Analysis
-
max time kernel
151s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
05-05-2021 11:03
Static task
static1
Behavioral task
behavioral1
Sample
040818b1_by_Libranalysis.dll
Resource
win7v20210410
Behavioral task
behavioral2
Sample
040818b1_by_Libranalysis.dll
Resource
win10v20210408
General
-
Target
040818b1_by_Libranalysis.dll
-
Size
813KB
-
MD5
040818b1b3c9b1bf8245f5bcb4eebbbc
-
SHA1
c0f569fc22cb5dd8e02e44f85168b4b72a6669c3
-
SHA256
0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402
-
SHA512
bf4dcfb3c7cac05776560e751414a8babfa25fb8703768d0264133d4964f841055cfcab9f30d9854e422642855b4452b9fbf431889cb70a37ecbca7564f638c1
Malware Config
Extracted
C:\11ou37c-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CC63D271CF22A3AE
http://decoder.re/CC63D271CF22A3AE
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Blocklisted process makes network request 64 IoCs
Processes:
rundll32.exeflow pid process 28 4896 rundll32.exe 30 4896 rundll32.exe 33 4896 rundll32.exe 35 4896 rundll32.exe 37 4896 rundll32.exe 39 4896 rundll32.exe 41 4896 rundll32.exe 43 4896 rundll32.exe 45 4896 rundll32.exe 47 4896 rundll32.exe 49 4896 rundll32.exe 51 4896 rundll32.exe 53 4896 rundll32.exe 55 4896 rundll32.exe 57 4896 rundll32.exe 59 4896 rundll32.exe 61 4896 rundll32.exe 63 4896 rundll32.exe 65 4896 rundll32.exe 67 4896 rundll32.exe 69 4896 rundll32.exe 71 4896 rundll32.exe 73 4896 rundll32.exe 75 4896 rundll32.exe 77 4896 rundll32.exe 79 4896 rundll32.exe 81 4896 rundll32.exe 83 4896 rundll32.exe 85 4896 rundll32.exe 87 4896 rundll32.exe 89 4896 rundll32.exe 90 4896 rundll32.exe 92 4896 rundll32.exe 94 4896 rundll32.exe 96 4896 rundll32.exe 99 4896 rundll32.exe 101 4896 rundll32.exe 103 4896 rundll32.exe 105 4896 rundll32.exe 107 4896 rundll32.exe 109 4896 rundll32.exe 111 4896 rundll32.exe 113 4896 rundll32.exe 115 4896 rundll32.exe 118 4896 rundll32.exe 120 4896 rundll32.exe 122 4896 rundll32.exe 124 4896 rundll32.exe 126 4896 rundll32.exe 128 4896 rundll32.exe 130 4896 rundll32.exe 132 4896 rundll32.exe 134 4896 rundll32.exe 136 4896 rundll32.exe 138 4896 rundll32.exe 139 4896 rundll32.exe 140 4896 rundll32.exe 142 4896 rundll32.exe 145 4896 rundll32.exe 147 4896 rundll32.exe 149 4896 rundll32.exe 150 4896 rundll32.exe 152 4896 rundll32.exe 154 4896 rundll32.exe -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc process File renamed C:\Users\Admin\Pictures\SaveUnblock.tif => \??\c:\users\admin\pictures\SaveUnblock.tif.11ou37c rundll32.exe File renamed C:\Users\Admin\Pictures\PublishPush.png => \??\c:\users\admin\pictures\PublishPush.png.11ou37c rundll32.exe File renamed C:\Users\Admin\Pictures\ReceiveConvert.png => \??\c:\users\admin\pictures\ReceiveConvert.png.11ou37c rundll32.exe File renamed C:\Users\Admin\Pictures\ShowLimit.png => \??\c:\users\admin\pictures\ShowLimit.png.11ou37c rundll32.exe File opened for modification \??\c:\users\admin\pictures\ClearMeasure.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\ClearMeasure.tiff => \??\c:\users\admin\pictures\ClearMeasure.tiff.11ou37c rundll32.exe File opened for modification \??\c:\users\admin\pictures\CompressCheckpoint.tiff rundll32.exe File renamed C:\Users\Admin\Pictures\CompressCheckpoint.tiff => \??\c:\users\admin\pictures\CompressCheckpoint.tiff.11ou37c rundll32.exe File renamed C:\Users\Admin\Pictures\EnterRead.png => \??\c:\users\admin\pictures\EnterRead.png.11ou37c rundll32.exe File renamed C:\Users\Admin\Pictures\SkipGet.crw => \??\c:\users\admin\pictures\SkipGet.crw.11ou37c rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\D: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\S: rundll32.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kb5.bmp" rundll32.exe -
Drops file in Program Files directory 21 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\program files\ConvertToRevoke.m1v rundll32.exe File opened for modification \??\c:\program files\PushDeny.i64 rundll32.exe File opened for modification \??\c:\program files\RestartConvertFrom.mp2v rundll32.exe File opened for modification \??\c:\program files\WatchBackup.bmp rundll32.exe File opened for modification \??\c:\program files\UseGrant.wma rundll32.exe File opened for modification \??\c:\program files\WaitGrant.aifc rundll32.exe File created \??\c:\program files\11ou37c-readme.txt rundll32.exe File created \??\c:\program files (x86)\11ou37c-readme.txt rundll32.exe File opened for modification \??\c:\program files\InvokeLimit.vsd rundll32.exe File opened for modification \??\c:\program files\ResizeConnect.iso rundll32.exe File opened for modification \??\c:\program files\SyncDisable.rmi rundll32.exe File opened for modification \??\c:\program files\BackupShow.jpe rundll32.exe File opened for modification \??\c:\program files\MergeCompress.TS rundll32.exe File opened for modification \??\c:\program files\ResizeOptimize.3gpp rundll32.exe File opened for modification \??\c:\program files\UsePush.mpeg rundll32.exe File opened for modification \??\c:\program files\UnregisterGroup.xml rundll32.exe File opened for modification \??\c:\program files\DismountWait.clr rundll32.exe File opened for modification \??\c:\program files\FormatStep.3g2 rundll32.exe File opened for modification \??\c:\program files\LimitBackup.WTV rundll32.exe File opened for modification \??\c:\program files\OpenDisconnect.bmp rundll32.exe File opened for modification \??\c:\program files\TraceCopy.wmf rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
rundll32.exepid process 4896 rundll32.exe 4896 rundll32.exe 4896 rundll32.exe 4896 rundll32.exe 4896 rundll32.exe 4896 rundll32.exe 4896 rundll32.exe 4896 rundll32.exe 4896 rundll32.exe 4896 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
rundll32.exevssvc.exedescription pid process Token: SeDebugPrivilege 4896 rundll32.exe Token: SeTakeOwnershipPrivilege 4896 rundll32.exe Token: SeBackupPrivilege 804 vssvc.exe Token: SeRestorePrivilege 804 vssvc.exe Token: SeAuditPrivilege 804 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 4808 wrote to memory of 4896 4808 rundll32.exe rundll32.exe PID 4808 wrote to memory of 4896 4808 rundll32.exe rundll32.exe PID 4808 wrote to memory of 4896 4808 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\040818b1_by_Libranalysis.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\040818b1_by_Libranalysis.dll,#12⤵
- Blocklisted process makes network request
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:4212
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:804