Analysis Overview
SHA256
11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33
Threat Level: Known bad
The file 11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33 was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodin,Sodinokibi,REvil
Enumerates connected drives
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-30 08:02
Signatures
Sodinokibi family
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-30 08:02
Reported
2022-01-30 13:32
Platform
win7-en-20211208
Max time kernel
118s
Max time network
141s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\program files\FindReset.3g2 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ImportLimit.xlsb | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\RestoreSubmit.ADTS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\SplitCopy.vssm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\SuspendCompress.mhtml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\UninstallUnprotect.xltm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\DisableDeny.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ExitMove.vbe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\NewOut.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\PushFind.sql | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\SelectLock.inf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\SkipTest.ppsm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\WatchGrant.xlsb | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\program files (x86)\z3i0gd73a-readme.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\DisconnectStop.zip | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\InitializeInvoke.vdx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ResumePublish.aifc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ShowWrite.ods | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\UnpublishInitialize.xlt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\WaitUninstall.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\z3i0gd73a-readme.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\program files\z3i0gd73a-readme.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\FormatOut.aiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\z3i0gd73a-readme.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\ConvertFromStop.mp2 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | \??\c:\program files\OpenRepair.emf | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1848 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1848 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1848 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1848 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1848 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1848 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1848 wrote to memory of 1100 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/1100-55-0x0000000075421000-0x0000000075423000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-30 08:02
Reported
2022-01-30 13:33
Platform
win10-en-20211208
Max time kernel
128s
Max time network
216s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2948 wrote to memory of 772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2948 wrote to memory of 772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2948 wrote to memory of 772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11aaccd9547fd5a71335f33ce8e48ba37381013e16d4e69d01aa4252cfb17a33.dll,#1
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding