Malware Analysis Report

2025-01-18 20:26

Sample ID 220215-mmcx6adhd4
Target dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60
SHA256 dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60
Tags
sodinokibi $2a$10$zh.ylp3n2kd9/nomyjfg2.60olpxhcnipjkls/fffw2wmd130tmku 6033 ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60

Threat Level: Known bad

The file dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60 was found to be: Known bad.

Malicious Activity Summary

sodinokibi $2a$10$zh.ylp3n2kd9/nomyjfg2.60olpxhcnipjkls/fffw2wmd130tmku 6033 ransomware spyware stealer

Sodin,Sodinokibi,REvil

Modifies extensions of user files

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-15 10:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-15 10:34

Reported

2022-02-15 10:49

Platform

win7-en-20211208

Max time kernel

138s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ExpandUnpublish.tif => \??\c:\users\admin\pictures\ExpandUnpublish.tif.25394 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File renamed C:\Users\Admin\Pictures\NewConnect.png => \??\c:\users\admin\pictures\NewConnect.png.25394 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File renamed C:\Users\Admin\Pictures\RequestCopy.png => \??\c:\users\admin\pictures\RequestCopy.png.25394 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File renamed C:\Users\Admin\Pictures\SyncRead.raw => \??\c:\users\admin\pictures\SyncRead.raw.25394 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gh33j247t.bmp" C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\AssertBlock.M2T C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\DenyRevoke.7z C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\ReceiveHide.svg C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\StepSelect.cfg C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\CompletePush.txt C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\ResolveInitialize.vssm C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\SetExpand.odt C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\ConvertFromMove.001 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\DenyFind.jtx C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\DisconnectPop.mpeg3 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\FormatSearch.pptx C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\SaveRepair.au3 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\SendWatch.odt C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\ConvertFromRestart.wpl C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\JoinImport.wav C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\RepairReset.gif C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\RevokeConvertFrom.dib C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\SkipPop.wpl C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\25394-readme.txt C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\MountUninstall.ex_ C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\SubmitTest.php C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\HideSwitch.mp3 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\MountExpand.vstx C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\NewResume.wm C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\RemoveClear.vsd C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\UninstallRename.rm C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\25394-readme.txt C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\RestartOpen.vsdm C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\RevokeInvoke.dib C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\SaveSend.xlt C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\UsePublish.search-ms C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\25394-readme.txt C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\CopySearch.mov C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\RegisterExpand.001 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe

"C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pier40forall.org udp
US 34.102.136.180:443 pier40forall.org tcp
US 34.102.136.180:443 pier40forall.org tcp
US 8.8.8.8:53 judithjansen.com udp
NL 185.135.241.57:443 judithjansen.com tcp
NL 185.135.241.57:443 judithjansen.com tcp
US 8.8.8.8:53 vesinhnha.com.vn udp
VN 103.74.118.108:443 vesinhnha.com.vn tcp
US 104.18.115.97:80 tcp
US 8.8.8.8:53 sexandfessenjoon.wordpress.com udp
US 192.0.78.12:443 sexandfessenjoon.wordpress.com tcp
US 192.0.78.12:443 sexandfessenjoon.wordpress.com tcp
US 8.8.8.8:53 highimpactoutdoors.net udp
US 72.52.245.6:443 highimpactoutdoors.net tcp
US 72.52.245.6:443 highimpactoutdoors.net tcp
US 8.8.8.8:53 ecoledansemulhouse.fr udp
DE 217.160.0.56:443 ecoledansemulhouse.fr tcp
DE 217.160.0.56:443 ecoledansemulhouse.fr tcp
US 8.8.8.8:53 girlillamarketing.com udp
US 188.114.96.0:443 girlillamarketing.com tcp
US 8.8.8.8:53 n1-headache.com udp
FR 79.137.75.185:443 n1-headache.com tcp
FR 79.137.75.185:443 n1-headache.com tcp
US 8.8.8.8:53 wsoil.com.sg udp
SG 128.199.156.29:443 wsoil.com.sg tcp
SG 128.199.156.29:443 wsoil.com.sg tcp
US 8.8.8.8:53 yassir.pro udp
US 70.188.170.215:443 yassir.pro tcp
US 45.60.0.150:443 yassir.pro tcp
US 70.188.170.215:443 yassir.pro tcp

Files

memory/744-54-0x0000000000D4B000-0x0000000000D60000-memory.dmp

memory/744-56-0x0000000000220000-0x000000000023F000-memory.dmp

memory/744-55-0x0000000000D4B000-0x0000000000D60000-memory.dmp

memory/744-57-0x0000000000400000-0x0000000000421000-memory.dmp

memory/744-58-0x0000000075341000-0x0000000075343000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-15 10:34

Reported

2022-02-15 10:50

Platform

win10v2004-en-20220113

Max time kernel

164s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\MountBlock.jpeg C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\EditResize.DVR C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\ExportApprove.otf C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\RemoveHide.jpg C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\RestartEnable.mpg C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\SkipSwitch.edrwx C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\CompleteUndo.ttc C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\ConvertToInitialize.jpe C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\LockMeasure.xla C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\TraceDisconnect.xps C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\WatchUse.html C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\LimitPublish.php C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\MergeDeny.m3u C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A
File opened for modification \??\c:\program files\OpenClear.pub C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe

"C:\Users\Admin\AppData\Local\Temp\dbb4da123ae0bffedc7724587732b15db44a78dfc2ddb99a68511ef1b9e44b60.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Files

memory/3408-130-0x0000000000C38000-0x0000000000C4D000-memory.dmp

memory/3408-131-0x0000000000C38000-0x0000000000C4D000-memory.dmp

memory/3408-132-0x0000000000A50000-0x0000000000A6F000-memory.dmp

memory/3408-133-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2292-134-0x000001F146420000-0x000001F146430000-memory.dmp

memory/2292-135-0x000001F146640000-0x000001F146650000-memory.dmp

memory/2292-136-0x000001F148B40000-0x000001F148B44000-memory.dmp