analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

dump1.bin

Full analysis: https://app.any.run/tasks/02d1efaa-995e-426e-8ff3-db9f9352461c
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: October 05, 2022, 02:13:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
sodinokibi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:

F0C97DCB65A030A214F6DD33CF4A8566

SHA1:

B23175FA1D3989BAA2E3D8B5C7192554C24ABF18

SHA256:

ED49B23DF7DEFAB3DF933C778183B12C019AB253330090F214F4BB5C2F89BCBC

SSDEEP:

3072:AZPM0OGdUKV10OTed7/kBazzFbULOHOiPyH53ZV6:AZPMnGZVyO6F/M4qyPU53Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 1976)
      • WerFault.exe (PID: 2200)
    • Sodinokibi keys found

      • rundll32.exe (PID: 1976)
    • Deletes shadow copies

      • cmd.exe (PID: 3412)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3412)
    • Sodinokibi ransom note found

      • rundll32.exe (PID: 1976)
    • Renames files like Ransomware

      • rundll32.exe (PID: 1976)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • rundll32.exe (PID: 3456)
    • Application launched itself

      • rundll32.exe (PID: 3456)
    • Executed via COM

      • unsecapp.exe (PID: 1328)
    • Reads Environment values

      • rundll32.exe (PID: 1976)
    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 1976)
    • Checks supported languages

      • cmd.exe (PID: 3412)
    • Executed as Windows Service

      • vssvc.exe (PID: 4040)
    • Creates files in the program directory

      • rundll32.exe (PID: 1976)
    • Creates files like Ransomware instruction

      • rundll32.exe (PID: 1976)
  • INFO

    • Loads main object executable

      • rundll32.exe (PID: 3456)
    • Checks supported languages

      • rundll32.exe (PID: 3456)
      • rundll32.exe (PID: 1976)
      • WerFault.exe (PID: 2200)
      • unsecapp.exe (PID: 1328)
      • vssadmin.exe (PID: 1320)
      • vssvc.exe (PID: 4040)
      • bcdedit.exe (PID: 2544)
      • bcdedit.exe (PID: 2580)
    • Reads the computer name

      • rundll32.exe (PID: 3456)
      • WerFault.exe (PID: 2200)
      • rundll32.exe (PID: 1976)
      • unsecapp.exe (PID: 1328)
      • vssvc.exe (PID: 4040)
      • vssadmin.exe (PID: 1320)
    • Reads settings of System Certificates

      • rundll32.exe (PID: 1976)
    • Dropped object may contain TOR URL's

      • rundll32.exe (PID: 1976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2019-Jul-08 14:33:00

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 248

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2019-Jul-08 14:33:00
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
44100
44544
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.54199
.rdata
49152
11100
11264
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.89161
.data
61440
59024
58368
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99241
.z4p395l
122880
51200
51200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.06584
.reloc
176128
1528
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.65359

Imports

KERNEL32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe #SODINOKIBI rundll32.exe werfault.exe no specs unsecapp.exe no specs cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3456"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\dump1.bin.dll", #1C:\Windows\System32\rundll32.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1976"C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\dump1.bin.dll, #1 C:\Windows\System32\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2200C:\Windows\system32\WerFault.exe -u -p 3456 -s 632C:\Windows\system32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1328C:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\wbem\unsecapp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Sink to receive asynchronous callbacks for WMI client application
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
3412"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\cmd.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1320vssadmin.exe Delete Shadows /All /Quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4040C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2544bcdedit /set {default} recoveryenabled No C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2580bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
3 502
Read events
3 464
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
259
Text files
3
Unknown types
8

Dropped files

PID
Process
Filename
Type
1976rundll32.exeC:\users\public\129n2-readme.txtbinary
MD5:5AA5F41ED949712C24E20774D2A10295
SHA256:4AD7881F364686BA8AA1BC72D5513B6F5EF9910E6EC5DD9168A472FA0931D4EB
1976rundll32.exeC:\program files\129n2-readme.txtbinary
MD5:5AA5F41ED949712C24E20774D2A10295
SHA256:4AD7881F364686BA8AA1BC72D5513B6F5EF9910E6EC5DD9168A472FA0931D4EB
1976rundll32.exeC:\users\admin\music\129n2-readme.txtbinary
MD5:5AA5F41ED949712C24E20774D2A10295
SHA256:4AD7881F364686BA8AA1BC72D5513B6F5EF9910E6EC5DD9168A472FA0931D4EB
1976rundll32.exeC:\users\admin\links\129n2-readme.txtbinary
MD5:5AA5F41ED949712C24E20774D2A10295
SHA256:4AD7881F364686BA8AA1BC72D5513B6F5EF9910E6EC5DD9168A472FA0931D4EB
1976rundll32.exeC:\129n2-readme.txtbinary
MD5:5AA5F41ED949712C24E20774D2A10295
SHA256:4AD7881F364686BA8AA1BC72D5513B6F5EF9910E6EC5DD9168A472FA0931D4EB
1976rundll32.exeC:\users\admin\pictures\129n2-readme.txtbinary
MD5:5AA5F41ED949712C24E20774D2A10295
SHA256:4AD7881F364686BA8AA1BC72D5513B6F5EF9910E6EC5DD9168A472FA0931D4EB
1976rundll32.exeC:\users\admin\contacts\129n2-readme.txtbinary
MD5:5AA5F41ED949712C24E20774D2A10295
SHA256:4AD7881F364686BA8AA1BC72D5513B6F5EF9910E6EC5DD9168A472FA0931D4EB
1976rundll32.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi.129n2binary
MD5:687AFBEDA7A4FD0E817670328F1BD42E
SHA256:02C214BA6FA38D8B7011358CA36217A81B794379081861AB42032F04842E9810
1976rundll32.exeC:\users\default\129n2-readme.txtbinary
MD5:5AA5F41ED949712C24E20774D2A10295
SHA256:4AD7881F364686BA8AA1BC72D5513B6F5EF9910E6EC5DD9168A472FA0931D4EB
1976rundll32.exeC:\users\admin\.oracle_jre_usage\129n2-readme.txtbinary
MD5:5AA5F41ED949712C24E20774D2A10295
SHA256:4AD7881F364686BA8AA1BC72D5513B6F5EF9910E6EC5DD9168A472FA0931D4EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
18
DNS requests
13
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1976
rundll32.exe
172.67.193.13:443
gaearoyals.com
CLOUDFLARENET
US
suspicious
1976
rundll32.exe
77.72.4.226:443
georgemuncey.com
Krystal Hosting Ltd
GB
malicious
18.206.50.87:443
placermonticello.com
AMAZON-AES
US
suspicious
1976
rundll32.exe
135.125.16.232:443
pourlabretagne.bzh
OVH SAS
FR
suspicious
1976
rundll32.exe
35.213.151.161:443
trainiumacademy.com
GOOGLE
SG
suspicious
1976
rundll32.exe
50.87.236.3:443
mindsparkescape.com
UNIFIEDLAYER-AS-1
US
suspicious
1976
rundll32.exe
85.214.155.19:443
daveystownhouse.com
Strato AG
DE
suspicious
1976
rundll32.exe
94.231.103.59:443
arthakapitalforvaltning.dk
team.blue Denmark A/S
DK
suspicious
1976
rundll32.exe
5.79.100.182:443
molade.nl
LeaseWeb Netherlands B.V.
NL
suspicious
1976
rundll32.exe
149.210.170.218:443
artvark.nl
Signet B.V.
NL
suspicious

DNS requests

Domain
IP
Reputation
gaearoyals.com
  • 172.67.193.13
  • 104.21.76.103
unknown
georgemuncey.com
  • 77.72.4.226
malicious
arthakapitalforvaltning.dk
  • 94.231.103.59
suspicious
placermonticello.com
  • 18.206.50.87
suspicious
pourlabretagne.bzh
  • 135.125.16.232
suspicious
daveystownhouse.com
  • 85.214.155.19
suspicious
gavelmasters.com
whitelisted
descargandoprogramas.com
malicious
trainiumacademy.com
  • 35.213.151.161
suspicious
mindsparkescape.com
  • 50.87.236.3
suspicious

Threats

PID
Process
Class
Message
1976
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1976
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1976
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1976
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1976
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info