Analysis
max time kernel: 146s
max time network: 13s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 19:27
Static task: static1
Behavioral task: behavioral1 (Sample: file.dll, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: file.dll, Resource: win10v20201028)
General
Target: file.dll
Size: 164KB
MD5: 0ae77d606609c1f0fc3f1fbac91cf140
SHA1: c1d7832d4e1ef884dcf00be860517abad5d0c1d2
SHA256: ccdb5316112f277ca0b8475884223713ca5afc4f9b729250fa5be07c486822a4
SHA512: 3236e6bcb11ba90ba7dbb591200d316f6c3168cb9c21623caba23d36a1724f11fc036a3629cecf88e21506feebdfe0002906cec41b0cf5e96a28b2e97a6e541e
Malware Config
Extracted
Ransom note path: C:\34jk3-readme.txt
Family: sodinokibi
Ransom note URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8667C63459393CD8
http://decryptor.top/8667C63459393CD8
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\CompleteRegister.png => \??\c:\users\admin\pictures\CompleteRegister.png.34jk3 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\ExportSwitch.crw => \??\c:\users\admin\pictures\ExportSwitch.crw.34jk3 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\PushRename.png => \??\c:\users\admin\pictures\PushRename.png.34jk3 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\SplitComplete.tiff => \??\c:\users\admin\pictures\SplitComplete.tiff.34jk3 | rundll32.exe
File opened for modification | \??\c:\users\admin\pictures\CheckpointExport.tiff | rundll32.exe
File opened for modification | \??\c:\users\admin\pictures\SplitComplete.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\CheckpointExport.tiff => \??\c:\users\admin\pictures\CheckpointExport.tiff.34jk3 | rundll32.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
description | ioc | process
File opened (read-only) | \??\B: | rundll32.exe
File opened (read-only) | \??\J: | rundll32.exe
File opened (read-only) | \??\R: | rundll32.exe
File opened (read-only) | \??\W: | rundll32.exe
File opened (read-only) | \??\D: | rundll32.exe
File opened (read-only) | \??\I: | rundll32.exe
File opened (read-only) | \??\L: | rundll32.exe
File opened (read-only) | \??\Q: | rundll32.exe
File opened (read-only) | \??\V: | rundll32.exe
File opened (read-only) | \??\Y: | rundll32.exe
File opened (read-only) | \??\F: | rundll32.exe
File opened (read-only) | \??\P: | rundll32.exe
File opened (read-only) | \??\T: | rundll32.exe
File opened (read-only) | \??\U: | rundll32.exe
File opened (read-only) | \??\M: | rundll32.exe
File opened (read-only) | \??\N: | rundll32.exe
File opened (read-only) | \??\O: | rundll32.exe
File opened (read-only) | \??\A: | rundll32.exe
File opened (read-only) | \??\E: | rundll32.exe
File opened (read-only) | \??\G: | rundll32.exe
File opened (read-only) | \??\H: | rundll32.exe
File opened (read-only) | \??\K: | rundll32.exe
File opened (read-only) | \??\S: | rundll32.exe
File opened (read-only) | \??\X: | rundll32.exe
File opened (read-only) | \??\Z: | rundll32.exe
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Drops file in Program Files directory (41 IoCs)
Processes: rundll32.exe
description | ioc | process
File opened for modification | \??\c:\program files\CompleteExport.odp | rundll32.exe
File opened for modification | \??\c:\program files\FormatWatch.xla | rundll32.exe
File opened for modification | \??\c:\program files\TestConvertFrom.xps | rundll32.exe
File created | \??\c:\program files (x86)\34jk3-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\ClearOpen.aiff | rundll32.exe
File opened for modification | \??\c:\program files\GroupCompress.wax | rundll32.exe
File opened for modification | \??\c:\program files\SelectConvertFrom.gif | rundll32.exe
File opened for modification | \??\c:\program files\ReceiveProtect.reg | rundll32.exe
File opened for modification | \??\c:\program files\RevokeConvert.pptm | rundll32.exe
File opened for modification | \??\c:\program files\SelectDeny.eprtx | rundll32.exe
File opened for modification | \??\c:\program files\SyncStop.vsd | rundll32.exe
File opened for modification | \??\c:\program files\CloseStop.jpg | rundll32.exe
File opened for modification | \??\c:\program files\GroupRevoke.vsdm | rundll32.exe
