Analysis
- max time kernel: 155s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 07:59
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
  Resource: win10-en-20211208
General
- Target: 16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
- Size: 119KB
- MD5: 98b6a07962de11c389e8f420eb4f0fe4
- SHA1: ab9c70eff25fb0cc189d4950809822aaa05f7b86
- SHA256: 16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193
- SHA512: 950c5728b11295c86a0d3ca6cd8716175d28c9cf6affc340acfaef477dc24b52c51a649bf556d998ace6ae395c9e1f2ab732bff6e49f0aa97fcaad349866ab50
Malware Config
- Extracted from: C:\94kpkghj09-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4F22F43A57C5D56D
  http://decoder.re/4F22F43A57C5D56D
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: regsvr32.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\ConfirmSwitch.raw => \??\c:\users\admin\pictures\ConfirmSwitch.raw.94kpkghj09 | regsvr32.exe
  File opened for modification | \??\c:\users\admin\pictures\DebugTrace.tiff | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\PingDismount.raw => \??\c:\users\admin\pictures\PingDismount.raw.94kpkghj09 | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\ResumeSet.crw => \??\c:\users\admin\pictures\ResumeSet.crw.94kpkghj09 | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\ConfirmDebug.raw => \??\c:\users\admin\pictures\ConfirmDebug.raw.94kpkghj09 | regsvr32.exe
  File opened for modification | \??\c:\users\admin\pictures\CopyUndo.tiff | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\CopyUndo.tiff => \??\c:\users\admin\pictures\CopyUndo.tiff.94kpkghj09 | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\DebugTrace.tiff => \??\c:\users\admin\pictures\DebugTrace.tiff.94kpkghj09 | regsvr32.exe
  File opened for modification | \??\c:\users\admin\pictures\UnregisterRestore.tiff | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\UnregisterRestore.tiff => \??\c:\users\admin\pictures\UnregisterRestore.tiff.94kpkghj09 | regsvr32.exe
  File renamed | C:\Users\Admin\Pictures\CheckpointPublish.tif => \??\c:\users\admin\pictures\CheckpointPublish.tif.94kpkghj09 | regsvr32.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: regsvr32.exe
  description | ioc | process
  File opened (read-only) | \??\B: | regsvr32.exe
  File opened (read-only) | \??\L: | regsvr32.exe
  File opened (read-only) | \??\M: | regsvr32.exe
  File opened (read-only) | \??\W: | regsvr32.exe
  File opened (read-only) | \??\E: | regsvr32.exe
  File opened (read-only) | \??\I: | regsvr32.exe
  File opened (read-only) | \??\K: | regsvr32.exe
  File opened (read-only) | \??\N: | regsvr32.exe
  File opened (read-only) | \??\O: | regsvr32.exe
  File opened (read-only) | \??\P: | regsvr32.exe
  File opened (read-only) | \??\Q: | regsvr32.exe
  File opened (read-only) | \??\S: | regsvr32.exe
  File opened (read-only) | \??\D: | regsvr32.exe
  File opened (read-only) | \??\A: | regsvr32.exe
  File opened (read-only) | \??\H: | regsvr32.exe
  File opened (read-only) | \??\J: | regsvr32.exe
  File opened (read-only) | \??\X: | regsvr32.exe
  File opened (read-only) | \??\Z: | regsvr32.exe
  File opened (read-only) | \??\F: | regsvr32.exe
  File opened (read-only) | \??\G: | regsvr32.exe
  File opened (read-only) | \??\R: | regsvr32.exe
  File opened (read-only) | \??\T: | regsvr32.exe
  File opened (read-only) | \??\U: | regsvr32.exe
  File opened (read-only) | \??\V: | regsvr32.exe
  File opened (read-only) | \??\Y: | regsvr32.exe
- Drops file in Program Files directory (36 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\AssertOptimize.rmi | regsvr32.exe
  File opened for modification | \??\c:\program files\ConvertProtect.fon | regsvr32.exe
  File opened for modification | \??\c:\program files\FindMount.fon | regsvr32.exe
  File opened for modification | \??\c:\program files\MountInvoke.jtx | regsvr32.exe
  File opened for modification | \??\c:\program files\ResetRedo.rtf | regsvr32.exe
