Analysis
max time kernel: 150s
max time network: 153s
platform: windows10_x64
resource: win10v20210410
submitted: 07-06-2021 06:40
Static task: static1
Behavioral task: behavioral1
  Sample: 6de45c62ce1024829017e4e46177ee4df4b79f296c519bba0755963aecc92f79.bin.sample.dll
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 6de45c62ce1024829017e4e46177ee4df4b79f296c519bba0755963aecc92f79.bin.sample.dll
  Resource: win10v20210410
General
Target: 6de45c62ce1024829017e4e46177ee4df4b79f296c519bba0755963aecc92f79.bin.sample.dll
Size: 122KB
MD5: 3bd469353983cd9ae85eae534a84a668
SHA1: e0556ea1335207f0bf0a12a8b947d9c04ef69d52
SHA256: 6de45c62ce1024829017e4e46177ee4df4b79f296c519bba0755963aecc92f79
SHA512: 0d5ebd7edead562fefeaad840ef1fe421adfe2e4dc2123637cad75226571f253c333c5991ce8935c144b3f0e89a7b60839a62cc9823ddea1491ee4c4d8fe2184
Malware Config
Extracted
C:\d62705-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/508996C823A90E2C
http://decoder.re/508996C823A90E2C
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies Windows Firewall 1 TTPs

Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\BackupStop.raw => \??\c:\users\admin\pictures\BackupStop.raw.d62705 | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\SelectMeasure.crw => \??\c:\users\admin\pictures\SelectMeasure.crw.d62705 | regsvr32.exe

Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: regsvr32.exe
description | ioc | process
File opened (read-only) | \??\U: | regsvr32.exe
File opened (read-only) | \??\X: | regsvr32.exe
File opened (read-only) | \??\Z: | regsvr32.exe
File opened (read-only) | \??\D: | regsvr32.exe
File opened (read-only) | \??\J: | regsvr32.exe
File opened (read-only) | \??\M: | regsvr32.exe
File opened (read-only) | \??\H: | regsvr32.exe
File opened (read-only) | \??\I: | regsvr32.exe
File opened (read-only) | \??\L: | regsvr32.exe
File opened (read-only) | \??\O: | regsvr32.exe
File opened (read-only) | \??\R: | regsvr32.exe
File opened (read-only) | \??\S: | regsvr32.exe
File opened (read-only) | \??\B: | regsvr32.exe
File opened (read-only) | \??\E: | regsvr32.exe
File opened (read-only) | \??\T: | regsvr32.exe
File opened (read-only) | \??\V: | regsvr32.exe
File opened (read-only) | \??\Y: | regsvr32.exe
File opened (read-only) | \??\N: | regsvr32.exe
File opened (read-only) | \??\W: | regsvr32.exe
File opened (read-only) | \??\G: | regsvr32.exe
File opened (read-only) | \??\K: | regsvr32.exe
File opened (read-only) | \??\P: | regsvr32.exe
File opened (read-only) | \??\Q: | regsvr32.exe
File opened (read-only) | \??\A: | regsvr32.exe
File opened (read-only) | \??\F: | regsvr32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: regsvr32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8vvq8ayr832.bmp" | regsvr32.exe

Drops file in Program Files directory 33 IoCs
Processes: regsvr32.exe
description | ioc | process
File created | \??\c:\program files\tmp | regsvr32.exe
File opened for modification | \??\c:\program files\BlockCompress.cfg | regsvr32.exe
File opened for modification | \??\c:\program files\ClearFind.pcx | regsvr32.exe
File opened for modification | \??\c:\program files\JoinStart.jpeg | regsvr32.exe
File opened for modification | \??\c:\program files\RegisterStart.mht | regsvr32.exe
File created | \??\c:\program files\d62705-readme.txt | regsvr32.exe
File opened for modification | \??\c:\program files\RenameSend.wps | regsvr32.exe
File opened for modification | \??\c:\program files\MeasureBlock.7z | regsvr32.exe
File opened for modification | \??\c:\program files\ResolveDismount.mpv2 | regsvr32.exe
File opened for modification | \??\c:\program files\EnableUninstall.aifc | regsvr32.exe
File opened for modification | \??\c:\program files\ExitInitialize.wma | regsvr32.exe
File opened for modification | \??\c:\program files\ReceiveUnregister.contact | regsvr32.exe
File opened for modification | \??\c:\program files\RenameClear.mp4v | regsvr32.exe
File opened for modification | \??\c:\program files\GetComplete.3g2 | regsvr32.exe
File opened for modification | \??\c:\program files\RemoveExpand.css | regsvr32.exe
File created | \??\c:\program files (x86)\tmp | regsvr32.exe
File created | \??\c:\program files (x86)\d62705-readme.txt | regsvr32.exe
File opened for modification | \??\c:\program files\CheckpointInstall.WTV | regsvr32.exe
File opened for modification | \??\c:\program files\CompressNew.pptx | regsvr32.exe
File opened for modification | \??\c:\program files\DebugUnblock.TTS | regsvr32.exe
File opened for modification | \??\c:\program files\FormatConvertTo.AAC | regsvr32.exe
File opened for modification | \??\c:\program files\SubmitOpen.shtml | regsvr32.exe
File opened for modification | \??\c:\program files\TestSend.M2V | regsvr32.exe
File opened for modification | \??\c:\program files\UnregisterRestore.asx | regsvr32.exe
File opened for modification | \??\c:\program files\ProtectRequest.TTS | regsvr32.exe
File opened for modification | \??\c:\program files\SyncInstall.mhtml | regsvr32.exe
File opened for modification | \??\c:\program files\SuspendRename.mpp | regsvr32.exe
File opened for modification | \??\c:\program files\AddRestart.vdx | regsvr32.exe
File opened for modification | \??\c:\program files\CloseUnblock.odt | regsvr32.exe
File opened for modification | \??\c:\program files\ImportShow.DVR | regsvr32.exe
File opened for modification | \??\c:\program files\InitializeSet.jtx | regsvr32.exe
File opened for modification | \??\c:\program files\PopResolve.tif | regsvr32.exe
File opened for modification | \??\c:\program files\SetLock.pub | regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: regsvr32.exe
pid | process
2888 | regsvr32.exe
2888 | regsvr32.exe
2888 | regsvr32.exe
2888 | regsvr32.exe
2888 | regsvr32.exe
2888 | regsvr32.exe
2888 | regsvr32.exe
2888 | regsvr32.exe
2888 | regsvr32.exe
2888 | regsvr32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: regsvr32.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 2888 | regsvr32.exe
Token: SeTakeOwnershipPrivilege | 2888 | regsvr32.exe
Token: SeBackupPrivilege | 2248 | vssvc.exe
Token: SeRestorePrivilege | 2248 | vssvc.exe
Token: SeAuditPrivilege | 2248 | vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs
Processes: regsvr32.exe, regsvr32.exe
description | pid | process | target process
PID 3700 wrote to memory of 2888 | 3700 | regsvr32.exe | regsvr32.exe
PID 3700 wrote to memory of 2888 | 3700 | regsvr32.exe | regsvr32.exe
PID 3700 wrote to memory of 2888 | 3700 | regsvr32.exe | regsvr32.exe
PID 2888 wrote to memory of 2200 | 2888 | regsvr32.exe | netsh.exe
PID 2888 wrote to memory of 2200 | 2888 | regsvr32.exe | netsh.exe
PID 2888 wrote to memory of 2200 | 2888 | regsvr32.exe | netsh.exe
Processes

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6de45c62ce1024829017e4e46177ee4df4b79f296c519bba0755963aecc92f79.bin.sample.dll
  PID: 3700
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\6de45c62ce1024829017e4e46177ee4df4b79f296c519bba0755963aecc92f79.bin.sample.dll
    PID: 2888
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      PID: 2200

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2720

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2248
  - Suspicious use of AdjustPrivilegeToken