Analysis
max time kernel: 120s
max time network: 135s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 07:56
Static task: static1
Behavioral task: behavioral1
Sample: 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll
Resource: win10-en-20211208
General
Target: 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll
Size: 116KB
MD5: fbdecce06dbb41237f8623a2e50daf59
SHA1: 41a8190bae6dc95c2ee1bf536367a8edf3740765
SHA256: 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf
SHA512: 7966ca39638ddeb2d75ea1635cec515a540c18c2a56139ba7a8c5c7c81af3cb70c7b2a8123f4da4635f5171c6a31eb6a1e280152c0581a13b3655d88cfb061b1
Malware Config
Extracted from: C:\vn00i-read-me.txt
Family: sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B2A46E5D3BC71392
http://decryptor.cc/B2A46E5D3BC71392
Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | rundll32.exe
File opened (read-only) | \??\E: | rundll32.exe
File opened (read-only) | \??\F: | rundll32.exe
File opened (read-only) | \??\K: | rundll32.exe
File opened (read-only) | \??\L: | rundll32.exe
File opened (read-only) | \??\M: | rundll32.exe
File opened (read-only) | \??\N: | rundll32.exe
File opened (read-only) | \??\Q: | rundll32.exe
File opened (read-only) | \??\S: | rundll32.exe
File opened (read-only) | \??\A: | rundll32.exe
File opened (read-only) | \??\B: | rundll32.exe
File opened (read-only) | \??\H: | rundll32.exe
File opened (read-only) | \??\P: | rundll32.exe
File opened (read-only) | \??\X: | rundll32.exe
File opened (read-only) | \??\Y: | rundll32.exe
File opened (read-only) | \??\G: | rundll32.exe
File opened (read-only) | \??\I: | rundll32.exe
File opened (read-only) | \??\J: | rundll32.exe
File opened (read-only) | \??\U: | rundll32.exe
File opened (read-only) | \??\Z: | rundll32.exe
File opened (read-only) | \??\O: | rundll32.exe
File opened (read-only) | \??\T: | rundll32.exe
File opened (read-only) | \??\V: | rundll32.exe
File opened (read-only) | \??\W: | rundll32.exe
Drops file in Program Files directory (37 IoCs)
description | ioc | Process
File opened for modification | \??\c:\program files\UnlockClear.wps | rundll32.exe
File opened for modification | \??\c:\program files\UnprotectExit.reg | rundll32.exe
File opened for modification | \??\c:\program files\GetEnable.mpp | rundll32.exe
File opened for modification | \??\c:\program files\CopyConfirm.mov | rundll32.exe
File opened for modification | \??\c:\program files\DisconnectRemove.xsl | rundll32.exe
File opened for modification | \??\c:\program files\FormatExpand.xps | rundll32.exe
File opened for modification | \??\c:\program files\ResetRevoke.asf | rundll32.exe
File opened for modification | \??\c:\program files\SubmitTest.mpg | rundll32.exe
File created | \??\c:\program files (x86)\microsoft sql server compact edition\vn00i-read-me.txt | rundll32.exe
File opened for modification | \??\c:\program files\CheckpointSubmit.docx | rundll32.exe
File opened for modification | \??\c:\program files\ResetUninstall.ttc | rundll32.exe
File opened for modification | \??\c:\program files\ResolveRequest.ods | rundll32.exe
File opened for modification | \??\c:\program files\StartDisconnect.7z | rundll32.exe
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vn00i-read-me.txt | rundll32.exe
File opened for modification | \??\c:\program files\AddInitialize.mpeg3 | rundll32.exe
File opened for modification | \??\c:\program files\CompleteCheckpoint.pptm | rundll32.exe
File opened for modification | \??\c:\program files\ConvertToNew.TS | rundll32.exe
File opened for modification | \??\c:\program files\GroupResume.js | rundll32.exe
File opened for modification | \??\c:\program files\NewBlock.xml | rundll32.exe
File opened for modification | \??\c:\program files\PopOut.vssm | rundll32.exe
File opened for modification | \??\c:\program files\RevokeDebug.rtf | rundll32.exe
File created | \??\c:\program files\vn00i-read-me.txt | rundll32.exe
File opened for modification | \??\c:\program files\InstallShow.htm | rundll32.exe
File opened for modification | \??\c:\program files\PingPush.svgz | rundll32.exe
File opened for modification | \??\c:\program files\RedoSplit.TTS | rundll32.exe
File opened for modification | \??\c:\program files\RequestPublish.gif | rundll32.exe
File opened for modification | \??\c:\program files\ResetDebug.ex_ | rundll32.exe
File opened for modification | \??\c:\program files\StepRestore.odt | rundll32.exe
File opened for modification | \??\c:\program files\UnlockBlock.easmx | rundll32.exe
File opened for modification | \??\c:\program files\EditSwitch.ttf | rundll32.exe
File opened for modification | \??\c:\program files\MountNew.mpg | rundll32.exe
File opened for modification | \??\c:\program files\RemoveInitialize.ppt | rundll32.exe
File opened for modification | \??\c:\program files\ClosePush.M2TS | rundll32.exe
File opened for modification | \??\c:\program files\ConvertEdit.jfif | rundll32.exe
File opened for modification | \??\c:\program files\ConvertToSync.pptm | rundll32.exe
File opened for modification | \??\c:\program files\InvokeUpdate.dotx | rundll32.exe
File created | \??\c:\program files (x86)\vn00i-read-me.txt | rundll32.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1100 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1100 | rundll32.exe
Token: SeTakeOwnershipPrivilege | 1100 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 956 wrote to memory of 1100 | 956 | rundll32.exe | 27
PID 956 wrote to memory of 1100 | 956 | rundll32.exe | 27
PID 956 wrote to memory of 1100 | 956 | rundll32.exe | 27
PID 956 wrote to memory of 1100 | 956 | rundll32.exe | 27
PID 956 wrote to memory of 1100 | 956 | rundll32.exe | 27
PID 956 wrote to memory of 1100 | 956 | rundll32.exe | 27
PID 956 wrote to memory of 1100 | 956 | rundll32.exe | 27
Processes

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
- Suspicious use of WriteProcessMemory
PID: 956

  C:\Windows\SysWOW64\rundll32.exe (child of PID 956)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1100