Analysis
- max time kernel: 61s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2022 21:15
Behavioral task: behavioral1
- Sample: 8db51157db6c7a55c9ea007a093cb626cfc7e5538d53b8c7dafd0cb8dc50dff5.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 8db51157db6c7a55c9ea007a093cb626cfc7e5538d53b8c7dafd0cb8dc50dff5.dll
- Resource: win10v2004-20220721-en
General
- Target: 8db51157db6c7a55c9ea007a093cb626cfc7e5538d53b8c7dafd0cb8dc50dff5.dll
- Size: 164KB
- MD5: efc1be291659662c42f4b2b932001ed7
- SHA1: 71aa4fe042965fe89a49ddfc5105a4a68614b480
- SHA256: 8db51157db6c7a55c9ea007a093cb626cfc7e5538d53b8c7dafd0cb8dc50dff5
- SHA512: 65978609dc50e4b1579312fde2d3475dd7caffff063630f2a96816b9c8b63778dd2b22d02e0571beab3104d0b8ffb2d2eac4cc5f4d1feaf619b2fad802a6b924
Malware Config
- Extracted: C:\9kzbjbb-readme.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/59E06C75D8AFA031
- http://decryptor.top/59E06C75D8AFA031
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe

  | description | ioc | process |
  | --- | --- | --- |
  | File opened (read-only) | \??\E: | rundll32.exe |
  | File opened (read-only) | \??\P: | rundll32.exe |
  | File opened (read-only) | \??\U: | rundll32.exe |
  | File opened (read-only) | \??\W: | rundll32.exe |
  | File opened (read-only) | \??\B: | rundll32.exe |
  | File opened (read-only) | \??\L: | rundll32.exe |
  | File opened (read-only) | \??\Y: | rundll32.exe |
  | File opened (read-only) | \??\A: | rundll32.exe |
  | File opened (read-only) | \??\F: | rundll32.exe |
  | File opened (read-only) | \??\H: | rundll32.exe |
  | File opened (read-only) | \??\M: | rundll32.exe |
  | File opened (read-only) | \??\O: | rundll32.exe |
  | File opened (read-only) | \??\Q: | rundll32.exe |
  | File opened (read-only) | \??\S: | rundll32.exe |
  | File opened (read-only) | \??\V: | rundll32.exe |
  | File opened (read-only) | \??\Z: | rundll32.exe |
  | File opened (read-only) | \??\G: | rundll32.exe |
  | File opened (read-only) | \??\I: | rundll32.exe |
  | File opened (read-only) | \??\J: | rundll32.exe |
  | File opened (read-only) | \??\K: | rundll32.exe |
  | File opened (read-only) | \??\N: | rundll32.exe |
  | File opened (read-only) | \??\R: | rundll32.exe |
  | File opened (read-only) | \??\T: | rundll32.exe |
  | File opened (read-only) | \??\X: | rundll32.exe |
- Drops file in Program Files directory (40 IoCs)
  Processes: rundll32.exe

  | description | ioc | process |
  | --- | --- | --- |
  | File created | \??\c:\program files (x86)\9kzbjbb-readme.txt | rundll32.exe |
  | File opened for modification | \??\c:\program files\CheckpointDisable.midi | rundll32.exe |
  | File opened for modification | \??\c:\program files\DisconnectSwitch.3g2 | rundll32.exe |
  | File created | \??\c:\program files\9kzbjbb-readme.txt | rundll32.exe |
  | File opened for modification | \??\c:\program files\PingSelect.mht | rundll32.exe |
  | File opened for modification | \??\c:\program files\RegisterPush.docm | rundll32.exe |
  | File opened for modification | \??\c:\program files\RemoveConfirm.dwg | rundll32.exe |
  | File opened for modification | \??\c:\program files\FormatSkip.rtf | rundll32.exe |
  | File opened for modification | \??\c:\program files\ImportEdit.vssm | rundll32.exe |
  | File opened for modification | \??\c:\program files\LimitProtect.m3u | rundll32.exe |
  | File opened for modification | \??\c:\program files\UnregisterExpand.easmx | rundll32.exe |
  | File opened for modification | \??\c:\program files\AddInstall.wvx | rundll32.exe |
  | File opened for modification | \??\c:\program files\ApproveBackup.ini | rundll32.exe |
  | File opened for modification | \??\c:\program files\NewGrant.htm | rundll32.exe |
  | File opened for modification | \??\c:\program files\SyncSend.TS | rundll32.exe |
  | File opened for modification | \??\c:\program files\JoinHide.css | rundll32.exe |
  | File opened for modification | \??\c:\program files\LockCompress.aiff | rundll32.exe |
  | File opened for modification | \??\c:\program files\PopDisconnect.mov | rundll32.exe |
  | File opened for modification | \??\c:\program files\RestoreEnable.M2V | rundll32.exe |
  | File opened for modification | \??\c:\program files\SetDismount.ini | rundll32.exe |
  | File opened for modification | \??\c:\program files\UseRename.vstx | rundll32.exe |
  | File opened for modification | \??\c:\program files\GetFormat.crw | rundll32.exe |
  | File opened for modification | \??\c:\program files\InstallNew.easmx | rundll32.exe |
  | File opened for modification | \??\c:\program files\PushSync.js | rundll32.exe |
  | File opened for modification | \??\c:\program files\ResetMerge.mhtml | rundll32.exe |
  | File opened for modification | \??\c:\program files\SelectBackup.M2V | rundll32.exe |
  | File opened for modification | \??\c:\program files\SubmitCompare.raw | rundll32.exe |
  | File opened for modification | \??\c:\program files\TraceShow.aifc | rundll32.exe |
  | File opened for modification | \??\c:\program files\WaitMount.emf | rundll32.exe |
  | File opened for modification | \??\c:\program files\UninstallConvertFrom.DVR-MS | rundll32.exe |
  | File opened for modification | \??\c:\program files\ConfirmExport.odt | rundll32.exe |
  | File opened for modification | \??\c:\program files\ConfirmMount.DVR | rundll32.exe |
  | File opened for modification | \??\c:\program files\ConvertNew.htm | rundll32.exe |
  | File opened for modification | \??\c:\program files\ExportImport.vsx | rundll32.exe |
  | File opened for modification | \??\c:\program files\MeasureDisable.au | rundll32.exe |
  | File opened for modification | \??\c:\program files\MountPublish.wpl | rundll32.exe |
  | File opened for modification | \??\c:\program files\PublishClose.mhtml | rundll32.exe |
  | File opened for modification | \??\c:\program files\UnlockWatch.xsl | rundll32.exe |
  | File opened for modification | \??\c:\program files\UnpublishBackup.xltm | rundll32.exe |
  | File opened for modification | \??\c:\program files\UnregisterStart.rm | rundll32.exe |
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, powershell.exe

  | pid | process |
  | --- | --- |
  | 4452 | rundll32.exe |
  | 4452 | rundll32.exe |
  | 944 | powershell.exe |
  | 944 | powershell.exe |
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, vssvc.exe

  | description | pid | process |
  | --- | --- | --- |
  | Token: SeDebugPrivilege | 944 | powershell.exe |
  | Token: SeBackupPrivilege | 2176 | vssvc.exe |
  | Token: SeRestorePrivilege | 2176 | vssvc.exe |
  | Token: SeAuditPrivilege | 2176 | vssvc.exe |
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe

  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 4428 wrote to memory of 4452 | 4428 | rundll32.exe | rundll32.exe |
  | PID 4428 wrote to memory of 4452 | 4428 | rundll32.exe | rundll32.exe |
  | PID 4428 wrote to memory of 4452 | 4428 | rundll32.exe | rundll32.exe |
  | PID 4452 wrote to memory of 944 | 4452 | rundll32.exe | powershell.exe |
  | PID 4452 wrote to memory of 944 | 4452 | rundll32.exe | powershell.exe |
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8db51157db6c7a55c9ea007a093cb626cfc7e5538d53b8c7dafd0cb8dc50dff5.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8db51157db6c7a55c9ea007a093cb626cfc7e5538d53b8c7dafd0cb8dc50dff5.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64 of a UTF-16LE string; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}. This shadow-copy deletion is what triggers the vssvc.exe activity below and is a useful detection point for defenders.)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/944-131-0x0000000000000000-mapping.dmp
- memory/944-132-0x000002315EE10000-0x000002315EE32000-memory.dmp (Filesize: 136KB)
- memory/944-133-0x00007FFBFF300000-0x00007FFBFFDC1000-memory.dmp (Filesize: 10.8MB)
- memory/944-134-0x00007FFBFF300000-0x00007FFBFFDC1000-memory.dmp (Filesize: 10.8MB)
- memory/4452-130-0x0000000000000000-mapping.dmp