File opened for modification | \??\c:\program files\RestoreRevoke.au3 | rundll32.exe
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\34jk3-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\NewPublish.ADT | rundll32.exe
File opened for modification | \??\c:\program files\ResizeLimit.midi | rundll32.exe
File opened for modification | \??\c:\program files\CloseConvertTo.mpg | rundll32.exe
File opened for modification | \??\c:\program files\HideLock.ex_ | rundll32.exe
File opened for modification | \??\c:\program files\StartStep.xht | rundll32.exe
File opened for modification | \??\c:\program files\UseUpdate.ADT | rundll32.exe
File opened for modification | \??\c:\program files\CloseRevoke.ppt | rundll32.exe
File opened for modification | \??\c:\program files\PublishSearch.docx | rundll32.exe
File opened for modification | \??\c:\program files\LockResolve.mpg | rundll32.exe
File opened for modification | \??\c:\program files\RemoveSwitch.ppsx | rundll32.exe
File opened for modification | \??\c:\program files\RestoreOpen.xla | rundll32.exe
File opened for modification | \??\c:\program files\SwitchEdit.eprtx | rundll32.exe
File opened for modification | \??\c:\program files\UnpublishGrant.aif | rundll32.exe
File opened for modification | \??\c:\program files\WatchMove.mpeg | rundll32.exe
File opened for modification | \??\c:\program files\DebugReset.xlsm | rundll32.exe
File opened for modification | \??\c:\program files\GetRedo.mp4v | rundll32.exe
File created | \??\c:\program files (x86)\microsoft sql server compact edition\34jk3-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\EditUnblock.htm | rundll32.exe
File opened for modification | \??\c:\program files\ResizeSwitch.doc | rundll32.exe
File opened for modification | \??\c:\program files\SaveLock.wvx | rundll32.exe
File opened for modification | \??\c:\program files\StepRepair.mpg | rundll32.exe
File opened for modification | \??\c:\program files\TraceDismount.htm | rundll32.exe
File opened for modification | \??\c:\program files\UnlockRepair.jtx | rundll32.exe
File created | \??\c:\program files\34jk3-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\ConvertToClose.tmp | rundll32.exe
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\34jk3-readme.txt | rundll32.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: rundll32.exe, powershell.exe
pid | process
1684 | rundll32.exe
1284 | powershell.exe
1284 | powershell.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: rundll32.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1684 | rundll32.exe
Token: SeDebugPrivilege | 1284 | powershell.exe
Token: SeBackupPrivilege | 288 | vssvc.exe
Token: SeRestorePrivilege | 288 | vssvc.exe
Token: SeAuditPrivilege | 288 | vssvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 1764 wrote to memory of 1684 | 1764 | rundll32.exe | rundll32.exe
PID 1764 wrote to memory of 1684 | 1764 | rundll32.exe | rundll32.exe
PID 1764 wrote to memory of 1684 | 1764 | rundll32.exe | rundll32.exe
PID 1764 wrote to memory of 1684 | 1764 | rundll32.exe | rundll32.exe
PID 1764 wrote to memory of 1684 | 1764 | rundll32.exe | rundll32.exe
PID 1764 wrote to memory of 1684 | 1764 | rundll32.exe | rundll32.exe
PID 1764 wrote to memory of 1684 | 1764 | rundll32.exe | rundll32.exe
PID 1684 wrote to memory of 1284 | 1684 | rundll32.exe | powershell.exe
PID 1684 wrote to memory of 1284 | 1684 | rundll32.exe | powershell.exe
PID 1684 wrote to memory of 1284 | 1684 | rundll32.exe | powershell.exe
PID 1684 wrote to memory of 1284 | 1684 | rundll32.exe | powershell.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
  PID: 1764
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child of PID 1764)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    PID: 1684
    - Modifies extensions of user files
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1684)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all volume shadow copies, which is why vssvc.exe appears below)
      PID: 1284
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1120
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 288
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken