Analysis
  max time kernel:   149s
  max time network:  151s
  platform:          windows10_x64
  resource:          win10v20201028
  submitted:         09-11-2020 19:28

  Static task        static1
  Behavioral task    behavioral1   Sample: file.dll   Resource: win7v20201028
  Behavioral task    behavioral2   Sample: file.dll   Resource: win10v20201028

  The signatures, process tree and memory dumps below are from behavioral2 (the win10v20201028 run named in the header).
General
  Target:  file.dll
  Size:    166KB
  MD5:     103f84a7f18492bb17b68cede3a8c53d
  SHA1:    ed4e3c82883ef862df0a86f858d30fae4bda8cf3
  SHA256:  1b9dfd1fe17d3783b2ab4a6d583be6fca9ba164d2a1cd6814c710774ec9bd031
  SHA512:  7bf42382e4c9cdeae9e364a16945366eaebd5ea1859a09d8b8dff5d79593812a07e0037aa54464ae3ec25990b259d87c3c8462391986dbfaff961377972fb512
Malware Config
  Extracted from:  C:\9gd02lg850-readme.txt
  Family:          sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7FA59E30A8F9FC69
    http://decryptor.cc/7FA59E30A8F9FC69
Signatures

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

Blacklisted process makes network request (63 IoCs)
  Process: rundll32.exe (PID 1204) for all 63 flows.
  Flow IDs: 29 31 33 35 37 39 41 43 45 47 49 51 53 55 57 61 62 64 66 70 72 74 76 80 82 84 86 88 90 92 94 95 97 100 102 104 106 108 110 112 114 117 119 122 124 126 128 130 132 134 137 139 141 143 145 147 149 151 153 155 157 159 160
Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: rundll32.exe
  description                   ioc
  File opened for modification  \??\c:\users\admin\pictures\FormatPing.tiff
  File opened for modification  \??\c:\users\admin\pictures\RedoSwitch.tiff
  File renamed                  C:\Users\Admin\Pictures\ConvertFromBlock.tiff => \??\c:\users\admin\pictures\ConvertFromBlock.tiff.9gd02lg850
  File renamed                  C:\Users\Admin\Pictures\FormatPing.tiff => \??\c:\users\admin\pictures\FormatPing.tiff.9gd02lg850
  File renamed                  C:\Users\Admin\Pictures\MeasureMerge.crw => \??\c:\users\admin\pictures\MeasureMerge.crw.9gd02lg850
  File renamed                  C:\Users\Admin\Pictures\RedoSwitch.tiff => \??\c:\users\admin\pictures\RedoSwitch.tiff.9gd02lg850
  File renamed                  C:\Users\Admin\Pictures\WaitUninstall.tif => \??\c:\users\admin\pictures\WaitUninstall.tif.9gd02lg850
  File opened for modification  \??\c:\users\admin\pictures\ConvertFromBlock.tiff
Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: rundll32.exe
  File opened (read-only), in the order logged: \??\A: \??\K: \??\Q: \??\N: \??\R: \??\U: \??\B: \??\E: \??\F: \??\G: \??\I: \??\W: \??\Y: \??\Z: \??\D: \??\H: \??\J: \??\L: \??\P: \??\X: \??\M: \??\O: \??\S: \??\T: \??\V:
  (every drive letter A: through Z: except C:)
Drops file in System32 directory (1 IoC)
  Process: powershell.exe
  File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt
Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  These VSS\Diag subkeys are written by the Volume Shadow Copy service itself for its writers when it starts; here they are a side effect of the shadow copy deletion below, not a service-configuration change made by the sample.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n0881u0ak2.bmp"
Drops file in Program Files directory (25 IoCs)
  Process: rundll32.exe
  File opened for modification  \??\c:\program files\AddSet.reg
  File opened for modification  \??\c:\program files\ProtectBlock.WTV
  File opened for modification  \??\c:\program files\ResetDisconnect.rmi
  File opened for modification  \??\c:\program files\ResetInstall.mht
  File opened for modification  \??\c:\program files\SkipStep.tif
  File opened for modification  \??\c:\program files\UpdateFormat.html
  File created                  \??\c:\program files (x86)\9gd02lg850-readme.txt
  File opened for modification  \??\c:\program files\CompleteRename.easmx
  File opened for modification  \??\c:\program files\CompressStep.pptm
  File opened for modification  \??\c:\program files\CompressUnregister.au
  File opened for modification  \??\c:\program files\OutEdit.MTS
  File opened for modification  \??\c:\program files\PushCompare.mht
  File opened for modification  \??\c:\program files\ConnectUnregister.wmv
  File opened for modification  \??\c:\program files\ConvertToOpen.mht
  File opened for modification  \??\c:\program files\DenyStop.rtf
  File opened for modification  \??\c:\program files\RegisterReceive.m1v
  File opened for modification  \??\c:\program files\RepairConvert.mp2v
  File opened for modification  \??\c:\program files\SavePop.mpv2
  File opened for modification  \??\c:\program files\WriteGet.svgz
  File created                  \??\c:\program files\9gd02lg850-readme.txt
  File opened for modification  \??\c:\program files\ApproveAssert.gif
  File opened for modification  \??\c:\program files\EnterRepair.wmv
  File opened for modification  \??\c:\program files\PingDismount.vsw
  File opened for modification  \??\c:\program files\UnprotectRestore.mid
  File opened for modification  \??\c:\program files\UpdateUninstall.mp4
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  1204  rundll32.exe
  1204  rundll32.exe
  204   powershell.exe
  204   powershell.exe
  204   powershell.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                  pid   process
  Token: SeDebugPrivilege      1204  rundll32.exe
  Token: SeDebugPrivilege      204   powershell.exe
  Token: SeBackupPrivilege     3828  vssvc.exe
  Token: SeRestorePrivilege    3828  vssvc.exe
  Token: SeAuditPrivilege      3828  vssvc.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   process       target process
  PID 64 wrote to memory of 1204    64    rundll32.exe  rundll32.exe
  PID 64 wrote to memory of 1204    64    rundll32.exe  rundll32.exe
  PID 64 wrote to memory of 1204    64    rundll32.exe  rundll32.exe
  PID 1204 wrote to memory of 204   1204  rundll32.exe  powershell.exe
  PID 1204 wrote to memory of 204   1204  rundll32.exe  powershell.exe
Processes
(PIDs taken from the WriteProcessMemory and AdjustPrivilegeToken signatures above; indentation shows parent/child depth)

C:\Windows\system32\rundll32.exe  (PID 64)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 1204)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    (the 64-bit rundll32.exe hands a 32-bit DLL to its SysWOW64 copy with the same command line, so the payload actually runs here)
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 204)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (-e is base64 of the UTF-16LE command):
        Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      i.e. deletion of every volume shadow copy through WMI, which is what triggers the vssvc.exe activity below.
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe  (not a child of the sample)
  C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe  (PID 3828; the Volume Shadow Copy service, started by the system when the Win32_Shadowcopy query above runs)
  C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
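Two checks a responder would want to automate from this report: decoding the -EncodedCommand payload of the powershell.exe child and recognising it as shadow copy deletion, and recovering the appended ransom extension from the rename events and confirming it matches the dropped note name (9gd02lg850 and 9gd02lg850-readme.txt above). The following is an added triage example, not part of the sandbox output; the command line and file events are copied from this report, while the function names, the regex patterns and the "two or more files" consensus threshold are the example's own assumptions.

```python
"""Triage helpers for the behaviour recorded in this report.

Added example, not part of the sandbox output. The command line and file
events below are copied from the report; the function names, regexes and
the consensus threshold are this example's own choices.
"""
import base64
import re
import shlex
from collections import Counter
from typing import Iterable, Optional, Tuple

# powershell.exe command line from the process tree (copied verbatim).
POWERSHELL_CMDLINE = "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

# (source, destination) pairs from "Modifies extensions of user files".
RENAME_EVENTS = [
    (r"C:\Users\Admin\Pictures\ConvertFromBlock.tiff",
     "\\??\\c:\\users\\admin\\pictures\\ConvertFromBlock.tiff.9gd02lg850"),
    (r"C:\Users\Admin\Pictures\FormatPing.tiff",
     "\\??\\c:\\users\\admin\\pictures\\FormatPing.tiff.9gd02lg850"),
    (r"C:\Users\Admin\Pictures\MeasureMerge.crw",
     "\\??\\c:\\users\\admin\\pictures\\MeasureMerge.crw.9gd02lg850"),
]
RANSOM_NOTE = r"C:\9gd02lg850-readme.txt"   # from "Malware Config"

# Abbreviations powershell.exe accepts for -EncodedCommand.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encoded", "-encodedcommand"}
NT_PREFIX = "\\??\\"   # object-manager prefix the sandbox logs on some paths

# Shadow copy deletion as seen here (WMI from PowerShell) plus its two common
# equivalents; all three patterns are this example's own.
SHADOW_COPY_PATTERNS = [
    re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I | re.S),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the -EncodedCommand payload (base64 of UTF-16LE) or None."""
    tokens = shlex.split(cmdline, posix=False)   # keep Windows quoting intact
    for flag, value in zip(tokens, tokens[1:]):
        if flag.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None   # flag present but payload is not valid base64/UTF-16LE
    return None


def is_shadow_copy_deletion(command: str) -> bool:
    """True if the (decoded) command deletes volume shadow copies."""
    return any(p.search(command) for p in SHADOW_COPY_PATTERNS)


def _normalize(path: str) -> str:
    """Strip the \\??\\ prefix and lower-case so Win32 and NT paths compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_extension(src: str, dst: str) -> Optional[str]:
    """Suffix appended by a rename, if dst is exactly src plus one more '.ext'."""
    s, d = _normalize(src), _normalize(dst)
    tail = d[len(s) + 1:]
    if d.startswith(s + ".") and tail and "." not in tail and "\\" not in tail:
        return tail
    return None


def ransom_extension(events: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Most common appended suffix; requires >= 2 files so a lone .bak does not count."""
    counts = Counter(e for e in (appended_extension(s, d) for s, d in events) if e)
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return ext if n >= 2 else None


def note_matches_extension(note_path: str, ext: Optional[str]) -> bool:
    """The note in this report is named '<ext>-readme.txt'; confirm the two agree."""
    if ext is None:
        return False
    return _normalize(note_path).rsplit("\\", 1)[-1] == f"{ext}-readme.txt"


if __name__ == "__main__":
    decoded = decode_encoded_command(POWERSHELL_CMDLINE)
    print("decoded:", decoded)
    print("deletes shadow copies:", is_shadow_copy_deletion(decoded or ""))
    ext = ransom_extension(RENAME_EVENTS)
    print("appended extension:", ext)
    print("note name agrees:", note_matches_extension(RANSOM_NOTE, ext))
```

Matching on the decoded command rather than on the base64 text matters because the same deletion can be encoded in many ways (different spacing, aliases such as gwmi, or the vssadmin and wmic forms covered by the other two patterns), while the rename check is deliberately agnostic to the random extension so it also fires on other samples of this family.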
Downloads
  memory/204-1-0x0000000000000000-mapping.dmp
  memory/204-2-0x00007FFE6C8A0000-0x00007FFE6D28C000-memory.dmp   9.9MB
  memory/204-3-0x000001C119EA0000-0x000001C119EA1000-memory.dmp   4KB
  memory/204-4-0x000001C11CBA0000-0x000001C11CBA1000-memory.dmp   4KB
  memory/1204-0-0x0000000000000000-mapping.dmp