Analysis
  Max time kernel: 149s
  Max time network: 154s
  Platform: windows10_x64
  Resource: win10v20201028
  Submitted: 12-11-2020 14:57
  Static task: static1
  Behavioral task: behavioral1 (sample svhostdbg.bin.exe, resource win7v20201028)
  Behavioral task: behavioral2 (sample svhostdbg.bin.exe, resource win10v20201028)
General
  Target: svhostdbg.bin.exe
  Size: 139KB
  MD5: 182bea50b4725eafc928da19e30f41a9
  SHA1: 50f2cdf24acd67e16ce7ebe55a19c629e2ad0a3b
  SHA256: d9c3e675971499e4a2c0677b5ae96cd5582900e7cbfc16a00555ec90335aaebf
  SHA512: a7f2ec428411a018647071bfa81a083c648ab2ce30718dec66880fe82ae40e352bc4dd7dc4efa6eee96a1a956466a577f84378a698ef3eb401eeab2af3ea878e
Malware Config
  Extracted from: C:\98t6wfdx9s-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/514C784A4C7C324D
    http://decryptor.cc/514C784A4C7C324D
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: svhostdbg.bin.exe
  File renamed: C:\Users\Admin\Pictures\LockSwitch.raw => \??\c:\users\admin\pictures\LockSwitch.raw.98t6wfdx9s
  File renamed: C:\Users\Admin\Pictures\PingInstall.crw => \??\c:\users\admin\pictures\PingInstall.crw.98t6wfdx9s
  File renamed: C:\Users\Admin\Pictures\ProtectMerge.tif => \??\c:\users\admin\pictures\ProtectMerge.tif.98t6wfdx9s
  File renamed: C:\Users\Admin\Pictures\ReceiveSend.png => \??\c:\users\admin\pictures\ReceiveSend.png.98t6wfdx9s
  File renamed: C:\Users\Admin\Pictures\DenyProtect.png => \??\c:\users\admin\pictures\DenyProtect.png.98t6wfdx9s
  File opened for modification: \??\c:\users\admin\pictures\DismountResize.tiff
  File renamed: C:\Users\Admin\Pictures\DismountResize.tiff => \??\c:\users\admin\pictures\DismountResize.tiff.98t6wfdx9s
  File opened for modification: \??\c:\users\admin\pictures\UnlockLock.tiff
  File renamed: C:\Users\Admin\Pictures\UnlockLock.tiff => \??\c:\users\admin\pictures\UnlockLock.tiff.98t6wfdx9s
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svhostdbg.bin.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FxHrkpLpWn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhostdbg.bin.exe"
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svhostdbg.bin.exe
  File opened (read-only), in order of access: \??\U:, \??\Y:, \??\B:, \??\F:, \??\N:, \??\S:, \??\K:, \??\O:, \??\V:, \??\D:, \??\G:, \??\H:, \??\I:, \??\J:, \??\A:, \??\L:, \??\P:, \??\T:, \??\W:, \??\X:, \??\Z:, \??\E:, \??\M:, \??\Q:, \??\R:
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: svhostdbg.bin.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c73mq22.bmp"
Drops file in Program Files directory (17 IoCs)
Processes: svhostdbg.bin.exe
  File opened for modification: \??\c:\program files\OpenSplit.rmi
  File opened for modification: \??\c:\program files\InitializePop.txt
  File opened for modification: \??\c:\program files\ReadLimit.pcx
  File created: \??\c:\program files\98t6wfdx9s-readme.txt
  File opened for modification: \??\c:\program files\DisconnectCompress.3gp
  File opened for modification: \??\c:\program files\FindDebug.mht
  File opened for modification: \??\c:\program files\GrantPop.wmv
  File opened for modification: \??\c:\program files\GrantUnblock.au3
  File created: \??\c:\program files (x86)\98t6wfdx9s-readme.txt
  File opened for modification: \??\c:\program files\CompleteRedo.mp4
  File opened for modification: \??\c:\program files\DismountReceive.xlsm
  File opened for modification: \??\c:\program files\EnterUnlock.pdf
  File opened for modification: \??\c:\program files\OutPublish.tiff
  File opened for modification: \??\c:\program files\PingDeny.ttc
  File opened for modification: \??\c:\program files\RevokeUse.jpe
  File opened for modification: \??\c:\program files\SyncMount.wma
  File opened for modification: \??\c:\program files\CompareBackup.snd
Suspicious behavior: EnumeratesProcesses (76 IoCs)
Processes: svhostdbg.bin.exe
  pid 4696 svhostdbg.bin.exe (the same process row is repeated for every IoC in this signature)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: svhostdbg.bin.exe, vssvc.exe
  Token: SeDebugPrivilege, pid 4696 svhostdbg.bin.exe
  Token: SeTakeOwnershipPrivilege, pid 4696 svhostdbg.bin.exe
  Token: SeBackupPrivilege, pid 4204 vssvc.exe
  Token: SeRestorePrivilege, pid 4204 vssvc.exe
  Token: SeAuditPrivilege, pid 4204 vssvc.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\svhostdbg.bin.exe (pid 4696)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhostdbg.bin.exe"
    - Modifies extensions of user files
    - Adds Run key to start application
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wbem\unsecapp.exe
    Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  C:\Windows\system32\vssvc.exe (pid 4204)
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken