Analysis
- max time kernel: 117s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:59
Static task: static1
Behavioral task: behavioral1
- Sample: d2ef14d7cc28231bd5b725ac5aea9527d6d75d2934f079219055c89ab39e6a4e.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d2ef14d7cc28231bd5b725ac5aea9527d6d75d2934f079219055c89ab39e6a4e.dll
- Resource: win10-en-20211208
General
- Target: d2ef14d7cc28231bd5b725ac5aea9527d6d75d2934f079219055c89ab39e6a4e.dll
- Size: 158KB
- MD5: b7c3012609c927d8728e4359b2e159ec
- SHA1: 145316b8ce8d4ebaf0408eecbfd06766cf301d8a
- SHA256: d2ef14d7cc28231bd5b725ac5aea9527d6d75d2934f079219055c89ab39e6a4e
- SHA512: c523faf51a1494797cf834be13536bf891595f84a0f911da08e5e07c5097e6b42d927b391d3b50217462e3803e00d00c7dfa93c334f548781be850975d26109b
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description | ioc | process
  File opened (read-only) | \??\X: | rundll32.exe
  File opened (read-only) | \??\S: | rundll32.exe
  File opened (read-only) | \??\T: | rundll32.exe
  File opened (read-only) | \??\U: | rundll32.exe
  File opened (read-only) | \??\V: | rundll32.exe
  File opened (read-only) | \??\N: | rundll32.exe
  File opened (read-only) | \??\R: | rundll32.exe
  File opened (read-only) | \??\Y: | rundll32.exe
  File opened (read-only) | \??\A: | rundll32.exe
  File opened (read-only) | \??\E: | rundll32.exe
  File opened (read-only) | \??\G: | rundll32.exe
  File opened (read-only) | \??\K: | rundll32.exe
  File opened (read-only) | \??\Q: | rundll32.exe
  File opened (read-only) | \??\W: | rundll32.exe
  File opened (read-only) | \??\Z: | rundll32.exe
  File opened (read-only) | \??\H: | rundll32.exe
  File opened (read-only) | \??\I: | rundll32.exe
  File opened (read-only) | \??\J: | rundll32.exe
  File opened (read-only) | \??\O: | rundll32.exe
  File opened (read-only) | \??\P: | rundll32.exe
  File opened (read-only) | \??\B: | rundll32.exe
  File opened (read-only) | \??\F: | rundll32.exe
  File opened (read-only) | \??\L: | rundll32.exe
  File opened (read-only) | \??\M: | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: rundll32.exe
  pid | process
  1288 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 836 wrote to memory of 1288 | 836 | rundll32.exe | rundll32.exe
  PID 836 wrote to memory of 1288 | 836 | rundll32.exe | rundll32.exe
  PID 836 wrote to memory of 1288 | 836 | rundll32.exe | rundll32.exe
  PID 836 wrote to memory of 1288 | 836 | rundll32.exe | rundll32.exe
  PID 836 wrote to memory of 1288 | 836 | rundll32.exe | rundll32.exe
  PID 836 wrote to memory of 1288 | 836 | rundll32.exe | rundll32.exe
  PID 836 wrote to memory of 1288 | 836 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ef14d7cc28231bd5b725ac5aea9527d6d75d2934f079219055c89ab39e6a4e.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ef14d7cc28231bd5b725ac5aea9527d6d75d2934f079219055c89ab39e6a4e.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1288-55-0x0000000075D61000-0x0000000075D63000-memory.dmp (Filesize: 8KB)