  File opened for modification | \??\c:\program files\UnblockApprove.xla | regsvr32.exe
  File opened for modification | \??\c:\program files\DebugMove.avi | regsvr32.exe
  File opened for modification | \??\c:\program files\InvokeStep.jpeg | regsvr32.exe
  File opened for modification | \??\c:\program files\LimitGrant.vbs | regsvr32.exe
  File opened for modification | \??\c:\program files\OutGrant.i64 | regsvr32.exe
  File created | \??\c:\program files\94kpkghj09-readme.txt | regsvr32.exe
  File opened for modification | \??\c:\program files\ReceiveRegister.M2TS | regsvr32.exe
  File opened for modification | \??\c:\program files\RestoreNew.aif | regsvr32.exe
  File opened for modification | \??\c:\program files\RevokeProtect.dxf | regsvr32.exe
  File opened for modification | \??\c:\program files\SetInstall.dxf | regsvr32.exe
  File opened for modification | \??\c:\program files\SuspendBlock.ods | regsvr32.exe
  File opened for modification | \??\c:\program files\EnablePing.ex_ | regsvr32.exe
  File opened for modification | \??\c:\program files\ExitRestart.odp | regsvr32.exe
  File opened for modification | \??\c:\program files\AddDisconnect.midi | regsvr32.exe
  File opened for modification | \??\c:\program files\InitializeConvert.3gpp | regsvr32.exe
  File opened for modification | \??\c:\program files\LockDisable.dot | regsvr32.exe
  File opened for modification | \??\c:\program files\RenameConvertTo.pot | regsvr32.exe
  File opened for modification | \??\c:\program files\ExpandCheckpoint.xml | regsvr32.exe
  File opened for modification | \??\c:\program files\MeasureMerge.ex_ | regsvr32.exe
  File opened for modification | \??\c:\program files\OptimizeMeasure.m1v | regsvr32.exe
  File opened for modification | \??\c:\program files\ReadSkip.mid | regsvr32.exe
  File opened for modification | \??\c:\program files\StepResolve.scf | regsvr32.exe
  File opened for modification | \??\c:\program files\UnregisterClear.potm | regsvr32.exe
  File opened for modification | \??\c:\program files\ConvertToExpand.raw | regsvr32.exe
  File opened for modification | \??\c:\program files\ExportConnect.asf | regsvr32.exe
  File opened for modification | \??\c:\program files\SkipEnable.fon | regsvr32.exe
  File opened for modification | \??\c:\program files\WatchEnable.TTS | regsvr32.exe
  File created | \??\c:\program files (x86)\94kpkghj09-readme.txt | regsvr32.exe
  File opened for modification | \??\c:\program files\ConnectUnlock.xht | regsvr32.exe
  File opened for modification | \??\c:\program files\ExpandRestart.avi | regsvr32.exe
  File opened for modification | \??\c:\program files\TraceSet.3gp2 | regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: regsvr32.exe
  pid | process
  3064 | regsvr32.exe
  3064 | regsvr32.exe
  3064 | regsvr32.exe
  3064 | regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: regsvr32.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 3064 | regsvr32.exe
  Token: SeTakeOwnershipPrivilege | 3064 | regsvr32.exe
  Token: SeBackupPrivilege | 604 | vssvc.exe
  Token: SeRestorePrivilege | 604 | vssvc.exe
  Token: SeAuditPrivilege | 604 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  description | pid | process | target process
  PID 2692 wrote to memory of 3064 | 2692 | regsvr32.exe | regsvr32.exe
  PID 2692 wrote to memory of 3064 | 2692 | regsvr32.exe | regsvr32.exe
  PID 2692 wrote to memory of 3064 | 2692 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe (PID 2692)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 3064, child of 2692)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\16afea7cb64bcbf0a8a8da5e67120dec851068d421caa79ac197c804a2e9c193.dll
    Signatures: Modifies extensions of user files; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 3284)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 604)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken