Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
22-04-2023 03:51
Behavioral task
behavioral1
Sample
2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe
Resource
win10v2004-20230220-en
General
-
Target
2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe
-
Size
165KB
-
MD5
e4be3e7aa3e471f7c42ec7ba35c3d69f
-
SHA1
5640beca5831e8a49031cd335a31415bfc8f3282
-
SHA256
50fdb342de90ce63c31625156beb9ed968bf11527ce7c4c3bd4a3f3f7c4cf730
-
SHA512
11b7e7659b083d1a7a060c7512651089fab63960e96083a60123c44cdd957a022c7d0af8c7b1bb7db364c44d30333ec2e121a9f4a85659f61143c8f36504fc26
-
SSDEEP
3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NaV4mKI3EeUO:lw02sJPi7O93NK4mKI0VO
Malware Config
Extracted
C:\Recovery\ncyx0rm-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4DAD1982572985D
http://decryptor.top/B4DAD1982572985D
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exedescription ioc process File renamed C:\Users\Admin\Pictures\SuspendDisconnect.tiff => \??\c:\users\admin\pictures\SuspendDisconnect.tiff.ncyx0rm 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File renamed C:\Users\Admin\Pictures\UnprotectAssert.raw => \??\c:\users\admin\pictures\UnprotectAssert.raw.ncyx0rm 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File renamed C:\Users\Admin\Pictures\ExportRepair.tif => \??\c:\users\admin\pictures\ExportRepair.tif.ncyx0rm 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File renamed C:\Users\Admin\Pictures\ProtectMove.tif => \??\c:\users\admin\pictures\ProtectMove.tif.ncyx0rm 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\users\admin\pictures\SuspendDisconnect.tiff 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File renamed C:\Users\Admin\Pictures\RegisterAdd.raw => \??\c:\users\admin\pictures\RegisterAdd.raw.ncyx0rm 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File renamed C:\Users\Admin\Pictures\StartTest.tif => \??\c:\users\admin\pictures\StartTest.tif.ncyx0rm 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exedescription ioc process File opened (read-only) \??\G: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\H: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\I: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\P: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\Y: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\A: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\E: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\F: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\Z: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\D: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\J: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\K: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\O: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\T: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\U: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\V: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\X: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\L: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\R: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\S: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\Q: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\W: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\B: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\M: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened (read-only) \??\N: 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4j759y.bmp" 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe -
Drops file in Program Files directory 32 IoCs
Processes:
2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exedescription ioc process File opened for modification \??\c:\program files\EnterClose.mpeg 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\GetExport.gif 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\WatchComplete.mpe 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File created \??\c:\program files\ncyx0rm-readme.txt 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\ConvertToRedo.mpeg 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\ResizeCheckpoint.wmf 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\SaveMerge.temp 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\SendInvoke.DVR-MS 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\OpenProtect.tif 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\CopyBackup.xlt 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\RenamePublish.wpl 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\UnregisterLock.pdf 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\TraceAssert.kix 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\FindResolve.wax 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\ReadExpand.rtf 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\RedoRegister.dxf 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\RepairOptimize.vsx 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\RevokeSuspend.mp2 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\CompleteRegister.asf 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\GrantOpen.wmf 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\MountDisconnect.odt 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\OptimizeExit.zip 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\ResumePing.M2T 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\SaveInitialize.sql 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\StartSync.scf 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\StepUpdate.wmv 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\WaitRedo.m4a 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File created \??\c:\program files (x86)\ncyx0rm-readme.txt 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\EnterComplete.xlt 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\GetReceive.mpeg2 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\RestoreResume.docx 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe File opened for modification \??\c:\program files\ResumeResize.mpeg 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exepowershell.exepid process 904 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe 904 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe 2836 powershell.exe 2836 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 2836 powershell.exe Token: SeBackupPrivilege 3704 vssvc.exe Token: SeRestorePrivilege 3704 vssvc.exe Token: SeAuditPrivilege 3704 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exedescription pid process target process PID 904 wrote to memory of 2836 904 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe powershell.exe PID 904 wrote to memory of 2836 904 2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe powershell.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe"C:\Users\Admin\AppData\Local\Temp\2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2388
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3704
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD514efa44ca00c3a22b7078bbee3c5ca44
SHA1932219d37f4d4dcee1c163a9d2ff5c384cf80458
SHA256cffe674b2be6d99edb656595127e4dbd962c39e5f85aba9e7909d592d8daa680
SHA5125ba206202ec69f1cbae227f587b2cdab8880c6d109e9e7192a615229f241579f491820b64e1923fdc0b43ea320957f07d01ebef4fd10c742a11e0aa54a33f15b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82