Analysis
- max time kernel: 59s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-02-2021 13:22
Static task: static1
Behavioral task: behavioral1
- Sample: B40CA0BFB7AEC1C1B4218B98529B580B.file.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: B40CA0BFB7AEC1C1B4218B98529B580B.file.dll
- Resource: win10v20201028
General
- Target: B40CA0BFB7AEC1C1B4218B98529B580B.file.dll
- Size: 745KB
- MD5: b40ca0bfb7aec1c1b4218b98529b580b
- SHA1: 5615f11ca85cdf2d5cd186028c60a21fdb6d7f72
- SHA256: 188b6a98ef67f6d79300062641e73e9ee5ec1c4172fe1cd91c7e7de7434c24dc
- SHA512: 69c4e6f306bb4e254c49b687ff227f93aa649444be29b7de2ed8f0b09637970b2d4e7bc10d6cfbec1ab753db23b41d56bb4e947159319790a9f1bf31ebf24611
Malware Config
Extracted from: C:\8rj1l91g-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5371DADB7A7051A
- http://decoder.re/B5371DADB7A7051A
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: regsvr32.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\FindPublish.tif => \??\c:\users\admin\pictures\FindPublish.tif.8rj1l91g | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\JoinRepair.tif => \??\c:\users\admin\pictures\JoinRepair.tif.8rj1l91g | regsvr32.exe
  File opened for modification | \??\c:\users\admin\pictures\RequestRegister.tiff | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\RequestRegister.tiff => \??\c:\users\admin\pictures\RequestRegister.tiff.8rj1l91g | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\SyncConvertFrom.crw => \??\c:\users\admin\pictures\SyncConvertFrom.crw.8rj1l91g | regsvr32.exe
  File opened for modification | \??\c:\users\admin\pictures\WaitRestart.tiff | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\WaitRestart.tiff => \??\c:\users\admin\pictures\WaitRestart.tiff.8rj1l91g | regsvr32.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: regsvr32.exe
  description | ioc | process
  File opened (read-only) | \??\J: | regsvr32.exe
  File opened (read-only) | \??\Q: | regsvr32.exe
  File opened (read-only) | \??\V: | regsvr32.exe
  File opened (read-only) | \??\X: | regsvr32.exe
  File opened (read-only) | \??\Z: | regsvr32.exe
  File opened (read-only) | \??\D: | regsvr32.exe
  File opened (read-only) | \??\B: | regsvr32.exe
  File opened (read-only) | \??\M: | regsvr32.exe
  File opened (read-only) | \??\N: | regsvr32.exe
  File opened (read-only) | \??\P: | regsvr32.exe
  File opened (read-only) | \??\W: | regsvr32.exe
  File opened (read-only) | \??\Y: | regsvr32.exe
  File opened (read-only) | \??\T: | regsvr32.exe
  File opened (read-only) | \??\A: | regsvr32.exe
  File opened (read-only) | \??\E: | regsvr32.exe
  File opened (read-only) | \??\F: | regsvr32.exe
  File opened (read-only) | \??\H: | regsvr32.exe
  File opened (read-only) | \??\O: | regsvr32.exe
  File opened (read-only) | \??\R: | regsvr32.exe
  File opened (read-only) | \??\G: | regsvr32.exe
  File opened (read-only) | \??\I: | regsvr32.exe
  File opened (read-only) | \??\K: | regsvr32.exe
  File opened (read-only) | \??\L: | regsvr32.exe
  File opened (read-only) | \??\S: | regsvr32.exe
  File opened (read-only) | \??\U: | regsvr32.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p9272s027n4a3.bmp" | regsvr32.exe
- Drops file in Program Files directory (26 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\MergeDeny.ttf | regsvr32.exe
  File opened for modification | \??\c:\program files\MountResolve.dotx | regsvr32.exe
  File opened for modification | \??\c:\program files\SuspendSubmit.mpv2 | regsvr32.exe
  File opened for modification | \??\c:\program files\ExportEnable.m4v | regsvr32.exe
  File opened for modification | \??\c:\program files\HideDismount.svgz | regsvr32.exe
  File opened for modification | \??\c:\program files\InvokeApprove.mht | regsvr32.exe
  File opened for modification | \??\c:\program files\JoinOpen.potm | regsvr32.exe
  File opened for modification | \??\c:\program files\ResolveConvert.mpv2 | regsvr32.exe
  File opened for modification | \??\c:\program files\SendOpen.wmf | regsvr32.exe
  File opened for modification | \??\c:\program files\UnlockLimit.dotx | regsvr32.exe
  File opened for modification | \??\c:\program files\UnprotectApprove.wm | regsvr32.exe
  File opened for modification | \??\c:\program files\DebugOpen.vstx | regsvr32.exe
  File opened for modification | \??\c:\program files\OptimizeSwitch.M2TS | regsvr32.exe
  File opened for modification | \??\c:\program files\RemovePop.mpeg2 | regsvr32.exe
  File opened for modification | \??\c:\program files\RenameEdit.xlsm | regsvr32.exe
  File opened for modification | \??\c:\program files\UpdateGrant.ADTS | regsvr32.exe
  File opened for modification | \??\c:\program files\GrantSuspend.mhtml | regsvr32.exe
  File opened for modification | \??\c:\program files\ImportCompare.search-ms | regsvr32.exe
  File opened for modification | \??\c:\program files\SyncMeasure.mp4 | regsvr32.exe
  File opened for modification | \??\c:\program files\UnlockInvoke.pps | regsvr32.exe
  File opened for modification | \??\c:\program files\UnprotectNew.html | regsvr32.exe
  File opened for modification | \??\c:\program files\UseClose.docm | regsvr32.exe
  File opened for modification | \??\c:\program files\BackupClear.wax | regsvr32.exe
  File opened for modification | \??\c:\program files\DismountDisable.docx | regsvr32.exe
  File opened for modification | \??\c:\program files\FormatInitialize.dib | regsvr32.exe
  File opened for modification | \??\c:\program files\OutGet.vb | regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: regsvr32.exe
  pid | process
  1808 | regsvr32.exe
  1808 | regsvr32.exe
  1808 | regsvr32.exe
  1808 | regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: regsvr32.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1808 | regsvr32.exe
  Token: SeTakeOwnershipPrivilege | 1808 | regsvr32.exe
  Token: SeBackupPrivilege | 2284 | vssvc.exe
  Token: SeRestorePrivilege | 2284 | vssvc.exe
  Token: SeAuditPrivilege | 2284 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  description | pid | process | target process
  PID 3116 wrote to memory of 1808 | 3116 | regsvr32.exe | regsvr32.exe
  PID 3116 wrote to memory of 1808 | 3116 | regsvr32.exe | regsvr32.exe
  PID 3116 wrote to memory of 1808 | 3116 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B40CA0BFB7AEC1C1B4218B98529B580B.file.dll
  PID: 3116
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\B40CA0BFB7AEC1C1B4218B98529B580B.file.dll
    PID: 1808
    Signatures:
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3348
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2284
  Signatures:
  - Suspicious use of AdjustPrivilegeToken