Analysis
max time kernel: 18s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 12-02-2021 18:35
Static task: static1
Behavioral task: behavioral1 (Sample: bbdd.dll, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: bbdd.dll, Resource: win10v20201028)
General
Target: bbdd.dll
Size: 599KB
MD5: fd6d16ef09a96897604557faf17ac1f9
SHA1: 8b702da8f8426af9f501ba546f273c2d5f79f75d
SHA256: 3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a
SHA512: d68c63366abcf5b19417d165e4b483cd660235e8ce1b4abaf943e1f2985d8c58f71a03da90c55dc73e4c95945baed3d78d23bda00122ee5bf230e43ef751f34e
Malware Config
Extracted
Path: C:\4509y7-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FB713FE8306337B7
- http://decoder.re/FB713FE8306337B7
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
(description | ioc | process; all events by regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\MeasureReset.crw => \??\c:\users\admin\pictures\MeasureReset.crw.4509y7
- File renamed: C:\Users\Admin\Pictures\ReceiveEdit.raw => \??\c:\users\admin\pictures\ReceiveEdit.raw.4509y7
- File renamed: C:\Users\Admin\Pictures\SelectReceive.png => \??\c:\users\admin\pictures\SelectReceive.png.4509y7
- File renamed: C:\Users\Admin\Pictures\WaitStart.png => \??\c:\users\admin\pictures\WaitStart.png.4509y7
- File renamed: C:\Users\Admin\Pictures\AddImport.crw => \??\c:\users\admin\pictures\AddImport.crw.4509y7
- File renamed: C:\Users\Admin\Pictures\BlockMove.raw => \??\c:\users\admin\pictures\BlockMove.raw.4509y7
- File renamed: C:\Users\Admin\Pictures\CloseMerge.raw => \??\c:\users\admin\pictures\CloseMerge.raw.4509y7
- File renamed: C:\Users\Admin\Pictures\CompressUnprotect.raw => \??\c:\users\admin\pictures\CompressUnprotect.raw.4509y7
- File renamed: C:\Users\Admin\Pictures\ResolveResume.tif => \??\c:\users\admin\pictures\ResolveResume.tif.4509y7
- File renamed: C:\Users\Admin\Pictures\DisableSuspend.tif => \??\c:\users\admin\pictures\DisableSuspend.tif.4509y7
- File opened for modification: \??\c:\users\admin\pictures\DisconnectResize.tiff
- File renamed: C:\Users\Admin\Pictures\DisconnectResize.tiff => \??\c:\users\admin\pictures\DisconnectResize.tiff.4509y7
- File renamed: C:\Users\Admin\Pictures\InvokeSwitch.tif => \??\c:\users\admin\pictures\InvokeSwitch.tif.4509y7
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: regsvr32.exe
(description | ioc | process; all events by regsvr32.exe)
- File opened (read-only), in order observed: \??\R:, \??\V:, \??\A:, \??\B:, \??\F:, \??\G:, \??\L:, \??\O:, \??\U:, \??\X:, \??\E:, \??\H:, \??\K:, \??\M:, \??\N:, \??\S:, \??\Y:, \??\I:, \??\J:, \??\P:, \??\T:, \??\W:, \??\D:, \??\Q:, \??\Z:
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: regsvr32.exe
(description | ioc | process)
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqo5o1nzj7j.bmp" (regsvr32.exe)
Drops file in Program Files directory (25 IoCs)
Processes: regsvr32.exe
(description | ioc | process; all events are "File opened for modification" by regsvr32.exe)
- \??\c:\program files\SubmitTest.avi
- \??\c:\program files\ConvertSelect.DVR
- \??\c:\program files\GroupSearch.htm
- \??\c:\program files\InvokeGroup.xltx
- \??\c:\program files\InvokeOpen.mpg
- \??\c:\program files\JoinUninstall.zip
- \??\c:\program files\MoveReceive.vssx
- \??\c:\program files\ProtectStep.ttf
- \??\c:\program files\ConvertFromRequest.mht
- \??\c:\program files\ConvertSkip.ppt
- \??\c:\program files\DebugSave.scf
- \??\c:\program files\ResizeExpand.vsx
- \??\c:\program files\RestoreSplit.rle
- \??\c:\program files\SplitCopy.snd
- \??\c:\program files\AssertResize.mpeg2
- \??\c:\program files\BackupSkip.jpg
- \??\c:\program files\InvokeConnect.cfg
- \??\c:\program files\MergeSwitch.css
- \??\c:\program files\RegisterUse.vb
- \??\c:\program files\RepairConfirm.gif
- \??\c:\program files\RestoreEdit.xhtml
- \??\c:\program files\StopBackup.vstm
- \??\c:\program files\CompressUnblock.m4a
- \??\c:\program files\DenyMeasure.m3u
- \??\c:\program files\InvokeCompress.css
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: regsvr32.exe
(pid | process)
- 4776 regsvr32.exe (reported 4 times)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: regsvr32.exe, vssvc.exe
(description | pid | process)
- Token: SeDebugPrivilege, 4776, regsvr32.exe
- Token: SeTakeOwnershipPrivilege, 4776, regsvr32.exe
- Token: SeBackupPrivilege, 4148, vssvc.exe
- Token: SeRestorePrivilege, 4148, vssvc.exe
- Token: SeAuditPrivilege, 4148, vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
(description | pid | process | target process)
- PID 4636 wrote to memory of 4776: regsvr32.exe -> regsvr32.exe (reported 3 times)
Processes
C:\Windows\system32\regsvr32.exe (PID 4636), command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bbdd.dll
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 4776), command line: /s C:\Users\Admin\AppData\Local\Temp\bbdd.dll
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\unsecapp.exe (PID 3284), command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe (PID 4148), command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken