Analysis Overview
SHA256
c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a
Threat Level: Known bad
The file c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a was found to be: Known bad.
Malicious Activity Summary
Sodinokibi/Revil sample
Suspicious use of NtCreateProcessExOtherParentProcess
Sodinokibi family
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-01-24 01:07
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-24 01:07
Reported
2022-01-24 01:23
Platform
win7-en-20211208
Max time kernel
119s
Max time network
144s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1212 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-24 01:07
Reported
2022-01-24 01:23
Platform
win10-en-20211208
Max time kernel
171s
Max time network
181s
Command Line
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2252 created 920 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 800 wrote to memory of 920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 800 wrote to memory of 920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 800 wrote to memory of 920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 792
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | oneocsp.microsoft.com | udp |
| US | 204.79.197.203:80 | oneocsp.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 104.123.41.162:80 | www.microsoft.com | tcp |
Files