Analysis
max time kernel: 40s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 22-02-2021 08:21

Static task: static1
Behavioral task: behavioral1
  Sample: test.bin.dll
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: test.bin.dll
  Resource: win10v20201028
General
Target: test.bin.dll
Size: 218KB
MD5: 12998ead3767b8e2a7d3172432c2347a
SHA1: 21c8fb727afbb4d7078a2ce25eaf569c28afb308
SHA256: e275c0b13ef51066e1a5a8d9a3e9f2859d091560dd3c5eac8cd7920bdf3dcbd6
SHA512: 252f3159a90dddd528b23d0f6f09ea56eb3470b1c674faa87f20e453f6db2c5939b462dd6a7a77bad2903476aa84efc9ff9c79ef1484e89c2c257820b190c3cb
Malware Config
Extracted from: C:\56gg4-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A3937D9EA5842B85
  http://decoder.re/A3937D9EA5842B85
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
Description | IoC | Process
File renamed | C:\Users\Admin\Pictures\AddRestart.raw => \??\c:\users\admin\pictures\AddRestart.raw.56gg4 | regsvr32.exe
File opened for modification | \??\c:\users\admin\pictures\ConfirmRedo.tiff | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\ConfirmRedo.tiff => \??\c:\users\admin\pictures\ConfirmRedo.tiff.56gg4 | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\DismountGrant.tif => \??\c:\users\admin\pictures\DismountGrant.tif.56gg4 | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\JoinConvertTo.tif => \??\c:\users\admin\pictures\JoinConvertTo.tif.56gg4 | regsvr32.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: regsvr32.exe
Description | IoC | Process
File opened (read-only) | \??\P: | regsvr32.exe
File opened (read-only) | \??\R: | regsvr32.exe
File opened (read-only) | \??\W: | regsvr32.exe
File opened (read-only) | \??\Y: | regsvr32.exe
File opened (read-only) | \??\F: | regsvr32.exe
File opened (read-only) | \??\O: | regsvr32.exe
File opened (read-only) | \??\G: | regsvr32.exe
File opened (read-only) | \??\N: | regsvr32.exe
File opened (read-only) | \??\T: | regsvr32.exe
File opened (read-only) | \??\V: | regsvr32.exe
File opened (read-only) | \??\Z: | regsvr32.exe
File opened (read-only) | \??\D: | regsvr32.exe
File opened (read-only) | \??\A: | regsvr32.exe
File opened (read-only) | \??\B: | regsvr32.exe
File opened (read-only) | \??\M: | regsvr32.exe
File opened (read-only) | \??\S: | regsvr32.exe
File opened (read-only) | \??\U: | regsvr32.exe
File opened (read-only) | \??\E: | regsvr32.exe
File opened (read-only) | \??\L: | regsvr32.exe
File opened (read-only) | \??\J: | regsvr32.exe
File opened (read-only) | \??\K: | regsvr32.exe
File opened (read-only) | \??\Q: | regsvr32.exe
File opened (read-only) | \??\X: | regsvr32.exe
File opened (read-only) | \??\H: | regsvr32.exe
File opened (read-only) | \??\I: | regsvr32.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: regsvr32.exe
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctm06h4e6.bmp" | regsvr32.exe
Drops file in Program Files directory (32 IoCs)
Processes: regsvr32.exe
Description | IoC | Process
File opened for modification | \??\c:\program files\MergeRegister.mov | regsvr32.exe
File opened for modification | \??\c:\program files\DebugPush.dxf | regsvr32.exe
File opened for modification | \??\c:\program files\EnableSync.vdx | regsvr32.exe
File opened for modification | \??\c:\program files\MeasureConvertTo.ram | regsvr32.exe
File opened for modification | \??\c:\program files\RenameHide.wpl | regsvr32.exe
File opened for modification | \??\c:\program files\SwitchAssert.3gp2 | regsvr32.exe
File opened for modification | \??\c:\program files\UnpublishDebug.xml | regsvr32.exe
File opened for modification | \??\c:\program files\ConvertRead.rtf | regsvr32.exe
File opened for modification | \??\c:\program files\ImportWatch.xhtml | regsvr32.exe
File opened for modification | \??\c:\program files\MoveComplete.xlt | regsvr32.exe
