Analysis Overview
SHA256
93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7
Threat Level: Known bad
The file 2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodinokibi/Revil sample
Enumerates connected drives
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-12 05:12
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-12 05:12
Reported
2023-05-12 05:15
Platform
win7-20230220-en
Max time kernel
23s
Max time network
36s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-12 05:12
Reported
2023-05-12 05:15
Platform
win10v2004-20230220-en
Max time kernel
172s
Max time network
183s
Command Line
Signatures
Enumerates connected drives
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4864 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4864 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-11_be059dd5f3442f498bde97f69265ccbd_revil_sodinokibi.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
(the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkgtrjbf.x5r.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |