Analysis
- max time kernel: 31s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-03-2021 21:23
Static task: static1
Behavioral task: behavioral1
  Sample: 9443d7f2890e26024ee0b8067ac2609fcdbd4bcc6981a7ab1aa8671be232b1f6.bin.dll
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 9443d7f2890e26024ee0b8067ac2609fcdbd4bcc6981a7ab1aa8671be232b1f6.bin.dll
  Resource: win10v20201028
General
- Target: 9443d7f2890e26024ee0b8067ac2609fcdbd4bcc6981a7ab1aa8671be232b1f6.bin.dll
- Size: 322KB
- MD5: 7c6e8b2aac5f2706a3d7660fbfb43c37
- SHA1: 4f4e68abbdd7d5af55e4a9e25611cc535cc5820e
- SHA256: 9443d7f2890e26024ee0b8067ac2609fcdbd4bcc6981a7ab1aa8671be232b1f6
- SHA512: d324997e2e01e57afeea96d81fbc1d18b1af97823d26a650957665a3172061e623988c7c8cede8a1da887b766cef833f8bd428fbbd08b7346559cdb680ac46eb
Malware Config
Extracted
- Path: C:\lm96a7rms-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B90DFD600C366616
  http://decoder.re/B90DFD600C366616
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes: regsvr32.exe
  Description | IoC | Process
  File renamed | C:\Users\Admin\Pictures\SendSearch.tif => \??\c:\users\admin\pictures\SendSearch.tif.lm96a7rms | regsvr32.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: regsvr32.exe
  Description | IoC | Process
  File opened (read-only) | \??\O: | regsvr32.exe
  File opened (read-only) | \??\Y: | regsvr32.exe
  File opened (read-only) | \??\Z: | regsvr32.exe
  File opened (read-only) | \??\D: | regsvr32.exe
  File opened (read-only) | \??\B: | regsvr32.exe
  File opened (read-only) | \??\G: | regsvr32.exe
  File opened (read-only) | \??\K: | regsvr32.exe
  File opened (read-only) | \??\N: | regsvr32.exe
  File opened (read-only) | \??\W: | regsvr32.exe
  File opened (read-only) | \??\H: | regsvr32.exe
  File opened (read-only) | \??\I: | regsvr32.exe
  File opened (read-only) | \??\L: | regsvr32.exe
  File opened (read-only) | \??\Q: | regsvr32.exe
  File opened (read-only) | \??\S: | regsvr32.exe
  File opened (read-only) | \??\U: | regsvr32.exe
  File opened (read-only) | \??\V: | regsvr32.exe
  File opened (read-only) | \??\F: | regsvr32.exe
  File opened (read-only) | \??\J: | regsvr32.exe
  File opened (read-only) | \??\M: | regsvr32.exe
  File opened (read-only) | \??\R: | regsvr32.exe
  File opened (read-only) | \??\T: | regsvr32.exe
  File opened (read-only) | \??\X: | regsvr32.exe
  File opened (read-only) | \??\A: | regsvr32.exe
  File opened (read-only) | \??\E: | regsvr32.exe
  File opened (read-only) | \??\P: | regsvr32.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: regsvr32.exe
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8vrg.bmp" | regsvr32.exe
- Drops file in Program Files directory (29 IoCs)
  Processes: regsvr32.exe
  Description | IoC | Process
  File opened for modification | \??\c:\program files\FormatWrite.eprtx | regsvr32.exe
  File opened for modification | \??\c:\program files\JoinExit.inf | regsvr32.exe
  File opened for modification | \??\c:\program files\StartBackup.pdf | regsvr32.exe
  File opened for modification | \??\c:\program files\LimitPublish.m4v | regsvr32.exe
  File opened for modification | \??\c:\program files\StopMeasure.TTS | regsvr32.exe
  File opened for modification | \??\c:\program files\ExportConvertFrom.rtf | regsvr32.exe
  File opened for modification | \??\c:\program files\OutResize.dwfx | regsvr32.exe
  File opened for modification | \??\c:\program files\UnregisterRestart.MTS | regsvr32.exe
  File opened for modification | \??\c:\program files\UnregisterMerge.dotx | regsvr32.exe
  File opened for modification | \??\c:\program files\WatchAssert.potx | regsvr32.exe
  File created | \??\c:\program files\lm96a7rms-readme.txt | regsvr32.exe
  File opened for modification | \??\c:\program files\ApproveRegister.pptm | regsvr32.exe
  File opened for modification | \??\c:\program files\DebugUse.pptm | regsvr32.exe
  File opened for modification | \??\c:\program files\FormatConfirm.TS | regsvr32.exe
  File opened for modification | \??\c:\program files\ProtectFormat.xlt | regsvr32.exe
  File opened for modification | \??\c:\program files\ProtectPing.pps | regsvr32.exe
  File opened for modification | \??\c:\program files\ResolveInstall.aiff | regsvr32.exe
  File opened for modification | \??\c:\program files\UnpublishStart.potm | regsvr32.exe
  File opened for modification | \??\c:\program files\UnregisterResize.docx | regsvr32.exe
  File created | \??\c:\program files (x86)\lm96a7rms-readme.txt | regsvr32.exe
  File opened for modification | \??\c:\program files\ClearInstall.ini | regsvr32.exe
  File opened for modification | \??\c:\program files\ClearRestore.potm | regsvr32.exe
  File opened for modification | \??\c:\program files\DisconnectUnpublish.emf | regsvr32.exe
  File opened for modification | \??\c:\program files\ExpandJoin.jpeg | regsvr32.exe
  File opened for modification | \??\c:\program files\SavePublish.search-ms | regsvr32.exe
  File opened for modification | \??\c:\program files\ConfirmConvert.xltm | regsvr32.exe
  File opened for modification | \??\c:\program files\MeasureGroup.7z | regsvr32.exe
  File opened for modification | \??\c:\program files\SyncResolve.inf | regsvr32.exe
  File opened for modification | \??\c:\program files\UnlockDebug.js | regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: regsvr32.exe
  PID | Process
  2128 | regsvr32.exe
  2128 | regsvr32.exe
  2128 | regsvr32.exe
  2128 | regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: regsvr32.exe, vssvc.exe
  Description | PID | Process
  Token: SeDebugPrivilege | 2128 | regsvr32.exe
  Token: SeTakeOwnershipPrivilege | 2128 | regsvr32.exe
  Token: SeBackupPrivilege | 2588 | vssvc.exe
  Token: SeRestorePrivilege | 2588 | vssvc.exe
  Token: SeAuditPrivilege | 2588 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  Description | PID | Process | Target process
  PID 1052 wrote to memory of 2128 | 1052 | regsvr32.exe | regsvr32.exe
  PID 1052 wrote to memory of 2128 | 1052 | regsvr32.exe | regsvr32.exe
  PID 1052 wrote to memory of 2128 | 1052 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9443d7f2890e26024ee0b8067ac2609fcdbd4bcc6981a7ab1aa8671be232b1f6.bin.dll
  PID: 1052
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (child of PID 1052)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\9443d7f2890e26024ee0b8067ac2609fcdbd4bcc6981a7ab1aa8671be232b1f6.bin.dll
    PID: 2128
    Signatures:
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2040
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2588
  Signatures:
  - Suspicious use of AdjustPrivilegeToken