Malware Analysis Report

2025-01-18 19:05

Sample ID 220130-js4raahagl
Target 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf
SHA256 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf
Tags
$2a$10$stgq3c7xmfrwmwrfj7fsner.1eashczlo7dsn3nyev6liwdcopszq 5242 sodinokibi ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf

Threat Level: Known bad

The file 2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf was found to be: Known bad.

Malicious Activity Summary

$2a$10$stgq3c7xmfrwmwrfj7fsner.1eashczlo7dsn3nyev6liwdcopszq 5242 sodinokibi ransomware

Sodin,Sodinokibi,REvil

Sodinokibi family

Enumerates connected drives

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-30 07:56

Signatures

Sodinokibi family

sodinokibi

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-30 07:56

Reported

2022-01-30 13:09

Platform

win7-en-20211208

Max time kernel

120s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Enumerates connected drives

The 32-bit rundll32.exe opens the root of every drive letter except C: and D: (24 letters in all), the volume discovery a file encryptor performs before it starts writing.

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

The rows below show two distinct actions by the same process: existing files under c:\program files are opened for modification regardless of type, and a new file with one fixed name, vn00i-read-me.txt, is created in each of three separate directories. The repeated note file is the indicator to pivot on; the modified files are the evidence of encryption.

Description Indicator Process Target
File opened for modification \??\c:\program files\UnlockClear.wps C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\UnprotectExit.reg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\GetEnable.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\CopyConfirm.mov C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\DisconnectRemove.xsl C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\FormatExpand.xps C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ResetRevoke.asf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\SubmitTest.mpg C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\vn00i-read-me.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\CheckpointSubmit.docx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ResetUninstall.ttc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ResolveRequest.ods C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\StartDisconnect.7z C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vn00i-read-me.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\AddInitialize.mpeg3 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\CompleteCheckpoint.pptm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ConvertToNew.TS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\GroupResume.js C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\NewBlock.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\PopOut.vssm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\RevokeDebug.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files\vn00i-read-me.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\InstallShow.htm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\PingPush.svgz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\RedoSplit.TTS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\RequestPublish.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ResetDebug.ex_ C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\StepRestore.odt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\UnlockBlock.easmx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\EditSwitch.ttf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\MountNew.mpg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\RemoveInitialize.ppt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ClosePush.M2TS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ConvertEdit.jfif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ConvertToSync.pptm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\InvokeUpdate.dotx C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\vn00i-read-me.txt C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1

Network

N/A

Files

memory/1100-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-30 07:56

Reported

2022-01-30 13:10

Platform

win10-en-20211208

Max time kernel

122s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3488 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3488 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Note: the writer is the 64-bit rundll32.exe and the target is the 32-bit SysWOW64 copy it started with the same command line (see Processes below). A 64-bit rundll32.exe handed a 32-bit DLL relaunches itself from SysWOW64, and the writes into the child are part of that start-up rather than injection into an unrelated process; all file and drive activity in both runs is attributed to the 32-bit child.
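The signature tables in both behavioural runs, and the rundll32 command line used to detonate the sample, can be scored mechanically. The helper below is an added example for this page, not the sandbox vendor's code and not part of the original report: it parses rows in the same "Description Indicator Process Target" layout as the tables above and reports drive enumeration, the ransom-note fan-out, mass file modification, the privileges enabled on the token, the cross-process writes, and a DLL loaded by ordinal from a user-writable directory. The row formats, the thresholds, the DANGEROUS_PRIVS and USER_WRITABLE lists and the analyse() function are assumptions of this example; the sample rows are constructed from a subset of the tables above, so its counts are smaller than the full report's.

```python
"""Triage helper for sandbox behavioural reports in the row layout used above.

Added example for this page: it is neither the sandbox vendor's code nor part
of the original report. The row formats it parses, the thresholds and the
"suspicious loader" heuristic are assumptions modelled on the report; the
sample rows are constructed from a subset of its tables.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a subset of rows from the behavioral1/behavioral2 tables above.
SAMPLE_ROWS = r"""
File opened (read-only) \??\R: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\UnlockClear.wps C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\UnprotectExit.reg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\GetEnable.mpp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\CheckpointSubmit.docx C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\vn00i-read-me.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vn00i-read-me.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files\vn00i-read-me.txt C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
PID 3488 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
"""
# The command line the sandbox used to detonate the DLL (from the report).
SAMPLE_CMDLINE = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1"

# One pattern per row type; paths may contain spaces, the process path does not.
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Za-z]):\s+(\S+)")
MODIFY_RE = re.compile(r"^File opened for modification \\\?\?\\(.+?)\s+(\S+)\s+N/A$")
CREATE_RE = re.compile(r"^File created \\\?\?\\(.+?)\s+(\S+)\s+N/A$")
TOKEN_RE = re.compile(r"^Token: (Se\w+)\s+N/A\s+(\S+)")
WPM_RE = re.compile(r"^PID \d+ wrote to memory of \d+\s+N/A\s+(\S+)\s+(\S+)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),#(?P<ordinal>\d+)", re.I)

# Privileges an encryptor enables to reach files and processes it does not own (assumed list).
DANGEROUS_PRIVS = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}
# Path fragments that mark a user-writable staging location (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")


def analyse(rows, cmdline, *, drive_min=10, note_min=3, modify_min=20):
    """Return the ransomware-style signals found in the rows plus a count of how many fired."""
    drives = defaultdict(set)     # process -> drive letters it probed
    modified = defaultdict(set)   # process -> files it opened for modification
    created = defaultdict(set)    # file name -> directories it was created in
    privs = defaultdict(set)      # process -> privileges it enabled on its token
    writes = set()                # (writer, target) cross-process memory writes
    for line in filter(None, map(str.strip, rows.splitlines())):
        if m := DRIVE_RE.match(line):
            drives[m[2]].add(m[1].upper())
        elif m := MODIFY_RE.match(line):
            modified[m[2]].add(m[1])
        elif m := CREATE_RE.match(line):
            p = PureWindowsPath(m[1])
            created[p.name.lower()].add(str(p.parent).lower())
        elif m := TOKEN_RE.match(line):
            privs[m[2]].add(m[1])
        elif m := WPM_RE.match(line):
            writes.add((m[1], m[2]))

    findings = {
        # Walking A: to Z: is how the encryptor discovers volumes to encrypt.
        "drive_enumeration": {p: sorted(d) for p, d in drives.items() if len(d) >= drive_min},
        # One file name created in many directories is the ransom-note drop pattern.
        "ransom_note_fanout": {n: len(d) for n, d in created.items() if len(d) >= note_min},
        # Many files of many types opened for writing by one process is mass encryption.
        "mass_modification": {
            p: (len(f), sorted({PureWindowsPath(x).suffix.lower() for x in f}))
            for p, f in modified.items() if len(f) >= modify_min
        },
        "dangerous_privileges": {p: sorted(s & DANGEROUS_PRIVS) for p, s in privs.items() if s & DANGEROUS_PRIVS},
        # Also produced when a 64-bit rundll32 relaunches a 32-bit DLL under SysWOW64,
        # so treat this as supporting evidence, not proof of injection on its own.
        "cross_process_writes": sorted(writes),
    }
    loader = {}
    if (m := RUNDLL_RE.search(cmdline)) and any(t in m["dll"].lower() for t in USER_WRITABLE):
        loader = {"dll": m["dll"], "ordinal": int(m["ordinal"])}
    findings["suspicious_loader"] = loader
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


if __name__ == "__main__":
    # Lower thresholds because the constructed sample holds only a few rows per table.
    for key, value in analyse(SAMPLE_ROWS, SAMPLE_CMDLINE, drive_min=4, modify_min=4).items():
        print(f"{key}: {value}")
```

Run against a full report the default thresholds apply; with the 24 drive letters and dozens of modified files shown above every signal fires. The cross-process write is deliberately kept as a separate, weaker signal because the same parent-to-child pattern appears whenever the 64-bit rundll32.exe relaunches under SysWOW64.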

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp

Files

N/A