Malware Analysis Report

2025-01-18 20:26

Sample ID 220130-jxmcsshgg3
Target 11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33
SHA256 11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33
Tags
$2a$10$vkx4eeiefubdw5x8qvhhzo6stbausdhisk8euoylawzrwsyf9xblw 5246 sodinokibi ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33

Threat Level: Known bad

The file 11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33 was found to be: Known bad.

Malicious Activity Summary

$2a$10$vkx4eeiefubdw5x8qvhhzo6stbausdhisk8euoylawzrwsyf9xblw 5246 sodinokibi ransomware

Sodinokibi family

Sodin,Sodinokibi,REvil

Enumerates connected drives

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-30 08:02

Signatures

Sodinokibi family

sodinokibi

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-30 08:02

Reported

2022-01-30 13:32

Platform

win7-en-20211208

Max time kernel

118s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\FindReset.3g2 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ImportLimit.xlsb C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\RestoreSubmit.ADTS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\SplitCopy.vssm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\SuspendCompress.mhtml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\UninstallUnprotect.xltm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\DisableDeny.html C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ExitMove.vbe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\NewOut.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\PushFind.sql C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\SelectLock.inf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\SkipTest.ppsm C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\WatchGrant.xlsb C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\z3i0gd73a-readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\DisconnectStop.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\InitializeInvoke.vdx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ResumePublish.aifc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ShowWrite.ods C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\UnpublishInitialize.xlt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\WaitUninstall.xml C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\z3i0gd73a-readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files\z3i0gd73a-readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\FormatOut.aiff C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\z3i0gd73a-readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ConvertFromStop.mp2 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\OpenRepair.emf C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 1100 (7 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/1100-55-0x0000000075421000-0x0000000075423000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-30 08:02

Reported

2022-01-30 13:33

Platform

win10-en-20211208

Max time kernel

128s

Max time network

216s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 772 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

Network

Files

N/A
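The following triage script is an added example by the editor, not part of the sandbox report or of the sandbox's own tooling. It parses rows in the flattened "Description Indicator Process Target" layout used by the behavioral1 and behavioral2 tables above and reduces them to the indicators an analyst would pull from this page: the drive-root sweep, the ransom-note filename (z3i0gd73a-readme.txt) fanned out across directories, the extensions of files opened for modification, the privileges each process adjusted, and the WriteProcessMemory rows. The sample rows are copied verbatim from behavioral1. The drive-count threshold, the verdict wording, and the treatment of a system32\rundll32.exe to SysWOW64\rundll32.exe write as the 64-bit loader relaunching the 32-bit copy for a 32-bit DLL (rather than injection into a third process) are the editor's assumptions. The vssvc.exe privilege rows only show that the Volume Shadow Copy service ran during detonation; the report records no shadow-copy deletion command, so the script reports VSS activity, not deletion.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied verbatim from the behavioral1 tables above, in the
# report's flattened "<description> <indicator> <process> <target>" layout.
SAMPLE_ROWS = r"""
File opened (read-only) \??\V: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\FindReset.3g2 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\program files\ImportLimit.xlsb C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\z3i0gd73a-readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\z3i0gd73a-readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created \??\c:\program files\z3i0gd73a-readme.txt C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
PID 1848 wrote to memory of 1100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1848 wrote to memory of 1100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
"""

# The indicator column can contain spaces ("program files"), so the process column is
# located by its "<letter>:\...exe" shape rather than by splitting on whitespace.
FILE_RE = re.compile(r"^File (?P<op>opened \(read-only\)|opened for modification|created) "
                     r"(?P<path>\\\?\?\\.+?) (?P<proc>[A-Za-z]:\\\S+\.exe) (?P<target>\S+)$")
DRIVE_RE = re.compile(r"^\\\?\?\\(?P<letter>[A-Za-z]):$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>Se\w+) N/A (?P<proc>\S+) N/A$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<proc>\S+) (?P<target>\S+)$")


def parse_rows(rows):
    """Yield (kind, fields) for each row that matches one of the signature layouts above."""
    for line in rows.strip().splitlines():
        for kind, rx in (("file", FILE_RE), ("token", TOKEN_RE), ("wpm", WPM_RE)):
            m = rx.match(line.strip())
            if m:
                yield kind, m.groupdict()
                break


def triage(rows, drive_threshold=8):
    """Reduce sandbox signature rows to the indicators an analyst would pull from them."""
    drives, created, privs = defaultdict(set), defaultdict(set), defaultdict(set)
    modified_ext, writes = Counter(), Counter()
    for kind, f in parse_rows(rows):
        if kind == "file":
            d = DRIVE_RE.match(f["path"])
            if d:                                   # probe of a bare drive root
                drives[f["proc"]].add(d["letter"].upper())
            elif f["op"] == "created":              # same name dropped into many directories
                directory, _, name = f["path"].rpartition("\\")
                created[name.lower()].add(directory.lower())
            else:                                   # opened for modification
                modified_ext[f["path"].rpartition(".")[2].lower()] += 1
        elif kind == "token":
            privs[f["proc"]].add(f["priv"])
        else:
            writes[(f["proc"], f["target"], int(f["src"]), int(f["dst"]))] += 1

    sweeps = {p: sorted(s) for p, s in drives.items() if len(s) >= drive_threshold}
    ransom_notes = {n: sorted(d) for n, d in created.items() if len(d) >= 2}
    handoffs, injections = [], []
    for (src, dst, spid, dpid), n in writes.items():
        entry = {"from": src, "to": dst, "pids": (spid, dpid), "count": n}
        # Assumption: 64-bit rundll32 loading a 32-bit DLL relaunches the SysWOW64 copy and
        # writes into that child; treat that pair as a bitness hand-off, not injection.
        if (src.lower().endswith(r"\system32\rundll32.exe")
                and dst.lower().endswith(r"\syswow64\rundll32.exe")):
            handoffs.append(entry)
        else:
            injections.append(entry)
    return {
        "drive_sweeps": sweeps,
        "ransom_notes": ransom_notes,
        "modified_extensions": dict(modified_ext),
        "privileges": {p: sorted(s) for p, s in privs.items()},
        "wow64_handoffs": handoffs,
        "cross_process_writes": injections,
        # vssvc.exe adjusting backup/restore privileges shows the VSS service ran;
        # these rows alone do not prove shadow copies were deleted.
        "vss_service_active": any(p.lower().endswith(r"\vssvc.exe") for p in privs),
        "verdict": "likely ransomware" if sweeps and ransom_notes else "inconclusive",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Run against the full row set from either behavioral section, the drive sweep count rises to 24 (every letter except C and D) and the ransom note shows up in every directory listed under "Drops file in Program Files directory"; the cross_process_writes list stays empty because the only WriteProcessMemory rows on this page are between the two rundll32 instances.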