Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v200722
- submitted: 18-09-2020 14:01
Static task: static1
Behavioral task: behavioral1
- Sample: uRzaV4mH.exe.dll
- Resource: win7
Behavioral task: behavioral2
- Sample: uRzaV4mH.exe.dll
- Resource: win10v200722
General
- Target: uRzaV4mH.exe.dll
- Size: 116KB
- MD5: 586c80559a50dc4a431d36caaf3c2694
- SHA1: f59dc0c154de3f02804f643047db9beb2f3a579a
- SHA256: 83002399482a30115e37cea0222fdb265cc6d57101ca7ce4591374acd6b8a371
- SHA512: b79e1a4a28011ab62d8a86c8ceaa3d8dc8959b76fbe7744e9290e8c9d89dc8afaaf3e59a9b80c12885301fcfbc2b4045c65562470e3fde06cf7ed7e9c860594d
Malware Config
Extracted
- Path: C:\b9nf0-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3D51E0BA0E304706
  http://decryptor.cc/3D51E0BA0E304706
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (120 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  21 | 800 | rundll32.exe
  23 | 800 | rundll32.exe
  24 | 800 | rundll32.exe
  26 | 800 | rundll32.exe
  28 | 800 | rundll32.exe
  30 | 800 | rundll32.exe
  32 | 800 | rundll32.exe
  34 | 800 | rundll32.exe
  36 | 800 | rundll32.exe
  38 | 800 | rundll32.exe
  40 | 800 | rundll32.exe
  42 | 800 | rundll32.exe
  44 | 800 | rundll32.exe
  46 | 800 | rundll32.exe
  48 | 800 | rundll32.exe
  50 | 800 | rundll32.exe
  52 | 800 | rundll32.exe
  54 | 800 | rundll32.exe
  57 | 800 | rundll32.exe
  59 | 800 | rundll32.exe
  61 | 800 | rundll32.exe
  63 | 800 | rundll32.exe
  65 | 800 | rundll32.exe
  67 | 800 | rundll32.exe
  69 | 800 | rundll32.exe
  71 | 800 | rundll32.exe
  73 | 800 | rundll32.exe
  75 | 800 | rundll32.exe
  77 | 800 | rundll32.exe
  78 | 800 | rundll32.exe
  80 | 800 | rundll32.exe
  82 | 800 | rundll32.exe
  84 | 800 | rundll32.exe
  86 | 800 | rundll32.exe
  88 | 800 | rundll32.exe
  90 | 800 | rundll32.exe
  92 | 800 | rundll32.exe
  94 | 800 | rundll32.exe
  95 | 800 | rundll32.exe
  97 | 800 | rundll32.exe
  99 | 800 | rundll32.exe
  101 | 800 | rundll32.exe
  103 | 800 | rundll32.exe
  105 | 800 | rundll32.exe
  107 | 800 | rundll32.exe
  109 | 800 | rundll32.exe
  110 | 800 | rundll32.exe
  112 | 800 | rundll32.exe
  114 | 800 | rundll32.exe
  115 | 800 | rundll32.exe
  116 | 800 | rundll32.exe
  117 | 800 | rundll32.exe
  119 | 800 | rundll32.exe
  121 | 800 | rundll32.exe
  123 | 800 | rundll32.exe
  125 | 800 | rundll32.exe
  127 | 800 | rundll32.exe
  129 | 800 | rundll32.exe
  131 | 800 | rundll32.exe
  133 | 800 | rundll32.exe
  135 | 800 | rundll32.exe
  138 | 800 | rundll32.exe
  140 | 800 | rundll32.exe
  141 | 800 | rundll32.exe
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rundll32.exe
  description | ioc | process
  File opened for modification | \??\c:\users\admin\pictures\CompleteInvoke.tiff | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\FormatUnlock.tif => \??\c:\users\admin\pictures\FormatUnlock.tif.b9nf0 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\OpenRestart.tif => \??\c:\users\admin\pictures\OpenRestart.tif.b9nf0 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\StepWrite.tif => \??\c:\users\admin\pictures\StepWrite.tif.b9nf0 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\SendUnblock.raw => \??\c:\users\admin\pictures\SendUnblock.raw.b9nf0 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\SelectEnable.png => \??\c:\users\admin\pictures\SelectEnable.png.b9nf0 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\SplitMount.raw => \??\c:\users\admin\pictures\SplitMount.raw.b9nf0 | rundll32.exe
  File opened for modification | \??\c:\users\admin\pictures\AddUse.tiff | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\CompleteInvoke.tiff => \??\c:\users\admin\pictures\CompleteInvoke.tiff.b9nf0 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\AddUse.tiff => \??\c:\users\admin\pictures\AddUse.tiff.b9nf0 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\HideCompare.tif => \??\c:\users\admin\pictures\HideCompare.tif.b9nf0 | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\RenameTrace.raw => \??\c:\users\admin\pictures\RenameTrace.raw.b9nf0 | rundll32.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description | ioc | process
  File opened (read-only) | \??\I: | rundll32.exe
  File opened (read-only) | \??\J: | rundll32.exe
  File opened (read-only) | \??\V: | rundll32.exe
  File opened (read-only) | \??\W: | rundll32.exe
  File opened (read-only) | \??\E: | rundll32.exe
  File opened (read-only) | \??\R: | rundll32.exe
  File opened (read-only) | \??\D: | rundll32.exe
  File opened (read-only) | \??\B: | rundll32.exe
  File opened (read-only) | \??\H: | rundll32.exe
  File opened (read-only) | \??\M: | rundll32.exe
  File opened (read-only) | \??\N: | rundll32.exe
  File opened (read-only) | \??\U: | rundll32.exe
  File opened (read-only) | \??\X: | rundll32.exe
