Analysis
- max time kernel: 117s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 07:59
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: 16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
  - Resource: win10-en-20211208
General
- Target: 16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
- Size: 119KB
- MD5: 98b6a07962de11c389e8f420eb4f0fe4
- SHA1: ab9c70eff25fb0cc189d4950809822aaa05f7b86
- SHA256: 16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193
- SHA512: 950c5728b11295c86a0d3ca6cd8716175d28c9cf6affc340acfaef477dc24b52c51a649bf556d998ace6ae395c9e1f2ab732bff6e49f0aa97fcaad349866ab50
Malware Config
- Extracted from: C:\0pa6980309-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E38FA8B6505BBB2C
  - http://decoder.re/E38FA8B6505BBB2C
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
- File renamed: C:\Users\Admin\Pictures\UnpublishReset.raw => \??\c:\users\admin\pictures\UnpublishReset.raw.0pa6980309 (regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\FormatProtect.tif => \??\c:\users\admin\pictures\FormatProtect.tif.0pa6980309 (regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\SwitchConvert.raw => \??\c:\users\admin\pictures\SwitchConvert.raw.0pa6980309 (regsvr32.exe)
- File renamed: C:\Users\Admin\Pictures\FormatSplit.crw => \??\c:\users\admin\pictures\FormatSplit.crw.0pa6980309 (regsvr32.exe)
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: regsvr32.exe
- File opened (read-only) by regsvr32.exe, in the order recorded: \??\Z:, \??\M:, \??\O:, \??\R:, \??\S:, \??\W:, \??\X:, \??\B:, \??\K:, \??\L:, \??\D:, \??\A:, \??\E:, \??\H:, \??\I:, \??\Q:, \??\T:, \??\V:, \??\Y:, \??\F:, \??\G:, \??\J:, \??\N:, \??\P:, \??\U:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: regsvr32.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3t4jibieh65.bmp" (regsvr32.exe)
Drops file in Program Files directory (34 IoCs)
Processes: regsvr32.exe (every entry below was performed by regsvr32.exe)
- File opened for modification: \??\c:\program files\ProtectLimit.sql
- File opened for modification: \??\c:\program files\ResumeDisconnect.ttc
- File opened for modification: \??\c:\program files\TraceDisconnect.dib
- File opened for modification: \??\c:\program files\WriteRequest.cfg
- File created: \??\c:\program files\0pa6980309-readme.txt
- File opened for modification: \??\c:\program files\SetSwitch.clr
- File opened for modification: \??\c:\program files\SplitUndo.MTS
- File created: \??\c:\program files (x86)\0pa6980309-readme.txt
- File opened for modification: \??\c:\program files\DisconnectRename.jtx
- File opened for modification: \??\c:\program files\ExportCopy.asf
- File opened for modification: \??\c:\program files\MergeGroup.3gp
- File opened for modification: \??\c:\program files\WaitNew.mpp
- File opened for modification: \??\c:\program files\MountRepair.wmf
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\0pa6980309-readme.txt
- File opened for modification: \??\c:\program files\WaitReceive.pps
- File opened for modification: \??\c:\program files\AssertApprove.pps
- File opened for modification: \??\c:\program files\BackupSubmit.html
- File opened for modification: \??\c:\program files\DismountConnect.dib
- File opened for modification: \??\c:\program files\FormatSync.mpv2
- File opened for modification: \??\c:\program files\PingConnect.3gpp
- File opened for modification: \??\c:\program files\LockCompress.html
- File opened for modification: \??\c:\program files\SendMount.vssx
- File opened for modification: \??\c:\program files\UnlockSync.jpeg
- File opened for modification: \??\c:\program files\UpdateRevoke.png
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\0pa6980309-readme.txt
- File opened for modification: \??\c:\program files\EditNew.tif
- File opened for modification: \??\c:\program files\ExitWait.wm
- File opened for modification: \??\c:\program files\RevokeExport.vdw
- File opened for modification: \??\c:\program files\SplitRename.m4v
- File opened for modification: \??\c:\program files\SubmitWatch.mpeg3
- File opened for modification: \??\c:\program files\ExitUse.vsdx
- File opened for modification: \??\c:\program files\MoveLimit.php
- File opened for modification: \??\c:\program files\PublishInvoke.edrwx
- File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\0pa6980309-readme.txt
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: regsvr32.exe
- PID 1884 regsvr32.exe
- PID 1884 regsvr32.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: regsvr32.exe, vssvc.exe
- Token: SeDebugPrivilege, PID 1884 regsvr32.exe
- Token: SeTakeOwnershipPrivilege, PID 1884 regsvr32.exe
- Token: SeBackupPrivilege, PID 1064 vssvc.exe
- Token: SeRestorePrivilege, PID 1064 vssvc.exe
- Token: SeAuditPrivilege, PID 1064 vssvc.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe
- PID 1720 (regsvr32.exe) wrote to memory of PID 1884 (regsvr32.exe); this event is recorded 7 times
Processes
- C:\Windows\system32\regsvr32.exe (PID 1720)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\regsvr32.exe (PID 1884)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 1272)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 1064)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken