Analysis

max time kernel: 142s
max time network: 141s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 00:48

Static task: static1

Behavioral task: behavioral1
  Sample: e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
  Resource: win10-en-20211208
General

Target: e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
Size: 118KB
MD5: 4e142923b149ab179984940e1bfb6041
SHA1: f20a1803e38b4d7b9437d53a95403fb0b6387f11
SHA256: e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606
SHA512: 6f6ece3f0152811348e44630a3139f2f6ed46fc43de97cceaabe35616abdb2c4e84ddd2e4b2c6350a78a49b8323910d09dc342c5836a2d882e23f76f2aee6fa2
Malware Config

Extracted
  Path: C:\i0uddnw1w7-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/657C035421994DBD
    http://decoder.re/657C035421994DBD
Signatures

Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: regsvr32.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\RequestDeny.crw => \??\c:\users\admin\pictures\RequestDeny.crw.i0uddnw1w7 | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\SyncGrant.png => \??\c:\users\admin\pictures\SyncGrant.png.i0uddnw1w7 | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\ProtectApprove.crw => \??\c:\users\admin\pictures\ProtectApprove.crw.i0uddnw1w7 | regsvr32.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: regsvr32.exe
  description | ioc | process
  File opened (read-only) | \??\A: | regsvr32.exe
  File opened (read-only) | \??\K: | regsvr32.exe
  File opened (read-only) | \??\Q: | regsvr32.exe
  File opened (read-only) | \??\S: | regsvr32.exe
  File opened (read-only) | \??\X: | regsvr32.exe
  File opened (read-only) | \??\D: | regsvr32.exe
  File opened (read-only) | \??\R: | regsvr32.exe
  File opened (read-only) | \??\V: | regsvr32.exe
  File opened (read-only) | \??\B: | regsvr32.exe
  File opened (read-only) | \??\E: | regsvr32.exe
  File opened (read-only) | \??\L: | regsvr32.exe
  File opened (read-only) | \??\M: | regsvr32.exe
  File opened (read-only) | \??\N: | regsvr32.exe
  File opened (read-only) | \??\P: | regsvr32.exe
  File opened (read-only) | \??\W: | regsvr32.exe
  File opened (read-only) | \??\F: | regsvr32.exe
  File opened (read-only) | \??\G: | regsvr32.exe
  File opened (read-only) | \??\I: | regsvr32.exe
  File opened (read-only) | \??\J: | regsvr32.exe
  File opened (read-only) | \??\T: | regsvr32.exe
  File opened (read-only) | \??\H: | regsvr32.exe
  File opened (read-only) | \??\O: | regsvr32.exe
  File opened (read-only) | \??\U: | regsvr32.exe
  File opened (read-only) | \??\Y: | regsvr32.exe
  File opened (read-only) | \??\Z: | regsvr32.exe
Drops file in Program Files directory (21 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\BackupPing.gif | regsvr32.exe
  File opened for modification | \??\c:\program files\DisableUndo.clr | regsvr32.exe
  File opened for modification | \??\c:\program files\InvokeLock.txt | regsvr32.exe
  File opened for modification | \??\c:\program files\ResumeWait.xps | regsvr32.exe
  File opened for modification | \??\c:\program files\StartPing.DVR | regsvr32.exe
  File opened for modification | \??\c:\program files\CopyRename.dwfx | regsvr32.exe
  File opened for modification | \??\c:\program files\OpenResize.cr2 | regsvr32.exe
  File opened for modification | \??\c:\program files\SyncGet.ini | regsvr32.exe
  File opened for modification | \??\c:\program files\ExpandCheckpoint.m4a | regsvr32.exe
  File opened for modification | \??\c:\program files\FindSwitch.reg | regsvr32.exe
  File opened for modification | \??\c:\program files\OptimizeSplit.css | regsvr32.exe
  File opened for modification | \??\c:\program files\RedoRequest.emz | regsvr32.exe
  File opened for modification | \??\c:\program files\UseSplit.jpg | regsvr32.exe
  File opened for modification | \??\c:\program files\CompleteAdd.contact | regsvr32.exe
  File opened for modification | \??\c:\program files\CopyStep.tmp | regsvr32.exe
  File opened for modification | \??\c:\program files\DismountGroup.dwfx | regsvr32.exe
  File opened for modification | \??\c:\program files\ProtectConvertTo.mhtml | regsvr32.exe
  File opened for modification | \??\c:\program files\RegisterOut.3gp | regsvr32.exe
  File opened for modification | \??\c:\program files\ResumeTest.mpg | regsvr32.exe
  File opened for modification | \??\c:\program files\StopMount.TS | regsvr32.exe
  File opened for modification | \??\c:\program files\SuspendSearch.ini | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: regsvr32.exe
  pid | process
  1344 | regsvr32.exe
  1344 | regsvr32.exe
  1344 | regsvr32.exe
  1344 | regsvr32.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: regsvr32.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1344 | regsvr32.exe
  Token: SeTakeOwnershipPrivilege | 1344 | regsvr32.exe
  Token: SeBackupPrivilege | 1060 | vssvc.exe
  Token: SeRestorePrivilege | 1060 | vssvc.exe
  Token: SeAuditPrivilege | 1060 | vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  description | pid | process | target process
  PID 2268 wrote to memory of 1344 | 2268 | regsvr32.exe | regsvr32.exe
  PID 2268 wrote to memory of 1344 | 2268 | regsvr32.exe | regsvr32.exe
  PID 2268 wrote to memory of 1344 | 2268 | regsvr32.exe | regsvr32.exe
Processes

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
  PID: 2268
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\e5bbe16980677d0336ae0e6830ac887bf072c70caa6d9536ba146e0809bfa606.dll
      PID: 1344
      - Modifies extensions of user files
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1188

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1060
  - Suspicious use of AdjustPrivilegeToken