Analysis Overview
SHA256
f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554
Threat Level: Known bad
The file v2.bin(1).zip was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodin,Sodinokibi,REvil
Reads user/profile data of web browsers
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-26 23:15
Signatures
Sodinokibi family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-26 23:15
Reported
2024-11-26 23:17
Platform
win7-20240903-en
Max time kernel
69s
Max time network
74s
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ja38k.bmp" | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\program files\DebugSearch.emz | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\ClearConvertTo.asx | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\CompareSync.sql | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\CompressReceive.pps | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\FormatCheckpoint.css | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\GetUnpublish.aifc | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\GrantMerge.M2TS | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\LimitMove.cr2 | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\ResetPing.TTS | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files (x86)\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\EditSubmit.xhtml | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\SearchSplit.wmv | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\UpdateBackup.htm | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\JoinExpand.mp2 | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\PushDisconnect.easmx | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\OutTrace.vst | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\RevokeOpen.odt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\SearchInitialize.otf | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\SelectSync.xlsm | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\BlockSet.wmf | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\ConvertFromSync.mpg | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\GroupRestart.wma | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\v2.exe
"C:\Users\Admin\AppData\Local\Temp\v2.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ResolveApprove.WTV.9ji5w
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\9ji5w-readme.txt
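Detection logic for the behavioural chain recorded in this run, as an added example that is not part of the sandbox report. The event list is constructed by hand from the process list and the file/registry indicators above, in an assumed normalised schema (event_type, image, cmdline, path, key, value) rather than any particular EDR's format. The per-victim token (9ji5w here, 95xgoqp7 in behavioral2) changes with every detonation, so the rules key on the `<token>-readme.txt` naming pattern and on that same token reappearing as a trailing file extension rather than on fixed strings. The rundll32 line in the process list is Explorer's "Open with" prompt (shell32!OpenAs_RunDLL) for a file whose trailing extension Windows cannot resolve, which is exactly what a victim sees when double-clicking an encrypted document.

```python
"""Rules over endpoint events for the REvil/Sodinokibi behaviour chain shown above.

Added example, not part of the sandbox report. EVENTS is constructed by hand from
the behavioral1 process list and indicator tables; the field schema is assumed.
"""
import re
from collections import defaultdict

V2 = r"C:\Users\Admin\AppData\Local\Temp\v2.exe"

# Constructed timeline: unsigned binary in %TEMP% writes notes, swaps the
# wallpaper, starts VSS, then Explorer's "Open with" fires on a renamed file.
EVENTS = [
    {"event_type": "process", "image": V2, "cmdline": f'"{V2}"'},
    {"event_type": "file_create", "image": V2,
     "path": r"c:\program files\9ji5w-readme.txt"},
    {"event_type": "file_create", "image": V2,
     "path": r"c:\program files (x86)\9ji5w-readme.txt"},
    {"event_type": "file_create", "image": V2,
     "path": r"c:\users\admin\appdata\roaming\microsoft\word\startup\9ji5w-readme.txt"},
    {"event_type": "registry_set", "image": V2,
     "key": r"HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\Admin\AppData\Local\Temp\ja38k.bmp"},
    {"event_type": "process", "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"event_type": "process", "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,'
                r'OpenAs_RunDLL C:\Users\Admin\Desktop\ResolveApprove.WTV.9ji5w'},
    {"event_type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe"'},
]

# <token>-readme.txt where token is a short alphanumeric string, as on this page.
NOTE_RE = re.compile(r"[\\/]([a-z0-9]{4,10})-readme\.txt$", re.I)
OPENAS_RE = re.compile(r"shell32\.dll,OpenAs_RunDLL\s+(.+)$", re.I)


def note_token(path):
    m = NOTE_RE.search(path)
    return m.group(1).lower() if m else None


def rule_ransom_note_fanout(events, min_dirs=3):
    """One process writes <token>-readme.txt into several directories."""
    seen = defaultdict(set)  # (image, token) -> directories written to
    for e in events:
        if e["event_type"] != "file_create":
            continue
        tok = note_token(e["path"])
        if tok:
            seen[(e["image"], tok)].add(e["path"].rsplit("\\", 1)[0].lower())
    return {tok: sorted(d) for (_, tok), d in seen.items() if len(d) >= min_dirs}


def rule_wallpaper_from_temp(events):
    """Desktop wallpaper pointed at a .bmp dropped in the user's Temp directory."""
    hits = []
    for e in events:
        if e["event_type"] != "registry_set":
            continue
        if not e["key"].lower().endswith("\\control panel\\desktop\\wallpaper"):
            continue
        v = e["value"].lower()
        if "\\appdata\\local\\temp\\" in v and v.endswith(".bmp"):
            hits.append(e["value"])
    return hits


def rule_openas_on_appended_extension(events, tokens):
    """'Open with' prompt for a file whose trailing extension is a ransom-note token."""
    hits = []
    for e in events:
        if e["event_type"] != "process" or not e["image"].lower().endswith("rundll32.exe"):
            continue
        m = OPENAS_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip().strip('"')
        if target.rsplit(".", 1)[-1].lower() in tokens:
            hits.append(target)
    return hits


def rule_vss_after_temp_binary(events):
    """VSS service started after a binary under %LOCALAPPDATA%\\Temp began running."""
    temp_seen = False
    for e in events:
        if e["event_type"] != "process":
            continue
        img = e["image"].lower()
        if "\\appdata\\local\\temp\\" in img:
            temp_seen = True
        elif img.endswith("\\vssvc.exe") and temp_seen:
            return True
    return False


def run_rules(events):
    findings = {}
    notes = rule_ransom_note_fanout(events)
    if notes:
        findings["ransom_note_fanout"] = notes
    wallpaper = rule_wallpaper_from_temp(events)
    if wallpaper:
        findings["wallpaper_from_temp"] = wallpaper
    openas = rule_openas_on_appended_extension(events, set(notes))
    if openas:
        findings["openas_on_appended_extension"] = openas
    if rule_vss_after_temp_binary(events):
        findings["vss_after_temp_binary"] = True
    return findings


if __name__ == "__main__":
    for name, detail in run_rules(EVENTS).items():
        print(f"{name}: {detail}")
```

The note-fanout rule is the one to trust on its own; the wallpaper and VSS rules are corroborating context (legitimate software also calls into VSS, and a user can set any wallpaper), so in a production rule set they should raise the score of an existing alert rather than page on their own.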
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | commercialboatbuilding.com | udp |
| US | 8.8.8.8:53 | parkstreetauto.net | udp |
| US | 8.8.8.8:53 | longislandelderlaw.com | udp |
| US | 8.8.8.8:53 | lbcframingelectrical.com | udp |
| US | 8.8.8.8:53 | assurancesalextrespaille.fr | udp |
Files
C:\Recovery\9ji5w-readme.txt
| MD5 | bce638d1535bf48d1c324b8cb16d9ac6 |
| SHA1 | 150e6537d2c5a5f2dbb8b852da0d0aafc01b0ef0 |
| SHA256 | e3432d71004e613fbc9a9c4d0841e5d73ba7a1fdbd9b4027df63b47c202edca4 |
| SHA512 | e5cf5791765542ebd45aa9f13ccf8203434dd58c5f0e6dcbeb5ffe8dc8bc8b02b5d920a04f4d0de15e892500a08b9ff30c3d8bc2b2e4b3557bb620d62f2b699e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-26 23:15
Reported
2024-11-26 23:17
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
92s
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\95xgoqp7-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\program files\ConfirmRestart.wmf | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\RenameCompare.wav | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\InitializePop.css | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files\95xgoqp7-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files (x86)\95xgoqp7-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\AddDebug.wav | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\GrantResolve.DVR | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\SaveProtect.ppt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\UseMove.mpeg3 | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\CheckpointRevoke.3gpp | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\CloseInitialize.temp | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\LimitGrant.M2V | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\OptimizeUnblock.mp3 | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\InitializeHide.ppsm | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\WriteUpdate.ex_ | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\v2.exe
"C:\Users\Admin\AppData\Local\Temp\v2.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Recovery\95xgoqp7-readme.txt
| MD5 | 13117ad457e652112bcd1649d64876a6 |
| SHA1 | 0cf523761a9518018dc4d9f9319af888b85a816c |
| SHA256 | 91e8fd405364252299cf89c56fc198341e91c53fd08396488a14853215390932 |
| SHA512 | f6086b5e2f6b8281f4f5619f5c3819d2246cf4f8586f1a3d9211490a923b50f4211428089bc310bb1f4cd9ed6a440f2051b96cc8cb1fff253059aa26bd6fb5f8 |
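The indicator tables of the behavioral1 and behavioral2 runs above carry the IoCs an analyst actually needs, but as pipe-table rows. The following is an added example, not part of the sandbox output, that parses those rows and pulls out the per-run ransom note name, the appended extension, the directories the note lands in (including the Word STARTUP folder that trips the "Drops startup file" signature, which on this page is a readme.txt, not a persistence payload), the wallpaper path, the privileges requested, and the NLS\Language registry read. The two REPORT strings are a representative subset of rows copied from the tables above; the parser assumes the `| Description | Indicator | Process | Target |` layout this page uses. Comparing the two runs shows which indicators survive across detonations (note directories, privileges, the language-key read) and which are generated per infection (extension, note name, wallpaper bitmap name, touched files), which is what decides whether an indicator is worth a hunt query or only a one-off match.

```python
"""Extract IoCs from the indicator tables of this sandbox report.

Added example, not part of the sandbox output. BEHAVIORAL1 and BEHAVIORAL2 are
subsets of rows copied from the two runs above (v2.exe rows only).
"""
import re

BEHAVIORAL1 = r"""
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ja38k.bmp" | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\DebugSearch.emz | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\ClearConvertTo.asx | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files (x86)\9ji5w-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
"""

BEHAVIORAL2 = r"""
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\95xgoqp7-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\ConfirmRestart.wmf | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File opened for modification | \??\c:\program files\RenameCompare.wav | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files\95xgoqp7-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| File created | \??\c:\program files (x86)\95xgoqp7-readme.txt | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v2.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
NOTE_RE = re.compile(r"^([a-z0-9]+)-readme\.txt$", re.I)
WALLPAPER_RE = re.compile(r'Wallpaper = "(.+)"$')


def parse_table(text):
    """Turn pipe-table rows into dicts, dropping the header and empty N/A rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        desc, ind, proc, target = m.groups()
        if desc == "Description" or (desc == "N/A" and ind == "N/A"):
            continue
        rows.append({"description": desc, "indicator": ind, "process": proc, "target": target})
    return rows


def strip_nt_prefix(path):
    """Drop the \\??\\ NT object-manager prefix the sandbox logs on file paths."""
    return path[4:] if path.startswith("\\??\\") else path


def extract_iocs(rows):
    iocs = {"extension": None, "note_name": None, "note_dirs": [], "modified_files": [],
            "wallpaper": None, "privileges": {}, "reads_nls_language": False}
    for r in rows:
        d, ind, proc = r["description"], r["indicator"], r["process"]
        if d == "File created":
            directory, _, name = strip_nt_prefix(ind).rpartition("\\")
            m = NOTE_RE.match(name)
            if m:  # ransom note: its prefix is the extension appended to encrypted files
                iocs["note_name"] = name
                iocs["extension"] = m.group(1).lower()
                iocs["note_dirs"].append(directory)
        elif d == "File opened for modification":
            iocs["modified_files"].append(strip_nt_prefix(ind))
        elif d == "Set value (str)":
            m = WALLPAPER_RE.search(ind)
            if m:  # the report doubles backslashes inside the quoted registry string
                iocs["wallpaper"] = m.group(1).replace("\\\\", "\\")
        elif d.startswith("Token: "):
            iocs["privileges"].setdefault(proc, []).append(d[len("Token: "):])
        elif d == "Key opened" and ind.lower().endswith("\\control\\nls\\language"):
            iocs["reads_nls_language"] = True
    return iocs


def compare_runs(a, b):
    """Split IoC fields into those identical across detonations and those that change."""
    stable = {k for k in a if a[k] == b[k]}
    return stable, set(a) - stable


if __name__ == "__main__":
    run1 = extract_iocs(parse_table(BEHAVIORAL1))
    run2 = extract_iocs(parse_table(BEHAVIORAL2))
    stable, volatile = compare_runs(run1, run2)
    print("stable across runs:", sorted(stable))
    print("per-run only:", sorted(volatile))
```

Feed the full tables to parse_table to get the complete list of touched files; the subset here is only to keep the example short. A hunt built from the stable set (ransom note naming pattern in Program Files and the Word STARTUP folder, SeDebugPrivilege plus SeTakeOwnershipPrivilege from a binary under a user's Temp directory, a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by that same binary) will match future detonations; a hash or extension from one run will not.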