Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v200722
- submitted: 03-10-2020 07:22
Static task: static1
Behavioral task: behavioral1
- Sample: LbYesiVe.exe.dll
- Resource: win7
Behavioral task: behavioral2
- Sample: LbYesiVe.exe.dll
- Resource: win10v200722
General
- Target: LbYesiVe.exe.dll
- Size: 116KB
- MD5: 284281286455371cf12b69ad76034d08
- SHA1: 9cee17cf7463f677555ccbd1cc2e574ea7e74a31
- SHA256: 8c32012baa74c8ee1bf676094f688505eae215317cc38c0e28a518e5a9d0b70b
- SHA512: e1ac523859e197594c89937a88d9c556041a5965e0a4b2f52fb602a0dee2ab990c00a1912e40d115c4164016a43a2d7b24a8a07f095dbee51393c113f5c04918
Malware Config
Extracted
- Path: C:\d56m7cc0r-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/24120883B193C4BE
  http://decryptor.cc/24120883B193C4BE
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (63 IoCs)
Processes: rundll32.exe
flow | pid | process
21 | 3836 | rundll32.exe
23 | 3836 | rundll32.exe
25 | 3836 | rundll32.exe
27 | 3836 | rundll32.exe
29 | 3836 | rundll32.exe
31 | 3836 | rundll32.exe
33 | 3836 | rundll32.exe
35 | 3836 | rundll32.exe
37 | 3836 | rundll32.exe
40 | 3836 | rundll32.exe
42 | 3836 | rundll32.exe
44 | 3836 | rundll32.exe
46 | 3836 | rundll32.exe
48 | 3836 | rundll32.exe
50 | 3836 | rundll32.exe
51 | 3836 | rundll32.exe
52 | 3836 | rundll32.exe
53 | 3836 | rundll32.exe
55 | 3836 | rundll32.exe
57 | 3836 | rundll32.exe
59 | 3836 | rundll32.exe
61 | 3836 | rundll32.exe
63 | 3836 | rundll32.exe
65 | 3836 | rundll32.exe
67 | 3836 | rundll32.exe
69 | 3836 | rundll32.exe
71 | 3836 | rundll32.exe
73 | 3836 | rundll32.exe
75 | 3836 | rundll32.exe
76 | 3836 | rundll32.exe
78 | 3836 | rundll32.exe
80 | 3836 | rundll32.exe
82 | 3836 | rundll32.exe
84 | 3836 | rundll32.exe
86 | 3836 | rundll32.exe
88 | 3836 | rundll32.exe
90 | 3836 | rundll32.exe
91 | 3836 | rundll32.exe
93 | 3836 | rundll32.exe
95 | 3836 | rundll32.exe
97 | 3836 | rundll32.exe
99 | 3836 | rundll32.exe
101 | 3836 | rundll32.exe
103 | 3836 | rundll32.exe
105 | 3836 | rundll32.exe
107 | 3836 | rundll32.exe
109 | 3836 | rundll32.exe
111 | 3836 | rundll32.exe
113 | 3836 | rundll32.exe
115 | 3836 | rundll32.exe
117 | 3836 | rundll32.exe
119 | 3836 | rundll32.exe
121 | 3836 | rundll32.exe
123 | 3836 | rundll32.exe
125 | 3836 | rundll32.exe
127 | 3836 | rundll32.exe
130 | 3836 | rundll32.exe
132 | 3836 | rundll32.exe
134 | 3836 | rundll32.exe
136 | 3836 | rundll32.exe
138 | 3836 | rundll32.exe
140 | 3836 | rundll32.exe
142 | 3836 | rundll32.exe
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ClearDeny.crw => \??\c:\users\admin\pictures\ClearDeny.crw.d56m7cc0r | rundll32.exe
File renamed | C:\Users\Admin\Pictures\EnterSearch.tiff => \??\c:\users\admin\pictures\EnterSearch.tiff.d56m7cc0r | rundll32.exe
File opened for modification | \??\c:\users\admin\pictures\EnterSearch.tiff | rundll32.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
description | ioc | process
File opened (read-only) | \??\N: | rundll32.exe
File opened (read-only) | \??\Q: | rundll32.exe
File opened (read-only) | \??\A: | rundll32.exe
File opened (read-only) | \??\E: | rundll32.exe
File opened (read-only) | \??\F: | rundll32.exe
File opened (read-only) | \??\I: | rundll32.exe
File opened (read-only) | \??\B: | rundll32.exe
File opened (read-only) | \??\H: | rundll32.exe
File opened (read-only) | \??\U: | rundll32.exe
File opened (read-only) | \??\R: | rundll32.exe
File opened (read-only) | \??\S: | rundll32.exe
File opened (read-only) | \??\T: | rundll32.exe
File opened (read-only) | \??\V: | rundll32.exe
File opened (read-only) | \??\G: | rundll32.exe
File opened (read-only) | \??\J: | rundll32.exe
File opened (read-only) | \??\K: | rundll32.exe
File opened (read-only) | \??\O: | rundll32.exe
File opened (read-only) | \??\W: | rundll32.exe
File opened (read-only) | \??\Y: | rundll32.exe
File opened (read-only) | \??\Z: | rundll32.exe
File opened (read-only) | \??\D: | rundll32.exe
File opened (read-only) | \??\L: | rundll32.exe
File opened (read-only) | \??\M: | rundll32.exe
File opened (read-only) | \??\P: | rundll32.exe
File opened (read-only) | \??\X: | rundll32.exe
- Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\209v1a.bmp" | rundll32.exe
- Drops file in Program Files directory (18 IoCs)
Processes: rundll32.exe
description | ioc | process
File created | \??\c:\program files (x86)\d56m7cc0r-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\BlockDebug.gif | rundll32.exe
File opened for modification | \??\c:\program files\FormatReset.xml | rundll32.exe
File created | \??\c:\program files\d56m7cc0r-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\CompressSave.reg | rundll32.exe
File opened for modification | \??\c:\program files\MoveSet.xlsx | rundll32.exe
File opened for modification | \??\c:\program files\OptimizeExit.jpeg | rundll32.exe
File opened for modification | \??\c:\program files\InitializeReceive.mp2v | rundll32.exe
File opened for modification | \??\c:\program files\OpenSave.vsdx | rundll32.exe
File opened for modification | \??\c:\program files\SendWrite.3gp2 | rundll32.exe
File opened for modification | \??\c:\program files\UnregisterUnprotect.ps1xml | rundll32.exe
File opened for modification | \??\c:\program files\ConnectImport.rtf | rundll32.exe
File opened for modification | \??\c:\program files\ConnectRestart.dotm | rundll32.exe
File opened for modification | \??\c:\program files\ConvertFromMeasure.emz | rundll32.exe
File opened for modification | \??\c:\program files\LimitStep.xlsm | rundll32.exe
File opened for modification | \??\c:\program files\NewFormat.cfg | rundll32.exe
File opened for modification | \??\c:\program files\SendSkip.pdf | rundll32.exe
File opened for modification | \??\c:\program files\StopSubmit.ini | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
pid | process
3836 | rundll32.exe
3836 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: rundll32.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3836 | rundll32.exe
Token: SeTakeOwnershipPrivilege | 3836 | rundll32.exe
Token: SeBackupPrivilege | 3568 | vssvc.exe
Token: SeRestorePrivilege | 3568 | vssvc.exe
Token: SeAuditPrivilege | 3568 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 3712 wrote to memory of 3836 | 3712 | rundll32.exe | rundll32.exe
PID 3712 wrote to memory of 3836 | 3712 | rundll32.exe | rundll32.exe
PID 3712 wrote to memory of 3836 | 3712 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\LbYesiVe.exe.dll,#1
  PID: 3712
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\LbYesiVe.exe.dll,#1
    PID: 3836
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3376
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3568
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/3836-0-0x0000000000000000-mapping.dmp