Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 01:07
Static task: static1
Behavioral task: behavioral1
- Sample: c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll
- Resource: win10-en-20211208
General
- Target: c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll
- Size: 116KB
- MD5: 693dc51660715ef8392c7f0677e046be
- SHA1: f194254a742d6fb1d9e2ec01624993257176a01f
- SHA256: c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95
- SHA512: a0dbe72b15bfba16be66e6fadd5630d55bb9c16b6eb59b4ffc1a0a830e81b1153be98799d368346031c09e145aa70005dbf3b81545c40369184d2f95107b04d5
Malware Config
Extracted
- Extracted from: C:\vqh597u-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/59229BECDEAC9524
  - http://decryptor.cc/59229BECDEAC9524
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description | ioc | process
  File opened (read-only) | \??\I: | rundll32.exe
  File opened (read-only) | \??\L: | rundll32.exe
  File opened (read-only) | \??\O: | rundll32.exe
  File opened (read-only) | \??\S: | rundll32.exe
  File opened (read-only) | \??\T: | rundll32.exe
  File opened (read-only) | \??\U: | rundll32.exe
  File opened (read-only) | \??\Y: | rundll32.exe
  File opened (read-only) | \??\A: | rundll32.exe
  File opened (read-only) | \??\E: | rundll32.exe
  File opened (read-only) | \??\M: | rundll32.exe
  File opened (read-only) | \??\Q: | rundll32.exe
  File opened (read-only) | \??\V: | rundll32.exe
  File opened (read-only) | \??\H: | rundll32.exe
  File opened (read-only) | \??\J: | rundll32.exe
  File opened (read-only) | \??\K: | rundll32.exe
  File opened (read-only) | \??\N: | rundll32.exe
  File opened (read-only) | \??\P: | rundll32.exe
  File opened (read-only) | \??\R: | rundll32.exe
  File opened (read-only) | \??\X: | rundll32.exe
  File opened (read-only) | \??\B: | rundll32.exe
  File opened (read-only) | \??\F: | rundll32.exe
  File opened (read-only) | \??\G: | rundll32.exe
  File opened (read-only) | \??\W: | rundll32.exe
  File opened (read-only) | \??\Z: | rundll32.exe
- Drops file in Program Files directory (21 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  File opened for modification | \??\c:\program files\InitializeUndo.svg | rundll32.exe
  File opened for modification | \??\c:\program files\SwitchImport.i64 | rundll32.exe
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\vqh597u-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\RedoStop.eps | rundll32.exe
  File opened for modification | \??\c:\program files\RenameBackup.jpe | rundll32.exe
  File opened for modification | \??\c:\program files\SubmitComplete.php | rundll32.exe
  File opened for modification | \??\c:\program files\UnregisterConfirm.jpe | rundll32.exe
  File created | \??\c:\program files (x86)\vqh597u-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\CloseBackup.xps | rundll32.exe
  File opened for modification | \??\c:\program files\ConvertFromOut.pptx | rundll32.exe
  File opened for modification | \??\c:\program files\EditUse.cr2 | rundll32.exe
  File opened for modification | \??\c:\program files\UnregisterDisable.otf | rundll32.exe
  File opened for modification | \??\c:\program files\SendProtect.wmf | rundll32.exe
  File opened for modification | \??\c:\program files\ShowMount.AAC | rundll32.exe
  File created | \??\c:\program files\vqh597u-readme.txt | rundll32.exe
  File opened for modification | \??\c:\program files\LockSplit.mpv2 | rundll32.exe
  File opened for modification | \??\c:\program files\PushMerge.crw | rundll32.exe
  File opened for modification | \??\c:\program files\RedoRevoke.xls | rundll32.exe
  File opened for modification | \??\c:\program files\ClearUnpublish.3gp | rundll32.exe
  File opened for modification | \??\c:\program files\TraceProtect.mpe | rundll32.exe
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vqh597u-readme.txt | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: rundll32.exe
  pid | process
  780 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 780 | rundll32.exe
  Token: SeTakeOwnershipPrivilege | 780 | rundll32.exe
  Token: SeBackupPrivilege | 1072 | vssvc.exe
  Token: SeRestorePrivilege | 1072 | vssvc.exe
  Token: SeAuditPrivilege | 1072 | vssvc.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 736 wrote to memory of 780 | 736 | rundll32.exe | rundll32.exe
  PID 736 wrote to memory of 780 | 736 | rundll32.exe | rundll32.exe
  PID 736 wrote to memory of 780 | 736 | rundll32.exe | rundll32.exe
  PID 736 wrote to memory of 780 | 736 | rundll32.exe | rundll32.exe
  PID 736 wrote to memory of 780 | 736 | rundll32.exe | rundll32.exe
  PID 736 wrote to memory of 780 | 736 | rundll32.exe | rundll32.exe
  PID 736 wrote to memory of 780 | 736 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 736
  Child process:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3aeefb9c2496dc0480e09a71615ec59750a993e4ead901e8afde27807023e95.dll,#1
    Signatures: Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 780
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1344
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 1072
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/780-55-0x0000000076B81000-0x0000000076B83000-memory.dmp (Filesize: 8KB)