Analysis
-
max time kernel
90s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27-09-2024 13:51
Behavioral task
behavioral1
Sample
c35f35a9e54f35375bc2f72842d038c4121a5cc6314ac7cbabca6a8dc463cfcd.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c35f35a9e54f35375bc2f72842d038c4121a5cc6314ac7cbabca6a8dc463cfcd.dll
Resource
win10v2004-20240802-en
General
-
Target
c35f35a9e54f35375bc2f72842d038c4121a5cc6314ac7cbabca6a8dc463cfcd.dll
-
Size
164KB
-
MD5
81d10b00af8c31044ea7aa32e4958625
-
SHA1
2ae88e4d130eb6e57f6b03a8264f11d1a6fdfdcf
-
SHA256
c35f35a9e54f35375bc2f72842d038c4121a5cc6314ac7cbabca6a8dc463cfcd
-
SHA512
aabd830b5a342cbb67fbc76afe9d87acf1088b0309d4350b7bc28ba7d214f2cc667a790cba9e6fd283773180daab37e0d42ef4bacccb4ad1a493fa7675f8bb3e
-
SSDEEP
3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfDPGPWuUgR:veoUeZR2TRCWQFfDGMg
Malware Config
Extracted
C:\Users\82rrs-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/633CE5B8AB4B7FC2
http://decryptor.cc/633CE5B8AB4B7FC2
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\D: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\G: rundll32.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File opened for modification \??\c:\program files\ClearUninstall.m4a rundll32.exe File opened for modification \??\c:\program files\GetLock.mov rundll32.exe File opened for modification \??\c:\program files\LockLimit.vsx rundll32.exe File opened for modification \??\c:\program files\SaveTest.vsdm rundll32.exe File opened for modification \??\c:\program files\WriteGroup.mht rundll32.exe File created \??\c:\program files\82rrs-readme.txt rundll32.exe File created \??\c:\program files (x86)\82rrs-readme.txt rundll32.exe File opened for modification \??\c:\program files\ClearPing.odp rundll32.exe File opened for modification \??\c:\program files\DisconnectUse.pps rundll32.exe File opened for modification \??\c:\program files\EnableRename.vsw rundll32.exe File opened for modification \??\c:\program files\InitializeCheckpoint.potm rundll32.exe File opened for modification \??\c:\program files\ResizeDisable.pcx rundll32.exe File opened for modification \??\c:\program files\UndoSend.rle rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3592 rundll32.exe 3592 rundll32.exe 3276 powershell.exe 3276 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3592 rundll32.exe Token: SeDebugPrivilege 3276 powershell.exe Token: SeBackupPrivilege 716 vssvc.exe Token: SeRestorePrivilege 716 vssvc.exe Token: SeAuditPrivilege 716 vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3192 wrote to memory of 3592 3192 rundll32.exe 84 PID 3192 wrote to memory of 3592 3192 rundll32.exe 84 PID 3192 wrote to memory of 3592 3192 rundll32.exe 84 PID 3592 wrote to memory of 3276 3592 rundll32.exe 85 PID 3592 wrote to memory of 3276 3592 rundll32.exe 85 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c35f35a9e54f35375bc2f72842d038c4121a5cc6314ac7cbabca6a8dc463cfcd.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c35f35a9e54f35375bc2f72842d038c4121a5cc6314ac7cbabca6a8dc463cfcd.dll,#12⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:4900
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:716
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5a3afc927c3c8aad451f4d1516c5a27fd
SHA117ba6af26f14f5c5cb0eb426b6a25a6ddea6ed9d
SHA2562b2588985390bde219aa097914b1e90493613cbfbf86ab79b5ef63ec930a5543
SHA5124e1fd5bdcb990ecb3e7e1f05d65598adefb2d377687d7fd751fdb0ec13bb9b07de8bc02e566ba7fd81de3b73f2777895b92abb881e3a215d63a1ed2419348401
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82