Malware Analysis Report

2025-01-18 20:21

Sample ID 220127-xyhmwshdel
Target 5162f14d75e96edb914d1756349d6e11583db0b0
SHA256 d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
Tags
sodinokibi $2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq 8254 evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Threat Level: Known bad

The file 5162f14d75e96edb914d1756349d6e11583db0b0 was found to be: Known bad.

Execution chain (from the behavioral1 run below): the submitted executable writes C:\Windows\MsMpEng.exe and C:\Windows\mpsvc.dll and then starts MsMpEng.exe. Every later action in the report (drive enumeration, renaming user files to *.r2s4lbk, writing r2s4lbk-readme.txt, the wallpaper change and the netsh firewall change) is attributed to that MsMpEng.exe process, not to the original sample. This layout matches the DLL side-loading pattern: a Defender engine binary dropped next to a replacement mpsvc.dll in a directory the sample controls.

Malicious Activity Summary

sodinokibi $2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq 8254 evasion ransomware

Sodin,Sodinokibi,REvil

Modifies Windows Firewall

Modifies extensions of user files

Executes dropped EXE

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-27 19:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-27 19:15

Reported

2022-01-27 19:18

Platform

win10-en-20211208

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5162f14d75e96edb914d1756349d6e11583db0b0.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\MsMpEng.exe N/A

Modifies Windows Firewall

evasion

Command observed (see Processes): netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes. This does not disable the firewall; it enables the inbound Network Discovery rule group, which is typically done so that network shares can be reached and encrypted.

Modifies extensions of user files

ransomware

Appended extension: .r2s4lbk. The ransom note dropped under Program Files (r2s4lbk-readme.txt) uses the same per-victim token, so either string is a usable indicator for this run.
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\UnpublishUnblock.tif => \??\c:\users\admin\pictures\UnpublishUnblock.tif.r2s4lbk C:\Windows\MsMpEng.exe N/A
File renamed C:\Users\Admin\Pictures\FindConnect.raw => \??\c:\users\admin\pictures\FindConnect.raw.r2s4lbk C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\users\admin\pictures\PushUnregister.tiff C:\Windows\MsMpEng.exe N/A
File renamed C:\Users\Admin\Pictures\PushUnregister.tiff => \??\c:\users\admin\pictures\PushUnregister.tiff.r2s4lbk C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\users\admin\pictures\ResetMove.tiff C:\Windows\MsMpEng.exe N/A
File renamed C:\Users\Admin\Pictures\ResetMove.tiff => \??\c:\users\admin\pictures\ResetMove.tiff.r2s4lbk C:\Windows\MsMpEng.exe N/A
File renamed C:\Users\Admin\Pictures\UnpublishDebug.tif => \??\c:\users\admin\pictures\UnpublishDebug.tif.r2s4lbk C:\Windows\MsMpEng.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\R: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\Z: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\G: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\O: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\N: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\Q: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\U: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\D: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\B: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\K: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\J: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\L: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\T: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\V: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\W: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\A: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\F: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\I: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\M: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\S: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\X: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\Y: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\E: C:\Windows\MsMpEng.exe N/A
File opened (read-only) \??\H: C:\Windows\MsMpEng.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bin90808g7f.bmp" C:\Windows\MsMpEng.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\ApproveExport.htm C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\JoinSkip.vb C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\PopSelect.ini C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\DismountCompare.mp3 C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\InitializeReceive.wmx C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\EnterGet.jtx C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\LockConnect.m1v C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\ReadDeny.midi C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\BackupSkip.emz C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\DisconnectExit.ogg C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\SearchSend.jtx C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\StartUnprotect.cfg C:\Windows\MsMpEng.exe N/A
File created \??\c:\program files\tmp C:\Windows\MsMpEng.exe N/A
File created \??\c:\program files (x86)\tmp C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\ClearPing.7z C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\ConvertFromFormat.au C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\ProtectTest.asf C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\GroupCopy.xltm C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\NewSwitch.AAC C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\ShowUnpublish.au3 C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\TestApprove.vbs C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\JoinClose.vbe C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\PushWait.dib C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\RestoreSearch.xhtml C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\RevokeDebug.htm C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\SkipStep.vbs C:\Windows\MsMpEng.exe N/A
File created \??\c:\program files\r2s4lbk-readme.txt C:\Windows\MsMpEng.exe N/A
File created \??\c:\program files (x86)\r2s4lbk-readme.txt C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\FormatSync.csv C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\GrantUninstall.vstx C:\Windows\MsMpEng.exe N/A
File opened for modification \??\c:\program files\SearchDisable.wma C:\Windows\MsMpEng.exe N/A
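The two tables above ("Modifies extensions of user files" and "Drops file in Program Files directory") contain enough to recover the ransomware indicators automatically: the extension token appended to each renamed file and the ransom-note filename built from the same token. The script below is an added example written for this page, not sandbox or REvil code. The event tuples are constructed from the rows above (plus one benign rename to show what is ignored); the (op, process, path, new_path) shape and the NT-path prefix handling are assumptions of this example.

```python
"""Recover the ransomware extension and ransom-note indicators from file
events of the kind this report lists.  The event tuples below are constructed
for this example from the report's rows; the (op, process, path, new_path)
shape is an assumption, not the sandbox's own export format."""
import ntpath
from collections import Counter


def normalize(path):
    """Strip the NT object-manager prefix (\\??\\) that the sandbox logs and
    lower-case, so C:\\Users\\... and \\??\\c:\\users\\... compare equal."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def appended_token(old, new):
    """Return T when new == old + '.' + T (a pure extension append), else None.
    Renames that change the stem or add more than one component are ignored."""
    old, new = normalize(old), normalize(new)
    if not new.startswith(old + "."):
        return None
    token = new[len(old) + 1:]
    if not token or "." in token or "\\" in token:
        return None
    return token


def detect_extension_campaign(events, min_files=3):
    """Return None, or a dict describing the dominant appended extension:
    the token, how many files received it, the process doing the renaming,
    and created files whose name embeds the token (ransom notes)."""
    tokens, renamers, created = Counter(), Counter(), []
    for op, proc, path, new in events:
        if op == "rename" and new:
            t = appended_token(path, new)
            if t:
                tokens[t] += 1
                renamers[(t, proc)] += 1
        elif op == "create":
            created.append(normalize(path))
    if not tokens:
        return None
    token, count = tokens.most_common(1)[0]
    if count < min_files:  # a single foo.docx -> foo.docx.bak is not a campaign
        return None
    proc = max((p for t, p in renamers if t == token),
               key=lambda p: renamers[(token, p)])
    notes = sorted(p for p in created if token in ntpath.basename(p))
    return {"token": token, "renames": count, "process": proc, "notes": notes}


MSMPENG = "C:\\Windows\\MsMpEng.exe"
PICS = "C:\\Users\\Admin\\Pictures\\"
NTPICS = "\\??\\c:\\users\\admin\\pictures\\"

# Constructed from the report's rows (five renames, two modifications,
# two ransom notes, one tmp file) plus one benign rename that is not a
# pure extension append and must be ignored.
SAMPLE_EVENTS = [
    ("rename", MSMPENG, PICS + "UnpublishUnblock.tif", NTPICS + "UnpublishUnblock.tif.r2s4lbk"),
    ("rename", MSMPENG, PICS + "FindConnect.raw", NTPICS + "FindConnect.raw.r2s4lbk"),
    ("modify", MSMPENG, NTPICS + "PushUnregister.tiff", None),
    ("rename", MSMPENG, PICS + "PushUnregister.tiff", NTPICS + "PushUnregister.tiff.r2s4lbk"),
    ("modify", MSMPENG, NTPICS + "ResetMove.tiff", None),
    ("rename", MSMPENG, PICS + "ResetMove.tiff", NTPICS + "ResetMove.tiff.r2s4lbk"),
    ("rename", MSMPENG, PICS + "UnpublishDebug.tif", NTPICS + "UnpublishDebug.tif.r2s4lbk"),
    ("create", MSMPENG, "\\??\\c:\\program files\\tmp", None),
    ("create", MSMPENG, "\\??\\c:\\program files\\r2s4lbk-readme.txt", None),
    ("create", MSMPENG, "\\??\\c:\\program files (x86)\\r2s4lbk-readme.txt", None),
    ("rename", "C:\\Windows\\explorer.exe", "C:\\Users\\Admin\\Documents\\draft.docx",
     "C:\\Users\\Admin\\Documents\\final.docx"),
]

if __name__ == "__main__":
    print(detect_extension_campaign(SAMPLE_EVENTS))
```

The min_files threshold is what keeps an ordinary backup rename (one file gaining .bak) from being reported; the per-victim token is only trusted once several files share it, and the note search is deliberately loose (token anywhere in the created filename) because note names vary between families.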

Drops file in Windows directory

Note: only C:\Windows\MsMpEng.exe and C:\Windows\mpsvc.dll are written by the sample itself. The C:\Windows\rescache\_merged\*.pri entries are resource-cache files the OS generates when netsh.exe loads its resources; they are a side effect of the netsh invocation, not payload.

Description Indicator Process Target
File created C:\Windows\MsMpEng.exe C:\Users\Admin\AppData\Local\Temp\5162f14d75e96edb914d1756349d6e11583db0b0.exe N/A
File created C:\Windows\rescache\_merged\1974107395\4149693858.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\3623239459\11870838.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\mpsvc.dll C:\Users\Admin\AppData\Local\Temp\5162f14d75e96edb914d1756349d6e11583db0b0.exe N/A
File created C:\Windows\rescache\_merged\1476457207\3533431084.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\2483382631\828754195.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\4183903823\97717462.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\1301087654\4010849688.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\423379043\3468251582.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\81479705\3092222186.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\3418783148\3128450559.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\4185669309\1202008662.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\2878165772\1123312451.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\4272278488\30062976.pri C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\rescache\_merged\1601268389\1361672858.pri C:\Windows\SysWOW64\netsh.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\MsMpEng.exe N/A (10 identical events)

Suspicious use of AdjustPrivilegeToken

Note: the SeDebugPrivilege and SeTakeOwnershipPrivilege entries belong to the dropped MsMpEng.exe. The vssvc.exe entries are the Volume Shadow Copy service enabling its own normal backup, restore and audit privileges after being started; they are not privileges obtained by the sample.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\MsMpEng.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\MsMpEng.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5162f14d75e96edb914d1756349d6e11583db0b0.exe

"C:\Users\Admin\AppData\Local\Temp\5162f14d75e96edb914d1756349d6e11583db0b0.exe"

C:\Windows\MsMpEng.exe

"C:\Windows\MsMpEng.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
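Two of the process facts above are directly huntable: MsMpEng.exe executing from C:\Windows rather than from a Defender install directory, and netsh.exe enabling the "Network Discovery" rule group, with the netsh instance parented by that MsMpEng.exe. The script below is an added example for this page, not sandbox or vendor code. It runs over process-creation events constructed from this report's process list (PIDs and the legitimate Defender platform path are made up) and the list of expected Defender directories is an assumption to adapt per estate.

```python
"""Triage process-creation events for the two process-level behaviours this
report records: a Defender engine binary (MsMpEng.exe) launched from outside
its install directories, and netsh.exe enabling the "Network Discovery"
firewall rule group.  Events are constructed in a Sysmon-like shape for this
example; they are not the sandbox's own export."""
import re
from dataclasses import dataclass

# Where a legitimate MsMpEng.exe lives on Windows 10 (assumption for this
# example; extend for your estate).  Anything else, including C:\Windows
# itself, is treated as an impostor copy.
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

# Matches the exact form seen in this report; case-insensitive and tolerant
# of the quotes being dropped.
NETSH_NETDISC = re.compile(
    r'advfirewall\s+firewall\s+set\s+rule\s+group="?network discovery"?'
    r'\s+new\s+enable=yes',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def process_chain(by_pid, pid):
    """Image basenames from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev.image.rsplit("\\", 1)[-1])
        pid = ev.ppid
    return list(reversed(chain))


def triage(events):
    """Return one finding per matching event, each with its ancestry so the
    analyst sees that netsh was spawned by the impostor MsMpEng.exe."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = e.image.lower()
        if img.endswith("\\msmpeng.exe") and not img.startswith(DEFENDER_DIRS):
            findings.append({"rule": "msmpeng_outside_defender_dir",
                             "pid": e.pid, "chain": process_chain(by_pid, e.pid)})
        if img.endswith("\\netsh.exe") and NETSH_NETDISC.search(e.cmdline):
            findings.append({"rule": "netsh_enables_network_discovery",
                             "pid": e.pid, "chain": process_chain(by_pid, e.pid)})
    return findings


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5162f14d75e96edb914d1756349d6e11583db0b0.exe"

# Constructed to mirror the process list in this report; PIDs are made up and
# the last entry (a genuine Defender engine start, version folder illustrative)
# is there to show the path rule does not fire on it.
SAMPLE_EVENTS = [
    ProcEvent(1200, 900, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2100, 1200, "C:\\Windows\\MsMpEng.exe", '"C:\\Windows\\MsMpEng.exe"'),
    ProcEvent(3700, 2100, "C:\\Windows\\SysWOW64\\netsh.exe",
              'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'),
    ProcEvent(3800, 700, "C:\\Windows\\system32\\vssvc.exe", "C:\\Windows\\system32\\vssvc.exe"),
    ProcEvent(4000, 700,
              "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2107.4-0\\MsMpEng.exe",
              '"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2107.4-0\\MsMpEng.exe"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], " -> ".join(f["chain"]))
```

The path rule is the higher-signal one: a genuine engine binary is a signed Microsoft file, so the impostor is not caught by signature checks, only by where it runs from and what it loads. The netsh rule on its own would also fire for an administrator turning on discovery by hand, which is why the finding carries the parent chain.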

Network

Country Destination Domain Proto
BE 67.27.153.126:80 tcp

Files

C:\Windows\MsMpEng.exe

MD5 8cc83221870dd07144e63df594c391d9
SHA1 3d409b39b8502fcd23335a878f2cbdaf6d721995
SHA256 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
SHA512 e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c

C:\Windows\mpsvc.dll

MD5 a47cf00aedf769d60d58bfe00c0b5421
SHA1 656c4d285ea518d90c1b669b79af475db31e30b1
SHA256 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
SHA512 4c2dcad3bd478fa70d086b7426d55976caa7ffc3d120c9c805cbb49eae910123c496bf2356066afcacba12ba05c963bbb8d95ed7f548479c90fec57aa16e4637

memory/3564-118-0x0000000000B70000-0x0000000000B92000-memory.dmp