Malware Analysis Report

2024-10-19 10:36

Sample ID 230526-lmzw9aeh23
Target 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.zip
SHA256 8cdb5bb1b487ca269ff5381d8b026d409fbef4383fbb17b5b1b9013d790fe3f3
Tags
sodinokibi $2a$12$l4/dnshgqodznkcm0fyzke6taice.tk6cqsrt9y0x6xcl.5fn2d7k 7422 ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

8cdb5bb1b487ca269ff5381d8b026d409fbef4383fbb17b5b1b9013d790fe3f3

Threat Level: Known bad

The file 66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.zip was found to be: Known bad.

Malicious Activity Summary

sodinokibi $2a$12$l4/dnshgqodznkcm0fyzke6taice.tk6cqsrt9y0x6xcl.5fn2d7k 7422 ransomware spyware stealer

Sodin,Sodinokibi,REvil

Modifies extensions of user files

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-26 09:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-26 09:39

Reported

2023-05-26 09:42

Platform

win7-20230220-en

Max time kernel

28s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe

"C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe

C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe

C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\MsMpEng.exe

MD5 8cc83221870dd07144e63df594c391d9
SHA1 3d409b39b8502fcd23335a878f2cbdaf6d721995
SHA256 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
SHA512 e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c

C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe

MD5 8cc83221870dd07144e63df594c391d9
SHA1 3d409b39b8502fcd23335a878f2cbdaf6d721995
SHA256 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
SHA512 e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c

C:\Users\Admin\AppData\Local\Temp\mpsvc.dll

MD5 78066a1c4e075941272a86d4a8e49471
SHA1 6ee656604df8760981db003ae9dce5232d01da72
SHA256 cbfb6099868eef636f97847fb509527894938c8768028935e658b121b8372922
SHA512 9bca159273fc397343f4555c3fbf882301fdb9bfe7f8d130212033e76dfdbad31fdd978292b8a029f7521dfa3eeac7c0a76c9833cc2fca8312de4a651284284a

\Users\Admin\AppData\Local\Temp\MpSvc.dll

MD5 78066a1c4e075941272a86d4a8e49471
SHA1 6ee656604df8760981db003ae9dce5232d01da72
SHA256 cbfb6099868eef636f97847fb509527894938c8768028935e658b121b8372922
SHA512 9bca159273fc397343f4555c3fbf882301fdb9bfe7f8d130212033e76dfdbad31fdd978292b8a029f7521dfa3eeac7c0a76c9833cc2fca8312de4a651284284a

memory/1732-62-0x0000000000190000-0x00000000001B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-26 09:39

Reported

2023-05-26 09:42

Platform

win10v2004-20230220-en

Max time kernel

108s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ConvertToCheckpoint.tiff => \??\c:\users\admin\pictures\ConvertToCheckpoint.tiff.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File renamed | C:\Users\Admin\Pictures\EnterConvert.raw => \??\c:\users\admin\pictures\EnterConvert.raw.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File renamed | C:\Users\Admin\Pictures\SubmitAdd.crw => \??\c:\users\admin\pictures\SubmitAdd.crw.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnblockResume.tiff => \??\c:\users\admin\pictures\UnblockResume.tiff.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\users\admin\pictures\ConvertToCheckpoint.tiff | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompressStop.tiff => \??\c:\users\admin\pictures\CompressStop.tiff.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File renamed | C:\Users\Admin\Pictures\GroupConnect.raw => \??\c:\users\admin\pictures\GroupConnect.raw.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File renamed | C:\Users\Admin\Pictures\MoveUnlock.tif => \??\c:\users\admin\pictures\MoveUnlock.tif.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File renamed | C:\Users\Admin\Pictures\ProtectSuspend.png => \??\c:\users\admin\pictures\ProtectSuspend.png.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\users\admin\pictures\UnblockResume.tiff | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File renamed | C:\Users\Admin\Pictures\UseWatch.crw => \??\c:\users\admin\pictures\UseWatch.crw.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File renamed | C:\Users\Admin\Pictures\WatchRepair.png => \??\c:\users\admin\pictures\WatchRepair.png.k8z5720t7 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\users\admin\pictures\CompressStop.tiff | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\t6fr94ykor.bmp" | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | \??\c:\program files\k8z5720t7-read.txt | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\ConfirmGrant.ppt | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\RedoStep.rle | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\RequestConvertFrom.rmi | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\RequestSend.mhtml | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\SwitchStop.ini | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\UndoCopy.au3 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\EnableFormat.pot | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\MergeSync.xlsm | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\PopGrant.wax | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\UninstallInvoke.mpv2 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\UnregisterConfirm.vstx | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File created | \??\c:\program files (x86)\k8z5720t7-read.txt | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\EditClear.xltx | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\OptimizeRepair.css | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\PingSearch.vbe | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\ResetAdd.mhtml | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\SyncJoin.wma | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\CheckpointDisable.mid | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\ConnectMove.raw | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\InstallOptimize.svg | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\JoinDismount.mpp | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\MountConnect.mpeg3 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\OpenConnect.vsdx | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
File opened for modification | \??\c:\program files\StepGet.mp3 | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe

"C:\Users\Admin\AppData\Local\Temp\66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe

C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe

C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 20.189.173.11:443 | | tcp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\MsMpEng.exe

MD5 8cc83221870dd07144e63df594c391d9
SHA1 3d409b39b8502fcd23335a878f2cbdaf6d721995
SHA256 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
SHA512 e7f964a10a8799310a519fa569d264f652e13cc7ea199792dc6a5c0507dec4a12844a87bf8bab714255dce717839908ed5d967ce8f65f5520fe4e7f9d25a622c

C:\Users\Admin\AppData\Local\Temp\mpsvc.dll

MD5 78066a1c4e075941272a86d4a8e49471
SHA1 6ee656604df8760981db003ae9dce5232d01da72
SHA256 cbfb6099868eef636f97847fb509527894938c8768028935e658b121b8372922
SHA512 9bca159273fc397343f4555c3fbf882301fdb9bfe7f8d130212033e76dfdbad31fdd978292b8a029f7521dfa3eeac7c0a76c9833cc2fca8312de4a651284284a

C:\Users\Admin\AppData\Local\Temp\MpSvc.dll

MD5 78066a1c4e075941272a86d4a8e49471
SHA1 6ee656604df8760981db003ae9dce5232d01da72
SHA256 cbfb6099868eef636f97847fb509527894938c8768028935e658b121b8372922
SHA512 9bca159273fc397343f4555c3fbf882301fdb9bfe7f8d130212033e76dfdbad31fdd978292b8a029f7521dfa3eeac7c0a76c9833cc2fca8312de4a651284284a

memory/4016-141-0x0000000001540000-0x0000000001561000-memory.dmp

memory/4016-142-0x0000000001540000-0x0000000001561000-memory.dmp

memory/4016-157-0x0000000001540000-0x0000000001561000-memory.dmp

C:\Program Files (x86)\k8z5720t7-read.txt

MD5 c0e62a1bed833df87866b081da4c6e90
SHA1 7517d3b28f329f4e321067b439730f839e46c3bd
SHA256 54ae68ba19305f82e1314ccc50c9b37b81ab2fbb43d6ba3aa7da6ef112d1fb6c
SHA512 9e47508b97d93b12be7ab687f695f82d2162b329541b03308111d8b6eb9194bf2f5168a5d1df62a3cebbd50258bd39431bcf2228e802265dae1c56655d8acd4d

memory/4016-190-0x0000000001540000-0x0000000001561000-memory.dmp

memory/4016-526-0x0000000001540000-0x0000000001561000-memory.dmp

memory/4016-538-0x0000000001540000-0x0000000001561000-memory.dmp

memory/4016-541-0x0000000001540000-0x0000000001561000-memory.dmp

memory/4016-546-0x0000000001540000-0x0000000001561000-memory.dmp

memory/4016-548-0x0000000001540000-0x0000000001561000-memory.dmp