Malware Analysis Report

2024-10-19 10:36

Sample ID: 230514-jg4l5sdd8y
Target: 2023-05-13_c5baecf50164376ef048646969d080d4_revil
SHA256: da5d73f59359d904a6c58c4940270a4ad7774ff340442f7a0eaebd2ccbc7c7fb
Tags: sodinokibi evasion ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: da5d73f59359d904a6c58c4940270a4ad7774ff340442f7a0eaebd2ccbc7c7fb

Threat Level: Known bad

The file 2023-05-13_c5baecf50164376ef048646969d080d4_revil was found to be: Known bad.

Malicious Activity Summary

sodinokibi evasion ransomware

Sodin,Sodinokibi,REvil

Sodinokibi family

Modifies Windows Firewall

Modifies extensions of user files

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-14 07:39

Signatures

Sodinokibi family

sodinokibi

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-14 07:39
Reported: 2023-05-14 07:42
Platform: win7-20230220-en
Max time kernel: 17s
Max time network: 32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-05-14 07:39
Reported: 2023-05-14 07:42
Platform: win10v2004-20230221-en
Max time kernel: 156s
Max time network: 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\BlockRedo.tif => \??\c:\users\admin\pictures\BlockRedo.tif.59v39ft483 C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectUpdate.raw => \??\c:\users\admin\pictures\ProtectUpdate.raw.59v39ft483 C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File renamed C:\Users\Admin\Pictures\SearchFind.png => \??\c:\users\admin\pictures\SearchFind.png.59v39ft483 C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File renamed C:\Users\Admin\Pictures\CompareInvoke.crw => \??\c:\users\admin\pictures\CompareInvoke.crw.59v39ft483 C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToFormat.crw => \??\c:\users\admin\pictures\ConvertToFormat.crw.59v39ft483 C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\users\admin\pictures\SuspendStep.tiff C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendRestore.raw => \??\c:\users\admin\pictures\SuspendRestore.raw.59v39ft483 C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendStep.tiff => \??\c:\users\admin\pictures\SuspendStep.tiff.59v39ft483 C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File renamed C:\Users\Admin\Pictures\UnregisterMeasure.raw => \??\c:\users\admin\pictures\UnregisterMeasure.raw.59v39ft483 C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bgi480mq4h.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\OpenFind.emz C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\RemovePop.vb C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\RenameSplit.ADT C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\RestoreSkip.jpg C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\RestoreSuspend.zip C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\SendOpen.png C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\BackupAdd.xlsm C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\ClearOpen.odp C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\ShowUnlock.bmp C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\UnpublishResolve.vsx C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\FormatRestore.crw C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\GetCompare.ex_ C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\StopRename.AAC C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\HideWatch.xlt C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\OpenWait.ini C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\RemoveFormat.WTV C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\SuspendAssert.ogg C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File created \??\c:\program files (x86)\tmp C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\MountPublish.shtml C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\ExitUnblock.zip C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\ExpandGrant.AAC C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File created \??\c:\program files (x86)\59v39ft483-read-me-PUP.txt C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\EnterExit.ttf C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\SkipDeny.TS C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\SwitchClear.potx C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File created \??\c:\program files\tmp C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\DisconnectClose.js C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File created \??\c:\program files\59v39ft483-read-me-PUP.txt C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
File opened for modification \??\c:\program files\DisableGrant.wmv C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-13_c5baecf50164376ef048646969d080d4_revil.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

C:\Recovery\59v39ft483-read-me-PUP.txt

MD5: 2bb3c1d184f9f153e62232fd27452eec
SHA1: 5eb577f2eaf4733f7093e625b81dc912baf4e46c
SHA256: 0c69f58a48f1b9936beed6c7ffcc5722a647f5e6c79df160187e3f56bfd8635c
SHA512: 76822704a1f8196774ac1917f49471a6808689c9ff1d283c5a5557b966501b312e3ec120a23399baea7eba5fd20ac7b3f9d9980e4477737e7b4398efbb02bc52