Analysis Overview
SHA256
8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e
Threat Level: Known bad
The file 2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Modifies Windows Firewall
Modifies extensions of user files
Enumerates connected drives
Adds Run key to start application
Sets desktop wallpaper using registry
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-14 07:36
Signatures
Sodinokibi family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-14 07:36
Reported
2023-05-14 07:39
Platform
win7-20230220-en
Max time kernel
28s
Max time network
33s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-14 07:36
Reported
2023-05-14 07:39
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\admin\pictures\RenameExpand.tiff | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RenameExpand.tiff => \??\c:\users\admin\pictures\RenameExpand.tiff.yq7er5k | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe" | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7usbmxic31.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1796 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1796 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1796 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe | C:\Windows\SysWOW64\netsh.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 40.77.2.164:443 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| NL | 13.69.109.130:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| US | 8.8.8.8:53 | withahmed.com | udp |
| US | 188.114.96.0:443 | withahmed.com | tcp |
| US | 8.8.8.8:53 | simulatebrain.com | udp |
| US | 8.8.8.8:53 | villa-marrakesch.de | udp |
| DE | 138.201.193.58:443 | villa-marrakesch.de | tcp |
| US | 8.8.8.8:53 | higadograsoweb.com | udp |
| US | 8.8.8.8:53 | minipara.com | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.193.201.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oldschoolfun.net | udp |
| NL | 185.220.205.181:443 | oldschoolfun.net | tcp |
| US | 8.8.8.8:53 | remcakram.com | udp |
| US | 72.52.178.23:443 | remcakram.com | tcp |
| US | 8.8.8.8:53 | 181.205.220.185.in-addr.arpa | udp |
| US | 72.52.178.23:443 | remcakram.com | tcp |
| US | 72.52.178.23:443 | remcakram.com | tcp |
| US | 8.8.8.8:53 | international-sound-awards.com | udp |
| DE | 217.160.0.46:443 | international-sound-awards.com | tcp |
| US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xn--fnsterputssollentuna-39b.se | udp |
| SE | 93.188.2.51:443 | xn--fnsterputssollentuna-39b.se | tcp |
| US | 8.8.8.8:53 | 46.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hogahojder.se | udp |
| US | 172.67.147.24:443 | hogahojder.se | tcp |
| US | 8.8.8.8:53 | 51.2.188.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | echtveilig.nl | udp |
| US | 23.236.62.147:443 | echtveilig.nl | tcp |
| US | 8.8.8.8:53 | 24.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | izzi360.com | udp |
| FR | 109.234.162.102:443 | izzi360.com | tcp |
| FR | 109.234.162.102:443 | izzi360.com | tcp |
| US | 8.8.8.8:53 | 147.62.236.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.izzi360.com | udp |
| FR | 109.234.162.102:443 | www.izzi360.com | tcp |
| US | 8.8.8.8:53 | 102.162.234.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | slashdb.com | udp |
| US | 52.1.93.170:443 | slashdb.com | tcp |
| US | 8.8.8.8:53 | burkert-ideenreich.de | udp |
| DE | 188.40.2.8:443 | burkert-ideenreich.de | tcp |
| US | 8.8.8.8:53 | 170.93.1.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ilso.net | udp |
| US | 8.8.8.8:53 | cwsitservices.co.uk | udp |
| GB | 35.214.77.27:443 | cwsitservices.co.uk | tcp |
| US | 8.8.8.8:53 | 8.2.40.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | projetlyonturin.fr | udp |
| FR | 87.98.154.146:443 | projetlyonturin.fr | tcp |
| US | 8.8.8.8:53 | gonzalezfornes.es | udp |
| DE | 217.160.0.244:443 | gonzalezfornes.es | tcp |
| DE | 217.160.0.244:443 | gonzalezfornes.es | tcp |
| DE | 217.160.0.244:443 | gonzalezfornes.es | tcp |
| US | 8.8.8.8:53 | autopfand24.de | udp |
| DE | 87.230.46.46:443 | autopfand24.de | tcp |
| US | 8.8.8.8:53 | 146.154.98.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fayrecreations.com | udp |
| US | 198.54.121.233:443 | fayrecreations.com | tcp |
| US | 8.8.8.8:53 | 46.46.230.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vancouver-print.ca | udp |
| US | 24.38.41.117:443 | vancouver-print.ca | tcp |
| US | 8.8.8.8:53 | 233.121.54.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | minuteman.com | udp |
| US | 24.38.41.117:443 | minuteman.com | tcp |
| US | 8.8.8.8:53 | 117.41.38.24.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pubweb.carnet.hr | udp |
| HR | 193.198.184.106:443 | pubweb.carnet.hr | tcp |
| US | 8.8.8.8:53 | beautychance.se | udp |
| US | 8.8.8.8:53 | edv-live.de | udp |
| DE | 202.61.195.82:443 | edv-live.de | tcp |
| US | 8.8.8.8:53 | ikads.org | udp |
| US | 8.8.8.8:53 | allure-cosmetics.at | udp |
| US | 8.8.8.8:53 | 106.184.198.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.195.61.202.in-addr.arpa | udp |
| DE | 159.69.224.11:443 | allure-cosmetics.at | tcp |
| US | 8.8.8.8:53 | www.allure-cosmetics.at | udp |
| DE | 159.69.224.11:443 | www.allure-cosmetics.at | tcp |
| US | 8.8.8.8:53 | lmtprovisions.com | udp |
| US | 35.209.158.247:443 | lmtprovisions.com | tcp |
| US | 8.8.8.8:53 | 11.224.69.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dublikator.com | udp |
| UA | 185.68.16.210:443 | dublikator.com | tcp |
| US | 8.8.8.8:53 | 247.158.209.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | candyhouseusa.com | udp |
| DE | 85.214.77.144:443 | candyhouseusa.com | tcp |
| US | 8.8.8.8:53 | 210.16.68.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | creamery201.com | udp |
| IL | 185.230.63.107:443 | creamery201.com | tcp |
| US | 8.8.8.8:53 | handi-jack-llc.com | udp |
| US | 204.11.56.48:443 | handi-jack-llc.com | tcp |
| US | 8.8.8.8:53 | 107.63.230.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | baustb.de | udp |
| DE | 85.13.164.99:443 | baustb.de | tcp |
| US | 8.8.8.8:53 | admos-gleitlager.de | udp |
| DE | 81.169.145.149:443 | admos-gleitlager.de | tcp |
| US | 8.8.8.8:53 | 99.164.13.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.56.11.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.145.169.81.in-addr.arpa | udp |
Files
C:\Recovery\yq7er5k-readme.txt
| MD5 | 77bd641d5387d1314588c0d6baaeb97c |
| SHA1 | b15f7cb2bbb932aa012a567a567759828fa7f29d |
| SHA256 | 6cf68f8b51f872d45cfc24923bab9b18e4e25975c4500706244aacaf06cc93be |
| SHA512 | a15b3a850ce199b24225025f362be4ca5e92f74de03684a279751bc47df75e129a06937fb4cb83c4d6b42f36be17b1f2165ade4f399d7ecd74d304e8eea0b038 |