  File opened (read-only) | \??\F: | rundll32.exe
  File opened (read-only) | \??\G: | rundll32.exe
  File opened (read-only) | \??\K: | rundll32.exe
  File opened (read-only) | \??\L: | rundll32.exe
  File opened (read-only) | \??\O: | rundll32.exe
  File opened (read-only) | \??\P: | rundll32.exe
  File opened (read-only) | \??\Q: | rundll32.exe
  File opened (read-only) | \??\S: | rundll32.exe
  File opened (read-only) | \??\A: | rundll32.exe
  File opened (read-only) | \??\Y: | rundll32.exe
  File opened (read-only) | \??\Z: | rundll32.exe
  File opened (read-only) | \??\T: | rundll32.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f5m2r8gm550.bmp" | rundll32.exe
- Drops file in Program Files directory (37 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\MountFormat.clr | rundll32.exe
  File opened for modification | \??\c:\program files\SearchRemove.ram | rundll32.exe
  File opened for modification | \??\c:\program files\WaitDisconnect.bmp | rundll32.exe
  File opened for modification | \??\c:\program files\ConvertDebug.dib | rundll32.exe
  File opened for modification | \??\c:\program files\PopAdd.ods | rundll32.exe
  File opened for modification | \??\c:\program files\CloseRedo.ppsx | rundll32.exe
  File opened for modification | \??\c:\program files\OptimizeComplete.txt | rundll32.exe
  File opened for modification | \??\c:\program files\RenameGrant.aifc | rundll32.exe
  File opened for modification | \??\c:\program files\SkipRename.odp | rundll32.exe
  File opened for modification | \??\c:\program files\AssertRead.cr2 | rundll32.exe
  File opened for modification | \??\c:\program files\ConnectResize.midi | rundll32.exe
  File opened for modification | \??\c:\program files\SavePing.rtf | rundll32.exe
  File opened for modification | \??\c:\program files\SuspendOpen.wma | rundll32.exe
  File opened for modification | \??\c:\program files\UnprotectRemove.aifc | rundll32.exe
  File opened for modification | \??\c:\program files\WriteInitialize.001 | rundll32.exe
  File created | \??\c:\program files\b9nf0-readme.txt | rundll32.exe
  File created | \??\c:\program files (x86)\b9nf0-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\ConnectWait.emf | rundll32.exe
  File opened for modification | \??\c:\program files\GroupUndo.wmv | rundll32.exe
  File opened for modification | \??\c:\program files\ProtectEnter.asf | rundll32.exe
  File opened for modification | \??\c:\program files\UnblockPop.dotm | rundll32.exe
  File opened for modification | \??\c:\program files\AddDebug.mov | rundll32.exe
  File opened for modification | \??\c:\program files\DebugCompress.clr | rundll32.exe
  File opened for modification | \??\c:\program files\EnableRepair.wm | rundll32.exe
  File opened for modification | \??\c:\program files\PublishGrant.rar | rundll32.exe
  File opened for modification | \??\c:\program files\SubmitSend.jpg | rundll32.exe
  File opened for modification | \??\c:\program files\AssertExit.mpe | rundll32.exe
  File opened for modification | \??\c:\program files\OptimizeConvert.mp3 | rundll32.exe
  File opened for modification | \??\c:\program files\PingShow.M2V | rundll32.exe
  File opened for modification | \??\c:\program files\RestartMeasure.mov | rundll32.exe
  File opened for modification | \??\c:\program files\UnregisterLock.wmf | rundll32.exe
  File opened for modification | \??\c:\program files\ApproveSplit.m4v | rundll32.exe
  File opened for modification | \??\c:\program files\ConvertToGrant.tiff | rundll32.exe
  File opened for modification | \??\c:\program files\DenyInstall.asx | rundll32.exe
  File opened for modification | \??\c:\program files\InitializeRename.svgz | rundll32.exe
  File opened for modification | \??\c:\program files\PingRevoke.mht | rundll32.exe
  File opened for modification | \??\c:\program files\RenameDismount.search-ms | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid | process
  800 | rundll32.exe
  800 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 800 | rundll32.exe
  Token: SeTakeOwnershipPrivilege | 800 | rundll32.exe
  Token: SeBackupPrivilege | 3444 | vssvc.exe
  Token: SeRestorePrivilege | 3444 | vssvc.exe
  Token: SeAuditPrivilege | 3444 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 3956 wrote to memory of 800 | 3956 | rundll32.exe | rundll32.exe
  PID 3956 wrote to memory of 800 | 3956 | rundll32.exe | rundll32.exe
  PID 3956 wrote to memory of 800 | 3956 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\uRzaV4mH.exe.dll,#1
  PID: 3956
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\uRzaV4mH.exe.dll,#1
    PID: 800
    Signatures:
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1776
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3444
  Signatures:
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken