Malware Analysis Report

2025-01-18 18:20

Sample ID 241126-28wpqa1ndp
Target v2.bin(1).zip
SHA256 f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554
Tags
sodinokibi credential_access discovery ransomware spyware stealer $2a$12$ltqvwf.cqvh9w5jzkak9lo0hmlnifwtufobj86ge.hlzgvclg6xhw 7563
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554

Threat Level: Known bad

The file v2.bin(1).zip was found to be: Known bad.

Malicious Activity Summary

sodinokibi credential_access discovery ransomware spyware stealer $2a$12$ltqvwf.cqvh9w5jzkak9lo0hmlnifwtufobj86ge.hlzgvclg6xhw 7563

Sodinokibi family

Sodin, Sodinokibi, REvil

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 23:15

Signatures

Sodinokibi family

sodinokibi

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 23:15

Reported

2024-11-26 23:17

Platform

win7-20240903-en

Max time kernel

69s

Max time network

74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ja38k.bmp" | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\program files\DebugSearch.emz | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\ClearConvertTo.asx | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\CompareSync.sql | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\CompressReceive.pps | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\FormatCheckpoint.css | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\GetUnpublish.aifc | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\GrantMerge.M2TS | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\LimitMove.cr2 | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\ResetPing.TTS | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File created | \??\c:\program files\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File created | \??\c:\program files (x86)\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\EditSubmit.xhtml | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\SearchSplit.wmv | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\UpdateBackup.htm | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\JoinExpand.mp2 | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\PushDisconnect.easmx | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File created | \??\c:\program files (x86)\microsoft sql server compact edition\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\OutTrace.vst | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\RevokeOpen.odt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\SearchInitialize.otf | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\SelectSync.xlsm | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\BlockSet.wmf | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\ConvertFromSync.mpg | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\GroupRestart.wma | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\v2.exe

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ResolveApprove.WTV.9ji5w

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\9ji5w-readme.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | commercialboatbuilding.com | udp
US | 8.8.8.8:53 | parkstreetauto.net | udp
US | 8.8.8.8:53 | longislandelderlaw.com | udp
US | 8.8.8.8:53 | lbcframingelectrical.com | udp
US | 8.8.8.8:53 | assurancesalextrespaille.fr | udp

Files

C:\Recovery\9ji5w-readme.txt

MD5 bce638d1535bf48d1c324b8cb16d9ac6
SHA1 150e6537d2c5a5f2dbb8b852da0d0aafc01b0ef0
SHA256 e3432d71004e613fbc9a9c4d0841e5d73ba7a1fdbd9b4027df63b47c202edca4
SHA512 e5cf5791765542ebd45aa9f13ccf8203434dd58c5f0e6dcbeb5ffe8dc8bc8b02b5d920a04f4d0de15e892500a08b9ff30c3d8bc2b2e4b3557bb620d62f2b699e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 23:15

Reported

2024-11-26 23:17

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\95xgoqp7-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\program files\ConfirmRestart.wmf | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\RenameCompare.wav | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\InitializePop.css | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File created | \??\c:\program files\95xgoqp7-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File created | \??\c:\program files (x86)\95xgoqp7-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\AddDebug.wav | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\GrantResolve.DVR | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\SaveProtect.ppt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\UseMove.mpeg3 | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\CheckpointRevoke.3gpp | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\CloseInitialize.temp | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\LimitGrant.M2V | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\OptimizeUnblock.mp3 | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\InitializeHide.ppsm | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
File opened for modification | \??\c:\program files\WriteUpdate.ex_ | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\v2.exe

"C:\Users\Admin\AppData\Local\Temp\v2.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

C:\Recovery\95xgoqp7-readme.txt

MD5 13117ad457e652112bcd1649d64876a6
SHA1 0cf523761a9518018dc4d9f9319af888b85a816c
SHA256 91e8fd405364252299cf89c56fc198341e91c53fd08396488a14853215390932
SHA512 f6086b5e2f6b8281f4f5619f5c3819d2246cf4f8586f1a3d9211490a923b50f4211428089bc310bb1f4cd9ed6a440f2051b96cc8cb1fff253059aa26bd6fb5f8