Analysis Overview
SHA256
8cdb5bb1b487ca269ff5381d8b026d409fbef4383fbb17b5b1b9013d790fe3f3
Threat Level: Known bad
The file 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.zip was found to be: Known bad.
Malicious Activity Summary
Sodin,Sodinokibi,REvil
Modifies extensions of user files
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2023-05-26 09:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-05-26 09:39
Reported: 2023-05-26 09:42
Platform: win7-20230220-en
Max time kernel: 28s
Max time network: 32s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe | "C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe |
| C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe |
Network
Files
\Users\Admin\AppData\Local\Temp\MsMpEng.exe
| MD5 | 8cc83221870dd07144e63df594c391d9 |
| SHA1 | 3d409b39b8502fcd23335a878f2cbdaf6d721995 |
| SHA256 | 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a |
| SHA512 | e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c |
C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe
| MD5 | 8cc83221870dd07144e63df594c391d9 |
| SHA1 | 3d409b39b8502fcd23335a878f2cbdaf6d721995 |
| SHA256 | 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a |
| SHA512 | e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c |
C:\Users\Admin\AppData\Local\Temp\mpsvc.dll
| MD5 | 78066a1c4e075941272a86d4a8e49471 |
| SHA1 | 6ee656604df8760981db003ae9dce5232d01da72 |
| SHA256 | cbfb6099868eef636f97847fb509527894938c8768028935e658b121b8372922 |
| SHA512 | 9bca159273fc397343f4555c3fbf882301fdb9bfe7f8d130212033e76dfdbad31fdd978292b8a029f7521dfa3eeac7c0a76c9833cc2fca8312de4a651284284a |
\Users\Admin\AppData\Local\Temp\MpSvc.dll
| MD5 | 78066a1c4e075941272a86d4a8e49471 |
| SHA1 | 6ee656604df8760981db003ae9dce5232d01da72 |
| SHA256 | cbfb6099868eef636f97847fb509527894938c8768028935e658b121b8372922 |
| SHA512 | 9bca159273fc397343f4555c3fbf882301fdb9bfe7f8d130212033e76dfdbad31fdd978292b8a029f7521dfa3eeac7c0a76c9833cc2fca8312de4a651284284a |
memory/1732-62-0x0000000000190000-0x00000000001B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2023-05-26 09:39
Reported: 2023-05-26 09:42
Platform: win10v2004-20230220-en
Max time kernel: 108s
Max time network: 153s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\ConvertToCheckpoint.tiff => \??\c:\users\admin\pictures\ConvertToCheckpoint.tiff.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnterConvert.raw => \??\c:\users\admin\pictures\EnterConvert.raw.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitAdd.crw => \??\c:\users\admin\pictures\SubmitAdd.crw.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockResume.tiff => \??\c:\users\admin\pictures\UnblockResume.tiff.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\ConvertToCheckpoint.tiff | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompressStop.tiff => \??\c:\users\admin\pictures\CompressStop.tiff.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GroupConnect.raw => \??\c:\users\admin\pictures\GroupConnect.raw.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveUnlock.tif => \??\c:\users\admin\pictures\MoveUnlock.tif.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ProtectSuspend.png => \??\c:\users\admin\pictures\ProtectSuspend.png.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\UnblockResume.tiff | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UseWatch.crw => \??\c:\users\admin\pictures\UseWatch.crw.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WatchRepair.png => \??\c:\users\admin\pictures\WatchRepair.png.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\CompressStop.tiff | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t6fr94ykor.bmp" | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \??\c:\program files\k8z5720t7-read.txt | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\ConfirmGrant.ppt | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\RedoStep.rle | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\RequestConvertFrom.rmi | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\RequestSend.mhtml | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\SwitchStop.ini | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\UndoCopy.au3 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\EnableFormat.pot | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\MergeSync.xlsm | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\PopGrant.wax | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\UninstallInvoke.mpv2 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\UnregisterConfirm.vstx | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File created | \??\c:\program files (x86)\k8z5720t7-read.txt | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\EditClear.xltx | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\OptimizeRepair.css | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\PingSearch.vbe | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\ResetAdd.mhtml | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\SyncJoin.wma | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\CheckpointDisable.mid | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\ConnectMove.raw | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\InstallOptimize.svg | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\JoinDismount.mpp | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\MountConnect.mpeg3 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\OpenConnect.vsdx | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| File opened for modification | \??\c:\program files\StepGet.mp3 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3516 wrote to memory of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3516 wrote to memory of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3516 wrote to memory of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3620 wrote to memory of 4016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe |
| PID 3620 wrote to memory of 4016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe |
| PID 3620 wrote to memory of 4016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe | "C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe |
| C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 20.189.173.11:443 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe
| MD5 | 8cc83221870dd07144e63df594c391d9 |
| SHA1 | 3d409b39b8502fcd23335a878f2cbdaf6d721995 |
| SHA256 | 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a |
| SHA512 | e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c |
C:\Users\Admin\AppData\Local\Temp\mpsvc.dll
| MD5 | 78066a1c4e075941272a86d4a8e49471 |
| SHA1 | 6ee656604df8760981db003ae9dce5232d01da72 |
| SHA256 | cbfb6099868eef636f97847fb509527894938c8768028935e658b121b8372922 |
| SHA512 | 9bca159273fc397343f4555c3fbf882301fdb9bfe7f8d130212033e76dfdbad31fdd978292b8a029f7521dfa3eeac7c0a76c9833cc2fca8312de4a651284284a |
C:\Users\Admin\AppData\Local\Temp\MpSvc.dll
| MD5 | 78066a1c4e075941272a86d4a8e49471 |
| SHA1 | 6ee656604df8760981db003ae9dce5232d01da72 |
| SHA256 | cbfb6099868eef636f97847fb509527894938c8768028935e658b121b8372922 |
| SHA512 | 9bca159273fc397343f4555c3fbf882301fdb9bfe7f8d130212033e76dfdbad31fdd978292b8a029f7521dfa3eeac7c0a76c9833cc2fca8312de4a651284284a |
memory/4016-141-0x0000000001540000-0x0000000001561000-memory.dmp
memory/4016-142-0x0000000001540000-0x0000000001561000-memory.dmp
memory/4016-157-0x0000000001540000-0x0000000001561000-memory.dmp
C:\Program Files (x86)\k8z5720t7-read.txt
| MD5 | c0e62a1bed833df87866b081da4c6e90 |
| SHA1 | 7517d3b28f329f4e321067b439730f839e46c3bd |
| SHA256 | 54ae68ba19305f82e1314ccc50c9b37b81ab2fbb43d6ba3aa7da6ef112d1fb6c |
| SHA512 | 9e47508b97d93b12be7ab687f695f82d2162b329541b03308111d8b6eb9194bf2f5168a5d1df62a3cebbd50258bd39431bcf2228e802265dae1c56655d8acd4d |
memory/4016-190-0x0000000001540000-0x0000000001561000-memory.dmp
memory/4016-526-0x0000000001540000-0x0000000001561000-memory.dmp
memory/4016-538-0x0000000001540000-0x0000000001561000-memory.dmp
memory/4016-541-0x0000000001540000-0x0000000001561000-memory.dmp
memory/4016-546-0x0000000001540000-0x0000000001561000-memory.dmp
memory/4016-548-0x0000000001540000-0x0000000001561000-memory.dmp