Analysis Overview
SHA256
ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83
Threat Level: Known bad
The file VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94 was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Modifies extensions of user files
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-08 17:48
Signatures
Sodinokibi family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-08 17:48
Reported
2023-05-08 17:51
Platform
win7-20230220-en
Max time kernel
31s
Max time network
36s
Command Line
Signatures
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | "C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-08 17:48
Reported
2023-05-08 17:51
Platform
win10v2004-20230220-en
Max time kernel
123s
Max time network
150s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ConnectCheckpoint.png => \??\c:\users\admin\pictures\ConnectCheckpoint.png.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\NewConvertFrom.tiff | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SuspendHide.raw => \??\c:\users\admin\pictures\SuspendHide.raw.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnpublishBlock.raw => \??\c:\users\admin\pictures\UnpublishBlock.raw.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\UnpublishRedo.tiff | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnpublishRedo.tiff => \??\c:\users\admin\pictures\UnpublishRedo.tiff.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompareFind.crw => \??\c:\users\admin\pictures\CompareFind.crw.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\NewConvertFrom.tiff => \??\c:\users\admin\pictures\NewConvertFrom.tiff.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitResolve.tif => \??\c:\users\admin\pictures\SplitResolve.tif.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TraceResize.tif => \??\c:\users\admin\pictures\TraceResize.tif.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockRepair.crw => \??\c:\users\admin\pictures\UnblockRepair.crw.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
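The rename rows above are the kind of telemetry a mass-encryption heuristic keys on: one process appends the same unknown extension to many user files. The block below is an added example (editor's code, not part of the sandbox report, the sandbox, or the sample). Its input events are constructed by copying the rows of this table, and the dropped-file path is taken from the Files section of the same report; the `KNOWN_BENIGN_SUFFIXES` list and the `min_files=5` threshold are illustrative assumptions, and the `<ext>-readme.txt` note-naming check is based on the `8e2y81-readme.txt` file this report shows being dropped.

```python
"""Added example: mass-rename heuristic over the rename rows of this report.

Editor-added code, not part of the sandbox report or the sample. EVENTS is
constructed from the "Modifies extensions of user files" table; DROPPED is
constructed from the Files section of the same report."""
import re
from collections import Counter, defaultdict

PROC = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe"

# (description, indicator, process) exactly as the sandbox prints them (constructed input).
EVENTS = [
    ("File renamed", r"C:\Users\Admin\Pictures\ConnectCheckpoint.png => \??\c:\users\admin\pictures\ConnectCheckpoint.png.8e2y81", PROC),
    ("File opened for modification", r"\??\c:\users\admin\pictures\NewConvertFrom.tiff", PROC),
    ("File renamed", r"C:\Users\Admin\Pictures\SuspendHide.raw => \??\c:\users\admin\pictures\SuspendHide.raw.8e2y81", PROC),
    ("File renamed", r"C:\Users\Admin\Pictures\UnpublishBlock.raw => \??\c:\users\admin\pictures\UnpublishBlock.raw.8e2y81", PROC),
    ("File opened for modification", r"\??\c:\users\admin\pictures\UnpublishRedo.tiff", PROC),
    ("File renamed", r"C:\Users\Admin\Pictures\UnpublishRedo.tiff => \??\c:\users\admin\pictures\UnpublishRedo.tiff.8e2y81", PROC),
    ("File renamed", r"C:\Users\Admin\Pictures\CompareFind.crw => \??\c:\users\admin\pictures\CompareFind.crw.8e2y81", PROC),
    ("File renamed", r"C:\Users\Admin\Pictures\NewConvertFrom.tiff => \??\c:\users\admin\pictures\NewConvertFrom.tiff.8e2y81", PROC),
    ("File renamed", r"C:\Users\Admin\Pictures\SplitResolve.tif => \??\c:\users\admin\pictures\SplitResolve.tif.8e2y81", PROC),
    ("File renamed", r"C:\Users\Admin\Pictures\TraceResize.tif => \??\c:\users\admin\pictures\TraceResize.tif.8e2y81", PROC),
    ("File renamed", r"C:\Users\Admin\Pictures\UnblockRepair.crw => \??\c:\users\admin\pictures\UnblockRepair.crw.8e2y81", PROC),
]

# Files the sandbox reported as dropped (constructed from the Files section of this report).
DROPPED = [r"C:\Recovery\8e2y81-readme.txt"]

# Suffixes legitimate tools commonly append when making copies (illustrative assumption, tune per estate).
KNOWN_BENIGN_SUFFIXES = {"bak", "tmp", "old", "orig"}


def _norm(path):
    """Strip the NT object-manager prefix the sandbox prints on target paths and lower-case."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_suffix(src, dst):
    """Return EXT when dst is exactly src + '.' + EXT (extension appended, not replaced), else None."""
    s, d = _norm(src), _norm(dst)
    if d.startswith(s + "."):
        ext = d[len(s) + 1:]
        if re.fullmatch(r"[a-z0-9]{3,12}", ext):
            return ext
    return None


def analyze(events, dropped, min_files=5):
    """Flag each process that appended one non-benign extension to at least min_files files,
    and report whether a note named <ext>-readme.txt (the naming this report shows) was dropped."""
    per_proc = defaultdict(Counter)
    for desc, indicator, proc in events:
        if desc != "File renamed" or " => " not in indicator:
            continue
        src, dst = indicator.split(" => ", 1)
        ext = appended_suffix(src, dst)
        if ext and ext not in KNOWN_BENIGN_SUFFIXES:
            per_proc[proc][ext] += 1

    findings = []
    for proc, exts in per_proc.items():
        ext, count = exts.most_common(1)[0]
        if count < min_files:
            continue
        note = f"{ext}-readme.txt"
        note_dropped = any(_norm(p).endswith("\\" + note) for p in dropped)
        findings.append({"process": proc, "extension": ext, "renamed": count,
                         "expected_note": note, "note_dropped": note_dropped})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS, DROPPED):
        print(finding)
```

On real endpoint telemetry the same logic runs over file-rename events keyed by process; the threshold and the benign-suffix list are the tuning knobs, and the check deliberately requires the extension to be appended rather than replaced, so a family that swaps extensions instead of appending them needs a different rule.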
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6157fd78j5.bmp" | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | "C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe" |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp |
| US | 52.182.141.63:443 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 117.18.232.240:80 | | tcp |
| US | 117.18.232.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Note: the UDP rows are reverse (PTR) lookups of IP addresses, not resolutions of an attacker domain, and no TCP row carries a domain. The report does not attribute any of this traffic to the sample's own process, so none of these addresses should be treated as command-and-control without corroboration.
Files
C:\Recovery\8e2y81-readme.txt
| Algorithm | Digest |
| MD5 | 2c8cff78b31a71ce1688b3345cb31c37 |
| SHA1 | 61fb194030b3b95cfb968736d0a193c3c83c40d7 |
| SHA256 | d104919ccabb105907a06d0c91e7385c3d9bd047cdec13964db2651ebf8f0d85 |
| SHA512 | 046c0b7ed1c67ef743b744b57109f61f0f5954ffb9b5d963fd1bcf9e41804940c0c949ff7337db4198b0e06a12f90632434ef8310b8d551a5623c722361848f8 |