Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-02-2021 21:18
Static task: static1
Behavioral task: behavioral1
- Sample: d2ea89e73804efccefceaa193c80ef4a8454f7db638c0d3502530652a8a430e9.bin.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: d2ea89e73804efccefceaa193c80ef4a8454f7db638c0d3502530652a8a430e9.bin.dll
- Resource: win10v20201028
General
- Target: d2ea89e73804efccefceaa193c80ef4a8454f7db638c0d3502530652a8a430e9.bin.dll
- Size: 118KB
- MD5: c9b3946c7408aac0c307aabb90881908
- SHA1: bed3433d677c3ceddab2a7c927cfc3cf336dc172
- SHA256: d2ea89e73804efccefceaa193c80ef4a8454f7db638c0d3502530652a8a430e9
- SHA512: 5f839954c71d350bf13610933875459bda9d955c7b9d2828ddc28668a60b7625db94131a04ce1b567a2bf98b96703ac038f6ed0364cf415abc0b880b7e13c9d3
Malware Config
Extracted
- Path: C:\4z5x872y-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/214D9B37DEF128DC
  http://decoder.re/214D9B37DEF128DC
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: regsvr32.exe
  - File renamed: C:\Users\Admin\Pictures\ClosePing.tiff => \??\c:\users\admin\pictures\ClosePing.tiff.4z5x872y (regsvr32.exe)
  - File renamed: C:\Users\Admin\Pictures\DismountResize.raw => \??\c:\users\admin\pictures\DismountResize.raw.4z5x872y (regsvr32.exe)
  - File renamed: C:\Users\Admin\Pictures\MoveAdd.raw => \??\c:\users\admin\pictures\MoveAdd.raw.4z5x872y (regsvr32.exe)
  - File opened for modification: \??\c:\users\admin\pictures\ClosePing.tiff (regsvr32.exe)
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: regsvr32.exe
  - File opened (read-only) by regsvr32.exe, in the order reported: \??\I:, \??\N:, \??\Y:, \??\B:, \??\F:, \??\K:, \??\M:, \??\O:, \??\T:, \??\U:, \??\W:, \??\A:, \??\J:, \??\P:, \??\R:, \??\X:, \??\Z:, \??\H:, \??\L:, \??\Q:, \??\S:, \??\V:, \??\D:, \??\E:, \??\G:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: regsvr32.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vk4.bmp" (regsvr32.exe)
- Drops file in Program Files directory (12 IoCs)
  Processes: regsvr32.exe
  - File opened for modification: \??\c:\program files\EditBlock.jfif (regsvr32.exe)
  - File opened for modification: \??\c:\program files\EnableTrace.m3u (regsvr32.exe)
  - File opened for modification: \??\c:\program files\ExportLimit.gif (regsvr32.exe)
  - File opened for modification: \??\c:\program files\RegisterResume.ini (regsvr32.exe)
  - File opened for modification: \??\c:\program files\ComparePublish.rle (regsvr32.exe)
  - File opened for modification: \??\c:\program files\ConfirmConnect.mpeg2 (regsvr32.exe)
  - File opened for modification: \??\c:\program files\ConvertToMount.vbs (regsvr32.exe)
  - File opened for modification: \??\c:\program files\UnlockConfirm.odt (regsvr32.exe)
  - File opened for modification: \??\c:\program files\UpdateLimit.aiff (regsvr32.exe)
  - File opened for modification: \??\c:\program files\CompressDisable.svg (regsvr32.exe)
  - File opened for modification: \??\c:\program files\ImportGroup.rar (regsvr32.exe)
  - File opened for modification: \??\c:\program files\RedoResize.docm (regsvr32.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: regsvr32.exe
  - pid 1460, regsvr32.exe (reported 4 times)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: regsvr32.exe, vssvc.exe
  - Token: SeDebugPrivilege, pid 1460, regsvr32.exe
  - Token: SeTakeOwnershipPrivilege, pid 1460, regsvr32.exe
  - Token: SeBackupPrivilege, pid 2904, vssvc.exe
  - Token: SeRestorePrivilege, pid 2904, vssvc.exe
  - Token: SeAuditPrivilege, pid 2904, vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  - PID 1924 (regsvr32.exe) wrote to memory of PID 1460 (regsvr32.exe), reported 3 times
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d2ea89e73804efccefceaa193c80ef4a8454f7db638c0d3502530652a8a430e9.bin.dll
  PID: 1924
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (child of PID 1924)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\d2ea89e73804efccefceaa193c80ef4a8454f7db638c0d3502530652a8a430e9.bin.dll
    PID: 1460
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 4028
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2904
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1460-2-0x0000000000000000-mapping.dmp