Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 15-03-2021 00:37
Static task: static1
Behavioral task: behavioral1
- Sample: 68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca.bin.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca.bin.dll
- Resource: win10v20201028
General
- Target: 68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca.bin.dll
- Size: 119KB
- MD5: fbd2a737bfd8a83dcdc9b9359e2ca68f
- SHA1: 8ef5072dc4351e49c11241f332577c7630656c95
- SHA256: 68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca
- SHA512: 450a883d139f0a18d278b87b6810e73e97ed8e02a2e48256bdcbca25988ea440bbfa1977df728564f5c1c6db30b11c84f5f3f3dcb0a24febcddd868442a7453c
Malware Config
- Extracted from: C:\754v6cngk3-read-me-GLOBAL.txt
- Family: sodinokibi
Signatures
- Sodin, Sodinokibi, REvil: Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (3 IoCs): Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\InitializeBlock.crw => \??\c:\users\admin\pictures\InitializeBlock.crw.754v6cngk3 | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\PublishStart.png => \??\c:\users\admin\pictures\PublishStart.png.754v6cngk3 | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\StepImport.tif => \??\c:\users\admin\pictures\StepImport.tif.754v6cngk3 | regsvr32.exe
- Enumerates connected drives (3 TTPs, 25 IoCs): Attempts to read the root path of hard drives other than the default C: drive.
Processes: regsvr32.exe
description | ioc | process
File opened (read-only) | \??\Y: | regsvr32.exe
File opened (read-only) | \??\J: | regsvr32.exe
File opened (read-only) | \??\K: | regsvr32.exe
File opened (read-only) | \??\M: | regsvr32.exe
File opened (read-only) | \??\R: | regsvr32.exe
File opened (read-only) | \??\X: | regsvr32.exe
File opened (read-only) | \??\Z: | regsvr32.exe
File opened (read-only) | \??\A: | regsvr32.exe
File opened (read-only) | \??\O: | regsvr32.exe
File opened (read-only) | \??\P: | regsvr32.exe
File opened (read-only) | \??\W: | regsvr32.exe
File opened (read-only) | \??\Q: | regsvr32.exe
File opened (read-only) | \??\E: | regsvr32.exe
File opened (read-only) | \??\G: | regsvr32.exe
File opened (read-only) | \??\L: | regsvr32.exe
File opened (read-only) | \??\N: | regsvr32.exe
File opened (read-only) | \??\S: | regsvr32.exe
File opened (read-only) | \??\T: | regsvr32.exe
File opened (read-only) | \??\U: | regsvr32.exe
File opened (read-only) | \??\V: | regsvr32.exe
File opened (read-only) | \??\B: | regsvr32.exe
File opened (read-only) | \??\F: | regsvr32.exe
File opened (read-only) | \??\H: | regsvr32.exe
File opened (read-only) | \??\I: | regsvr32.exe
File opened (read-only) | \??\D: | regsvr32.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: regsvr32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a51.bmp" | regsvr32.exe
- Drops file in Program Files directory (22 IoCs)
Processes: regsvr32.exe
description | ioc | process
File created | \??\c:\program files\754v6cngk3-read-me-GLOBAL.txt | regsvr32.exe
File opened for modification | \??\c:\program files\ApproveClose.search-ms | regsvr32.exe
File opened for modification | \??\c:\program files\LockRestore.htm | regsvr32.exe
File opened for modification | \??\c:\program files\ShowDebug.jpe | regsvr32.exe
File opened for modification | \??\c:\program files\SubmitUnlock.jpeg | regsvr32.exe
File opened for modification | \??\c:\program files\DismountClose.xml | regsvr32.exe
File opened for modification | \??\c:\program files\EnableExport.dxf | regsvr32.exe
File opened for modification | \??\c:\program files\SendBackup.avi | regsvr32.exe
File opened for modification | \??\c:\program files\SendExport.xla | regsvr32.exe
File opened for modification | \??\c:\program files\ConvertToUnblock.eprtx | regsvr32.exe
File opened for modification | \??\c:\program files\EnterUpdate.wmx | regsvr32.exe
File opened for modification | \??\c:\program files\LockDisconnect.gif | regsvr32.exe
File opened for modification | \??\c:\program files\SyncStep.css | regsvr32.exe
File opened for modification | \??\c:\program files\RequestWait.avi | regsvr32.exe
File opened for modification | \??\c:\program files\ResetSkip.tif | regsvr32.exe
File opened for modification | \??\c:\program files\SubmitConvertFrom.vssx | regsvr32.exe
File created | \??\c:\program files (x86)\754v6cngk3-read-me-GLOBAL.txt | regsvr32.exe
File opened for modification | \??\c:\program files\GetImport.php | regsvr32.exe
File opened for modification | \??\c:\program files\PublishExpand.i64 | regsvr32.exe
File opened for modification | \??\c:\program files\RedoClose.tmp | regsvr32.exe
File opened for modification | \??\c:\program files\RemoveSearch.rtf | regsvr32.exe
File opened for modification | \??\c:\program files\WriteExpand.sql | regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: regsvr32.exe
pid | process
2280 | regsvr32.exe
2280 | regsvr32.exe
2280 | regsvr32.exe
2280 | regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: regsvr32.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 2280 | regsvr32.exe
Token: SeTakeOwnershipPrivilege | 2280 | regsvr32.exe
Token: SeBackupPrivilege | 2016 | vssvc.exe
Token: SeRestorePrivilege | 2016 | vssvc.exe
Token: SeAuditPrivilege | 2016 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
description | pid | process | target process
PID 1052 wrote to memory of 2280 | 1052 | regsvr32.exe | regsvr32.exe
PID 1052 wrote to memory of 2280 | 1052 | regsvr32.exe | regsvr32.exe
PID 1052 wrote to memory of 2280 | 1052 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe (PID 1052)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca.bin.dll
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\regsvr32.exe (PID 2280)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca.bin.dll
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 200)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 2016)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2280-2-0x0000000000000000-mapping.dmp