Analysis
- max time kernel: 156s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-05-2023 07:39
Behavioral task behavioral1
- Sample: 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
- Resource: win10v2004-20230221-en
General
- Target: 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
- Size: 122KB
- MD5: c5baecf50164376ef048646969d080d4
- SHA1: 610ba6ae85414b12e509e77906d8b81f95ce8cb7
- SHA256: da5d73f59359d904a6c58c4940270a4ad7774ff340442f7a0eaebd2ccbc7c7fb
- SHA512: 7c8231224b15d43a1129bb5012fb443937f9fd0153ecf223371b2d362bdb0242645655fc573a0be2d260f6629d5b109ba896c18dafbdfa187a8050376d813571
- SSDEEP: 1536:hxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6UdOgYMTLOjeW47s:hMhQNDEtb3AiPnGjeW47s
Malware Config
Extracted from C:\Recovery\59v39ft483-read-me-PUP.txt
- Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2ED93EE30ED9D99C
- http://decoder.re/2ED93EE30ED9D99C
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  - 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
    - File renamed C:\Users\Admin\Pictures\BlockRedo.tif => \??\c:\users\admin\pictures\BlockRedo.tif.59v39ft483
    - File renamed C:\Users\Admin\Pictures\ProtectUpdate.raw => \??\c:\users\admin\pictures\ProtectUpdate.raw.59v39ft483
    - File renamed C:\Users\Admin\Pictures\SearchFind.png => \??\c:\users\admin\pictures\SearchFind.png.59v39ft483
    - File renamed C:\Users\Admin\Pictures\CompareInvoke.crw => \??\c:\users\admin\pictures\CompareInvoke.crw.59v39ft483
    - File renamed C:\Users\Admin\Pictures\ConvertToFormat.crw => \??\c:\users\admin\pictures\ConvertToFormat.crw.59v39ft483
    - File opened for modification \??\c:\users\admin\pictures\SuspendStep.tiff
    - File renamed C:\Users\Admin\Pictures\SuspendRestore.raw => \??\c:\users\admin\pictures\SuspendRestore.raw.59v39ft483
    - File renamed C:\Users\Admin\Pictures\SuspendStep.tiff => \??\c:\users\admin\pictures\SuspendStep.tiff.59v39ft483
    - File renamed C:\Users\Admin\Pictures\UnregisterMeasure.raw => \??\c:\users\admin\pictures\UnregisterMeasure.raw.59v39ft483
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  - 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
    File opened (read-only), one IoC per drive letter (every letter except C:):
    \??\B:, \??\G:, \??\H:, \??\M:, \??\Y:, \??\S:, \??\D:, \??\A:, \??\F:, \??\J:, \??\K:, \??\Q:, \??\R:, \??\E:, \??\N:, \??\U:, \??\V:, \??\X:, \??\Z:, \??\I:, \??\L:, \??\O:, \??\P:, \??\T:, \??\W:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
  - 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
    - Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bgi480mq4h.bmp"
- Drops file in Program Files directory (29 IoCs)
  Processes:
  - 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
    - File opened for modification \??\c:\program files\OpenFind.emz
    - File opened for modification \??\c:\program files\RemovePop.vb
    - File opened for modification \??\c:\program files\RenameSplit.ADT
    - File opened for modification \??\c:\program files\RestoreSkip.jpg
    - File opened for modification \??\c:\program files\RestoreSuspend.zip
    - File opened for modification \??\c:\program files\SendOpen.png
    - File opened for modification \??\c:\program files\BackupAdd.xlsm
    - File opened for modification \??\c:\program files\ClearOpen.odp
    - File opened for modification \??\c:\program files\ShowUnlock.bmp
    - File opened for modification \??\c:\program files\UnpublishResolve.vsx
    - File opened for modification \??\c:\program files\FormatRestore.crw
    - File opened for modification \??\c:\program files\GetCompare.ex_
    - File opened for modification \??\c:\program files\StopRename.AAC
    - File opened for modification \??\c:\program files\HideWatch.xlt
    - File opened for modification \??\c:\program files\OpenWait.ini
    - File opened for modification \??\c:\program files\RemoveFormat.WTV
    - File opened for modification \??\c:\program files\SuspendAssert.ogg
    - File created \??\c:\program files (x86)\tmp
    - File opened for modification \??\c:\program files\MountPublish.shtml
    - File opened for modification \??\c:\program files\ExitUnblock.zip
    - File opened for modification \??\c:\program files\ExpandGrant.AAC
    - File created \??\c:\program files (x86)\59v39ft483-read-me-PUP.txt
    - File opened for modification \??\c:\program files\EnterExit.ttf
    - File opened for modification \??\c:\program files\SkipDeny.TS
    - File opened for modification \??\c:\program files\SwitchClear.potx
    - File created \??\c:\program files\tmp
    - File opened for modification \??\c:\program files\DisconnectClose.js
    - File created \??\c:\program files\59v39ft483-read-me-PUP.txt
    - File opened for modification \??\c:\program files\DisableGrant.wmv
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  - pid 4612, 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe (10 occurrences)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 4612, 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
  - Token: SeTakeOwnershipPrivilege, pid 4612, 2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
  - Token: SeBackupPrivilege, pid 4372, vssvc.exe
  - Token: SeRestorePrivilege, pid 4372, vssvc.exe
  - Token: SeAuditPrivilege, pid 4372, vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 4612 (2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe) wrote to memory of PID 1132 (netsh.exe), 3 occurrences
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2, child of the sample)
    Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    - Modifies Windows Firewall
- C:\Windows\system32\wbem\unsecapp.exe (depth 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
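The behaviours above are the ones a responder would turn into host detections: a consistent suffix appended on rename, a ransom note named after that suffix dropped in many directories, the Wallpaper value under HKU\...\Control Panel\Desktop pointed at a .bmp in Temp, and a netsh advfirewall change spawned directly by the encryptor. The Python below is an added example, not part of the Triage report or any EDR product: SAMPLE_EVENTS is constructed telemetry mirroring the report's IOCs (plus one benign rename that must not fire), and the Event schema and function names are assumptions.

```python
"""Triage of host telemetry for the behaviours in this REvil/Sodinokibi report.
Added example, not part of the Triage report: SAMPLE_EVENTS is constructed to
mirror the report's IOCs, and the Event schema is an assumption, not an EDR API."""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str   # "rename" | "create" | "regset" | "process"
    pid: int
    data: dict = field(default_factory=dict)


SID = "S-1-5-21-2805025096-2326403612-4231045514-1000"
PICS = r"C:\Users\Admin\Pictures"
NT_PICS = r"\??\c:\users\admin\pictures"   # the report logs new paths as NT paths

# Constructed sample telemetry mirroring the report, plus one benign rename (pid 900).
SAMPLE_EVENTS = [
    Event("rename", 4612, {"old": PICS + r"\BlockRedo.tif", "new": NT_PICS + r"\BlockRedo.tif.59v39ft483"}),
    Event("rename", 4612, {"old": PICS + r"\ProtectUpdate.raw", "new": NT_PICS + r"\ProtectUpdate.raw.59v39ft483"}),
    Event("rename", 4612, {"old": PICS + r"\SearchFind.png", "new": NT_PICS + r"\SearchFind.png.59v39ft483"}),
    Event("rename", 4612, {"old": PICS + r"\SuspendStep.tiff", "new": NT_PICS + r"\SuspendStep.tiff.59v39ft483"}),
    Event("rename", 900, {"old": r"C:\Users\Admin\Documents\draft.docx", "new": r"C:\Users\Admin\Documents\final.docx"}),
    Event("create", 4612, {"path": r"\??\c:\program files\59v39ft483-read-me-PUP.txt"}),
    Event("create", 4612, {"path": r"C:\Recovery\59v39ft483-read-me-PUP.txt"}),
    Event("create", 4612, {"path": r"\??\c:\program files\tmp"}),
    Event("regset", 4612, {"key": "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\Desktop",
                           "value": "Wallpaper", "data": r"C:\Users\Admin\AppData\Local\Temp\bgi480mq4h.bmp"}),
    Event("process", 1132, {"parent": 4612, "image": r"C:\Windows\SysWOW64\netsh.exe",
                            "cmdline": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'}),
]


def _norm(path: str) -> str:
    """Strip the NT \\??\\ prefix seen in the report and lower-case for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def infer_appended_extension(events, min_count=3):
    """Suffix the encryptor appends on rename, if at least min_count renames share it."""
    suffixes = Counter()
    for ev in events:
        if ev.kind != "rename":
            continue
        old, new = _norm(ev.data["old"]), _norm(ev.data["new"])
        if new.startswith(old) and len(new) > len(old):   # old name kept, suffix added
            suffixes[new[len(old):]] += 1
    if not suffixes:
        return None
    suffix, count = suffixes.most_common(1)[0]
    return suffix if count >= min_count else None


def find_ransom_notes(events, ext):
    """Text files created whose name carries the extension token (the REvil naming scheme)."""
    token = ext.lstrip(".")
    hits = []
    for ev in events:
        if ev.kind == "create":
            path = _norm(ev.data["path"])
            name = path.rsplit("\\", 1)[-1]
            if token in name and name.endswith(".txt"):
                hits.append(path)
    return hits


def detect_wallpaper_swap(events):
    """Wallpaper value under HKU\\<SID>\\Control Panel\\Desktop pointed at a .bmp in Temp."""
    for ev in events:
        if ev.kind != "regset" or ev.data["value"].lower() != "wallpaper":
            continue
        if ev.data["key"].lower().endswith("\\control panel\\desktop"):
            data = _norm(ev.data["data"])
            if "\\appdata\\local\\temp\\" in data and data.endswith(".bmp"):
                return data
    return None


FIREWALL_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+set\s+rule\s.*enable=yes", re.I)


def detect_firewall_change(events, encryptor_pid):
    """netsh advfirewall rule change whose parent is the encryptor process."""
    for ev in events:
        if ev.kind == "process" and ev.data.get("parent") == encryptor_pid:
            cmd = ev.data.get("cmdline", "")
            if FIREWALL_RE.search(cmd):
                return cmd
    return None


def triage(events, encryptor_pid=4612):
    """Collect all findings into one dict; an empty dict means nothing fired."""
    findings = {}
    ext = infer_appended_extension(events)
    if ext:
        findings["appended_extension"] = ext
        findings["ransom_notes"] = find_ransom_notes(events, ext)
    wallpaper = detect_wallpaper_swap(events)
    if wallpaper:
        findings["wallpaper"] = wallpaper
    firewall = detect_firewall_change(events, encryptor_pid)
    if firewall:
        findings["firewall_cmd"] = firewall
    return findings
```

Two caveats when porting this to real telemetry: the report records the original path as a Win32 path and the new path as an NT path (\??\c:\...), so normalise before comparing or the rename pairs will never match; and vssvc.exe acquiring SeBackupPrivilege/SeRestorePrivilege is that service's normal behaviour, so the signal to alert on is the encryptor driving the VSS COM API at all (recorded separately above), not the privilege adjustment itself.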
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Recovery\59v39ft483-read-me-PUP.txt
  - Filesize: 8KB
  - MD5: 2bb3c1d184f9f153e62232fd27452eec
  - SHA1: 5eb577f2eaf4733f7093e625b81dc912baf4e46c
  - SHA256: 0c69f58a48f1b9936beed6c7ffcc5722a647f5e6c79df160187e3f56bfd8635c
  - SHA512: 76822704a1f8196774ac1917f49471a6808689c9ff1d283c5a5557b966501b312e3ec120a23399baea7eba5fd20ac7b3f9d9980e4477737e7b4398efbb02bc52