Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:27
- Static task: static1
- Behavioral task: behavioral1 (sample file.dll, resource win7v20201028)
- Behavioral task: behavioral2 (sample file.dll, resource win10v20201028)
General
- Target: file.dll
- Size: 164KB
- MD5: 7d113ca1ae3f5d652e95a7235bb5f500
- SHA1: ac1a058579d7fc2795b114e9f5b127d16c6cb8f2
- SHA256: e98671b2d66ed8e660d8653d19773ca46706a43c3d489b947df1fd4b0cefce41
- SHA512: 80bb2ca4475afe8d9ce35c38ab4c25358f07aea28f7d1c7034c64e4cb17614760cfd836869b5dc7bb5834b8075178e2831c5a1741698262910836d1d83659a18
Malware Config
- Extracted from: C:\8lyuypc099-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A96FAC3F1D0657E
  http://decryptor.cc/8A96FAC3F1D0657E
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (63 IoCs)
  Processes: rundll32.exe
  pid 1112 rundll32.exe, network flows: 21, 23, 25, 27, 29, 30, 31, 32, 34, 36, 37, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 70, 72, 74, 76, 78, 80, 82, 84, 86, 90, 92, 94, 97, 99, 101, 104, 106, 108, 110, 112, 114, 116, 119, 122, 124, 125, 126, 127, 129, 131, 133, 135, 137, 139, 141, 143, 145, 146
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rundll32.exe
  File renamed C:\Users\Admin\Pictures\FindAssert.tiff => \??\c:\users\admin\pictures\FindAssert.tiff.8lyuypc099 (rundll32.exe)
  File renamed C:\Users\Admin\Pictures\MergeRequest.tiff => \??\c:\users\admin\pictures\MergeRequest.tiff.8lyuypc099 (rundll32.exe)
  File renamed C:\Users\Admin\Pictures\MountMeasure.tif => \??\c:\users\admin\pictures\MountMeasure.tif.8lyuypc099 (rundll32.exe)
  File renamed C:\Users\Admin\Pictures\ResetRestore.png => \??\c:\users\admin\pictures\ResetRestore.png.8lyuypc099 (rundll32.exe)
  File renamed C:\Users\Admin\Pictures\SendCompress.tif => \??\c:\users\admin\pictures\SendCompress.tif.8lyuypc099 (rundll32.exe)
  File opened for modification \??\c:\users\admin\pictures\FindAssert.tiff (rundll32.exe)
  File opened for modification \??\c:\users\admin\pictures\MergeRequest.tiff (rundll32.exe)
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  File opened (read-only) by rundll32.exe: \??\Y:, \??\F:, \??\I:, \??\J:, \??\M:, \??\U:, \??\G:, \??\S:, \??\T:, \??\V:, \??\Z:, \??\E:, \??\L:, \??\P:, \??\W:, \??\D:, \??\O:, \??\Q:, \??\R:, \??\A:, \??\B:, \??\H:, \??\K:, \??\N:, \??\X:
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: rundll32.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gps2p2xt84i.bmp" (rundll32.exe)
- Drops file in Program Files directory (40 IoCs)
  Processes: rundll32.exe
  File created \??\c:\program files (x86)\8lyuypc099-readme.txt (rundll32.exe)
  File created \??\c:\program files\8lyuypc099-readme.txt (rundll32.exe)
  File opened for modification by rundll32.exe under \??\c:\program files\: DismountExpand.ppsm, RedoMove.TTS, SubmitSet.cr2, CompareRestore.pptm, DebugEnter.asx, GrantPush.vstm, UnprotectResolve.wav, UndoRedo.tiff, EditGroup.csv, RepairRevoke.vsw, UnlockMerge.aif, WriteStop.zip, EnableCopy.xlsm, ConvertMount.emf, RevokeConvert.htm, UninstallExit.xsl, AssertOptimize.dib, MergePublish.cr2, RedoConfirm.WTV, RemoveFormat.vssm, ResetStep.svg, RestartBlock.css, SendSwitch.M2TS, TestOpen.rar, ConnectMerge.ppsm, WatchOptimize.vsd, UnregisterCopy.xhtml, DenyRestart.jpe, ImportCompare.svgz, InstallOptimize.3gp, ResizeRedo.midi, RevokeImport.docx, SendSelect.wm, CopyDismount.m4a, GrantBackup.crw, ReceiveCompress.M2T, SubmitSend.mhtml, DismountDebug.vsx
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: rundll32.exe, powershell.exe
  pid 1112 rundll32.exe (2 events); pid 3992 powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, powershell.exe, vssvc.exe
  Token: SeDebugPrivilege, pid 1112 rundll32.exe
  Token: SeDebugPrivilege, pid 3992 powershell.exe
  Token: SeBackupPrivilege, pid 4080 vssvc.exe
  Token: SeRestorePrivilege, pid 4080 vssvc.exe
  Token: SeAuditPrivilege, pid 4080 vssvc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 640 rundll32.exe wrote to memory of PID 1112 rundll32.exe (3 events)
  PID 1112 rundll32.exe wrote to memory of PID 3992 powershell.exe (2 events)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (UTF-16LE base64): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} (deletes Volume Shadow Copies, consistent with the vssvc.exe activity recorded above)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1112-0-0x0000000000000000-mapping.dmp
- memory/3992-1-0x0000000000000000-mapping.dmp
- memory/3992-2-0x00007FFC33590000-0x00007FFC33F7C000-memory.dmp (Filesize 9.9MB)
- memory/3992-3-0x0000020CA39D0000-0x0000020CA39D1000-memory.dmp (Filesize 4KB)
- memory/3992-4-0x0000020CA3B80000-0x0000020CA3B81000-memory.dmp (Filesize 4KB)