Malware Analysis Report

2025-01-18 20:08

Sample ID 220124-bgnxpahcc8
Target c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a
SHA256 c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a
Tags
41 1384 sodinokibi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a

Threat Level: Known bad

The file c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a was found to be: Known bad.

Malicious Activity Summary

41 1384 sodinokibi

Sodinokibi/Revil sample

Suspicious use of NtCreateProcessExOtherParentProcess

Sodinokibi family

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:07

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:07

Reported

2022-01-24 01:23

Platform

win7-en-20211208

Max time kernel

119s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1

Network

N/A

Files

memory/652-54-0x0000000076001000-0x0000000076003000-memory.dmp

memory/652-56-0x00000000001F0000-0x00000000001FA000-memory.dmp

memory/652-57-0x0000000000200000-0x0000000000201000-memory.dmp

memory/652-58-0x0000000000250000-0x0000000000251000-memory.dmp

memory/652-59-0x0000000000260000-0x0000000000261000-memory.dmp

memory/652-55-0x0000000002110000-0x00000000021D9000-memory.dmp

memory/652-60-0x0000000000CDA000-0x0000000000CF1000-memory.dmp

memory/652-61-0x00000000023D0000-0x00000000024FD000-memory.dmp

memory/652-62-0x0000000000710000-0x000000000072F000-memory.dmp

memory/652-64-0x00000000002B0000-0x00000000002B6000-memory.dmp

memory/652-63-0x0000000003130000-0x0000000003239000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:07

Reported

2022-01-24 01:23

Platform

win10-en-20211208

Max time kernel

171s

Max time network

181s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 2252 created 920 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 800 wrote to memory of 920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 800 wrote to memory of 920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 800 wrote to memory of 920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c53fa5f8345c7e15220f445f5babe995d7f49d8319fe99c5ebca4dc0b6d3c03a.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 792

Network

Country Destination Domain Proto
US 8.8.8.8:53 oneocsp.microsoft.com udp
US 204.79.197.203:80 oneocsp.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.123.41.162:80 www.microsoft.com tcp

Files

memory/920-118-0x0000000003350000-0x000000000335A000-memory.dmp

memory/920-119-0x0000000004DE0000-0x0000000004E03000-memory.dmp

memory/920-120-0x0000000004DE0000-0x0000000004E03000-memory.dmp

memory/920-121-0x0000000004F90000-0x0000000004F91000-memory.dmp

memory/920-122-0x0000000004FA0000-0x0000000004FA6000-memory.dmp