Analysis

- max time kernel: 141s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-08-2021 12:57

Static task: static1

Behavioral task: behavioral1
- Sample: REvil_Kaseya/8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll
- Resource: win10v20210410

Behavioral task: behavioral2
- Sample: REvil_Kaseya/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe
- Resource: win10v20210408
General

- Target: REvil_Kaseya/8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll
- Size: 789KB
- MD5: a47cf00aedf769d60d58bfe00c0b5421
- SHA1: 656c4d285ea518d90c1b669b79af475db31e30b1
- SHA256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
- SHA512: 4c2dcad3bd478fa70d086b7426d55976caa7ffc3d120c9c805cbb49eae910123c496bf2356066afcacba12ba05c963bbb8d95ed7f548479c90fec57aa16e4637
Malware Config

Extracted from the ransom note C:\v6abu3kll-readme.txt:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2523CBC1B2656EAB
- http://decoder.re/2523CBC1B2656EAB
Signatures

Modifies Windows Firewall (1 TTPs)

Modifies extensions of user files (7 IoCs)

Ransomware generally changes the extension on encrypted files.

Processes:

| description | ioc | process |
|---|---|---|
| File renamed | C:\Users\Admin\Pictures\WriteSplit.png => \??\c:\users\admin\pictures\WriteSplit.png.v6abu3kll | rundll32.exe |
| File opened for modification | \??\c:\users\admin\pictures\BlockConnect.tiff | rundll32.exe |
| File renamed | C:\Users\Admin\Pictures\BlockConnect.tiff => \??\c:\users\admin\pictures\BlockConnect.tiff.v6abu3kll | rundll32.exe |
| File renamed | C:\Users\Admin\Pictures\ConfirmEnter.crw => \??\c:\users\admin\pictures\ConfirmEnter.crw.v6abu3kll | rundll32.exe |
| File renamed | C:\Users\Admin\Pictures\EditCopy.raw => \??\c:\users\admin\pictures\EditCopy.raw.v6abu3kll | rundll32.exe |
| File opened for modification | \??\c:\users\admin\pictures\OutWatch.tiff | rundll32.exe |
| File renamed | C:\Users\Admin\Pictures\OutWatch.tiff => \??\c:\users\admin\pictures\OutWatch.tiff.v6abu3kll | rundll32.exe |
Enumerates connected drives (3 TTPs, 25 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

Processes:

| description | ioc | process |
|---|---|---|
| File opened (read-only) | \??\A:, \??\B:, \??\D:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:) | rundll32.exe |
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)

Processes:

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uwmfpcl6k4339.bmp" | rundll32.exe |
Drops file in Program Files directory (23 IoCs)

Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | \??\c:\program files\MergeWait.reg | rundll32.exe |
| File opened for modification | \??\c:\program files\SplitTest.midi | rundll32.exe |
| File created | \??\c:\program files (x86)\tmp | rundll32.exe |
| File created | \??\c:\program files (x86)\v6abu3kll-readme.txt | rundll32.exe |
| File opened for modification | \??\c:\program files\DisableCompare.xltx | rundll32.exe |
| File opened for modification | \??\c:\program files\GrantTrace.tiff | rundll32.exe |
| File opened for modification | \??\c:\program files\SubmitGet.mov | rundll32.exe |
| File opened for modification | \??\c:\program files\UninstallConnect.emf | rundll32.exe |
| File created | \??\c:\program files\tmp | rundll32.exe |
| File opened for modification | \??\c:\program files\ImportRequest.xml | rundll32.exe |
| File opened for modification | \??\c:\program files\InitializeUnblock.cfg | rundll32.exe |
| File opened for modification | \??\c:\program files\OptimizeRevoke.vstx | rundll32.exe |
| File opened for modification | \??\c:\program files\GetReset.mpv2 | rundll32.exe |
| File opened for modification | \??\c:\program files\UnlockResolve.wmf | rundll32.exe |
| File opened for modification | \??\c:\program files\RemoveDisconnect.dwfx | rundll32.exe |
| File opened for modification | \??\c:\program files\ResumeAssert.i64 | rundll32.exe |
| File opened for modification | \??\c:\program files\SearchStep.au3 | rundll32.exe |
| File opened for modification | \??\c:\program files\SuspendTrace.mpe | rundll32.exe |
| File created | \??\c:\program files\v6abu3kll-readme.txt | rundll32.exe |
| File opened for modification | \??\c:\program files\AddUninstall.temp | rundll32.exe |
| File opened for modification | \??\c:\program files\AssertRedo.i64 | rundll32.exe |
| File opened for modification | \??\c:\program files\HideRead.xps | rundll32.exe |
| File opened for modification | \??\c:\program files\SyncSelect.docx | rundll32.exe |
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (10 IoCs)

Processes:

| pid | process |
|---|---|
| 2140 | rundll32.exe (10 events) |
Suspicious use of AdjustPrivilegeToken (5 IoCs)

Processes:

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2140 | rundll32.exe |
| Token: SeTakeOwnershipPrivilege | 2140 | rundll32.exe |
| Token: SeBackupPrivilege | 3988 | vssvc.exe |
| Token: SeRestorePrivilege | 3988 | vssvc.exe |
| Token: SeAuditPrivilege | 3988 | vssvc.exe |
Suspicious use of WriteProcessMemory (6 IoCs)

Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 3916 wrote to memory of 2140 (3 events) | 3916 | rundll32.exe | rundll32.exe |
| PID 2140 wrote to memory of 96 (3 events) | 2140 | rundll32.exe | netsh.exe |
Processes

- C:\Windows\system32\rundll32.exe (PID 3916)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\REvil_Kaseya\8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 2140)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\REvil_Kaseya\8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll,#1
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\netsh.exe (PID 96)
      Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
- C:\Windows\system32\wbem\unsecapp.exe (PID 3164)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 3988)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken