Analysis Overview
SHA256
2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf
Threat Level: Known bad
The file 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf was found to be: Known bad.
Malicious Activity Summary
Sodin,Sodinokibi,REvil
Sodinokibi family
Enumerates connected drives
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-30 07:56
Signatures
Sodinokibi family
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-30 07:56
Reported
2022-01-30 13:09
Platform
win7-en-20211208
Max time kernel
120s
Max time network
135s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\program files\UnlockClear.wps | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\UnprotectExit.reg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\GetEnable.mpp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\CopyConfirm.mov | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\DisconnectRemove.xsl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\FormatExpand.xps | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ResetRevoke.asf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\SubmitTest.mpg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\vn00i-read-me.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\CheckpointSubmit.docx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ResetUninstall.ttc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ResolveRequest.ods | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\StartDisconnect.7z | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vn00i-read-me.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\AddInitialize.mpeg3 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\CompleteCheckpoint.pptm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ConvertToNew.TS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\GroupResume.js | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\NewBlock.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\PopOut.vssm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\RevokeDebug.rtf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\program files\vn00i-read-me.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\InstallShow.htm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\PingPush.svgz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\RedoSplit.TTS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\RequestPublish.gif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ResetDebug.ex_ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\StepRestore.odt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\UnlockBlock.easmx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\EditSwitch.ttf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\MountNew.mpg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\RemoveInitialize.ppt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ClosePush.M2TS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ConvertEdit.jfif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ConvertToSync.pptm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\InvokeUpdate.dotx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\program files (x86)\vn00i-read-me.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 956 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 956 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 956 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 956 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 956 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 956 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 956 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
Network
Files
memory/1100-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-30 07:56
Reported
2022-01-30 13:10
Platform
win10-en-20211208
Max time kernel
122s
Max time network
155s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3488 wrote to memory of 3548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3488 wrote to memory of 3548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3488 wrote to memory of 3548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp |