Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
12-06-2021 11:15
Static task
static1
Behavioral task
behavioral1
Sample
1.dll
Resource
win7v20210410
Behavioral task
behavioral2
Sample
1.dll
Resource
win10v20210410
General
-
Target
1.dll
-
Size
74KB
-
MD5
d21ed47d54b873960867a6415f0df8e1
-
SHA1
5a965bba445a7b7e97f129845a5f280d91b23f50
-
SHA256
d7f5bd1e080f36eb2c3892e72d7dca07521ae7a6f556453d8e38a3d74105754c
-
SHA512
4f850d659def63e705b8b6d99dd2ef6a392c95f947bb314519dc33880d5bda42c19bba39bcae04aed89d1d6600db59028f33f7d3fd0d6b3b91cdb6d1f8b15cf7
Malware Config
Extracted
C:\31ui3b93da-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/64F9D9A943E5E574
http://decoder.re/64F9D9A943E5E574
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
regsvr32.exedescription ioc process File renamed C:\Users\Admin\Pictures\ExportBlock.raw => \??\c:\users\admin\pictures\ExportBlock.raw.31ui3b93da regsvr32.exe File renamed C:\Users\Admin\Pictures\SelectUnpublish.crw => \??\c:\users\admin\pictures\SelectUnpublish.crw.31ui3b93da regsvr32.exe -
Drops startup file 1 IoCs
Processes:
regsvr32.exedescription ioc process File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\31ui3b93da-readme.txt regsvr32.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
regsvr32.exedescription ioc process File opened (read-only) \??\E: regsvr32.exe File opened (read-only) \??\J: regsvr32.exe File opened (read-only) \??\O: regsvr32.exe File opened (read-only) \??\Q: regsvr32.exe File opened (read-only) \??\V: regsvr32.exe File opened (read-only) \??\B: regsvr32.exe File opened (read-only) \??\H: regsvr32.exe File opened (read-only) \??\L: regsvr32.exe File opened (read-only) \??\M: regsvr32.exe File opened (read-only) \??\S: regsvr32.exe File opened (read-only) \??\U: regsvr32.exe File opened (read-only) \??\W: regsvr32.exe File opened (read-only) \??\Y: regsvr32.exe File opened (read-only) \??\G: regsvr32.exe File opened (read-only) \??\N: regsvr32.exe File opened (read-only) \??\T: regsvr32.exe File opened (read-only) \??\Z: regsvr32.exe File opened (read-only) \??\I: regsvr32.exe File opened (read-only) \??\F: regsvr32.exe File opened (read-only) \??\K: regsvr32.exe File opened (read-only) \??\P: regsvr32.exe File opened (read-only) \??\R: regsvr32.exe File opened (read-only) \??\X: regsvr32.exe File opened (read-only) \??\D: regsvr32.exe File opened (read-only) \??\A: regsvr32.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\m055s89324680.bmp" regsvr32.exe -
Drops file in Program Files directory 33 IoCs
Processes:
regsvr32.exedescription ioc process File opened for modification \??\c:\program files\PublishImport.gif regsvr32.exe File opened for modification \??\c:\program files\RestartResolve.jpg regsvr32.exe File opened for modification \??\c:\program files\ResumeRead.docx regsvr32.exe File opened for modification \??\c:\program files\ShowComplete.docm regsvr32.exe File opened for modification \??\c:\program files\UseOut.jfif regsvr32.exe File created \??\c:\program files (x86)\31ui3b93da-readme.txt regsvr32.exe File opened for modification \??\c:\program files\PingPop.xsl regsvr32.exe File opened for modification \??\c:\program files\RequestPop.mov regsvr32.exe File opened for modification \??\c:\program files\UnlockSend.tif regsvr32.exe File opened for modification \??\c:\program files\SelectStop.vst regsvr32.exe File opened for modification \??\c:\program files\UnprotectEdit.001 regsvr32.exe File opened for modification \??\c:\program files\ConvertRegister.tif regsvr32.exe File opened for modification \??\c:\program files\SearchResolve.wmf regsvr32.exe File created \??\c:\program files\31ui3b93da-readme.txt regsvr32.exe File opened for modification \??\c:\program files\PublishUnlock.ppt regsvr32.exe File opened for modification \??\c:\program files\ReceiveUnblock.bmp regsvr32.exe File opened for modification \??\c:\program files\RestoreSave.xml regsvr32.exe File opened for modification \??\c:\program files\ProtectEnable.mid regsvr32.exe File opened for modification \??\c:\program files\ResetDisconnect.vstm regsvr32.exe File opened for modification \??\c:\program files\RestoreInvoke.TS regsvr32.exe File opened for modification \??\c:\program files\RevokeWatch.ttc regsvr32.exe File opened for modification \??\c:\program files\UseMount.ps1xml regsvr32.exe File opened for modification \??\c:\program files\CheckpointReceive.xlt regsvr32.exe File opened for modification \??\c:\program files\MountOut.ppsm regsvr32.exe File opened for modification \??\c:\program files\RepairInitialize.wax regsvr32.exe File opened for modification \??\c:\program files\OptimizeWatch.vsd regsvr32.exe File opened for modification \??\c:\program files\PushUpdate.emf regsvr32.exe File opened for modification \??\c:\program files\ConfirmTrace.docx regsvr32.exe File opened for modification \??\c:\program files\DisableSwitch.vst regsvr32.exe File opened for modification \??\c:\program files\RemoveUnregister.kix regsvr32.exe File opened for modification \??\c:\program files\ShowDeny.midi regsvr32.exe File opened for modification \??\c:\program files\AddConvert.mp3 regsvr32.exe File opened for modification \??\c:\program files\AddEnter.odt regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
regsvr32.exepid process 3184 regsvr32.exe 3184 regsvr32.exe 3184 regsvr32.exe 3184 regsvr32.exe 3184 regsvr32.exe 3184 regsvr32.exe 3184 regsvr32.exe 3184 regsvr32.exe 3184 regsvr32.exe 3184 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
regsvr32.exevssvc.exedescription pid process Token: SeDebugPrivilege 3184 regsvr32.exe Token: SeTakeOwnershipPrivilege 3184 regsvr32.exe Token: SeBackupPrivilege 1492 vssvc.exe Token: SeRestorePrivilege 1492 vssvc.exe Token: SeAuditPrivilege 1492 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
regsvr32.exedescription pid process target process PID 772 wrote to memory of 3184 772 regsvr32.exe regsvr32.exe PID 772 wrote to memory of 3184 772 regsvr32.exe regsvr32.exe PID 772 wrote to memory of 3184 772 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\1.dll1⤵
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\1.dll2⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3148
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3184-114-0x0000000000000000-mapping.dmp