Analysis Overview
SHA256
da5d73f59359d904a6c58c4940270a4ad7774ff340442f7a0eaebd2ccbc7c7fb
Threat Level: Known bad
The file 2023-05-13_c5baecf50164376ef048646969d080d4_revil was found to be: Known bad.
Malicious Activity Summary
Sodin,Sodinokibi,REvil
Sodinokibi family
Modifies Windows Firewall
Modifies extensions of user files
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-14 07:39
Signatures
Sodinokibi family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-14 07:39
Reported
2023-05-14 07:42
Platform
win7-20230220-en
Max time kernel
17s
Max time network
32s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-14 07:39
Reported
2023-05-14 07:42
Platform
win10v2004-20230221-en
Max time kernel
156s
Max time network
160s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\BlockRedo.tif => \??\c:\users\admin\pictures\BlockRedo.tif.59v39ft483 | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ProtectUpdate.raw => \??\c:\users\admin\pictures\ProtectUpdate.raw.59v39ft483 | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchFind.png => \??\c:\users\admin\pictures\SearchFind.png.59v39ft483 | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompareInvoke.crw => \??\c:\users\admin\pictures\CompareInvoke.crw.59v39ft483 | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertToFormat.crw => \??\c:\users\admin\pictures\ConvertToFormat.crw.59v39ft483 | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\SuspendStep.tiff | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SuspendRestore.raw => \??\c:\users\admin\pictures\SuspendRestore.raw.59v39ft483 | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SuspendStep.tiff => \??\c:\users\admin\pictures\SuspendStep.tiff.59v39ft483 | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnregisterMeasure.raw => \??\c:\users\admin\pictures\UnregisterMeasure.raw.59v39ft483 | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bgi480mq4h.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4612 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4612 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4612 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe | C:\Windows\SysWOW64\netsh.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 117.18.237.29:80 | tcp | |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 20.42.65.90:443 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| US | 8.8.8.8:53 | cortec-neuro.com | udp |
| DE | 217.160.0.189:443 | cortec-neuro.com | tcp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raschlosser.de | udp |
| DE | 185.245.99.134:443 | raschlosser.de | tcp |
| US | 8.8.8.8:53 | www.raschlosser.de | udp |
| DE | 185.245.99.134:443 | www.raschlosser.de | tcp |
| US | 8.8.8.8:53 | naturstein-hotte.de | udp |
| DE | 78.46.10.150:443 | naturstein-hotte.de | tcp |
| US | 8.8.8.8:53 | www.naturstein-hotte.de | udp |
| DE | 78.46.10.150:443 | www.naturstein-hotte.de | tcp |
| US | 8.8.8.8:53 | 134.99.245.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.10.46.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | praxis-foerderdiagnostik.de | udp |
| DE | 206.81.31.151:443 | praxis-foerderdiagnostik.de | tcp |
| US | 8.8.8.8:53 | www.praxis-foerderdiagnostik.de | udp |
| DE | 206.81.31.151:443 | www.praxis-foerderdiagnostik.de | tcp |
| US | 8.8.8.8:53 | kosterra.com | udp |
| US | 35.215.114.69:443 | kosterra.com | tcp |
| US | 8.8.8.8:53 | 151.31.81.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uimaan.fi | udp |
| FI | 84.34.147.48:443 | uimaan.fi | tcp |
| US | 8.8.8.8:53 | ampisolabergeggi.it | udp |
| FR | 51.178.206.226:443 | ampisolabergeggi.it | tcp |
