Analysis
max time kernel: 140s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 04-06-2021 11:49
Static task: static1
Behavioral task: behavioral1, Sample: svhostdbg.bin.exe, Resource: win7v20210410
Behavioral task: behavioral2, Sample: svhostdbg.bin.exe, Resource: win10v20210408
General
Target: svhostdbg.bin.exe
Size: 139KB
MD5: 182bea50b4725eafc928da19e30f41a9
SHA1: 50f2cdf24acd67e16ce7ebe55a19c629e2ad0a3b
SHA256: d9c3e675971499e4a2c0677b5ae96cd5582900e7cbfc16a00555ec90335aaebf
SHA512: a7f2ec428411a018647071bfa81a083c648ab2ce30718dec66880fe82ae40e352bc4dd7dc4efa6eee96a1a956466a577f84378a698ef3eb401eeab2af3ea878e
Malware Config
Extracted
C:\b67houibri-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8324FB1D7DC458BC
http://decryptor.cc/8324FB1D7DC458BC
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: svhostdbg.bin.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ClearConvertFrom.tif => \??\c:\users\admin\pictures\ClearConvertFrom.tif.b67houibri | svhostdbg.bin.exe
File renamed | C:\Users\Admin\Pictures\EnableUnlock.crw => \??\c:\users\admin\pictures\EnableUnlock.crw.b67houibri | svhostdbg.bin.exe
File renamed | C:\Users\Admin\Pictures\MergeSearch.tiff => \??\c:\users\admin\pictures\MergeSearch.tiff.b67houibri | svhostdbg.bin.exe
File renamed | C:\Users\Admin\Pictures\MergeTrace.raw => \??\c:\users\admin\pictures\MergeTrace.raw.b67houibri | svhostdbg.bin.exe
File renamed | C:\Users\Admin\Pictures\OptimizeApprove.png => \??\c:\users\admin\pictures\OptimizeApprove.png.b67houibri | svhostdbg.bin.exe
File renamed | C:\Users\Admin\Pictures\WaitPop.tif => \??\c:\users\admin\pictures\WaitPop.tif.b67houibri | svhostdbg.bin.exe
File renamed | C:\Users\Admin\Pictures\CompareRevoke.tif => \??\c:\users\admin\pictures\CompareRevoke.tif.b67houibri | svhostdbg.bin.exe
File opened for modification | \??\c:\users\admin\pictures\MergeSearch.tiff | svhostdbg.bin.exe
File renamed | C:\Users\Admin\Pictures\ShowDisconnect.tif => \??\c:\users\admin\pictures\ShowDisconnect.tif.b67houibri | svhostdbg.bin.exe
File renamed | C:\Users\Admin\Pictures\UnlockTest.png => \??\c:\users\admin\pictures\UnlockTest.png.b67houibri | svhostdbg.bin.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: svhostdbg.bin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | svhostdbg.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FxHrkpLpWn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhostdbg.bin.exe" | svhostdbg.bin.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svhostdbg.bin.exe
description | ioc | process
File opened (read-only) by svhostdbg.bin.exe, in the order observed (25 drive roots):
\??\A: \??\E: \??\J: \??\M: \??\O: \??\T: \??\Y: \??\H: \??\I: \??\N: \??\X: \??\D: \??\F: \??\G: \??\P: \??\Q: \??\U: \??\W: \??\Z: \??\B: \??\K: \??\L: \??\R: \??\S: \??\V:
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: svhostdbg.bin.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\k6pn8g6.bmp" | svhostdbg.bin.exe
Drops file in Program Files directory 29 IoCs
Processes: svhostdbg.bin.exe
description | ioc | process
File opened for modification | \??\c:\program files\SetGrant.shtml | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\UninstallBackup.js | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\BackupCompress.tiff | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\EnterShow.asx | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\PingHide.mov | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\RemoveConvertTo.WTV | svhostdbg.bin.exe
File created | \??\c:\program files (x86)\b67houibri-readme.txt | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\ConvertShow.ps1xml | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\PushSelect.mpeg | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\GrantPop.M2T | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\GroupRead.jpe | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\JoinPop.xht | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\InvokePop.vsw | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\RestartSet.bmp | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\UnblockFind.xps | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\BlockReceive.pub | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\ConnectNew.htm | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\CompressEnter.i64 | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\CopyBackup.xltm | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\InvokeSet.easmx | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\SubmitLimit.rtf | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\UnregisterResume.vsdx | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\CompleteRedo.mp3 | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\DenyDebug.doc | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\LockResume.mp3 | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\ResetApprove.mov | svhostdbg.bin.exe
File created | \??\c:\program files\b67houibri-readme.txt | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\ConnectRead.asx | svhostdbg.bin.exe
File opened for modification | \??\c:\program files\DenyEnable.aif | svhostdbg.bin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: svhostdbg.bin.exe
pid | process
656 | svhostdbg.bin.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: svhostdbg.bin.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 656 | svhostdbg.bin.exe
Token: SeTakeOwnershipPrivilege | 656 | svhostdbg.bin.exe
Token: SeBackupPrivilege | 1312 | vssvc.exe
Token: SeRestorePrivilege | 1312 | vssvc.exe
Token: SeAuditPrivilege | 1312 | vssvc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\svhostdbg.bin.exe
command line: "C:\Users\Admin\AppData\Local\Temp\svhostdbg.bin.exe"
PID: 656
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID: 2372

C:\Windows\system32\vssvc.exe
command line: C:\Windows\system32\vssvc.exe
PID: 1312
- Suspicious use of AdjustPrivilegeToken