Analysis
max time kernel: 150s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 11-11-2020 18:32

Static task: static1
Behavioral task: behavioral1
  Sample: svhost.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: svhost.bin.exe
  Resource: win10v20201028
General
Target: svhost.bin.exe
Size: 117KB
MD5: a9f731de650ee1ba0ef91e1386ac2dad
SHA1: 60f6ad3ec25581bb53dac56634cff820e0d6fd81
SHA256: 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4
SHA512: 248f4e1297ab1e00fda37dd546a7f173ef5d0a0d2fd656adba97f8f07dfa0e1e27d9a7cc4cb55f3b451f7e5ce1ff7cf569cd3da42c91d1ed1bc16a6e93c9c2d0
Malware Config
Extracted from: C:\xc2687b5h-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/287288C1BC46DBD4
http://decryptor.cc/287288C1BC46DBD4
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: svhost.bin.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ConfirmRevoke.raw => \??\c:\users\admin\pictures\ConfirmRevoke.raw.xc2687b5h | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\UnregisterDisable.png => \??\c:\users\admin\pictures\UnregisterDisable.png.xc2687b5h | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\DisconnectInvoke.tif => \??\c:\users\admin\pictures\DisconnectInvoke.tif.xc2687b5h | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\FindResize.tiff => \??\c:\users\admin\pictures\FindResize.tiff.xc2687b5h | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\PublishRestart.raw => \??\c:\users\admin\pictures\PublishRestart.raw.xc2687b5h | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\PushDisable.tiff => \??\c:\users\admin\pictures\PushDisable.tiff.xc2687b5h | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\SubmitOpen.tif => \??\c:\users\admin\pictures\SubmitOpen.tif.xc2687b5h | svhost.bin.exe
File opened for modification | \??\c:\users\admin\pictures\FindResize.tiff | svhost.bin.exe
File opened for modification | \??\c:\users\admin\pictures\PushDisable.tiff | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\CompressDisable.raw => \??\c:\users\admin\pictures\CompressDisable.raw.xc2687b5h | svhost.bin.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svhost.bin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | svhost.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FxHrkpLpWn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.bin.exe" | svhost.bin.exe
-
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svhost.bin.exe
description | ioc | process
File opened (read-only) | \??\L: | svhost.bin.exe
File opened (read-only) | \??\N: | svhost.bin.exe
File opened (read-only) | \??\V: | svhost.bin.exe
File opened (read-only) | \??\O: | svhost.bin.exe
File opened (read-only) | \??\Q: | svhost.bin.exe
File opened (read-only) | \??\R: | svhost.bin.exe
File opened (read-only) | \??\A: | svhost.bin.exe
File opened (read-only) | \??\B: | svhost.bin.exe
File opened (read-only) | \??\E: | svhost.bin.exe
File opened (read-only) | \??\F: | svhost.bin.exe
File opened (read-only) | \??\G: | svhost.bin.exe
File opened (read-only) | \??\S: | svhost.bin.exe
File opened (read-only) | \??\W: | svhost.bin.exe
File opened (read-only) | \??\X: | svhost.bin.exe
File opened (read-only) | \??\Z: | svhost.bin.exe
File opened (read-only) | \??\I: | svhost.bin.exe
File opened (read-only) | \??\J: | svhost.bin.exe
File opened (read-only) | \??\T: | svhost.bin.exe
File opened (read-only) | \??\U: | svhost.bin.exe
File opened (read-only) | \??\D: | svhost.bin.exe
File opened (read-only) | \??\H: | svhost.bin.exe
File opened (read-only) | \??\K: | svhost.bin.exe
File opened (read-only) | \??\M: | svhost.bin.exe
File opened (read-only) | \??\P: | svhost.bin.exe
File opened (read-only) | \??\Y: | svhost.bin.exe
-
Modifies service (2 TTPs, 5 IoCs)
All five keys below are written by the Volume Shadow Copy service process (vssvc.exe) under its own Diag subtree, not by svhost.bin.exe; the report lists vssvc.exe because it was started during the run.
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
-
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: svhost.bin.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\an2q9.bmp" | svhost.bin.exe
-
Drops file in Program Files directory (33 IoCs)
Processes: svhost.bin.exe
description | ioc | process
File opened for modification | \??\c:\program files\EditSubmit.eprtx | svhost.bin.exe
File opened for modification | \??\c:\program files\MeasureWatch.mp4v | svhost.bin.exe
File opened for modification | \??\c:\program files\SplitStop.dib | svhost.bin.exe
File opened for modification | \??\c:\program files\RenameRestart.wpl | svhost.bin.exe
File opened for modification | \??\c:\program files\AddClear.jpeg | svhost.bin.exe
File opened for modification | \??\c:\program files\AssertGet.cr2 | svhost.bin.exe
File opened for modification | \??\c:\program files\EditTest.wvx | svhost.bin.exe
File opened for modification | \??\c:\program files\StepSend.mpe | svhost.bin.exe
File opened for modification | \??\c:\program files\CompleteResize.ini | svhost.bin.exe
File opened for modification | \??\c:\program files\DismountAdd.rmi | svhost.bin.exe
File opened for modification | \??\c:\program files\SplitReceive.ini | svhost.bin.exe
File opened for modification | \??\c:\program files\CheckpointConvert.xsl | svhost.bin.exe
File opened for modification | \??\c:\program files\CompleteGet.css | svhost.bin.exe
File opened for modification | \??\c:\program files\SearchSuspend.mpeg | svhost.bin.exe
File opened for modification | \??\c:\program files\WatchRegister.scf | svhost.bin.exe
File opened for modification | \??\c:\program files\CompleteFind.html | svhost.bin.exe
File opened for modification | \??\c:\program files\ConvertToOpen.vdx | svhost.bin.exe
File opened for modification | \??\c:\program files\InvokePing.ADTS | svhost.bin.exe
File opened for modification | \??\c:\program files\StartSave.TS | svhost.bin.exe
File created | \??\c:\program files (x86)\xc2687b5h-readme.txt | svhost.bin.exe
File opened for modification | \??\c:\program files\ReadInvoke.wav | svhost.bin.exe
File opened for modification | \??\c:\program files\RestoreUnregister.asp | svhost.bin.exe
File opened for modification | \??\c:\program files\ReceiveUnprotect.mpp | svhost.bin.exe
File opened for modification | \??\c:\program files\SendAssert.au | svhost.bin.exe
File opened for modification | \??\c:\program files\ShowOut.DVR | svhost.bin.exe
File created | \??\c:\program files\xc2687b5h-readme.txt | svhost.bin.exe
File opened for modification | \??\c:\program files\MeasureFormat.wm | svhost.bin.exe
File opened for modification | \??\c:\program files\OpenClear.xlt | svhost.bin.exe
File opened for modification | \??\c:\program files\InstallRemove.xlsm | svhost.bin.exe
File opened for modification | \??\c:\program files\PublishDisconnect.ppsx | svhost.bin.exe
File opened for modification | \??\c:\program files\ApproveDebug.wma | svhost.bin.exe
File opened for modification | \??\c:\program files\EnterPush.asp | svhost.bin.exe
File opened for modification | \??\c:\program files\ImportOptimize.tif | svhost.bin.exe
-
Modifies system certificate store (2 IoCs)
Processes: svhost.bin.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\E6A3B45B062D509B3382282D196EFE97D5956CCB | svhost.bin.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\E6A3B45B062D509B3382282D196EFE97D5956CCB\Blob = 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 | svhost.bin.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: svhost.bin.exe
pid | process
580 | svhost.bin.exe
580 | svhost.bin.exe
580 | svhost.bin.exe
580 | svhost.bin.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: svhost.bin.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 580 | svhost.bin.exe
Token: SeTakeOwnershipPrivilege | 580 | svhost.bin.exe
Token: SeBackupPrivilege | 200 | vssvc.exe
Token: SeRestorePrivilege | 200 | vssvc.exe
Token: SeAuditPrivilege | 200 | vssvc.exe
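The rename, ransom-note, Run-key and wallpaper rows above are what a detection engineer keys on when turning a report like this into a rule. The script below is an added example, not part of this report or of the sandbox that produced it: it parses rows written in the report's "description | ioc | process" layout (the sample rows are constructed from IoCs quoted on this page), derives the suffix each rename appended, and returns a verdict when one suffix is shared across many renames and reappears in the ransom-note file name. The row format, the thresholds and the function names are assumptions.

```python
"""Heuristic triage over sandbox behaviour rows like the ones in this report.
Added example; not part of the original report or of any sandbox product.
The row format, thresholds and the sample rows below are assumptions, with
the rows constructed from IoCs quoted in the report."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed rows in "description | ioc | process" form (raw string, so backslashes are literal).
SAMPLE_ROWS = r"""
File renamed | C:\Users\Admin\Pictures\ConfirmRevoke.raw => \??\c:\users\admin\pictures\ConfirmRevoke.raw.xc2687b5h | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\UnregisterDisable.png => \??\c:\users\admin\pictures\UnregisterDisable.png.xc2687b5h | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\DisconnectInvoke.tif => \??\c:\users\admin\pictures\DisconnectInvoke.tif.xc2687b5h | svhost.bin.exe
File renamed | C:\Users\Admin\Pictures\FindResize.tiff => \??\c:\users\admin\pictures\FindResize.tiff.xc2687b5h | svhost.bin.exe
File opened for modification | \??\c:\users\admin\pictures\FindResize.tiff | svhost.bin.exe
File created | \??\c:\program files\xc2687b5h-readme.txt | svhost.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FxHrkpLpWn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.bin.exe" | svhost.bin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\an2q9.bmp" | svhost.bin.exe
File opened (read-only) | \??\L: | svhost.bin.exe
File opened (read-only) | \??\N: | svhost.bin.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
"""

RENAME_RE = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\=]+?) = \"(?P<path>.*)\"$", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper = \"(?P<path>.*)\"$", re.I)
NOTE_RE = re.compile(r"[\\/](?P<ext>[a-z0-9]+)-readme\.txt$", re.I)   # REvil-style <ext>-readme.txt
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")                          # \??\X: drive-root probe


def _nt_path(p: str) -> str:
    """Collapse doubled backslashes, strip the \\??\\ NT prefix, lowercase for comparison."""
    p = p.strip().replace("\\\\", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def appended_suffix(src: str, dst: str):
    """Suffix a rename appended to the original name (e.g. '.xc2687b5h'), or None."""
    s, d = _nt_path(src), _nt_path(dst)
    return d[len(s):] if d.startswith(s) and len(d) > len(s) else None


@dataclass
class Findings:
    rename_count: int = 0
    suffixes: Counter = field(default_factory=Counter)   # appended suffix -> number of renames
    ransom_notes: list = field(default_factory=list)     # (ext, normalised path)
    run_keys: dict = field(default_factory=dict)         # Run value name -> target path
    wallpaper: str = ""
    drives_probed: set = field(default_factory=set)


def analyse(rows_text: str, process: str = "svhost.bin.exe") -> Findings:
    """Collect ransomware-relevant events attributed to one process."""
    f = Findings()
    for line in rows_text.splitlines():
        parts = [part.strip() for part in line.split(" | ", 2)]
        if len(parts) != 3:
            continue
        desc, ioc, proc = parts
        if proc.lower() != process.lower():
            continue  # e.g. the vssvc.exe Diag keys belong to the VSS service, not the sample
        if desc == "File renamed" and (m := RENAME_RE.match(ioc)):
            suffix = appended_suffix(m["src"], m["dst"])
            if suffix:
                f.rename_count += 1
                f.suffixes[suffix] += 1
        elif desc == "File created" and (m := NOTE_RE.search(ioc)):
            f.ransom_notes.append((m["ext"].lower(), _nt_path(ioc)))
        elif desc.startswith("Set value") and (m := RUNKEY_RE.search(ioc)):
            f.run_keys[m["name"]] = m["path"].replace("\\\\", "\\")
        elif desc.startswith("Set value") and (m := WALLPAPER_RE.search(ioc)):
            f.wallpaper = m["path"].replace("\\\\", "\\")
        elif desc == "File opened (read-only)" and (m := DRIVE_RE.match(ioc)):
            f.drives_probed.add(m[1])
    return f


def verdict(f: Findings, min_renames: int = 3, min_drives: int = 5) -> list:
    """Reasons to call this ransomware; thresholds are assumptions, tune per environment."""
    reasons = []
    top = f.suffixes.most_common(1)
    ext, n = top[0] if top else ("", 0)
    if n >= min_renames:
        reasons.append(f"{n} files renamed with the same appended extension {ext}")
    if ext and any(note_ext == ext.lstrip(".") for note_ext, _ in f.ransom_notes):
        reasons.append(f"ransom note {ext.lstrip('.')}-readme.txt named after that extension")
    for name, path in f.run_keys.items():
        if "\\appdata\\local\\temp\\" in path.lower():
            reasons.append(f"Run value {name} points at a binary under %TEMP%")
    if f.wallpaper:
        reasons.append("desktop wallpaper replaced via registry")
    if len(f.drives_probed) >= min_drives:
        reasons.append(f"{len(f.drives_probed)} drive roots probed")
    return reasons


if __name__ == "__main__":
    for reason in verdict(analyse(SAMPLE_ROWS)):
        print("-", reason)
```

Deriving the extension from the rename pairs rather than hard-coding `.xc2687b5h` matters because this family generates a fresh extension per victim; the tie between that extension and the `<ext>-readme.txt` note name is the stable part. The sample's own events are filtered by process name so that vssvc.exe activity, which is the VSS service's own, does not count toward the verdict.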
Processes
-
C:\Users\Admin\AppData\Local\Temp\svhost.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.bin.exe"
Tree level: 1
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exe
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
Tree level: 1
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree level: 1
- Modifies service
- Suspicious use of AdjustPrivilegeToken