Malware Analysis Report

2024-10-19 10:36

Sample ID: 230508-wdvlaabh88
Target: VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94
SHA256: ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83
Tags: ransomware, spyware, stealer, $2a$12$qklalwfyuokhualovb5leuiilrpmgdl4kq9ex9lpdbeioqwegg09c, 8506, sodinokibi
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83

Threat Level: Known bad

The file VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94 was found to be: Known bad.

Malicious Activity Summary

Tags: ransomware, spyware, stealer, $2a$12$qklalwfyuokhualovb5leuiilrpmgdl4kq9ex9lpdbeioqwegg09c, 8506, sodinokibi

Sodinokibi family

Modifies extensions of user files

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-08 17:48

Signatures

Sodinokibi family

sodinokibi

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-08 17:48
Reported: 2023-05-08 17:51
Platform: win7-20230220-en
Max time kernel: 31s
Max time network: 36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-05-08 17:48
Reported: 2023-05-08 17:51
Platform: win10v2004-20230220-en
Max time kernel: 123s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe"

Signatures

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ConnectCheckpoint.png => \??\c:\users\admin\pictures\ConnectCheckpoint.png.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\users\admin\pictures\NewConvertFrom.tiff | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File renamed | C:\Users\Admin\Pictures\SuspendHide.raw => \??\c:\users\admin\pictures\SuspendHide.raw.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnpublishBlock.raw => \??\c:\users\admin\pictures\UnpublishBlock.raw.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\users\admin\pictures\UnpublishRedo.tiff | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnpublishRedo.tiff => \??\c:\users\admin\pictures\UnpublishRedo.tiff.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompareFind.crw => \??\c:\users\admin\pictures\CompareFind.crw.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File renamed | C:\Users\Admin\Pictures\NewConvertFrom.tiff => \??\c:\users\admin\pictures\NewConvertFrom.tiff.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File renamed | C:\Users\Admin\Pictures\SplitResolve.tif => \??\c:\users\admin\pictures\SplitResolve.tif.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File renamed | C:\Users\Admin\Pictures\TraceResize.tif => \??\c:\users\admin\pictures\TraceResize.tif.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnblockRepair.crw => \??\c:\users\admin\pictures\UnblockRepair.crw.8e2y81 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6157fd78j5.bmp" | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\program files\ImportLimit.mpeg2 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\ResolveUpdate.wdp | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\SubmitSend.vdx | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\ConfirmComplete.vst | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\InitializeRequest.vsw | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\PushSave.vsw | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\RestoreMount.m1v | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\CheckpointMeasure.mp3 | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\DenyPop.mpe | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\StopSend.gif | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\PublishReset.otf | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\UnpublishUninstall.m4a | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File created | \??\c:\program files\8e2y81-readme.txt | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File created | \??\c:\program files (x86)\8e2y81-readme.txt | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\ClearRepair.inf | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
File opened for modification | \??\c:\program files\CloseConfirm.search-ms | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp
US | 52.182.141.63:443 | | tcp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
US | 117.18.232.240:80 | | tcp
US | 117.18.232.240:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp

Files

C:\Recovery\8e2y81-readme.txt

MD5: 2c8cff78b31a71ce1688b3345cb31c37
SHA1: 61fb194030b3b95cfb968736d0a193c3c83c40d7
SHA256: d104919ccabb105907a06d0c91e7385c3d9bd047cdec13964db2651ebf8f0d85
SHA512: 046c0b7ed1c67ef743b744b57109f61f0f5954ffb9b5d963fd1bcf9e41804940c0c949ff7337db4198b0e06a12f90632434ef8310b8d551a5623c722361848f8