Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 01:35
Static task
static1
Behavioral task
behavioral1
Sample
90c9b6460c240177644d028458874167fedf7ca459381dde17d44446bb9ba501.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
90c9b6460c240177644d028458874167fedf7ca459381dde17d44446bb9ba501.dll
Resource
win10-en-20211208
General
-
Target
90c9b6460c240177644d028458874167fedf7ca459381dde17d44446bb9ba501.dll
-
Size
160KB
-
MD5
524fa132dfb6611ff5bb48486274ee8f
-
SHA1
97f9ecdcf448d694ac8f8d27954f791d5ed0cf54
-
SHA256
90c9b6460c240177644d028458874167fedf7ca459381dde17d44446bb9ba501
-
SHA512
60ae5c9672cba7d024e39bd6b6f4ada17a388dc4a7fa032516a8c45ca5850d5e5702a33fe065602aff81bfbdeeebe27434e94e7091f96b3a689f7b2142c7a908
Malware Config
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\Y: rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 1304 rundll32.exe 1304 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 948 wrote to memory of 1304 948 rundll32.exe rundll32.exe PID 948 wrote to memory of 1304 948 rundll32.exe rundll32.exe PID 948 wrote to memory of 1304 948 rundll32.exe rundll32.exe PID 948 wrote to memory of 1304 948 rundll32.exe rundll32.exe PID 948 wrote to memory of 1304 948 rundll32.exe rundll32.exe PID 948 wrote to memory of 1304 948 rundll32.exe rundll32.exe PID 948 wrote to memory of 1304 948 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90c9b6460c240177644d028458874167fedf7ca459381dde17d44446bb9ba501.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90c9b6460c240177644d028458874167fedf7ca459381dde17d44446bb9ba501.dll,#12⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1304-55-0x0000000075F91000-0x0000000075F93000-memory.dmpFilesize
8KB
-
memory/1304-57-0x0000000000120000-0x000000000012A000-memory.dmpFilesize
40KB
-
memory/1304-58-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB
-
memory/1304-59-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/1304-60-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/1304-56-0x0000000002280000-0x0000000002349000-memory.dmpFilesize
804KB
-
memory/1304-62-0x0000000002FF0000-0x000000000311D000-memory.dmpFilesize
1.2MB
-
memory/1304-63-0x0000000000330000-0x000000000034F000-memory.dmpFilesize
124KB
-
memory/1304-64-0x0000000003400000-0x0000000003509000-memory.dmpFilesize
1.0MB
-
memory/1304-65-0x0000000000170000-0x0000000000176000-memory.dmpFilesize
24KB