Analysis
max time kernel: 11s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 15-06-2021 11:19
Static task: static1
Behavioral task: behavioral1
  Sample: 8913d9474fb91ba5f1d76740b08828b93f55022c5cc9d908ec3fc1abd0da98e0.bin.sample.dll
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 8913d9474fb91ba5f1d76740b08828b93f55022c5cc9d908ec3fc1abd0da98e0.bin.sample.dll
  Resource: win10v20210410
General
Target: 8913d9474fb91ba5f1d76740b08828b93f55022c5cc9d908ec3fc1abd0da98e0.bin.sample.dll
Size: 119KB
MD5: 741a67164cae752512afe51a9e3a8acd
SHA1: f47e11135534cc7c1af923f3f351471278ed60aa
SHA256: 8913d9474fb91ba5f1d76740b08828b93f55022c5cc9d908ec3fc1abd0da98e0
SHA512: 175142b22d473cdd7b2a41e0284b7140e299985e7ac27cd2dbf8c312f0cd6b52de2be96939bb3d4eb0b7a5e3af6577b5f76242f7d13ca91d8bbaf47b5faaec1c
Malware Config
Extracted
C:\12a52sp-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B1BAD4A3763E0A10
http://decryptor.cc/B1BAD4A3763E0A10
Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
description               ioc      process
File opened (read-only)   \??\Y:   rundll32.exe
File opened (read-only)   \??\A:   rundll32.exe
File opened (read-only)   \??\B:   rundll32.exe
File opened (read-only)   \??\H:   rundll32.exe
File opened (read-only)   \??\K:   rundll32.exe
File opened (read-only)   \??\T:   rundll32.exe
File opened (read-only)   \??\V:   rundll32.exe
File opened (read-only)   \??\W:   rundll32.exe
File opened (read-only)   \??\F:   rundll32.exe
File opened (read-only)   \??\G:   rundll32.exe
File opened (read-only)   \??\L:   rundll32.exe
File opened (read-only)   \??\Q:   rundll32.exe
File opened (read-only)   \??\S:   rundll32.exe
File opened (read-only)   \??\Z:   rundll32.exe
File opened (read-only)   \??\E:   rundll32.exe
File opened (read-only)   \??\J:   rundll32.exe
File opened (read-only)   \??\O:   rundll32.exe
File opened (read-only)   \??\P:   rundll32.exe
File opened (read-only)   \??\R:   rundll32.exe
File opened (read-only)   \??\U:   rundll32.exe
File opened (read-only)   \??\I:   rundll32.exe
File opened (read-only)   \??\M:   rundll32.exe
File opened (read-only)   \??\N:   rundll32.exe
File opened (read-only)   \??\X:   rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
pid    process
3972   rundll32.exe
3972   rundll32.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: rundll32.exe, vssvc.exe
description                        pid    process
Token: SeDebugPrivilege            3972   rundll32.exe
Token: SeTakeOwnershipPrivilege    3972   rundll32.exe
Token: SeBackupPrivilege           3112   vssvc.exe
Token: SeRestorePrivilege          3112   vssvc.exe
Token: SeAuditPrivilege            3112   vssvc.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description                         pid    process        target process
PID 3424 wrote to memory of 3972    3424   rundll32.exe   rundll32.exe
PID 3424 wrote to memory of 3972    3424   rundll32.exe   rundll32.exe
PID 3424 wrote to memory of 3972    3424   rundll32.exe   rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8913d9474fb91ba5f1d76740b08828b93f55022c5cc9d908ec3fc1abd0da98e0.bin.sample.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3424
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8913d9474fb91ba5f1d76740b08828b93f55022c5cc9d908ec3fc1abd0da98e0.bin.sample.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3972
C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 208
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 3112
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/3972-114-0x0000000000000000-mapping.dmp