Analysis
- max time kernel: 24s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-11-2020 01:07
Static task: static1
Behavioral task: behavioral1
  Sample: 8hHzXixt.exe.dll
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 8hHzXixt.exe.dll
  Resource: win10v20201028
General
- Target: 8hHzXixt.exe.dll
- Size: 116KB
- MD5: 73f8252eea3a1361eb07f58f7e695f5d
- SHA1: cf153e39e65b2ccc3ea0bc7637ff075b9f43579c
- SHA256: e3e37c5cf4b43ea92fd71e08edc38bcfe6fe33f283f62aa5632113c444a71b00
- SHA512: ad9f41b212568ad5888641104fdb2ff83fb98d97ddc8728ace4d853dac14467dd12b6162d0df43b30f54bfc0228c193fe7dec29ebf83392a7ed96a938d3cec86
Malware Config
Extracted
- Path: C:\993zajv3-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/80738617A6B16F69
  http://decryptor.cc/80738617A6B16F69
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files (11 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description | ioc | process
File opened for modification | \??\c:\users\admin\pictures\ConfirmSync.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\CompareEnter.raw => \??\c:\users\admin\pictures\CompareEnter.raw.993zajv3 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\ConfirmSync.tiff => \??\c:\users\admin\pictures\ConfirmSync.tiff.993zajv3 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\GetStop.png => \??\c:\users\admin\pictures\GetStop.png.993zajv3 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\RemoveInitialize.raw => \??\c:\users\admin\pictures\RemoveInitialize.raw.993zajv3 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\RestartClose.tiff => \??\c:\users\admin\pictures\RestartClose.tiff.993zajv3 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\SendConvertFrom.png => \??\c:\users\admin\pictures\SendConvertFrom.png.993zajv3 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\UseRegister.crw => \??\c:\users\admin\pictures\UseRegister.crw.993zajv3 | rundll32.exe
File opened for modification | \??\c:\users\admin\pictures\GetPop.tiff | rundll32.exe
File opened for modification | \??\c:\users\admin\pictures\RestartClose.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\GetPop.tiff => \??\c:\users\admin\pictures\GetPop.tiff.993zajv3 | rundll32.exe
-
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
description | ioc | process
File opened (read-only) | \??\M: | rundll32.exe
File opened (read-only) | \??\R: | rundll32.exe
File opened (read-only) | \??\X: | rundll32.exe
File opened (read-only) | \??\D: | rundll32.exe
File opened (read-only) | \??\F: | rundll32.exe
File opened (read-only) | \??\G: | rundll32.exe
File opened (read-only) | \??\H: | rundll32.exe
File opened (read-only) | \??\J: | rundll32.exe
File opened (read-only) | \??\Y: | rundll32.exe
File opened (read-only) | \??\I: | rundll32.exe
File opened (read-only) | \??\L: | rundll32.exe
File opened (read-only) | \??\O: | rundll32.exe
File opened (read-only) | \??\P: | rundll32.exe
File opened (read-only) | \??\T: | rundll32.exe
File opened (read-only) | \??\W: | rundll32.exe
File opened (read-only) | \??\A: | rundll32.exe
File opened (read-only) | \??\E: | rundll32.exe
File opened (read-only) | \??\K: | rundll32.exe
File opened (read-only) | \??\Q: | rundll32.exe
File opened (read-only) | \??\V: | rundll32.exe
File opened (read-only) | \??\Z: | rundll32.exe
File opened (read-only) | \??\B: | rundll32.exe
File opened (read-only) | \??\N: | rundll32.exe
File opened (read-only) | \??\S: | rundll32.exe
File opened (read-only) | \??\U: | rundll32.exe
-
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
-
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g4wq8od0e3q3.bmp" | rundll32.exe
-
Drops file in Program Files directory (17 IoCs)
Processes: rundll32.exe
description | ioc | process
File opened for modification | \??\c:\program files\EditEnter.xml | rundll32.exe
File opened for modification | \??\c:\program files\InvokeSuspend.vdw | rundll32.exe
File opened for modification | \??\c:\program files\PopTrace.M2V | rundll32.exe
File opened for modification | \??\c:\program files\ResetApprove.ods | rundll32.exe
File opened for modification | \??\c:\program files\StepRestart.potm | rundll32.exe
File opened for modification | \??\c:\program files\UpdateReceive.sql | rundll32.exe
File created | \??\c:\program files (x86)\993zajv3-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\ShowRegister.css | rundll32.exe
File opened for modification | \??\c:\program files\SplitWatch.php | rundll32.exe
File opened for modification | \??\c:\program files\UnblockPop.wps | rundll32.exe
File opened for modification | \??\c:\program files\HidePing.css | rundll32.exe
File opened for modification | \??\c:\program files\RepairReceive.csv | rundll32.exe
File opened for modification | \??\c:\program files\StartTest.au | rundll32.exe
File created | \??\c:\program files\993zajv3-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\UnregisterSkip.mp3 | rundll32.exe
File opened for modification | \??\c:\program files\UpdateDisable.pub | rundll32.exe
File opened for modification | \??\c:\program files\WaitFormat.mhtml | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
pid | process
900 | rundll32.exe
900 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: rundll32.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 900 | rundll32.exe
Token: SeTakeOwnershipPrivilege | 900 | rundll32.exe
Token: SeBackupPrivilege | 1276 | vssvc.exe
Token: SeRestorePrivilege | 1276 | vssvc.exe
Token: SeAuditPrivilege | 1276 | vssvc.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 500 wrote to memory of 900 | 500 | rundll32.exe | rundll32.exe
PID 500 wrote to memory of 900 | 500 | rundll32.exe | rundll32.exe
PID 500 wrote to memory of 900 | 500 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8hHzXixt.exe.dll,#1
  PID: 500
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8hHzXixt.exe.dll,#1
    PID: 900
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2908
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1276
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/900-0-0x0000000000000000-mapping.dmp