Analysis
- max time kernel: 12s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 14-04-2021 18:03
Static task: static1

Behavioral task: behavioral1
- Sample: d2fcfddfcfffdc2236e7cf7ece8579c7c104a333ad0697304392ad0629541682.dll
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: d2fcfddfcfffdc2236e7cf7ece8579c7c104a333ad0697304392ad0629541682.dll
- Resource: win10v20210410
General
- Target: d2fcfddfcfffdc2236e7cf7ece8579c7c104a333ad0697304392ad0629541682.dll
- Size: 116KB
- MD5: c75f4c8e053f5aeafdf0169698b7823e
- SHA1: be6cc1941aeae4ba84715d5f197089fbacecb788
- SHA256: d2fcfddfcfffdc2236e7cf7ece8579c7c104a333ad0697304392ad0629541682
- SHA512: 83787bd850c6ce35fd1fbb511204b60a6cf9e8ba1b9b08af812608e45f6b1e8aef371e2c7e5eaca662ee8f86bcf41f01bbce47cb685b32c138de12e8998a427e
Malware Config
- Extracted from: C:\w5813-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A50E2C07329F83E2
  - http://decryptor.cc/A50E2C07329F83E2
Signatures

- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe

  description               ioc      process
  File opened (read-only)   \??\I:   rundll32.exe
  File opened (read-only)   \??\J:   rundll32.exe
  File opened (read-only)   \??\K:   rundll32.exe
  File opened (read-only)   \??\L:   rundll32.exe
  File opened (read-only)   \??\Q:   rundll32.exe
  File opened (read-only)   \??\V:   rundll32.exe
  File opened (read-only)   \??\A:   rundll32.exe
  File opened (read-only)   \??\B:   rundll32.exe
  File opened (read-only)   \??\X:   rundll32.exe
  File opened (read-only)   \??\Z:   rundll32.exe
  File opened (read-only)   \??\F:   rundll32.exe
  File opened (read-only)   \??\M:   rundll32.exe
  File opened (read-only)   \??\W:   rundll32.exe
  File opened (read-only)   \??\E:   rundll32.exe
  File opened (read-only)   \??\T:   rundll32.exe
  File opened (read-only)   \??\N:   rundll32.exe
  File opened (read-only)   \??\O:   rundll32.exe
  File opened (read-only)   \??\P:   rundll32.exe
  File opened (read-only)   \??\R:   rundll32.exe
  File opened (read-only)   \??\S:   rundll32.exe
  File opened (read-only)   \??\U:   rundll32.exe
  File opened (read-only)   \??\G:   rundll32.exe
  File opened (read-only)   \??\H:   rundll32.exe
  File opened (read-only)   \??\Y:   rundll32.exe

- Drops file in Program Files directory (17 IoCs)
  Processes: rundll32.exe

  description                    ioc                                                  process
  File opened for modification   \??\c:\program files\ConvertToCompare.docm           rundll32.exe
  File opened for modification   \??\c:\program files\SubmitPop.xps                   rundll32.exe
  File opened for modification   \??\c:\program files\TestSave.xlt                    rundll32.exe
  File created                   \??\c:\program files (x86)\w5813-readme.txt          rundll32.exe
  File opened for modification   \??\c:\program files\RestoreDisable.vbs              rundll32.exe
  File opened for modification   \??\c:\program files\EnterSuspend.avi                rundll32.exe
  File opened for modification   \??\c:\program files\AddSync.zip                     rundll32.exe
  File opened for modification   \??\c:\program files\HideDisable.bmp                 rundll32.exe
  File opened for modification   \??\c:\program files\ReadEnter.mpeg2                 rundll32.exe
  File opened for modification   \??\c:\program files\SelectSwitch.ex_                rundll32.exe
  File created                   \??\c:\program files\w5813-readme.txt                rundll32.exe
  File opened for modification   \??\c:\program files\ConvertFromPing.dwg             rundll32.exe
  File opened for modification   \??\c:\program files\RenameExit.php                  rundll32.exe
  File opened for modification   \??\c:\program files\RequestRemove.au3               rundll32.exe
  File opened for modification   \??\c:\program files\UnblockUndo.wax                 rundll32.exe
  File opened for modification   \??\c:\program files\UndoRemove.otf                  rundll32.exe
  File opened for modification   \??\c:\program files\BackupUnregister.svg            rundll32.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe

  pid    process
  1972   rundll32.exe
  1972   rundll32.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, vssvc.exe

  description                         pid    process
  Token: SeDebugPrivilege             1972   rundll32.exe
  Token: SeTakeOwnershipPrivilege     1972   rundll32.exe
  Token: SeBackupPrivilege            3684   vssvc.exe
  Token: SeRestorePrivilege           3684   vssvc.exe
  Token: SeAuditPrivilege             3684   vssvc.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe

  description                       pid    process        target process
  PID 4012 wrote to memory of 1972  4012   rundll32.exe   rundll32.exe
  PID 4012 wrote to memory of 1972  4012   rundll32.exe   rundll32.exe
  PID 4012 wrote to memory of 1972  4012   rundll32.exe   rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2fcfddfcfffdc2236e7cf7ece8579c7c104a333ad0697304392ad0629541682.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2fcfddfcfffdc2236e7cf7ece8579c7c104a333ad0697304392ad0629541682.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1972-114-0x0000000000000000-mapping.dmp