Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-02-2023 14:35
Behavioral task: behavioral1
Sample: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
Resource: win10v2004-20221111-en
General

Target: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
Size: 179KB
MD5: d3624ff1fd9a8d7866a1578359716a55
SHA1: 66813f8263a1c8a53e8d6fece8a307e2ba5fa342
SHA256: 60c49baa290de5336e5903286d1e8ff8b8b833046a63be00966695dc9d3f6dbb
SHA512: 97da304352f0a37071ae935879af3531e33dd580e50f768521e2e12986f155d7a1b09e755cef20f720f3e9bb9608258e2fd37f32e5aca5cf611cfa4dfa8e0ee9
SSDEEP: 3072:rNKQ4JTBg0Q8F63VETed7/kBazzFbUL7npOStSWQ:rNn4FQS63VE6F/M4q30TJ
Malware Config

Extracted from: C:\q29go-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9D90AD6D62A20EAD
  http://decryptor.top/9D90AD6D62A20EAD
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  File renamed: C:\Users\Admin\Pictures\CheckpointAdd.crw => \??\c:\users\admin\pictures\CheckpointAdd.crw.q29go
  File opened for modification: \??\c:\users\admin\pictures\NewRegister.tiff
  File renamed: C:\Users\Admin\Pictures\NewRegister.tiff => \??\c:\users\admin\pictures\NewRegister.tiff.q29go
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
Drops desktop.ini file(s) (27 IoCs)
Process: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  File opened for modification: \??\c:\users\admin\pictures\desktop.ini
  File opened for modification: \??\c:\users\public\libraries\desktop.ini
  File opened for modification: \??\c:\users\admin\contacts\desktop.ini
  File opened for modification: \??\c:\users\admin\desktop\desktop.ini
  File opened for modification: \??\c:\users\public\accountpictures\desktop.ini
  File opened for modification: \??\c:\users\public\videos\desktop.ini
  File opened for modification: \??\c:\users\admin\pictures\camera roll\desktop.ini
  File opened for modification: \??\c:\program files (x86)\desktop.ini
  File opened for modification: \??\c:\users\admin\music\desktop.ini
  File opened for modification: \??\c:\users\admin\onedrive\desktop.ini
  File opened for modification: \??\c:\users\admin\saved games\desktop.ini
  File opened for modification: \??\c:\users\admin\searches\desktop.ini
  File opened for modification: \??\c:\users\public\desktop.ini
  File opened for modification: \??\c:\users\admin\documents\desktop.ini
  File opened for modification: \??\c:\users\admin\downloads\desktop.ini
  File opened for modification: \??\c:\users\admin\favorites\desktop.ini
  File opened for modification: \??\c:\users\admin\videos\desktop.ini
  File opened for modification: \??\c:\users\admin\links\desktop.ini
  File opened for modification: \??\c:\users\public\desktop\desktop.ini
  File opened for modification: \??\c:\users\admin\3d objects\desktop.ini
  File opened for modification: \??\c:\users\public\music\desktop.ini
  File opened for modification: \??\c:\users\admin\favorites\links\desktop.ini
  File opened for modification: \??\c:\program files\desktop.ini
  File opened for modification: \??\c:\users\public\documents\desktop.ini
  File opened for modification: \??\c:\users\public\downloads\desktop.ini
  File opened for modification: \??\c:\users\public\pictures\desktop.ini
  File opened for modification: \??\c:\users\admin\pictures\saved pictures\desktop.ini
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  File opened (read-only): \??\G:
  File opened (read-only): \??\U:
  File opened (read-only): \??\V:
  File opened (read-only): \??\Y:
  File opened (read-only): \??\Z:
  File opened (read-only): \??\H:
  File opened (read-only): \??\O:
  File opened (read-only): \??\P:
  File opened (read-only): \??\R:
  File opened (read-only): \??\W:
  File opened (read-only): \??\X:
  File opened (read-only): \??\B:
  File opened (read-only): \??\F:
  File opened (read-only): \??\I:
  File opened (read-only): \??\N:
  File opened (read-only): \??\T:
  File opened (read-only): \??\D:
  File opened (read-only): \??\Q:
  File opened (read-only): \??\S:
  File opened (read-only): \??\A:
  File opened (read-only): \??\E:
  File opened (read-only): \??\J:
  File opened (read-only): \??\K:
  File opened (read-only): \??\L:
  File opened (read-only): \??\M:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0y0304.bmp"
Drops file in Program Files directory (24 IoCs)
Process: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  File opened for modification: \??\c:\program files\AssertSend.au3
  File opened for modification: \??\c:\program files\LimitExit.ogg
  File opened for modification: \??\c:\program files\PingPop.mpe
  File opened for modification: \??\c:\program files\SaveEnable.mpp
  File opened for modification: \??\c:\program files\SkipSuspend.wmv
  File opened for modification: \??\c:\program files\TraceAdd.wav
  File created: \??\c:\program files (x86)\q29go-readme.txt
  File opened for modification: \??\c:\program files\ApproveRestore.svg
  File opened for modification: \??\c:\program files\desktop.ini
  File opened for modification: \??\c:\program files\InvokeGrant.M2T
  File opened for modification: \??\c:\program files\JoinGrant.eprtx
  File opened for modification: \??\c:\program files\MoveUnprotect.xml
  File opened for modification: \??\c:\program files\ShowCopy.mov
  File opened for modification: \??\c:\program files\ConvertFromSuspend.mpg
  File opened for modification: \??\c:\program files\HideGrant.xlsm
  File opened for modification: \??\c:\program files\RequestDisable.dwg
  File opened for modification: \??\c:\program files\SelectStart.txt
  File opened for modification: \??\c:\program files\SubmitBackup.txt
  File opened for modification: \??\c:\program files\UnpublishDebug.tif
  File opened for modification: \??\c:\program files (x86)\desktop.ini
  File created: \??\c:\program files\q29go-readme.txt
  File opened for modification: \??\c:\program files\AddSkip.mpg
  File opened for modification: \??\c:\program files\MergeSkip.ex_
  File opened for modification: \??\c:\program files\SyncPush.vssx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  PID 2728: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  PID 2728: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Process: 2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  PID 2728 wrote to memory of 4316 (2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe -> cmd.exe)
  PID 2728 wrote to memory of 4316 (2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe -> cmd.exe)
  PID 2728 wrote to memory of 4316 (2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe -> cmd.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-02-08_d3624ff1fd9a8d7866a1578359716a55_revil_sodinokibi.exe"
  Signatures:
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

memory/4316-132-0x0000000000000000-mapping.dmp