Analysis

- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:48
Static task: static1

Behavioral task: behavioral1
- Sample: e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
- Resource: win10-en-20211208
General

- Target: e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
- Size: 118KB
- MD5: 4e142923b149ab179984940e1bfb6041
- SHA1: f20a1803e38b4d7b9437d53a95403fb0b6387f11
- SHA256: e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606
- SHA512: 6f6ece3f0152811348e44630a3139f2f6ed46fc43de97cceaabe35616abdb2c4e84ddd2e4b2c6350a78a49b8323910d09dc342c5836a2d882e23f76f2aee6fa2
Malware Config

Extracted from: C:\e5488n840d-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5D2FE04015D326B1
- http://decoder.re/5D2FE04015D326B1
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
- File renamed: C:\Users\Admin\Pictures\NewUnblock.tiff => \??\c:\users\admin\pictures\NewUnblock.tiff.e5488n840d (regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\RedoLimit.tif => \??\c:\users\admin\pictures\RedoLimit.tif.e5488n840d (regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\SearchConnect.png => \??\c:\users\admin\pictures\SearchConnect.png.e5488n840d (regsvr32.exe)
- File opened for modification: \??\c:\users\admin\pictures\SelectWrite.tiff (regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\ClearSave.tif => \??\c:\users\admin\pictures\ClearSave.tif.e5488n840d (regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\RestoreCompare.raw => \??\c:\users\admin\pictures\RestoreCompare.raw.e5488n840d (regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\SelectWrite.tiff => \??\c:\users\admin\pictures\SelectWrite.tiff.e5488n840d (regsvr32.exe)
- File opened for modification: \??\c:\users\admin\pictures\NewUnblock.tiff (regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\InstallConvertTo.png => \??\c:\users\admin\pictures\InstallConvertTo.png.e5488n840d (regsvr32.exe)

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: regsvr32.exe
- File opened (read-only): \??\B: (regsvr32.exe)
- File opened (read-only): \??\F: (regsvr32.exe)
- File opened (read-only): \??\G: (regsvr32.exe)
- File opened (read-only): \??\K: (regsvr32.exe)
- File opened (read-only): \??\V: (regsvr32.exe)
- File opened (read-only): \??\Z: (regsvr32.exe)
- File opened (read-only): \??\E: (regsvr32.exe)
- File opened (read-only): \??\I: (regsvr32.exe)
- File opened (read-only): \??\N: (regsvr32.exe)
- File opened (read-only): \??\O: (regsvr32.exe)
- File opened (read-only): \??\R: (regsvr32.exe)
- File opened (read-only): \??\X: (regsvr32.exe)
- File opened (read-only): \??\Y: (regsvr32.exe)
- File opened (read-only): \??\H: (regsvr32.exe)
- File opened (read-only): \??\M: (regsvr32.exe)
- File opened (read-only): \??\S: (regsvr32.exe)
- File opened (read-only): \??\U: (regsvr32.exe)
- File opened (read-only): \??\W: (regsvr32.exe)
- File opened (read-only): \??\A: (regsvr32.exe)
- File opened (read-only): \??\J: (regsvr32.exe)
- File opened (read-only): \??\L: (regsvr32.exe)
- File opened (read-only): \??\P: (regsvr32.exe)
- File opened (read-only): \??\Q: (regsvr32.exe)
- File opened (read-only): \??\T: (regsvr32.exe)
- File opened (read-only): \??\D: (regsvr32.exe)

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: regsvr32.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x50k6f.bmp" (regsvr32.exe)

Drops file in Program Files directory (23 IoCs)
Processes: regsvr32.exe
- File opened for modification: \??\c:\program files\PublishOut.jpeg (regsvr32.exe)
- File opened for modification: \??\c:\program files\DenyInvoke.mhtml (regsvr32.exe)
- File opened for modification: \??\c:\program files\DisconnectRename.cfg (regsvr32.exe)
- File opened for modification: \??\c:\program files\DisconnectSync.tif (regsvr32.exe)
- File opened for modification: \??\c:\program files\InstallEnter.bmp (regsvr32.exe)
- File opened for modification: \??\c:\program files\ReceiveWatch.kix (regsvr32.exe)
- File opened for modification: \??\c:\program files\ResumePush.wav (regsvr32.exe)
- File opened for modification: \??\c:\program files\TraceBackup.clr (regsvr32.exe)
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\e5488n840d-readme.txt (regsvr32.exe)
- File opened for modification: \??\c:\program files\ImportOut.xlsb (regsvr32.exe)
- File opened for modification: \??\c:\program files\OpenComplete.3gp (regsvr32.exe)
- File opened for modification: \??\c:\program files\PingSync.tiff (regsvr32.exe)
- File opened for modification: \??\c:\program files\PushStart.js (regsvr32.exe)
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\e5488n840d-readme.txt (regsvr32.exe)
- File opened for modification: \??\c:\program files\UnlockTrace.wma (regsvr32.exe)
- File opened for modification: \??\c:\program files\DenyImport.tif (regsvr32.exe)
- File opened for modification: \??\c:\program files\EditRename.svgz (regsvr32.exe)
- File opened for modification: \??\c:\program files\SendConvertFrom.wax (regsvr32.exe)
- File opened for modification: \??\c:\program files\SplitRemove.m4a (regsvr32.exe)
- File opened for modification: \??\c:\program files\MoveConfirm.001 (regsvr32.exe)
- File opened for modification: \??\c:\program files\PublishCopy.ppt (regsvr32.exe)
- File opened for modification: \??\c:\program files\RevokeLimit.html (regsvr32.exe)
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\e5488n840d-readme.txt (regsvr32.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: regsvr32.exe
- PID 1380 regsvr32.exe (2 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: regsvr32.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 1380 (regsvr32.exe)
- Token: SeTakeOwnershipPrivilege, PID 1380 (regsvr32.exe)
- Token: SeBackupPrivilege, PID 336 (vssvc.exe)
- Token: SeRestorePrivilege, PID 336 (vssvc.exe)
- Token: SeAuditPrivilege, PID 336 (vssvc.exe)

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe
- PID 1672 (regsvr32.exe) wrote to memory of PID 1380 (regsvr32.exe), 7 identical events
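The signature rows above are the output of behaviour checks over the sandbox's file and registry events. As an added example (not the sandbox's or the sample's code), the Python below re-implements four of those checks over a constructed subset of the report's own rows, kept in their "description ioc process" shape: it recovers the appended extension from the rename pairs, confirms that the dropped ransom note is named `<extension>-readme.txt` as this report shows, collects the non-C: drive roots probed by one process, and flags a Wallpaper value pointed at an image under the user's Temp directory. The `EVENTS` subset and the `min_drives` threshold are assumptions.

```python
"""Re-check the file and registry signatures above from raw event rows.

Added example for this report, not sandbox-vendor or sample code. EVENTS is
constructed from a subset of the report's own IoC rows in their
"description ioc process" shape.
"""
import re
from collections import Counter

EVENTS = r"""
File renamed C:\Users\Admin\Pictures\NewUnblock.tiff => \??\c:\users\admin\pictures\NewUnblock.tiff.e5488n840d regsvr32.exe
File renamed C:\Users\Admin\Pictures\RedoLimit.tif => \??\c:\users\admin\pictures\RedoLimit.tif.e5488n840d regsvr32.exe
File opened for modification \??\c:\users\admin\pictures\SelectWrite.tiff regsvr32.exe
File renamed C:\Users\Admin\Pictures\SelectWrite.tiff => \??\c:\users\admin\pictures\SelectWrite.tiff.e5488n840d regsvr32.exe
File created \??\c:\program files (x86)\microsoft sql server compact edition\e5488n840d-readme.txt regsvr32.exe
File opened (read-only) \??\B: regsvr32.exe
File opened (read-only) \??\D: regsvr32.exe
File opened (read-only) \??\E: regsvr32.exe
File opened (read-only) \??\F: regsvr32.exe
File opened (read-only) \??\G: regsvr32.exe
File opened (read-only) \??\Z: regsvr32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x50k6f.bmp" regsvr32.exe
"""

ACTIONS = ("File renamed", "File opened for modification",
           "File opened (read-only)", "File created", "Set value (str)")
_EVENT = re.compile("^(" + "|".join(map(re.escape, ACTIONS)) + r") (.+) (\S+)$")
_DRIVE_ROOT = re.compile(r"\\\?\?\\([A-Za-z]):$")


def parse_events(text):
    """Split rows into (action, ioc, process) records; the process is always the last token."""
    events = []
    for line in text.strip().splitlines():
        m = _EVENT.match(line)
        if not m:
            raise ValueError(f"unrecognised event row: {line!r}")
        events.append({"action": m[1], "ioc": m[2], "process": m[3]})
    return events


def _norm(path):
    """Drop the NT object-manager prefix some rows carry and lower-case, so both path styles compare equal."""
    return (path[4:] if path.startswith("\\??\\") else path).lower()


def appended_extensions(events):
    """Count the suffix appended by each rename of the form old_name -> old_name.<suffix>."""
    counts = Counter()
    for ev in events:
        if ev["action"] == "File renamed":
            src, _, dst = ev["ioc"].partition(" => ")
            src, dst = _norm(src), _norm(dst)
            if dst.startswith(src + "."):
                counts[dst[len(src) + 1:]] += 1
    return counts


def ransom_notes(events, ext):
    """Created files named '<ext>-readme.txt': in this report the note name carries the appended extension."""
    if ext is None:
        return []
    want = f"{ext.lower()}-readme.txt"
    return [ev["ioc"] for ev in events
            if ev["action"] == "File created" and _norm(ev["ioc"]).rsplit("\\", 1)[-1] == want]


def drive_sweep(events, min_drives=5):
    """Per process, the non-C: drive roots opened read-only. Probing many letters (most absent
    in the VM) is the enumeration behaviour; min_drives is an assumed threshold."""
    roots = {}
    for ev in events:
        m = _DRIVE_ROOT.match(ev["ioc"]) if ev["action"] == "File opened (read-only)" else None
        if m and m[1].upper() != "C":
            roots.setdefault(ev["process"], set()).add(m[1].upper())
    return {proc: sorted(s) for proc, s in roots.items() if len(s) >= min_drives}


def wallpaper_from_temp(events):
    """Wallpaper values under Control Panel/Desktop that point at an image in the user's Temp directory."""
    hits = []
    for ev in events:
        if ev["action"] != "Set value (str)":
            continue
        key, _, value = ev["ioc"].partition(" = ")
        if key.lower().endswith("\\control panel\\desktop\\wallpaper"):
            path = value.strip('"').replace("\\\\", "\\")  # the report doubles backslashes inside the quoted value
            if "\\appdata\\local\\temp\\" in path.lower():
                hits.append(path)
    return hits


def evaluate(text):
    """Run all checks and return one summary, mirroring the report's signature blocks."""
    events = parse_events(text)
    ranked = appended_extensions(events).most_common(1)
    ext, renamed = ranked[0] if ranked else (None, 0)
    return {"extension": ext, "renamed_files": renamed,
            "ransom_notes": ransom_notes(events, ext),
            "drive_sweep": drive_sweep(events),
            "wallpaper": wallpaper_from_temp(events)}
```

Run `evaluate(EVENTS)`: the extension comes back as `e5488n840d` with three matching renames, the one note created under `microsoft sql server compact edition` is tied to that extension by name, six drive roots other than C: were probed by regsvr32.exe, and the wallpaper path resolves to `C:\Users\Admin\AppData\Local\Temp\x50k6f.bmp`. Deriving the extension from rename pairs rather than a fixed string is what lets the same check work on a sample with a different random suffix.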
Processes

- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
  PID: 1672
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
    PID: 1380
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 760
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 336
  - Suspicious use of AdjustPrivilegeToken
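The tree shows the 64-bit regsvr32.exe from System32 launching the SysWOW64 copy with the same `/s <dll>` arguments; every encryption signature attaches to the child (PID 1380), while the parent's only hit is WriteProcessMemory into that child. As an added example (not the sandbox's or the sample's code), the Python below rebuilds that tree from constructed process records and applies two checks a triage script would run over it: regsvr32 silently registering a DLL from a user-writable path, and the System32-to-SysWOW64 regsvr32 hop for the same DLL, plus a walk to the root process so activity is attributed to the original launch. The `USER_WRITABLE` markers and the `None` parent pids (the report shows no parent for the top-level processes) are assumptions.

```python
"""Reconstruct the process tree above and apply two triage checks to it.

Added example, not sandbox-vendor or sample code. PROCESSES is constructed
from the report's process list; a parent pid the report does not show is None,
and USER_WRITABLE is an assumed list of directory markers.
"""
import shlex
from pathlib import PureWindowsPath

DLL = r"C:\Users\Admin\AppData\Local\Temp\e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll"

PROCESSES = [
    {"pid": 1672, "ppid": None, "image": r"C:\Windows\system32\regsvr32.exe", "cmdline": f"regsvr32 /s {DLL}"},
    {"pid": 1380, "ppid": 1672, "image": r"C:\Windows\SysWOW64\regsvr32.exe", "cmdline": f"/s {DLL}"},
    {"pid": 760, "ppid": None, "image": r"C:\Windows\system32\wbem\unsecapp.exe",
     "cmdline": r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"},
    {"pid": 336, "ppid": None, "image": r"C:\Windows\system32\vssvc.exe", "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# Assumed: path fragments that mark directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")


def _args(cmdline):
    """Tokenise a Windows command line; posix=False keeps backslashes literal, quotes are then stripped."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _dll_arg(proc):
    """The .dll operand of a regsvr32 command line, lower-cased, or None."""
    return next((a.lower() for a in _args(proc["cmdline"]) if a.lower().endswith(".dll")), None)


def regsvr32_from_user_path(procs):
    """pids of regsvr32.exe registering a DLL silently (/s) from a user-writable directory."""
    hits = []
    for p in procs:
        if _basename(p["image"]) != "regsvr32.exe":
            continue
        silent = any(a.lower() in ("/s", "-s") for a in _args(p["cmdline"]))
        dll = _dll_arg(p)
        if silent and dll and any(marker in dll for marker in USER_WRITABLE):
            hits.append(p["pid"])
    return hits


def wow64_regsvr32_hop(procs):
    """(parent, child) pairs where a System32 regsvr32.exe spawned a SysWOW64 regsvr32.exe for the same DLL.

    That is the 64-bit host handing a 32-bit DLL to the 32-bit regsvr32, so the
    behaviour signatures land on the child pid, as they do in this report."""
    by_pid = {p["pid"]: p for p in procs}
    pairs = []
    for child in procs:
        parent = by_pid.get(child["ppid"])
        if (parent
                and _basename(parent["image"]) == _basename(child["image"]) == "regsvr32.exe"
                and "\\system32\\" in parent["image"].lower()
                and "\\syswow64\\" in child["image"].lower()
                and _dll_arg(child) is not None
                and _dll_arg(parent) == _dll_arg(child)):
            pairs.append((parent["pid"], child["pid"]))
    return pairs


def root_of(procs, pid):
    """Follow ppid links to the topmost process the report shows: the launch to attribute activity to."""
    by_pid = {p["pid"]: p for p in procs}
    while by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid
```

On the report's tree, `regsvr32_from_user_path` returns both regsvr32 pids, `wow64_regsvr32_hop` returns the single pair (1672, 1380), and `root_of(PROCESSES, 1380)` resolves the encryptor back to 1672, the process that was actually given the DLL. A regsvr32 call registering a DLL under Program Files produces no hit, which is the distinction worth preserving: regsvr32 itself is a signed system binary, and the signal is the silent flag combined with a DLL sitting in a user-writable location.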