Analysis Overview
SHA256
c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f
Threat Level: Known bad
The file c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f was found to be: Known bad.
Malicious Activity Summary
Sodin, Sodinokibi, REvil
Sodinokibi family
Sodinokibi/REvil sample
Deletes shadow copies
Modifies extensions of user files
Enumerates connected drives
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Interacts with shadow copies
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-24 01:07
Signatures
Sodinokibi family
Sodinokibi/REvil sample
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-24 01:07
Reported
2022-01-24 01:24
Platform
win10-en-20211208
Max time kernel
170s
Max time network
170s
Command Line
Signatures
Sodin, Sodinokibi, REvil
Deletes shadow copies
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 420 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 420 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 420 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3028 wrote to memory of 3656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 3028 wrote to memory of 3656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 3028 wrote to memory of 3656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe
"C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-24 01:07
Reported
2022-01-24 01:24
Platform
win7-en-20211208
Max time kernel
126s
Max time network
168s
Command Line
Signatures
Sodin, Sodinokibi, REvil
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\OpenRestore.crw => \??\c:\users\admin\pictures\OpenRestore.crw.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\InvokeSearch.tiff | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PushInitialize.crw => \??\c:\users\admin\pictures\PushInitialize.crw.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReadUndo.crw => \??\c:\users\admin\pictures\ReadUndo.crw.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SuspendGrant.raw => \??\c:\users\admin\pictures\SuspendGrant.raw.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExitClose.png => \??\c:\users\admin\pictures\ExitClose.png.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveEnter.tiff => \??\c:\users\admin\pictures\ResolveEnter.tiff.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncLimit.png => \??\c:\users\admin\pictures\SyncLimit.png.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestSkip.tif => \??\c:\users\admin\pictures\TestSkip.tif.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromGet.crw => \??\c:\users\admin\pictures\ConvertFromGet.crw.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnableClose.raw => \??\c:\users\admin\pictures\EnableClose.raw.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InvokeSearch.tiff => \??\c:\users\admin\pictures\InvokeSearch.tiff.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReceiveRename.png => \??\c:\users\admin\pictures\ReceiveRename.png.t6mw9ft | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\ResolveEnter.tiff | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
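The renames in the table above all append one new extension (.t6mw9ft) to files of several types in the user's Pictures directory, and the sandbox reports the new path in NT object-manager form (\??\c:\...) while the old path is a Win32 path. The detector below is an added example, not part of this sandbox report or of the sample: it normalises the two path forms, extracts the appended suffix, and alerts when one process appends the same suffix to at least MIN_FILES files spanning at least MIN_ORIG_EXTS original extensions inside a time window. The file-rename records are constructed from the file names in the table; the timestamps, the PID 1864 (read off the memory dump name in the behavioral1 Files section and assumed to be the sample's), the benign events and the thresholds are assumptions.

```python
"""Flag a process that appends one new extension to many user files in a short burst.

Added example, not part of the sandbox report. File-rename records are constructed from the
report's Pictures-directory renames; timestamps, PIDs, thresholds and the benign events are assumed.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(seconds=60)  # burst window (assumed; tune per environment)
MIN_FILES = 5                   # renames with the same appended suffix needed before alerting
MIN_ORIG_EXTS = 2               # distinct original extensions: ransomware rewrites .crw, .png, .tiff alike

NT_PREFIX = re.compile(r"^\\\?\?\\")  # the \??\ prefix the report shows on the new paths


def normalise(path: str) -> str:
    """Strip the NT object-manager prefix and fold case so old and new paths compare."""
    return NT_PREFIX.sub("", path).lower()


def appended_suffix(old: str, new: str) -> Optional[str]:
    """Return the extension appended to `old` to produce `new`, or None for any other rename."""
    old_n, new_n = normalise(old), normalise(new)
    if new_n.startswith(old_n):
        suffix = new_n[len(old_n):]
        if len(suffix) > 1 and suffix.startswith(".") and "\\" not in suffix:
            return suffix
    return None


def detect_rename_bursts(events, window=WINDOW, min_files=MIN_FILES, min_orig_exts=MIN_ORIG_EXTS):
    """Group append-style renames by (pid, suffix); alert once per group when a burst inside
    `window` reaches min_files renames spanning min_orig_exts original extensions."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        suffix = appended_suffix(ev["old"], ev["new"])
        if suffix is not None:
            groups[(ev["pid"], suffix)].append(ev)

    alerts = []
    for (pid, suffix), evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:  # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            burst_exts = {ntpath.splitext(normalise(e["old"]))[1] for e in burst}
            if len(burst) >= min_files and len(burst_exts) >= min_orig_exts:
                alerts.append({
                    "pid": pid,
                    "image": evs[0]["image"],
                    "suffix": suffix,
                    "files": len(evs),  # every rename by this process with this suffix
                    "original_extensions": sorted({ntpath.splitext(normalise(e["old"]))[1] for e in evs}),
                    "first": evs[0]["time"],
                    "last": evs[-1]["time"],
                })
                break
    return alerts


BASE = datetime(2022, 1, 24, 1, 8, 0)  # assumed; the report gives only submission and report times
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe"
RENAMED = ["OpenRestore.crw", "PushInitialize.crw", "ReadUndo.crw", "SuspendGrant.raw",
           "ExitClose.png", "SyncLimit.png", "TestSkip.tif", "ConvertFromGet.crw",
           "EnableClose.raw", "ResolveEnter.tiff", "InvokeSearch.tiff", "ReceiveRename.png"]

SAMPLE_EVENTS = [
    # PID 1864 is assumed (taken from the memory dump name in the report's Files section)
    {"time": BASE + timedelta(seconds=i), "pid": 1864, "image": DROPPER,
     "old": ntpath.join(r"C:\Users\Admin\Pictures", name),
     "new": ntpath.join(r"\??\c:\users\admin\pictures", name.lower() + ".t6mw9ft")}
    for i, name in enumerate(RENAMED)
] + [
    # Benign (constructed): a user renaming a document (not an append) and a backup tool
    # appending .bak to two files, which stays under MIN_FILES
    {"time": BASE + timedelta(minutes=5), "pid": 2200, "image": r"C:\Windows\explorer.exe",
     "old": r"C:\Users\Admin\Documents\report.docx", "new": r"C:\Users\Admin\Documents\report_v2.docx"},
    {"time": BASE + timedelta(minutes=6), "pid": 2300, "image": r"C:\Program Files\Backup\bk.exe",
     "old": r"C:\Users\Admin\Documents\a.xlsx", "new": r"C:\Users\Admin\Documents\a.xlsx.bak"},
    {"time": BASE + timedelta(minutes=6, seconds=1), "pid": 2300, "image": r"C:\Program Files\Backup\bk.exe",
     "old": r"C:\Users\Admin\Documents\b.pdf", "new": r"C:\Users\Admin\Documents\b.pdf.bak"},
]

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} appended {alert['suffix']} to {alert['files']} files "
              f"({', '.join(alert['original_extensions'])}) between {alert['first']} and {alert['last']}")
```

Requiring several distinct original extensions is what separates this from a backup or archiving tool, which tends to append one suffix to one file type; the sliding window keeps a slow trickle of legitimate renames from accumulating into an alert.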
Drops desktop.ini file(s)
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89ggc030oqn.bmp" | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe
"C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
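The cmd.exe command line recorded in both process trees (behavioral2 and behavioral1 above) chains shadow-copy deletion with two bcdedit changes that disable Windows recovery, so a single command-line check covers both detonations. The detector below is an added example, not part of this sandbox report or of the sample: it strips the cmd.exe /c prefix, splits the chain on the cmd.exe separators, and matches each sub-command against rules for vssadmin Delete Shadows, bcdedit recoveryenabled No and bcdedit bootstatuspolicy ignoreallfailures, plus wmic shadowcopy delete, a common equivalent that this report does not show. The event records are constructed to mirror the report's process tree, with lowercase field names in the style of Sysmon Event ID 1 (image, command_line, parent_image); the benign third event and the rule names are assumptions.

```python
"""Detect shadow-copy deletion and boot-recovery tampering in process-creation events.

Added example, not part of the sandbox report. Event dicts are constructed to mirror the
report's process tree; field names follow the Sysmon Event ID 1 style in lowercase.
"""
import re
from dataclasses import dataclass

# Rule table: name, ATT&CK technique (T1490 Inhibit System Recovery), regex applied to one
# normalised (lower-cased, prefix-stripped) sub-command.
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"^vssadmin(\.exe)?\s+delete\s+shadows\b")),
    # The wmic form is not in this report; included as a known variant of the same technique.
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"^wmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r"^bcdedit(\.exe)?\s+/set\s+\{?default\}?\s+recoveryenabled\s+no\b")),
    ("bcdedit_ignore_boot_failures", "T1490",
     re.compile(r"^bcdedit(\.exe)?\s+/set\s+\{?default\}?\s+bootstatuspolicy\s+ignoreallfailures\b")),
]

# A parent image under a user-writable directory raises confidence (the dropper here ran from %TEMP%).
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|downloads|public)\\", re.I)

# Leading "...\cmd.exe" /c or /k (quoted or not) that precedes a chained command.
CMD_PREFIX = re.compile(r'^"?[^"\s]*cmd(\.exe)?"?\s+/[ck]\s+')
# cmd.exe command separators; && and || must be tried before the single &.
SEPARATORS = re.compile(r"\s*(?:&&|\|\||&)\s*")


def split_subcommands(cmdline: str) -> list:
    """Return the individual commands of a cmd.exe /c chain, lower-cased and unquoted."""
    line = CMD_PREFIX.sub("", cmdline.strip().lower(), count=1).strip('"')
    return [p.strip().strip('"') for p in SEPARATORS.split(line) if p.strip()]


@dataclass
class Finding:
    rule: str
    technique: str
    image: str
    matched: str
    parent_image: str
    parent_in_user_dir: bool


def evaluate(event: dict) -> list:
    """Match every sub-command of one process-creation event against RULES."""
    parent = event.get("parent_image", "")
    in_user_dir = bool(USER_WRITABLE.search(parent))
    findings = []
    for sub in split_subcommands(event.get("command_line", "")):
        for name, technique, pattern in RULES:
            if pattern.search(sub):
                findings.append(Finding(name, technique, event.get("image", ""), sub, parent, in_user_dir))
    return findings


def scan(events: list) -> list:
    """Evaluate a stream of events in order and return all findings."""
    return [f for ev in events for f in evaluate(ev)]


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\c3a9d8de3247814aa681fc4ceed0e22b47872b4c767807534665df762335c58f.exe"

# Constructed events: the first two mirror the report's cmd.exe -> vssadmin.exe chain; the third is a
# benign administrator listing shadow copies and must not fire.
SAMPLE_EVENTS = [
    {"pid": 3028, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": DROPPER,
     "command_line": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
                     r"& bcdedit /set {default} recoveryenabled No "
                     r"& bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 3656, "image": r"C:\Windows\SysWOW64\vssadmin.exe", "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4100, "image": r"C:\Windows\System32\vssadmin.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"vssadmin list shadows"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.technique} parent_in_user_dir={f.parent_in_user_dir} :: {f.matched}")
```

vssvc.exe is the Volume Shadow Copy service; the SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege adjustments attributed to it in both detonations are the service doing its job once vssadmin requests the deletion, so the rules key on the requesting command line and on whether its parent runs from a user-writable directory, not on vssvc.exe itself.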
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | floweringsun.org | udp |
| US | 15.197.142.173:443 | floweringsun.org | tcp |
| US | 3.33.152.147:443 | floweringsun.org | tcp |
| US | 8.8.8.8:53 | imajyuku-sozoku.com | udp |
| US | 45.77.147.229:443 | imajyuku-sozoku.com | tcp |
Files
memory/1864-54-0x0000000076041000-0x0000000076043000-memory.dmp