Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:56
Static task: static1
Behavioral task: behavioral1
- Sample: d765650f9f566880df22f1dbabcd8da0dc81d6e10ffe3baee3166ac87ab12a91.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d765650f9f566880df22f1dbabcd8da0dc81d6e10ffe3baee3166ac87ab12a91.dll
- Resource: win10-en-20211208
General
- Target: d765650f9f566880df22f1dbabcd8da0dc81d6e10ffe3baee3166ac87ab12a91.dll
- Size: 161KB
- MD5: d04208e8499134779820f61c15d2ff37
- SHA1: 56770b21d974922a42c6dc80e433490d1aba8624
- SHA256: d765650f9f566880df22f1dbabcd8da0dc81d6e10ffe3baee3166ac87ab12a91
- SHA512: 4443dce1f06c9ab3843f50546f4d192e6cceeb483ec8d468574e6d555dc560e4abd7405d058e4d6f21601876f63c8146f167e6d25bd3e1a2c46d75bb4e416d70
Malware Config
- Extracted from: C:\ig8279qtv-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48F85223740646D5
  - http://decryptor.top/48F85223740646D5
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (14 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rundll32.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\MoveAdd.raw => \??\c:\users\admin\pictures\MoveAdd.raw.ig8279qtv | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\WatchClose.raw => \??\c:\users\admin\pictures\WatchClose.raw.ig8279qtv | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\PingApprove.crw => \??\c:\users\admin\pictures\PingApprove.crw.ig8279qtv | rundll32.exe
  File opened for modification | \??\c:\users\admin\pictures\CheckpointResolve.tiff | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\AddDeny.tiff => \??\c:\users\admin\pictures\AddDeny.tiff.ig8279qtv | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\CheckpointResolve.tiff => \??\c:\users\admin\pictures\CheckpointResolve.tiff.ig8279qtv | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\ConnectClose.png => \??\c:\users\admin\pictures\ConnectClose.png.ig8279qtv | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\UnprotectReset.tiff => \??\c:\users\admin\pictures\UnprotectReset.tiff.ig8279qtv | rundll32.exe
  File opened for modification | \??\c:\users\admin\pictures\AddDeny.tiff | rundll32.exe
  File opened for modification | \??\c:\users\admin\pictures\CompleteTrace.tiff | rundll32.exe
  File opened for modification | \??\c:\users\admin\pictures\UnprotectReset.tiff | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\SubmitCopy.crw => \??\c:\users\admin\pictures\SubmitCopy.crw.ig8279qtv | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\CompleteTrace.tiff => \??\c:\users\admin\pictures\CompleteTrace.tiff.ig8279qtv | rundll32.exe
  File renamed | C:\Users\Admin\Pictures\ResolveNew.tif => \??\c:\users\admin\pictures\ResolveNew.tif.ig8279qtv | rundll32.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description | ioc | process
  File opened (read-only) | \??\H: | rundll32.exe
  File opened (read-only) | \??\I: | rundll32.exe
  File opened (read-only) | \??\J: | rundll32.exe
  File opened (read-only) | \??\N: | rundll32.exe
  File opened (read-only) | \??\U: | rundll32.exe
  File opened (read-only) | \??\Z: | rundll32.exe
  File opened (read-only) | \??\F: | rundll32.exe
  File opened (read-only) | \??\G: | rundll32.exe
  File opened (read-only) | \??\L: | rundll32.exe
  File opened (read-only) | \??\O: | rundll32.exe
  File opened (read-only) | \??\V: | rundll32.exe
  File opened (read-only) | \??\X: | rundll32.exe
  File opened (read-only) | \??\A: | rundll32.exe
  File opened (read-only) | \??\M: | rundll32.exe
  File opened (read-only) | \??\Q: | rundll32.exe
  File opened (read-only) | \??\R: | rundll32.exe
  File opened (read-only) | \??\S: | rundll32.exe
  File opened (read-only) | \??\T: | rundll32.exe
  File opened (read-only) | \??\Y: | rundll32.exe
  File opened (read-only) | \??\B: | rundll32.exe
  File opened (read-only) | \??\K: | rundll32.exe
  File opened (read-only) | \??\P: | rundll32.exe
  File opened (read-only) | \??\W: | rundll32.exe
  File opened (read-only) | \??\E: | rundll32.exe
- Drops file in Program Files directory (25 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\SelectEnable.mp4 | rundll32.exe
  File opened for modification | \??\c:\program files\SyncResume.snd | rundll32.exe
  File opened for modification | \??\c:\program files\TestLock.zip | rundll32.exe
  File opened for modification | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceca35.dll | rundll32.exe
  File opened for modification | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceme35.dll | rundll32.exe
  File opened for modification | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceoledb35.dll | rundll32.exe
  File opened for modification | \??\c:\program files\ExitTest.wax | rundll32.exe
  File opened for modification | \??\c:\program files\RegisterUse.ini | rundll32.exe
  File opened for modification | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcecompact35.dll | rundll32.exe
  File opened for modification | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcese35.dll | rundll32.exe
  File opened for modification | \??\c:\program files\SearchDisconnect.i64 | rundll32.exe
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\ig8279qtv-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\EnableUndo.edrwx | rundll32.exe
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\ig8279qtv-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceer35EN.dll | rundll32.exe
  File opened for modification | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceqp35.dll | rundll32.exe
  File created | \??\c:\program files\ig8279qtv-readme.txt | rundll32.exe
  File created | \??\c:\program files (x86)\ig8279qtv-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\GroupExport.odt | rundll32.exe
  File opened for modification | \??\c:\program files\ShowJoin.emf | rundll32.exe
  File opened for modification | \??\c:\program files\UpdateBackup.inf | rundll32.exe
  File opened for modification | \??\c:\program files\WriteRegister.mpeg | rundll32.exe
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\ig8279qtv-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\CompressRegister.txt | rundll32.exe
  File opened for modification | \??\c:\program files\ExportBlock.xsl | rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  616 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: rundll32.exe
  pid | process
  656 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1296 | vssvc.exe
  Token: SeRestorePrivilege | 1296 | vssvc.exe
  Token: SeAuditPrivilege | 1296 | vssvc.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: rundll32.exe, rundll32.exe, cmd.exe
  description | pid | process | target process
  PID 1404 wrote to memory of 656 | 1404 | rundll32.exe | rundll32.exe
  PID 1404 wrote to memory of 656 | 1404 | rundll32.exe | rundll32.exe
  PID 1404 wrote to memory of 656 | 1404 | rundll32.exe | rundll32.exe
  PID 1404 wrote to memory of 656 | 1404 | rundll32.exe | rundll32.exe
  PID 1404 wrote to memory of 656 | 1404 | rundll32.exe | rundll32.exe
  PID 1404 wrote to memory of 656 | 1404 | rundll32.exe | rundll32.exe
  PID 1404 wrote to memory of 656 | 1404 | rundll32.exe | rundll32.exe
  PID 656 wrote to memory of 1152 | 656 | rundll32.exe | cmd.exe
  PID 656 wrote to memory of 1152 | 656 | rundll32.exe | cmd.exe
  PID 656 wrote to memory of 1152 | 656 | rundll32.exe | cmd.exe
  PID 656 wrote to memory of 1152 | 656 | rundll32.exe | cmd.exe
  PID 1152 wrote to memory of 616 | 1152 | cmd.exe | vssadmin.exe
  PID 1152 wrote to memory of 616 | 1152 | cmd.exe | vssadmin.exe
  PID 1152 wrote to memory of 616 | 1152 | cmd.exe | vssadmin.exe
  PID 1152 wrote to memory of 616 | 1152 | cmd.exe | vssadmin.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d765650f9f566880df22f1dbabcd8da0dc81d6e10ffe3baee3166ac87ab12a91.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d765650f9f566880df22f1dbabcd8da0dc81d6e10ffe3baee3166ac87ab12a91.dll,#1
    - Modifies extensions of user files
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/656-54-0x0000000074F01000-0x0000000074F03000-memory.dmp (Filesize: 8KB)