Analysis
- max time kernel: 140s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-02-2021 18:35

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: bbdd.dll, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: bbdd.dll, Resource: win10v20201028)
General
- Target: bbdd.dll
- Size: 599KB
- MD5: fd6d16ef09a96897604557faf17ac1f9
- SHA1: 8b702da8f8426af9f501ba546f273c2d5f79f75d
- SHA256: 3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a
- SHA512: d68c63366abcf5b19417d165e4b483cd660235e8ce1b4abaf943e1f2985d8c58f71a03da90c55dc73e4c95945baed3d78d23bda00122ee5bf230e43ef751f34e
Malware Config
- Extracted from: C:\p97w46w9t-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/81F9B0D2E6549CCF
  http://decoder.re/81F9B0D2E6549CCF
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: regsvr32.exe
description              ioc     process
File opened (read-only)  \??\O:  regsvr32.exe
File opened (read-only)  \??\Q:  regsvr32.exe
File opened (read-only)  \??\R:  regsvr32.exe
File opened (read-only)  \??\B:  regsvr32.exe
File opened (read-only)  \??\K:  regsvr32.exe
File opened (read-only)  \??\L:  regsvr32.exe
File opened (read-only)  \??\M:  regsvr32.exe
File opened (read-only)  \??\N:  regsvr32.exe
File opened (read-only)  \??\X:  regsvr32.exe
File opened (read-only)  \??\E:  regsvr32.exe
File opened (read-only)  \??\I:  regsvr32.exe
File opened (read-only)  \??\S:  regsvr32.exe
File opened (read-only)  \??\V:  regsvr32.exe
File opened (read-only)  \??\Y:  regsvr32.exe
File opened (read-only)  \??\A:  regsvr32.exe
File opened (read-only)  \??\F:  regsvr32.exe
File opened (read-only)  \??\G:  regsvr32.exe
File opened (read-only)  \??\H:  regsvr32.exe
File opened (read-only)  \??\J:  regsvr32.exe
File opened (read-only)  \??\Z:  regsvr32.exe
File opened (read-only)  \??\P:  regsvr32.exe
File opened (read-only)  \??\T:  regsvr32.exe
File opened (read-only)  \??\U:  regsvr32.exe
File opened (read-only)  \??\W:  regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: regsvr32.exe
pid   process
1316  regsvr32.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: regsvr32.exe, vssvc.exe
description                      pid   process
Token: SeDebugPrivilege          1316  regsvr32.exe
Token: SeTakeOwnershipPrivilege  1316  regsvr32.exe
Token: SeBackupPrivilege         324   vssvc.exe
Token: SeRestorePrivilege        324   vssvc.exe
Token: SeAuditPrivilege          324   vssvc.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe
description                       pid   process       target process
PID 1812 wrote to memory of 1316  1812  regsvr32.exe  regsvr32.exe
PID 1812 wrote to memory of 1316  1812  regsvr32.exe  regsvr32.exe
PID 1812 wrote to memory of 1316  1812  regsvr32.exe  regsvr32.exe
PID 1812 wrote to memory of 1316  1812  regsvr32.exe  regsvr32.exe
PID 1812 wrote to memory of 1316  1812  regsvr32.exe  regsvr32.exe
PID 1812 wrote to memory of 1316  1812  regsvr32.exe  regsvr32.exe
PID 1812 wrote to memory of 1316  1812  regsvr32.exe  regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bbdd.dll
  PID: 1812
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\bbdd.dll
    PID: 1316
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1896
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 324
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1316-3-0x0000000000000000-mapping.dmp
- memory/1316-4-0x0000000076241000-0x0000000076243000-memory.dmp (Filesize: 8KB)
- memory/1316-6-0x0000000000A10000-0x0000000000AB7000-memory.dmp (Filesize: 668KB)
- memory/1316-5-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize: 4KB)
- memory/1812-2-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp (Filesize: 8KB)