Analysis
max time kernel: 29s
max time network: 123s
platform: windows10_x64
resource: win10v20201028
submitted: 01-03-2021 18:01

Static task: static1
Behavioral task: behavioral1
  Sample: 7b97fd1218c37c7014a6aef117927cb36f848ad93d53c408e6c080d0cf0aec27.bin.dll
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 7b97fd1218c37c7014a6aef117927cb36f848ad93d53c408e6c080d0cf0aec27.bin.dll
  Resource: win10v20201028
General
Target: 7b97fd1218c37c7014a6aef117927cb36f848ad93d53c408e6c080d0cf0aec27.bin.dll
Size: 115KB
MD5: 803ce5006616c1343e73ce4500a2b3e2
SHA1: 0634757441799167f618d1ede75abe95c20765c0
SHA256: 7b97fd1218c37c7014a6aef117927cb36f848ad93d53c408e6c080d0cf0aec27
SHA512: 8b549e55e270bc2ede09332faed4e2a98e47ec6afcb32d0c41cff338f9892d103a1924ba2af9d1c0129b2f65e750e9ec6bfdc37657c67ac72000f2898b301200
Malware Config
Extracted
Path: C:\8031u0o4-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D9524DC62885FC24
http://decryptor.cc/D9524DC62885FC24
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (11 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ExpandApprove.tif => \??\c:\users\admin\pictures\ExpandApprove.tif.8031u0o4 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\PublishJoin.tif => \??\c:\users\admin\pictures\PublishJoin.tif.8031u0o4 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\SearchRestart.raw => \??\c:\users\admin\pictures\SearchRestart.raw.8031u0o4 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\SetRevoke.crw => \??\c:\users\admin\pictures\SetRevoke.crw.8031u0o4 | rundll32.exe
File opened for modification | \??\c:\users\admin\pictures\DisconnectReset.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\DisconnectReset.tiff => \??\c:\users\admin\pictures\DisconnectReset.tiff.8031u0o4 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\ResizeBackup.raw => \??\c:\users\admin\pictures\ResizeBackup.raw.8031u0o4 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\SelectGrant.crw => \??\c:\users\admin\pictures\SelectGrant.crw.8031u0o4 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\SubmitAdd.crw => \??\c:\users\admin\pictures\SubmitAdd.crw.8031u0o4 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\WriteConfirm.crw => \??\c:\users\admin\pictures\WriteConfirm.crw.8031u0o4 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\BlockSwitch.crw => \??\c:\users\admin\pictures\BlockSwitch.crw.8031u0o4 | rundll32.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
description | ioc | process
File opened (read-only) | \??\B: | rundll32.exe
File opened (read-only) | \??\M: | rundll32.exe
File opened (read-only) | \??\R: | rundll32.exe
File opened (read-only) | \??\D: | rundll32.exe
File opened (read-only) | \??\Z: | rundll32.exe
File opened (read-only) | \??\A: | rundll32.exe
File opened (read-only) | \??\F: | rundll32.exe
File opened (read-only) | \??\I: | rundll32.exe
File opened (read-only) | \??\K: | rundll32.exe
File opened (read-only) | \??\X: | rundll32.exe
File opened (read-only) | \??\O: | rundll32.exe
File opened (read-only) | \??\P: | rundll32.exe
File opened (read-only) | \??\S: | rundll32.exe
File opened (read-only) | \??\E: | rundll32.exe
File opened (read-only) | \??\G: | rundll32.exe
File opened (read-only) | \??\H: | rundll32.exe
File opened (read-only) | \??\J: | rundll32.exe
File opened (read-only) | \??\L: | rundll32.exe
File opened (read-only) | \??\U: | rundll32.exe
File opened (read-only) | \??\V: | rundll32.exe
File opened (read-only) | \??\Y: | rundll32.exe
File opened (read-only) | \??\N: | rundll32.exe
File opened (read-only) | \??\Q: | rundll32.exe
File opened (read-only) | \??\T: | rundll32.exe
File opened (read-only) | \??\W: | rundll32.exe
Drops file in Program Files directory (29 IoCs)
Processes: rundll32.exe
description | ioc | process
File opened for modification | \??\c:\program files\CopyUndo.easmx | rundll32.exe
File opened for modification | \??\c:\program files\MeasureExpand.aifc | rundll32.exe
File opened for modification | \??\c:\program files\RedoTrace.mid | rundll32.exe
File opened for modification | \??\c:\program files\RegisterSplit.tiff | rundll32.exe
File opened for modification | \??\c:\program files\OutRename.xps | rundll32.exe
File opened for modification | \??\c:\program files\FormatWait.wvx | rundll32.exe
File opened for modification | \??\c:\program files\SaveResume.ps1xml | rundll32.exe
File opened for modification | \??\c:\program files\SelectSuspend.dwfx | rundll32.exe
File opened for modification | \??\c:\program files\FindPing.mp4v | rundll32.exe
File opened for modification | \??\c:\program files\NewDisconnect.mp4 | rundll32.exe
File created | \??\c:\program files\8031u0o4-readme.txt | rundll32.exe
File created | \??\c:\program files (x86)\8031u0o4-readme.txt | rundll32.exe
File opened for modification | \??\c:\program files\BackupMount.m3u | rundll32.exe
File opened for modification | \??\c:\program files\DisableGrant.m4v | rundll32.exe
File opened for modification | \??\c:\program files\CompressExit.dotm | rundll32.exe
File opened for modification | \??\c:\program files\OutStep.DVR | rundll32.exe
File opened for modification | \??\c:\program files\WriteAssert.csv | rundll32.exe
File opened for modification | \??\c:\program files\StepGrant.wmf | rundll32.exe
File opened for modification | \??\c:\program files\CompleteAdd.wmf | rundll32.exe
File opened for modification | \??\c:\program files\ExpandResolve.7z | rundll32.exe
File opened for modification | \??\c:\program files\FindSkip.wmv | rundll32.exe
File opened for modification | \??\c:\program files\RegisterRepair.rle | rundll32.exe
File opened for modification | \??\c:\program files\AssertCompress.pub | rundll32.exe
File opened for modification | \??\c:\program files\GrantConnect.mpe | rundll32.exe
File opened for modification | \??\c:\program files\MergeInitialize.i64 | rundll32.exe
File opened for modification | \??\c:\program files\RegisterRemove.M2TS | rundll32.exe
File opened for modification | \??\c:\program files\BlockJoin.reg | rundll32.exe
File opened for modification | \??\c:\program files\ConvertFromUndo.vsdm | rundll32.exe
File opened for modification | \??\c:\program files\ExpandDisable.xls | rundll32.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: rundll32.exe, powershell.exe
pid | process
1000 | rundll32.exe
1000 | rundll32.exe
692 | powershell.exe
692 | powershell.exe
692 | powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: rundll32.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1000 | rundll32.exe
Token: SeDebugPrivilege | 692 | powershell.exe
Token: SeBackupPrivilege | 2720 | vssvc.exe
Token: SeRestorePrivilege | 2720 | vssvc.exe
Token: SeAuditPrivilege | 2720 | vssvc.exe
Token: SeTakeOwnershipPrivilege | 1000 | rundll32.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 1400 wrote to memory of 1000 | 1400 | rundll32.exe | rundll32.exe
PID 1400 wrote to memory of 1000 | 1400 | rundll32.exe | rundll32.exe
PID 1400 wrote to memory of 1000 | 1400 | rundll32.exe | rundll32.exe
PID 1000 wrote to memory of 692 | 1000 | rundll32.exe | powershell.exe
PID 1000 wrote to memory of 692 | 1000 | rundll32.exe | powershell.exe
Processes
(process tree; indentation shows parent/child depth)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b97fd1218c37c7014a6aef117927cb36f848ad93d53c408e6c080d0cf0aec27.bin.dll,#1
  PID: 1400
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b97fd1218c37c7014a6aef117927cb36f848ad93d53c408e6c080d0cf0aec27.bin.dll,#1
    PID: 1000
    - Modifies extensions of user files
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of Volume Shadow Copies, which is why vssvc.exe appears below)
      PID: 692
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3732

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2720
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/692-3-0x0000000000000000-mapping.dmp
memory/692-4-0x00007FF98AA00000-0x00007FF98B3EC000-memory.dmp (9.9MB)
memory/692-5-0x000002741CDF0000-0x000002741CDF1000-memory.dmp (4KB)
memory/692-6-0x000002741D8E0000-0x000002741D8E1000-memory.dmp (4KB)
memory/692-7-0x000002741C420000-0x000002741C422000-memory.dmp (8KB)
memory/692-8-0x000002741C423000-0x000002741C425000-memory.dmp (8KB)
memory/692-9-0x000002741C426000-0x000002741C428000-memory.dmp (8KB)
memory/1000-2-0x0000000000000000-mapping.dmp