dll
  Resource: win10v200722
General
- Target: PNaBtWvH.exe.dll
- Size: 116KB
- MD5: 906476f7f37236ab87319d477afec56f
- SHA1: 16485c511e413cc33b4fe6ef3c95b65198cdd9f3
- SHA256: b8dc282b15526821326ae7158f5e4e895a874fc15499d102d59e819aa78d5800
- SHA512: 8c893d42f90a4d63b6261c8644bb97807052fa1570693b3cc179566b7a14f28590d7d2e4e5062cbb731617f83c46c0333d46a45a5ad2138576b95867fbf323ce
Malware Config
Extracted from: C:\0co8340t6-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ADF5FEE9BFBA4D11
  - http://decryptor.cc/ADF5FEE9BFBA4D11
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (83 IoCs)
  Processes: rundll32.exe
  Columns: flow | pid | process. Every listed flow was made by pid 800 (rundll32.exe); flow ids: 24, 25, 27, 29, 31, 36, 43, 45, 47, 49, 51, 53, 55, 57, 59, 60, 62, 64, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 100, 102, 104, 106, 108, 111, 113, 115, 117, 119, 121, 123, 125, 127, 130, 132, 134, 136, 138, 140, 142, 143, 145, 147, 149, 151, 153, 155, 157.
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rundll32.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\UnpublishPush.tif => \??\c:\users\admin\pictures\UnpublishPush.tif.0co8340t6 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\DisconnectFormat.raw => \??\c:\users\admin\pictures\DisconnectFormat.raw.0co8340t6 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\MeasureDebug.raw => \??\c:\users\admin\pictures\MeasureDebug.raw.0co8340t6 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\ShowFormat.crw => \??\c:\users\admin\pictures\ShowFormat.crw.0co8340t6 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\UnlockResolve.raw => \??\c:\users\admin\pictures\UnlockResolve.raw.0co8340t6 | rundll32.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  Columns: description | ioc | process. Each entry is "File opened (read-only)" by rundll32.exe on one drive root: \??\X:, \??\D:, \??\A:, \??\K:, \??\M:, \??\N:, \??\R:, \??\Y:, \??\Z:, \??\B:, \??\J:, \??\O:, \??\S:, \??\W:, \??\V:, \??\H:, \??\I:, \??\L:, \??\P:, \??\Q:, \??\E:, \??\F:, \??\G:, \??\T:, \??\U:
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqx4toqq6e20.bmp" | rundll32.exe
- Drops file in Program Files directory (31 IoCs)
  Processes: rundll32.exe
  File created by rundll32.exe:
    \??\c:\program files\0co8340t6-readme.txt
    \??\c:\program files (x86)\0co8340t6-readme.txt
  File opened for modification by rundll32.exe:
    \??\c:\program files\BlockShow.ppsm
    \??\c:\program files\ExportConnect.3gp2
    \??\c:\program files\FindMount.dwg
    \??\c:\program files\ResetEnter.xlt
    \??\c:\program files\UnprotectEnable.odp
    \??\c:\program files\PopEdit.tiff
    \??\c:\program files\RegisterUninstall.DVR
    \??\c:\program files\RestoreGet.dotx
    \??\c:\program files\SearchProtect.inf
    \??\c:\program files\LimitDisable.pptx
    \??\c:\program files\LimitMerge.001
    \??\c:\program files\ReadPublish.vssm
    \??\c:\program files\RedoRepair.cfg
    \??\c:\program files\UndoSkip.wax
    \??\c:\program files\ClearUnlock.ttf
    \??\c:\program files\DismountWatch.vbs
    \??\c:\program files\EnableComplete.kix
    \??\c:\program files\JoinMount.dwfx
    \??\c:\program files\UninstallReceive.wps
    \??\c:\program files\OpenClose.otf
    \??\c:\program files\BackupStep.mp3
    \??\c:\program files\ResetExport.rtf
    \??\c:\program files\UpdateReceive.tif
    \??\c:\program files\UpdateUndo.js
    \??\c:\program files\CheckpointGroup.php
    \??\c:\program files\LimitExport.vdw
    \??\c:\program files\SaveFind.js
    \??\c:\program files\SaveUnblock.ADTS
    \??\c:\program files\UnregisterUnblock.png
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid | process
  800 | rundll32.exe
  800 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 800 | rundll32.exe
  Token: SeTakeOwnershipPrivilege | 800 | rundll32.exe
  Token: SeBackupPrivilege | 3328 | vssvc.exe
  Token: SeRestorePrivilege | 3328 | vssvc.exe
  Token: SeAuditPrivilege | 3328 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 4016 wrote to memory of 800 | 4016 | rundll32.exe | rundll32.exe
  PID 4016 wrote to memory of 800 | 4016 | rundll32.exe | rundll32.exe
  PID 4016 wrote to memory of 800 | 4016 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\PNaBtWvH.exe.dll,#1
  PID: 4016
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\PNaBtWvH.exe.dll,#1
    PID: 800
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3924
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3328
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken