Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:27
- Static task: static1
- Behavioral task: behavioral1, Sample: file.dll, Resource: win7v20201028
- Behavioral task: behavioral2, Sample: file.dll, Resource: win10v20201028

General
- Target: file.dll
- Size: 166KB
- MD5: b979913c1157d8e0e1066afbd296e3f3
- SHA1: 1016b7581ea09468b93cf635dbe0ff760bcf1428
- SHA256: c40dfd58e6da0aade75d09b6a659cf165f072ba89aef2d60c10c153793535ee7
- SHA512: 709acfdb81e5eaf00affadc74939935d8af36d061ad02fa7626db89a5a55b95dcd9c13a38f5205ab19d91e2abd30c856d67dfdd4257438f6ce6b9662e5781d53
Malware Config
- Extracted from: C:\138i1rd57-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BAC876DDC2770553
  - http://decryptor.cc/BAC876DDC2770553
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (122 IoCs)
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
  - File renamed: C:\Users\Admin\Pictures\EnableRemove.tif => \??\c:\users\admin\pictures\EnableRemove.tif.138i1rd57 (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\InitializeRequest.png => \??\c:\users\admin\pictures\InitializeRequest.png.138i1rd57 (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\MoveEdit.tif => \??\c:\users\admin\pictures\MoveEdit.tif.138i1rd57 (rundll32.exe)
  - File opened for modification: \??\c:\users\admin\pictures\DenyRevoke.tiff (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\AddSearch.crw => \??\c:\users\admin\pictures\AddSearch.crw.138i1rd57 (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\DenyRevoke.tiff => \??\c:\users\admin\pictures\DenyRevoke.tiff.138i1rd57 (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\CompareOut.png => \??\c:\users\admin\pictures\CompareOut.png.138i1rd57 (rundll32.exe)
- Drops startup file (1 IoCs)
  Processes (description | ioc | process):
  - File created: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\138i1rd57-readme.txt (rundll32.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  - File opened (read-only): \??\J: (rundll32.exe)
  - File opened (read-only): \??\N: (rundll32.exe)
  - File opened (read-only): \??\Q: (rundll32.exe)
  - File opened (read-only): \??\V: (rundll32.exe)
  - File opened (read-only): \??\D: (rundll32.exe)
  - File opened (read-only): \??\B: (rundll32.exe)
  - File opened (read-only): \??\F: (rundll32.exe)
  - File opened (read-only): \??\L: (rundll32.exe)
  - File opened (read-only): \??\U: (rundll32.exe)
  - File opened (read-only): \??\X: (rundll32.exe)
  - File opened (read-only): \??\Y: (rundll32.exe)
  - File opened (read-only): \??\Z: (rundll32.exe)
  - File opened (read-only): \??\A: (rundll32.exe)
  - File opened (read-only): \??\K: (rundll32.exe)
  - File opened (read-only): \??\I: (rundll32.exe)
  - File opened (read-only): \??\O: (rundll32.exe)
  - File opened (read-only): \??\P: (rundll32.exe)
  - File opened (read-only): \??\R: (rundll32.exe)
  - File opened (read-only): \??\T: (rundll32.exe)
  - File opened (read-only): \??\E: (rundll32.exe)
  - File opened (read-only): \??\G: (rundll32.exe)
  - File opened (read-only): \??\S: (rundll32.exe)
  - File opened (read-only): \??\W: (rundll32.exe)
  - File opened (read-only): \??\H: (rundll32.exe)
  - File opened (read-only): \??\M: (rundll32.exe)
- Modifies service (2 TTPs, 5 IoCs)
  Processes (description | ioc | process):
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1o7gbj301.bmp" (rundll32.exe)
- Drops file in Program Files directory (37 IoCs)
  Processes (description | ioc | process):
  - File opened for modification: \??\c:\program files\DisableInitialize.vsw (rundll32.exe)
  - File opened for modification: \??\c:\program files\LockExport.dot (rundll32.exe)
  - File opened for modification: \??\c:\program files\OptimizeMount.DVR-MS (rundll32.exe)
  - File opened for modification: \??\c:\program files\WatchUnpublish.m1v (rundll32.exe)
  - File created: \??\c:\program files\138i1rd57-readme.txt (rundll32.exe)
  - File opened for modification: \??\c:\program files\NewGroup.midi (rundll32.exe)
  - File opened for modification: \??\c:\program files\WatchAdd.emz (rundll32.exe)
  - File opened for modification: \??\c:\program files\SuspendTest.ods (rundll32.exe)
  - File opened for modification: \??\c:\program files\UnblockCopy.svgz (rundll32.exe)
  - File opened for modification: \??\c:\program files\UseDismount.m3u (rundll32.exe)
  - File opened for modification: \??\c:\program files\CompareGet.wmv (rundll32.exe)