| US | 8.8.8.8:53 | www.ampisolabergeggi.it | udp |
| FR | 51.178.206.226:443 | www.ampisolabergeggi.it | tcp |
| US | 8.8.8.8:53 | 48.147.34.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.206.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pubweb.carnet.hr | udp |
| HR | 193.198.184.106:443 | pubweb.carnet.hr | tcp |
| US | 8.8.8.8:53 | securityfmm.com | udp |
| US | 154.38.161.76:443 | securityfmm.com | tcp |
| US | 8.8.8.8:53 | 106.184.198.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | commercialboatbuilding.com | udp |
| US | 8.8.8.8:53 | hkr-reise.de | udp |
| FR | 5.35.241.68:443 | hkr-reise.de | tcp |
| US | 8.8.8.8:53 | www.hkr-reise.de | udp |
| FR | 5.35.241.68:443 | www.hkr-reise.de | tcp |
| US | 8.8.8.8:53 | fatfreezingmachines.com | udp |
| SG | 35.213.136.188:443 | fatfreezingmachines.com | tcp |
| US | 8.8.8.8:53 | 76.161.38.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.241.35.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cuspdental.com | udp |
| US | 207.55.244.8:443 | cuspdental.com | tcp |
| US | 8.8.8.8:53 | 365questions.org | udp |
| FR | 78.40.8.65:443 | 365questions.org | tcp |
| FR | 78.40.8.65:443 | 365questions.org | tcp |
| FR | 78.40.8.65:443 | 365questions.org | tcp |
| US | 8.8.8.8:53 | 8.244.55.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hmsdanmark.dk | udp |
| DK | 94.231.103.180:443 | hmsdanmark.dk | tcp |
| US | 8.8.8.8:53 | 65.8.40.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.103.231.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nijaplay.com | udp |
| US | 66.29.146.184:443 | nijaplay.com | tcp |
| US | 8.8.8.8:53 | coursio.com | udp |
| NL | 64.227.72.13:443 | coursio.com | tcp |
| US | 8.8.8.8:53 | body-armour.online | udp |
| US | 8.8.8.8:53 | ecoledansemulhouse.fr | udp |
| DE | 217.160.0.56:443 | ecoledansemulhouse.fr | tcp |
| US | 8.8.8.8:53 | 184.146.29.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.72.227.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | baptisttabernacle.com | udp |
| US | 34.197.116.254:443 | baptisttabernacle.com | tcp |
| US | 8.8.8.8:53 | www.baptisttabernacle.com | udp |
| US | 34.197.116.254:443 | www.baptisttabernacle.com | tcp |
| US | 8.8.8.8:53 | portoesdofarrobo.com | udp |
| US | 8.8.8.8:53 | dw-css.de | udp |
| US | 8.8.8.8:53 | 254.116.197.34.in-addr.arpa | udp |
| DE | 185.53.178.11:443 | dw-css.de | tcp |
| US | 8.8.8.8:53 | craigmccabe.fun | udp |
| US | 8.8.8.8:53 | rafaut.com | udp |
| FR | 54.36.91.62:443 | rafaut.com | tcp |
| US | 8.8.8.8:53 | www.rafautgroup.com | udp |
| FR | 54.37.106.128:443 | www.rafautgroup.com | tcp |
| US | 8.8.8.8:53 | 11.178.53.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.91.36.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | levdittliv.se | udp |
| SE | 185.198.192.66:443 | levdittliv.se | tcp |
| US | 8.8.8.8:53 | www.levdittliv.se | udp |
| SE | 185.198.192.66:443 | www.levdittliv.se | tcp |
| SE | 185.198.192.66:443 | www.levdittliv.se | tcp |
| US | 8.8.8.8:53 | 128.106.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.192.198.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ecpmedia.vn | udp |
| VN | 103.221.223.112:443 | ecpmedia.vn | tcp |
| US | 8.8.8.8:53 | udp | |
| N/A | 172.64.155.188:80 | tcp |
Files
C:\Recovery\59v39ft483-read-me-PUP.txt
| MD5 | 2bb3c1d184f9f153e62232fd27452eec |
| SHA1 | 5eb577f2eaf4733f7093e625b81dc912baf4e46c |
| SHA256 | 0c69f58a48f1b9936beed6c7ffcc5722a647f5e6c79df160187e3f56bfd8635c |
| SHA512 | 76822704a1f8196774ac1917f49471a6808689c9ff1d283c5a5557b966501b312e3ec120a23399baea7eba5fd20ac7b3f9d9980e4477737e7b4398efbb02bc52 |