Analysis
max time kernel: 160s
max time network: 164s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 00:46
Static task: static1
Behavioral task: behavioral1
  Sample: eac0fb771a2da0172395a5b21d02ce5ee6ae6d0e949214195e3fe4f46df566d3.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: eac0fb771a2da0172395a5b21d02ce5ee6ae6d0e949214195e3fe4f46df566d3.dll
  Resource: win10-en-20211208
General
Target: eac0fb771a2da0172395a5b21d02ce5ee6ae6d0e949214195e3fe4f46df566d3.dll
Size: 119KB
MD5: e9329f1fcd4f2bcd9a283b3308f4b552
SHA1: 52ff05217b158ef4df9dca6a8cf14f1e003a4d45
SHA256: eac0fb771a2da0172395a5b21d02ce5ee6ae6d0e949214195e3fe4f46df566d3
SHA512: 4d3eebaf20486bacb7c13cdab4653496162bde433016e85e60ef59963ba834c0a21f3e8d057ddc014547bf671c24bf9d89a95c1004fe909a414c546ca40a3775
Malware Config
Extracted from: C:\8hiuv77a0-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8883FFF8357D343D
  http://decoder.re/8883FFF8357D343D
Both URLs end in the same path segment (8883FFF8357D343D), the per-victim identifier the note assigns to this infection. The note's file name follows this family's <extension>-readme.txt pattern, so 8hiuv77a0 is the extension appended to encrypted files in this run.
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: regsvr32.exe
description              ioc     process
File opened (read-only)  \??\A:  regsvr32.exe
File opened (read-only)  \??\B:  regsvr32.exe
File opened (read-only)  \??\E:  regsvr32.exe
File opened (read-only)  \??\F:  regsvr32.exe
File opened (read-only)  \??\G:  regsvr32.exe
File opened (read-only)  \??\H:  regsvr32.exe
File opened (read-only)  \??\I:  regsvr32.exe
File opened (read-only)  \??\J:  regsvr32.exe
File opened (read-only)  \??\K:  regsvr32.exe
File opened (read-only)  \??\L:  regsvr32.exe
File opened (read-only)  \??\M:  regsvr32.exe
File opened (read-only)  \??\N:  regsvr32.exe
File opened (read-only)  \??\O:  regsvr32.exe
File opened (read-only)  \??\P:  regsvr32.exe
File opened (read-only)  \??\Q:  regsvr32.exe
File opened (read-only)  \??\R:  regsvr32.exe
File opened (read-only)  \??\S:  regsvr32.exe
File opened (read-only)  \??\T:  regsvr32.exe
File opened (read-only)  \??\U:  regsvr32.exe
File opened (read-only)  \??\V:  regsvr32.exe
File opened (read-only)  \??\W:  regsvr32.exe
File opened (read-only)  \??\X:  regsvr32.exe
File opened (read-only)  \??\Y:  regsvr32.exe
File opened (read-only)  \??\Z:  regsvr32.exe
The sample opens the root of every drive letter except C: and D:, including letters that have no volume in the sandbox, which is consistent with a sweep over the whole alphabet rather than a list of mounted volumes.
Drops file in Program Files directory (25 IoCs)
Process: regsvr32.exe
description                   ioc                                                process
File created                  \??\c:\program files\8hiuv77a0-readme.txt          regsvr32.exe
File created                  \??\c:\program files (x86)\8hiuv77a0-readme.txt    regsvr32.exe
File opened for modification  \??\c:\program files\ApproveFind.xlsm              regsvr32.exe
File opened for modification  \??\c:\program files\ConvertExport.wm              regsvr32.exe
File opened for modification  \??\c:\program files\ExpandComplete.3g2            regsvr32.exe
File opened for modification  \??\c:\program files\FindSend.rle                  regsvr32.exe
File opened for modification  \??\c:\program files\InstallSwitch.rm              regsvr32.exe
File opened for modification  \??\c:\program files\MountUpdate.aifc              regsvr32.exe
File opened for modification  \??\c:\program files\PopMerge.asf                  regsvr32.exe
File opened for modification  \??\c:\program files\ReceiveHide.dwfx              regsvr32.exe
File opened for modification  \??\c:\program files\RegisterTrace.midi            regsvr32.exe
File opened for modification  \??\c:\program files\ResetDeny.3gpp                regsvr32.exe
File opened for modification  \??\c:\program files\ResetGet.mp4                  regsvr32.exe
File opened for modification  \??\c:\program files\ResizeFind.xlt                regsvr32.exe
File opened for modification  \??\c:\program files\RevokeConvert.aif             regsvr32.exe
File opened for modification  \??\c:\program files\RevokeRepair.sql              regsvr32.exe
File opened for modification  \??\c:\program files\SendUnlock.wm                 regsvr32.exe
File opened for modification  \??\c:\program files\TestUse.xlt                   regsvr32.exe
File opened for modification  \??\c:\program files\UnblockConvert.7z             regsvr32.exe
File opened for modification  \??\c:\program files\UninstallUpdate.ps1xml        regsvr32.exe
File opened for modification  \??\c:\program files\UnprotectDismount.au          regsvr32.exe
File opened for modification  \??\c:\program files\UseTest.ini                   regsvr32.exe
File opened for modification  \??\c:\program files\WaitBlock.js                  regsvr32.exe
File opened for modification  \??\c:\program files\WaitWatch.mpeg                regsvr32.exe
File opened for modification  \??\c:\program files\WriteMeasure.docx             regsvr32.exe
The two "File created" entries are the ransom note written into both Program Files trees; the 23 "File opened for modification" entries cover the analysis environment's bait files (documents, media, archives and scripts alike), which is the write pattern of the encryption pass.
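The two signatures above (drive root enumeration and the note drop plus mass modification in Program Files) are mechanical enough to check automatically. The following is an added example, not part of the sandbox report or the sample: it parses rows in the report's "description ioc process" shape, counts non-C: drive roots and ransom-note directories per process, and applies thresholds. The input rows are a constructed subset of this report's IoCs plus one benign explorer.exe row; the thresholds (8 roots, 2 note directories) and the `-readme.txt` name pattern are this example's assumptions, not sandbox values.

```python
"""Flag ransomware-style drive sweeps and ransom-note drops in sandbox IoC rows."""
import re
from collections import defaultdict

# Constructed input: a subset of this report's rows, one per line, plus one
# benign row (explorer.exe opening C:) for contrast.
SAMPLE_IOCS = r"""
File opened (read-only) \??\G: regsvr32.exe
File opened (read-only) \??\W: regsvr32.exe
File opened (read-only) \??\Y: regsvr32.exe
File opened (read-only) \??\B: regsvr32.exe
File opened (read-only) \??\I: regsvr32.exe
File opened (read-only) \??\K: regsvr32.exe
File opened (read-only) \??\M: regsvr32.exe
File opened (read-only) \??\P: regsvr32.exe
File opened (read-only) \??\T: regsvr32.exe
File opened (read-only) \??\A: regsvr32.exe
File opened for modification \??\c:\program files\FindSend.rle regsvr32.exe
File opened for modification \??\c:\program files\ReceiveHide.dwfx regsvr32.exe
File created \??\c:\program files\8hiuv77a0-readme.txt regsvr32.exe
File created \??\c:\program files (x86)\8hiuv77a0-readme.txt regsvr32.exe
File opened for modification \??\c:\program files\WriteMeasure.docx regsvr32.exe
File opened (read-only) \??\C: explorer.exe
"""

DESCRIPTIONS = ("File opened (read-only)", "File opened for modification", "File created")
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")        # \??\X: (NT object path of a root)
RANSOM_NOTE = re.compile(r"-readme\.txt$", re.IGNORECASE)  # note name pattern seen in this report (assumption)


def parse_ioc(line):
    """Split one row into (description, path, process); None if it is not an IoC row."""
    line = line.strip()
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            rest = line[len(desc) + 1:]
            # The process name is the last token; the path itself may contain spaces.
            path, _, process = rest.rpartition(" ")
            if path and process:
                return desc, path, process
    return None


def summarize(text):
    """Per-process counters: drive roots opened, ransom-note directories, files modified."""
    stats = defaultdict(lambda: {"drives": set(), "note_dirs": set(), "modified": 0})
    for line in text.splitlines():
        parsed = parse_ioc(line)
        if parsed is None:
            continue
        desc, path, proc = parsed
        m = DRIVE_ROOT.match(path)
        if m:
            stats[proc]["drives"].add(m.group(1).upper())
        elif desc == "File created" and RANSOM_NOTE.search(path):
            stats[proc]["note_dirs"].add(path.rsplit("\\", 1)[0].lower())
        elif desc == "File opened for modification":
            stats[proc]["modified"] += 1
    return stats


def assess(text, drive_threshold=8, note_threshold=2):
    """Return {process: [flag strings]}; thresholds are this example's assumptions."""
    flags = {}
    for proc, s in summarize(text).items():
        hits = []
        non_system = s["drives"] - {"C"}  # the report's rule: roots other than C:
        if len(non_system) >= drive_threshold:
            hits.append(f"drive sweep: {len(non_system)} non-C: roots opened")
        if len(s["note_dirs"]) >= note_threshold:
            hits.append(f"ransom note dropped in {len(s['note_dirs'])} directories")
        if s["modified"] and s["note_dirs"]:
            hits.append(f"{s['modified']} files opened for modification alongside note drop")
        flags[proc] = hits
    return flags


if __name__ == "__main__":
    for proc, hits in assess(SAMPLE_IOCS).items():
        print(proc, "->", hits or ["no flags"])
```

On the constructed input, regsvr32.exe trips all three checks and explorer.exe trips none; on the full report the drive count would be 24, which is why the threshold is deliberately well below that.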
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: regsvr32.exe
pid  process
980  regsvr32.exe
980  regsvr32.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: regsvr32.exe, vssvc.exe
description                      pid  process
Token: SeDebugPrivilege          980  regsvr32.exe
Token: SeTakeOwnershipPrivilege  980  regsvr32.exe
Token: SeBackupPrivilege         660  vssvc.exe
Token: SeRestorePrivilege        660  vssvc.exe
Token: SeAuditPrivilege          660  vssvc.exe
The two privileges enabled in regsvr32.exe are the ones a DLL registration has no use for: SeDebugPrivilege for access to other processes and SeTakeOwnershipPrivilege for seizing files whose ACLs would otherwise block the encryption pass. The backup/restore/audit privileges belong to vssvc.exe, the Volume Shadow Copy service, and are normal for that service; the notable fact is that it was started during the run at all.
Suspicious use of WriteProcessMemory (3 IoCs)
Process: regsvr32.exe
description                         pid   process       target process
PID 3760 wrote to memory of 980     3760  regsvr32.exe  regsvr32.exe
PID 3760 wrote to memory of 980     3760  regsvr32.exe  regsvr32.exe
PID 3760 wrote to memory of 980     3760  regsvr32.exe  regsvr32.exe
Processes
C:\Windows\system32\regsvr32.exe (PID 3760)
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\eac0fb771a2da0172395a5b21d02ce5ee6ae6d0e949214195e3fe4f46df566d3.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (PID 980, child of 3760)
    /s C:\Users\Admin\AppData\Local\Temp\eac0fb771a2da0172395a5b21d02ce5ee6ae6d0e949214195e3fe4f46df566d3.dll
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\unsecapp.exe (PID 3560)
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe (PID 660)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
The 64-bit regsvr32.exe was given a 32-bit DLL and, as regsvr32 does in that case, re-launched its SysWOW64 counterpart with the same arguments; the payload therefore runs in PID 980, every encryption-related signature is attributed to that child, and the parent's only finding is the WriteProcessMemory activity from creating it. unsecapp.exe with -Embedding is the WMI callback host and vssvc.exe is the Volume Shadow Copy service; both appearing mid-run is consistent with the sample interacting with WMI and shadow copies, although the report does not show the calls that started them.