  - File opened for modification: \??\c:\program files\CompressPop.rtf (rundll32.exe)
  - File opened for modification: \??\c:\program files\DebugStop.mpe (rundll32.exe)
  - File opened for modification: \??\c:\program files\MountRegister.m3u (rundll32.exe)
  - File opened for modification: \??\c:\program files\SendStep.M2T (rundll32.exe)
  - File opened for modification: \??\c:\program files\HideUninstall.xml (rundll32.exe)
  - File opened for modification: \??\c:\program files\ConvertTrace.mpeg2 (rundll32.exe)
  - File opened for modification: \??\c:\program files\MergeBlock.wmx (rundll32.exe)
  - File opened for modification: \??\c:\program files\SelectDisable.ADTS (rundll32.exe)
  - File opened for modification: \??\c:\program files\SubmitUnlock.odt (rundll32.exe)
  - File opened for modification: \??\c:\program files\SwitchCompress.mp4 (rundll32.exe)
  - File created: \??\c:\program files (x86)\138i1rd57-readme.txt (rundll32.exe)
  - File opened for modification: \??\c:\program files\ImportWait.wma (rundll32.exe)
  - File opened for modification: \??\c:\program files\OutSplit.tif (rundll32.exe)
  - File opened for modification: \??\c:\program files\RegisterSwitch.ppsx (rundll32.exe)
  - File opened for modification: \??\c:\program files\SubmitAdd.mpv2 (rundll32.exe)
  - File opened for modification: \??\c:\program files\DebugResume.001 (rundll32.exe)
  - File opened for modification: \??\c:\program files\DismountWatch.txt (rundll32.exe)
  - File opened for modification: \??\c:\program files\JoinStart.fon (rundll32.exe)
  - File opened for modification: \??\c:\program files\UpdateWait.wma (rundll32.exe)
  - File opened for modification: \??\c:\program files\WaitMeasure.scf (rundll32.exe)
  - File opened for modification: \??\c:\program files\SuspendSkip.asf (rundll32.exe)
  - File opened for modification: \??\c:\program files\CompleteProtect.wdp (rundll32.exe)
  - File opened for modification: \??\c:\program files\DisableSend.dot (rundll32.exe)
  - File opened for modification: \??\c:\program files\RemoveLimit.ogg (rundll32.exe)
  - File opened for modification: \??\c:\program files\RestoreSplit.contact (rundll32.exe)
  - File opened for modification: \??\c:\program files\SetUnprotect.vstx (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  - 712 rundll32.exe
  - 712 rundll32.exe
  - 660 powershell.exe
  - 660 powershell.exe
  - 660 powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege, 712 rundll32.exe
  - Token: SeDebugPrivilege, 660 powershell.exe
  - Token: SeBackupPrivilege, 1468 vssvc.exe
  - Token: SeRestorePrivilege, 1468 vssvc.exe
  - Token: SeAuditPrivilege, 1468 vssvc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
  - PID 912 wrote to memory of 712: rundll32.exe -> rundll32.exe
  - PID 912 wrote to memory of 712: rundll32.exe -> rundll32.exe
  - PID 912 wrote to memory of 712: rundll32.exe -> rundll32.exe
  - PID 712 wrote to memory of 660: rundll32.exe -> powershell.exe
  - PID 712 wrote to memory of 660: rundll32.exe -> powershell.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 912)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 712)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Drops startup file
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 660)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all volume shadow copies, which is what triggers the vssvc.exe activity recorded below. Detecting encoded PowerShell launched from rundll32.exe and unexpected Win32_ShadowCopy deletions is a reliable early indicator for this family.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 1468)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\users\admin\appdata\local\microsoft\clr_v4.0\usagelogs\powershell.exe.log
  - MD5: e220a0e8ab5e1f9804f929e4e900c1ab
  - SHA1: 0f3e883c25ae5371abd55364c8c1dec0e521049a
  - SHA256: 90ddda82b164697c8964b4046b1728678150d34d7ef387be23b58dc67d741d03
  - SHA512: 18d4ad832c219a76797b70ff658c105f19c49fb89c02f7c63438ffb5e6d1c2d13636057194edb2e0d29537d2687eb442a9298315d4f4f1dae7dc29ce7260fc03
- memory/660-1-0x0000000000000000-mapping.dmp
- memory/660-2-0x00007FF8FE2A0000-0x00007FF8FEC8C000-memory.dmp (Filesize: 9.9MB)
- memory/660-3-0x00000161AC5B0000-0x00000161AC5B1000-memory.dmp (Filesize: 4KB)
- memory/660-4-0x00000161C7490000-0x00000161C7491000-memory.dmp (Filesize: 4KB)
- memory/712-0-0x0000000000000000-mapping.dmp