Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.msi
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
8Ransomware...KB.exe
windows10-2004-x64
10Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1704s -
max time network
1719s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 17:54
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral8
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral10
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral18
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral20
Sample
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Pysa_08_04_2021_500KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral22
Sample
RansomwareSamples/REvil_07_04_2021_121KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
RansomwareSamples/REvil_08_04_2021_121KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral30
Sample
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
RansomwareSamples/Thanos_23_03_2021_91KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral32
Sample
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Resource
win10v2004-20220812-en
General
-
Target
RansomwareSamples/REvil_08_04_2021_121KB.exe
-
Size
120KB
-
MD5
2075566e7855679d66705741dabe82b4
-
SHA1
136443e2746558b403ae6fc9d9b40bfa92b23420
-
SHA256
12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
-
SHA512
312dcb3d83a5201ef16c5027aabd8d7baebfd9761bf9514cafecc8a6936970b897b18b993e056d0f7aec81e6f0ab5756aa5efd3165e43f64692d5dbdb7423129
-
SSDEEP
1536:bjxXC9jVwbhEW8z3w1R+KjJLRiOQJo0SoLCdpuOk2ICS4Ang6lUgvfYiFyRFywX/:mmV1wKdLoLC/OemUWYjfywpbPa
Malware Config
Extracted
C:\077f8fey81-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/73D59F437BA22B7D
http://decoder.re/73D59F437BA22B7D
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SearchCheckpoint.tiff => \??\c:\users\admin\pictures\SearchCheckpoint.tiff.077f8fey81 REvil_08_04_2021_121KB.exe File renamed C:\Users\Admin\Pictures\UnprotectSave.tiff => \??\c:\users\admin\pictures\UnprotectSave.tiff.077f8fey81 REvil_08_04_2021_121KB.exe File renamed C:\Users\Admin\Pictures\WaitCompress.tif => \??\c:\users\admin\pictures\WaitCompress.tif.077f8fey81 REvil_08_04_2021_121KB.exe File renamed C:\Users\Admin\Pictures\CheckpointSend.raw => \??\c:\users\admin\pictures\CheckpointSend.raw.077f8fey81 REvil_08_04_2021_121KB.exe File renamed C:\Users\Admin\Pictures\ConvertUnpublish.tiff => \??\c:\users\admin\pictures\ConvertUnpublish.tiff.077f8fey81 REvil_08_04_2021_121KB.exe File opened for modification \??\c:\users\admin\pictures\SearchCheckpoint.tiff REvil_08_04_2021_121KB.exe File renamed C:\Users\Admin\Pictures\ReceiveMove.png => \??\c:\users\admin\pictures\ReceiveMove.png.077f8fey81 REvil_08_04_2021_121KB.exe File opened for modification \??\c:\users\admin\pictures\UnprotectSave.tiff REvil_08_04_2021_121KB.exe File renamed C:\Users\Admin\Pictures\AssertOut.raw => \??\c:\users\admin\pictures\AssertOut.raw.077f8fey81 REvil_08_04_2021_121KB.exe File opened for modification \??\c:\users\admin\pictures\ConvertUnpublish.tiff REvil_08_04_2021_121KB.exe File renamed C:\Users\Admin\Pictures\DisableCompress.raw => \??\c:\users\admin\pictures\DisableCompress.raw.077f8fey81 REvil_08_04_2021_121KB.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: REvil_08_04_2021_121KB.exe File opened (read-only) \??\G: REvil_08_04_2021_121KB.exe File opened (read-only) \??\J: REvil_08_04_2021_121KB.exe File opened (read-only) \??\L: REvil_08_04_2021_121KB.exe File opened (read-only) \??\N: REvil_08_04_2021_121KB.exe File opened (read-only) \??\Y: REvil_08_04_2021_121KB.exe File opened (read-only) \??\X: REvil_08_04_2021_121KB.exe File opened (read-only) \??\B: REvil_08_04_2021_121KB.exe File opened (read-only) \??\F: REvil_08_04_2021_121KB.exe File opened (read-only) \??\K: REvil_08_04_2021_121KB.exe File opened (read-only) \??\Q: REvil_08_04_2021_121KB.exe File opened (read-only) \??\R: REvil_08_04_2021_121KB.exe File opened (read-only) \??\T: REvil_08_04_2021_121KB.exe File opened (read-only) \??\V: REvil_08_04_2021_121KB.exe File opened (read-only) \??\A: REvil_08_04_2021_121KB.exe File opened (read-only) \??\I: REvil_08_04_2021_121KB.exe File opened (read-only) \??\M: REvil_08_04_2021_121KB.exe File opened (read-only) \??\P: REvil_08_04_2021_121KB.exe File opened (read-only) \??\D: REvil_08_04_2021_121KB.exe File opened (read-only) \??\H: REvil_08_04_2021_121KB.exe File opened (read-only) \??\O: REvil_08_04_2021_121KB.exe File opened (read-only) \??\S: REvil_08_04_2021_121KB.exe File opened (read-only) \??\U: REvil_08_04_2021_121KB.exe File opened (read-only) \??\W: REvil_08_04_2021_121KB.exe File opened (read-only) \??\Z: REvil_08_04_2021_121KB.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v8cxky.bmp" REvil_08_04_2021_121KB.exe -
Drops file in Program Files directory 38 IoCs
description ioc Process File opened for modification \??\c:\program files\ApproveRepair.xhtml REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\ConvertToBackup.wma REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\RenameDismount.png REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\ResizeRequest.tiff REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\UninstallDisable.doc REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\InvokeRepair.otf REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\SkipRequest.vbs REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\SyncUpdate.M2TS REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\CloseSelect.WTV REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\ImportRead.scf REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\LockSearch.avi REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\SaveUnblock.iso REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\GrantFormat.ppsm REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\InstallWatch.gif REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\OptimizeResolve.mp2v REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\PushSuspend.contact REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\UnlockReceive.tiff REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\CompareHide.asx REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\SyncUnprotect.mp4 REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\UnregisterCompare.iso REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\FormatWrite.vdw REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\MeasureSearch.ttc REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\OutDisconnect.eprtx REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\ShowExpand.php REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\StepCheckpoint.mp4v REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\RenameSearch.vdx REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\SplitRead.emf REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\SyncInstall.dot REvil_08_04_2021_121KB.exe File created \??\c:\program files (x86)\077f8fey81-readme.txt REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\BackupDismount.avi REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\CloseRevoke.wpl REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\DenyUnblock.mp3 REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\ReadUnregister.xps REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\TestConnect.wmx REvil_08_04_2021_121KB.exe File created \??\c:\program files\077f8fey81-readme.txt REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\ConvertWait.vst REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\MeasureStart.clr REvil_08_04_2021_121KB.exe File opened for modification \??\c:\program files\RegisterTrace.m4v REvil_08_04_2021_121KB.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4148 REvil_08_04_2021_121KB.exe 4148 REvil_08_04_2021_121KB.exe 4148 REvil_08_04_2021_121KB.exe 4148 REvil_08_04_2021_121KB.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4148 REvil_08_04_2021_121KB.exe Token: SeTakeOwnershipPrivilege 4148 REvil_08_04_2021_121KB.exe Token: SeBackupPrivilege 4700 vssvc.exe Token: SeRestorePrivilege 4700 vssvc.exe Token: SeAuditPrivilege 4700 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\REvil_08_04_2021_121KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\REvil_08_04_2021_121KB.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:4312
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700