Analysis Overview
SHA256
c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa
Threat Level: Known bad
The file c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodin,Sodinokibi,REvil
Modifies extensions of user files
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-24 01:06
Signatures
Sodinokibi family
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-24 01:06
Reported
2022-01-24 01:22
Platform
win7-en-20211208
Max time kernel
147s
Max time network
160s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\GrantAssert.crw => \??\c:\users\admin\pictures\GrantAssert.crw.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GroupOut.png => \??\c:\users\admin\pictures\GroupOut.png.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartUndo.tiff => \??\c:\users\admin\pictures\StartUndo.tiff.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SetRegister.raw => \??\c:\users\admin\pictures\SetRegister.raw.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\SkipPing.tiff | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipPing.tiff => \??\c:\users\admin\pictures\SkipPing.tiff.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\StartUndo.tiff | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoRepair.raw => \??\c:\users\admin\pictures\UndoRepair.raw.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InitializeSet.raw => \??\c:\users\admin\pictures\InitializeSet.raw.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\MeasureDebug.tiff | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MeasureDebug.tiff => \??\c:\users\admin\pictures\MeasureDebug.tiff.24zsb065b | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PtwlDkH6xQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe" | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17x1h0a25.bmp" | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe
"C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | smhydro.com.pl | udp |
| PL | 89.161.222.203:443 | smhydro.com.pl | tcp |
| PL | 89.161.222.203:443 | smhydro.com.pl | tcp |
| US | 8.8.8.8:53 | xoabigail.com | udp |
| US | 8.8.8.8:53 | mercantedifiori.com | udp |
| US | 170.178.168.203:443 | mercantedifiori.com | tcp |
Files
memory/1576-54-0x00000000754B1000-0x00000000754B3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-24 01:06
Reported
2022-01-24 01:22
Platform
win10-en-20211208
Max time kernel
177s
Max time network
134s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PtwlDkH6xQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe" | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe
"C:\Users\Admin\AppData\Local\Temp\c5fc72abf66af20feec1f23538fb7f876546d0dcfee7033fa7a3c4257e0122aa.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe