Malware Analysis Report

2025-01-18 19:24

Sample ID: 220130-jse3xshafk
Target: 292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f
SHA256: 292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f
Tags: 16 1328 sodinokibi
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f

Threat Level: Known bad

The file 292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f was found to be: Known bad.

Malicious Activity Summary

Sodinokibi family

Sodinokibi/Revil sample

Suspicious use of NtCreateProcessExOtherParentProcess

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-01-30 07:55

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-30 07:55
Reported: 2022-01-30 13:08
Platform: win7-en-20211208
Max time kernel: 118s
Max time network: 118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1916 wrote to memory of 1128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
(this identical event is reported 7 times in the original log)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f.dll,#1

Network

N/A

Files

memory/1128-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

memory/1128-56-0x0000000002C9A000-0x0000000002CB1000-memory.dmp

memory/1128-58-0x0000000000320000-0x000000000033F000-memory.dmp

memory/1128-59-0x0000000003530000-0x0000000003639000-memory.dmp

memory/1128-60-0x00000000001B0000-0x00000000001BA000-memory.dmp

memory/1128-61-0x0000000000270000-0x0000000000276000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-01-30 07:55
Reported: 2022-01-30 13:09
Platform: win10-en-20211208
Max time kernel: 118s
Max time network: 146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f.dll,#1

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess

Description | Indicator | Process | Target
PID 2484 created 788 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1904 wrote to memory of 788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
(this identical event is reported 3 times in the original log)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\292a1fa19c845a2639eb4b62401d17950c99fb31d7916f83a8ab24c974489e4f.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 752

Network

Files

memory/788-115-0x0000000000680000-0x00000000006A3000-memory.dmp

memory/788-116-0x0000000000680000-0x00000000006A3000-memory.dmp

memory/788-117-0x0000000000EB0000-0x0000000000ED3000-memory.dmp