Analysis
- max time kernel: 120s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:18
Static task: static1
Behavioral task: behavioral1
  Sample: 337fe8b50b6db4e741246ca76f27a8dd4e505cceebf9a9577be2d03dd5c5810a.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 337fe8b50b6db4e741246ca76f27a8dd4e505cceebf9a9577be2d03dd5c5810a.dll
  Resource: win10-en-20211208
General
- Target: 337fe8b50b6db4e741246ca76f27a8dd4e505cceebf9a9577be2d03dd5c5810a.dll
- Size: 161KB
- MD5: 1a578c9055a1451622017cd253d238f2
- SHA1: a1b72de550c0012a1c556697ce1d371440fcbc2b
- SHA256: 337fe8b50b6db4e741246ca76f27a8dd4e505cceebf9a9577be2d03dd5c5810a
- SHA512: f095c5d8e2ec70ce38de23be00c9dc364b24d85506d205832d225c33fb1cae2b8555cc1b52f055d7b69df7ee42c96d9d80699033cecbc06e4fe65334af720d29
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description             | ioc    | process
  File opened (read-only) | \??\T: | rundll32.exe
  File opened (read-only) | \??\U: | rundll32.exe
  File opened (read-only) | \??\Y: | rundll32.exe
  File opened (read-only) | \??\A: | rundll32.exe
  File opened (read-only) | \??\O: | rundll32.exe
  File opened (read-only) | \??\R: | rundll32.exe
  File opened (read-only) | \??\S: | rundll32.exe
  File opened (read-only) | \??\I: | rundll32.exe
  File opened (read-only) | \??\N: | rundll32.exe
  File opened (read-only) | \??\P: | rundll32.exe
  File opened (read-only) | \??\Q: | rundll32.exe
  File opened (read-only) | \??\B: | rundll32.exe
  File opened (read-only) | \??\F: | rundll32.exe
  File opened (read-only) | \??\G: | rundll32.exe
  File opened (read-only) | \??\H: | rundll32.exe
  File opened (read-only) | \??\X: | rundll32.exe
  File opened (read-only) | \??\Z: | rundll32.exe
  File opened (read-only) | \??\E: | rundll32.exe
  File opened (read-only) | \??\J: | rundll32.exe
  File opened (read-only) | \??\L: | rundll32.exe
  File opened (read-only) | \??\M: | rundll32.exe
  File opened (read-only) | \??\K: | rundll32.exe
  File opened (read-only) | \??\V: | rundll32.exe
  File opened (read-only) | \??\W: | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: rundll32.exe
  pid | process
  288 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description                     | pid  | process      | target process
  PID 1668 wrote to memory of 288 | 1668 | rundll32.exe | rundll32.exe
  PID 1668 wrote to memory of 288 | 1668 | rundll32.exe | rundll32.exe
  PID 1668 wrote to memory of 288 | 1668 | rundll32.exe | rundll32.exe
  PID 1668 wrote to memory of 288 | 1668 | rundll32.exe | rundll32.exe
  PID 1668 wrote to memory of 288 | 1668 | rundll32.exe | rundll32.exe
  PID 1668 wrote to memory of 288 | 1668 | rundll32.exe | rundll32.exe
  PID 1668 wrote to memory of 288 | 1668 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\337fe8b50b6db4e741246ca76f27a8dd4e505cceebf9a9577be2d03dd5c5810a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\337fe8b50b6db4e741246ca76f27a8dd4e505cceebf9a9577be2d03dd5c5810a.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/288-55-0x0000000076921000-0x0000000076923000-memory.dmp
  Filesize: 8KB