Analysis
- max time kernel: 144s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 23:48
Static task: static1
Behavioral task: behavioral1
- Sample: 0ca73ef4f3610b37b5418d8406d8f5187c187ae97f8967f1c6af3479b5eb0144.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 0ca73ef4f3610b37b5418d8406d8f5187c187ae97f8967f1c6af3479b5eb0144.dll
- Resource: win10v2004-20220414-en
General
- Target: 0ca73ef4f3610b37b5418d8406d8f5187c187ae97f8967f1c6af3479b5eb0144.dll
- Size: 161KB
- MD5: 31ad353de714f97cf9b68e95a2b9bdc9
- SHA1: a5d3e3fe680820f5cf13997836e4cc35f6a57fa0
- SHA256: 0ca73ef4f3610b37b5418d8406d8f5187c187ae97f8967f1c6af3479b5eb0144
- SHA512: 4d1050d8267cbfcc37de08ed2a47e704b4022c683f2a87dd7a53974ed96912b023b70286f6702c674cb8cdab1770ec347bcd3a063300b45b6f8ebaa0c157bfbb
Malware Config
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
description: File opened (read-only)
process: rundll32.exe
ioc (24 drive roots, in the order reported): \??\A:, \??\E:, \??\F:, \??\K:, \??\L:, \??\R:, \??\V:, \??\Y:, \??\G:, \??\H:, \??\I:, \??\O:, \??\Q:, \??\S:, \??\T:, \??\J:, \??\P:, \??\U:, \??\X:, \??\Z:, \??\B:, \??\M:, \??\N:, \??\W:
Every drive letter except C: and D: was probed, i.e. the sample sweeps all possible volumes rather than checking which ones are mounted.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
pid  | process
3984 | rundll32.exe
3984 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description                      | pid  | process      | target pid | target process
PID 4020 wrote to memory of 3984 | 4020 | rundll32.exe | 3984       | rundll32.exe
PID 4020 wrote to memory of 3984 | 4020 | rundll32.exe | 3984       | rundll32.exe
PID 4020 wrote to memory of 3984 | 4020 | rundll32.exe | 3984       | rundll32.exe
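The two behavioural signatures above can be re-derived from the report's own IoC rows, which is useful when you want the same logic to run over rows exported from many reports rather than read one page at a time. The following is an added example, not code from this report or from the sandbox vendor: it parses rows in the flattened shape shown above (the sample rows are constructed here from the page's 24 drive letters and its three WriteProcessMemory entries, PIDs 4020 and 3984 being the report's), and applies two rules whose names and five-drive threshold are this example's own assumptions.

```python
"""Re-derive this report's two behavioural signatures from its IoC rows.

Added example for this page; it is not the sandbox's own code. Row shapes
follow the flattened rows shown above. PIDs 4020 and 3984 are the
report's; the rule names and the five-drive threshold are assumptions.
"""
import re
from collections import defaultdict

# Drive letters in the order the report lists them: 24 roots, no C: or D:.
REPORT_DRIVES = "A E F K L R V Y G H I O Q S T J P U X Z B M N W".split()

# Constructed rows in the report's shape "<description> <ioc> <process>" and
# "<description> <pid> <process> <target pid> <target process>".
SAMPLE_ROWS = [f"File opened (read-only) \\??\\{d}: rundll32.exe" for d in REPORT_DRIVES]
SAMPLE_ROWS += ["PID 4020 wrote to memory of 3984 4020 rundll32.exe 3984 rundll32.exe"] * 3

DRIVE_RE = re.compile(r"^File opened \((?P<mode>[\w-]+)\) \\\?\?\\(?P<drive>[A-Z]):\s+(?P<proc>\S+)$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+"
                    r"(?P=src) (?P<src_img>\S+)\s+(?P=dst) (?P<dst_img>\S+)$")


def parse_rows(rows):
    """Return ({process: set(drive letters)}, [(src_pid, src_img, dst_pid, dst_img)])."""
    drive_opens = defaultdict(set)
    mem_writes = []
    for row in rows:
        if m := DRIVE_RE.match(row.strip()):
            drive_opens[m["proc"]].add(m["drive"])
        elif m := WPM_RE.match(row.strip()):
            mem_writes.append((int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]))
    return drive_opens, mem_writes


def detect(rows, min_drives=5):
    """Apply two rules; returns a list of finding strings (empty if nothing fired)."""
    drive_opens, mem_writes = parse_rows(rows)
    findings = []
    # Rule 1 (assumed threshold): one process probing many drive roots in a
    # single run is a volume sweep, not normal DLL hosting by rundll32.
    for proc, drives in sorted(drive_opens.items()):
        if len(drives) >= min_drives:
            missing = sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - drives)
            findings.append(f"{proc} opened {len(drives)} drive roots; untouched: {''.join(missing)}")
    # Rule 2: one rundll32.exe instance writing into another's memory.
    for src, src_img, dst, dst_img in sorted(set(mem_writes)):
        if src_img.lower() == dst_img.lower() == "rundll32.exe" and src != dst:
            findings.append(f"rundll32.exe PID {src} wrote into rundll32.exe PID {dst} memory")
    return findings


if __name__ == "__main__":
    for line in detect(SAMPLE_ROWS):
        print(line)
```

Weight the two rules differently. The drive sweep is the strong signal: a DLL hosted by rundll32 has no ordinary reason to open 24 volume roots in one run. A handful of writes from a parent into a child it has just created is also the footprint of normal process start-up, so on its own rule 2 is weak evidence and should be corroborated by what the target process then does; here the target, PID 3984, is the process that performs the drive sweep, and it is also the one whose memory was dumped.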
Processes
- C:\Windows\system32\rundll32.exe (tree depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ca73ef4f3610b37b5418d8406d8f5187c187ae97f8967f1c6af3479b5eb0144.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child, tree depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ca73ef4f3610b37b5418d8406d8f5187c187ae97f8967f1c6af3479b5eb0144.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/3984-130-0x0000000000000000-mapping.dmp