Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 01:38
Static task: static1
Behavioral task: behavioral1
  Sample: 8b100ab70a13a925db6de213db99b34edcb93075f3841b7922c8cb4f1b251637.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8b100ab70a13a925db6de213db99b34edcb93075f3841b7922c8cb4f1b251637.dll
  Resource: win10-en-20211208
General
- Target: 8b100ab70a13a925db6de213db99b34edcb93075f3841b7922c8cb4f1b251637.dll
- Size: 161KB
- MD5: 90570c7611046d48f8d3c437c38b0639
- SHA1: ab4ec0060856f376ab560631c33deb879ee76578
- SHA256: 8b100ab70a13a925db6de213db99b34edcb93075f3841b7922c8cb4f1b251637
- SHA512: b7dc0ef470c5ce2914ba95dcdf65a5f26393281c361c7fe66a08330f351c43f2dd04b44db1945b2c8822f26fecb0a4049a3d8c73d811efbe4246c3e8cb1796c4
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\R:  rundll32.exe
    File opened (read-only)  \??\T:  rundll32.exe
    File opened (read-only)  \??\X:  rundll32.exe
    File opened (read-only)  \??\Y:  rundll32.exe
    File opened (read-only)  \??\A:  rundll32.exe
    File opened (read-only)  \??\B:  rundll32.exe
    File opened (read-only)  \??\K:  rundll32.exe
    File opened (read-only)  \??\N:  rundll32.exe
    File opened (read-only)  \??\S:  rundll32.exe
    File opened (read-only)  \??\Z:  rundll32.exe
    File opened (read-only)  \??\E:  rundll32.exe
    File opened (read-only)  \??\I:  rundll32.exe
    File opened (read-only)  \??\J:  rundll32.exe
    File opened (read-only)  \??\O:  rundll32.exe
    File opened (read-only)  \??\Q:  rundll32.exe
    File opened (read-only)  \??\F:  rundll32.exe
    File opened (read-only)  \??\H:  rundll32.exe
    File opened (read-only)  \??\L:  rundll32.exe
    File opened (read-only)  \??\M:  rundll32.exe
    File opened (read-only)  \??\W:  rundll32.exe
    File opened (read-only)  \??\G:  rundll32.exe
    File opened (read-only)  \??\P:  rundll32.exe
    File opened (read-only)  \??\U:  rundll32.exe
    File opened (read-only)  \??\V:  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid  process
    368  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1600  rundll32.exe
    1600  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description               pid   process
    Token: SeBackupPrivilege  1652  vssvc.exe
    Token: SeRestorePrivilege 1652  vssvc.exe
    Token: SeAuditPrivilege   1652  vssvc.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                      pid   process       target process
    PID 1700 wrote to memory of 1600 1700  rundll32.exe  rundll32.exe  (7 entries)
    PID 1600 wrote to memory of 752  1600  rundll32.exe  cmd.exe       (4 entries)
    PID 752 wrote to memory of 368   752   cmd.exe       vssadmin.exe  (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8b100ab70a13a925db6de213db99b34edcb93075f3841b7922c8cb4f1b251637.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8b100ab70a13a925db6de213db99b34edcb93075f3841b7922c8cb4f1b251637.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1600-54-0x0000000075601000-0x0000000075603000-memory.dmp (Filesize: 8KB)
- memory/1600-57-0x0000000003070000-0x000000000319D000-memory.dmp (Filesize: 1.2MB)
- memory/1600-58-0x00000000007D0000-0x00000000007EF000-memory.dmp (Filesize: 124KB)
- memory/1600-59-0x0000000000130000-0x000000000013A000-memory.dmp (Filesize: 40KB)
- memory/1600-60-0x0000000000140000-0x0000000000141000-memory.dmp (Filesize: 4KB)
- memory/1600-62-0x0000000000160000-0x0000000000161000-memory.dmp (Filesize: 4KB)
- memory/1600-63-0x00000000001F0000-0x00000000001F6000-memory.dmp (Filesize: 24KB)
- memory/1600-61-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize: 4KB)
- memory/1600-64-0x00000000033C0000-0x00000000034C9000-memory.dmp (Filesize: 1.0MB)