Analysis
max time kernel: 98s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 04-06-2022 18:15
Static task: static1
Behavioral task: behavioral1
  Sample: 0ea3ec3dd5176d2b82514bc7a54547ed1652cc7df069130d55b4f4edd1fd08ef.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 0ea3ec3dd5176d2b82514bc7a54547ed1652cc7df069130d55b4f4edd1fd08ef.dll
  Resource: win10v2004-20220414-en
General
Target: 0ea3ec3dd5176d2b82514bc7a54547ed1652cc7df069130d55b4f4edd1fd08ef.dll
Size: 158KB
MD5: b2959275b12e672da9e2a5b0fd807028
SHA1: 12394ae5f1c4118101928efc2ad6e3aa69d4be06
SHA256: 0ea3ec3dd5176d2b82514bc7a54547ed1652cc7df069130d55b4f4edd1fd08ef
SHA512: 65cf4f49863661dd3b468ffa08b3888f77eb4c1f4609277d3876adff8a92151ca0aaf00fad5bf9b69f00bd16aaa309d9a05c0789e169596521680fcb5abe1995
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
    description                ioc      process
    File opened (read-only)    \??\K:   rundll32.exe
    File opened (read-only)    \??\M:   rundll32.exe
    File opened (read-only)    \??\O:   rundll32.exe
    File opened (read-only)    \??\Q:   rundll32.exe
    File opened (read-only)    \??\Y:   rundll32.exe
    File opened (read-only)    \??\Z:   rundll32.exe
    File opened (read-only)    \??\A:   rundll32.exe
    File opened (read-only)    \??\E:   rundll32.exe
    File opened (read-only)    \??\I:   rundll32.exe
    File opened (read-only)    \??\J:   rundll32.exe
    File opened (read-only)    \??\V:   rundll32.exe
    File opened (read-only)    \??\W:   rundll32.exe
    File opened (read-only)    \??\G:   rundll32.exe
    File opened (read-only)    \??\H:   rundll32.exe
    File opened (read-only)    \??\N:   rundll32.exe
    File opened (read-only)    \??\R:   rundll32.exe
    File opened (read-only)    \??\S:   rundll32.exe
    File opened (read-only)    \??\T:   rundll32.exe
    File opened (read-only)    \??\X:   rundll32.exe
    File opened (read-only)    \??\B:   rundll32.exe
    File opened (read-only)    \??\F:   rundll32.exe
    File opened (read-only)    \??\L:   rundll32.exe
    File opened (read-only)    \??\P:   rundll32.exe
    File opened (read-only)    \??\U:   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid    process
    1200   rundll32.exe
    1200   rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description                        pid    process        target process
    PID 4116 wrote to memory of 1200   4116   rundll32.exe   rundll32.exe
    PID 4116 wrote to memory of 1200   4116   rundll32.exe   rundll32.exe
    PID 4116 wrote to memory of 1200   4116   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ea3ec3dd5176d2b82514bc7a54547ed1652cc7df069130d55b4f4edd1fd08ef.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ea3ec3dd5176d2b82514bc7a54547ed1652cc7df069130d55b4f4edd1fd08ef.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
memory/1200-130-0x0000000000000000-mapping.dmp