File opened for modification | \??\c:\program files\OptimizeResize.clr | regsvr32.exe
File opened for modification | \??\c:\program files\StopExpand.vssx | regsvr32.exe
File opened for modification | \??\c:\program files\UninstallClear.potm | regsvr32.exe
File opened for modification | \??\c:\program files\UninstallRevoke.ods | regsvr32.exe
File opened for modification | \??\c:\program files\UnlockDisconnect.png | regsvr32.exe
File opened for modification | \??\c:\program files\ConvertToSplit.ini | regsvr32.exe
File opened for modification | \??\c:\program files\SkipPop.kix | regsvr32.exe
File opened for modification | \??\c:\program files\UnregisterExit.TS | regsvr32.exe
File opened for modification | \??\c:\program files\CopyPing.m3u | regsvr32.exe
File opened for modification | \??\c:\program files\InitializeLock.mp3 | regsvr32.exe
File opened for modification | \??\c:\program files\MountRevoke.MTS | regsvr32.exe
File opened for modification | \??\c:\program files\MoveDisconnect.rtf | regsvr32.exe
File opened for modification | \??\c:\program files\PopWait.tif | regsvr32.exe
File opened for modification | \??\c:\program files\RestoreResume.wm | regsvr32.exe
File opened for modification | \??\c:\program files\SelectConvertFrom.rm | regsvr32.exe
File opened for modification | \??\c:\program files\ConfirmBackup.xltm | regsvr32.exe
File opened for modification | \??\c:\program files\InstallRevoke.wvx | regsvr32.exe
File opened for modification | \??\c:\program files\MeasureProtect.csv | regsvr32.exe
File opened for modification | \??\c:\program files\SaveSkip.xls | regsvr32.exe
File opened for modification | \??\c:\program files\StopTest.mpeg3 | regsvr32.exe
File opened for modification | \??\c:\program files\UnprotectWrite.3gpp | regsvr32.exe
File opened for modification | \??\c:\program files\UseInitialize.ppsm | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: regsvr32.exe
PID | Process
1256 | regsvr32.exe
1256 | regsvr32.exe
1256 | regsvr32.exe
1256 | regsvr32.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: regsvr32.exe, vssvc.exe
Description | PID | Process
Token: SeDebugPrivilege | 1256 | regsvr32.exe
Token: SeTakeOwnershipPrivilege | 1256 | regsvr32.exe
Token: SeBackupPrivilege | 4052 | vssvc.exe
Token: SeRestorePrivilege | 4052 | vssvc.exe
Token: SeAuditPrivilege | 4052 | vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
Description | PID | Process | Target process
PID 416 wrote to memory of 1256 | 416 | regsvr32.exe | regsvr32.exe
PID 416 wrote to memory of 1256 | 416 | regsvr32.exe | regsvr32.exe
PID 416 wrote to memory of 1256 | 416 | regsvr32.exe | regsvr32.exe
Processes (tree; child processes are indented under their parent)

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\test.bin.dll
  PID: 416
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\test.bin.dll
    PID: 1256
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2380

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4052
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\56gg4-readme.txt
  PID: 4056
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\Desktop\56gg4-readme.txt
  MD5: 127895542fbab32cbee743d6d6e36224
  SHA1: 595e809213f3fb36b6dc07f0ab1c1a87053b9acb
  SHA256: 3b918df3d6eb2c9795677a44982e441d690ec05113d330937ec2beeee55f59dc
  SHA512: d43bd6a04b3326d79f37176c02b8631b7163aaa5e5c1e28bcc6859a9d26a2c7548edfe3b4c225689b2b5240d2c0dbd8148a5e7c4c8cb490d3dec72ab70d0aabd

memory/1256-2-0x0000000000000000-mapping.dmp

memory/1256-3-0x0000000000681000-0x000000000068A000-memory.dmp
  Filesize: 36KB

memory/1256-4-0x0000000000390000-0x0000000000391000-memory.dmp
  Filesize: 4KB

memory/1256-5-0x0000000000680000-0x00000000006C5000-memory.dmp
  Filesize: 276KB