Analysis
- max time kernel: 91s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 06:42
Static task: static1
Behavioral task: behavioral1
- Sample: 7d1af94061f9bbea1b811992c5c44ca26449586e6587b077e8e05b8888a9a597.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 7d1af94061f9bbea1b811992c5c44ca26449586e6587b077e8e05b8888a9a597.dll
- Resource: win10v2004-20220414-en
General
- Target: 7d1af94061f9bbea1b811992c5c44ca26449586e6587b077e8e05b8888a9a597.dll
- Size: 158KB
- MD5: d9e4ac2ba2f449fefb08a056f4a86577
- SHA1: c9d64052ad833489448964c491b95f4a8a045354
- SHA256: 7d1af94061f9bbea1b811992c5c44ca26449586e6587b077e8e05b8888a9a597
- SHA512: 160b6709e93d644b1e8684584aec3c083cce90a7ab0fb0932eaf1e5d9afbec195570f2a7feaba333299715c0d66871354ccceed1263b39f737c6026c33d30bb8
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  File opened (read-only) by rundll32.exe, one IoC per drive root:
  \??\O:, \??\T:, \??\U:, \??\V:, \??\Y:, \??\L:, \??\M:, \??\N:, \??\G:, \??\P:, \??\Q:, \??\R:, \??\W:, \??\B:, \??\E:, \??\F:, \??\Z:, \??\A:, \??\J:, \??\S:, \??\X:, \??\H:, \??\I:, \??\K:
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid 3208, process rundll32.exe
  pid 3208, process rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  PID 2520 wrote to memory of 3208 (pid 2520, process rundll32.exe, target process rundll32.exe)
  PID 2520 wrote to memory of 3208 (pid 2520, process rundll32.exe, target process rundll32.exe)
  PID 2520 wrote to memory of 3208 (pid 2520, process rundll32.exe, target process rundll32.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d1af94061f9bbea1b811992c5c44ca26449586e6587b077e8e05b8888a9a597.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d1af94061f9bbea1b811992c5c44ca26449586e6587b077e8e05b8888a9a597.dll,#1
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3208-130-0x0000000000000000-mapping.dmp