sodinokibi | 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b

General

Target

2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
Size

160KB
MD5

b572a0486274ee9c0ba816c1b91b87c7
SHA1

43a904323a8583203b307c622c71c8ca706c2462
SHA256

15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b
SHA512

77d4ee400ded4b4be92da0170e7d2c197c312089429a1650e2843d0ceb15402d14f7e4fc3c2e84f20eeaa24995f0814c2106a37fc4cc32de7dbb4c15b6c5a171
SSDEEP

3072:tp5SexkWi1Lbi4eTMlwDCnu/qjUt7ptQJS+s:HvGWwbnWJ/3tTQg

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\ProgramData\33ygh39u3-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 33ygh39u3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/569FAA6380C8B137 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/569FAA6380C8B137 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Je7FwhnlGiv1YA2B9uMefo7BIA6mok43wBWbALtzobJ/x8B9LKDi8pqzGU0d0L6V s0y9I8v1IZuTf0rAfP6HGezcbpbAqLsFa4t47/DyFJrURX0E36JHDccD+HwWYNNb nRLTjviiqOvuvO/RDwYF6d7QS/FYtLRWjMd4o2XxXtD4shWV8LnHEmuy5h2fmQtP 2z/J0JFS25a6hEo4yQzUfHZE7SumjCfk/ntsmHJDalAdqBQ4A/AVWU+DEMvW53gi iJRNtOJpdFnelfzQfY6OAYfYKugDRC8vkHIKMraWFV10XF1bN/fGtqEwr0ahZ7P3 G72eQDHZDxoLZ0RcQNRnsqKtqc1l6TWezxAob+UNrIfO6aBVwSQSwIJSmP7ATrhX xXYcMykazMtzLTyTn2XVQhX7zvvD2/FdIXZc3tA3fLYF4XY6GVdPGKdMro5YdF0J tGDQiorU4t6ezV6cB4PB/nJc8my/LboK59H7ZPJxjs66FUIXA6i2zm1t0fDb1Slq ku6N3pYbmSW+BvSl6FQ5aranj4hfIzPB+zjPJ+eAmdC2FEpDE9d2Xfwgbgfb4+An 087WS48nW0jD6rvBGoJ5JVkjcN7JFPBduoBxnwAFBhA/XAkvt876CCaij415+6DJ RNS2n+2KJzWqqd+4FfFjkKt6D/uTZBaRNvcxWnlTKwX8ceDnv0Zb8BZCchlwyxx/ bQ3Dk3YDQwI30ntOr7R8ApwM/bkvGYbe6dB9Yx9L6tlHXlRqWMkKLVuQ5Z3gtGiX 7yRw5k7djw6xwro+Suv76zYUj693GQa8zCyMrGNvrwnGadqlOR7BaoLV36R0GWbp pSj6AVlm5EvCV8mmAECmQ4V+d6r0NnEFePsjiE/ykvklSAaHbMdEqvn0UakFwN0P cVK8lXf+2JMHtpXRljFjmIN1NvcBozNfIH8dXjSu2P9ZXjE8dpTnfMSZb/lZQehe uASvPXzLSBz4L4nNbMd2jgoeP6DDKCOwMOmgKllMybRZR1j3USgLujRc3T0qKVcR JbRvzVZTaJci1zjfJKSBNDu5OV/0MrH1WbzZpGhJSu74WWEarrATkxdK8JmDMHK0 hBIuXFDxo/S0IK/oxolho/QyqL2gU3JcXMCAFQ10YzYnZc2wmqnSqq4VxJQ3gF4W 07wWjXsLz8KpSh2O29HSAwW3GWrCu5rhEEcIok00exo38anj/zXWnp0Cu6w5Hp2J kufa9xrZCLakeM5GfCg= Extension name: 33ygh39u3 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/569FAA6380C8B137

http://decryptor.top/569FAA6380C8B137

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

description	ioc	process
File opened (read-only)	\??\R:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\Z:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\Y:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\B:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\G:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\O:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\X:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\J:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\N:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\P:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\S:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\A:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\E:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\H:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\I:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\V:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\W:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\F:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\T:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\U:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\D:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\K:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\L:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\M:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened (read-only)	\??\Q:	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3hk3.bmp"	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

Drops file in Program Files directory 23 IoCs

Processes:

2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

description	ioc	process
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\5c4c3ad0.lock	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File created	\??\c:\program files\5c4c3ad0.lock	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\FindRevoke.potm	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\GetGroup.mp2v	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\LockMerge.mid	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\RedoSuspend.mhtml	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\StartPing.js	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\33ygh39u3-readme.txt	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File created	\??\c:\program files\33ygh39u3-readme.txt	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\ConvertToProtect.ADTS	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\InvokeJoin.vsw	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\5c4c3ad0.lock	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File created	\??\c:\program files (x86)\33ygh39u3-readme.txt	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File created	\??\c:\program files (x86)\5c4c3ad0.lock	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\ExitPush.emf	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\JoinPublish.png	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\SearchLock.mpeg3	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\SkipUnregister.emz	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\33ygh39u3-readme.txt	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\DebugProtect.mht	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File opened for modification	\??\c:\program files\LockTest.rtf	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\33ygh39u3-readme.txt	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\5c4c3ad0.lock	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2696 vssadmin.exe

pid	process
2696	vssadmin.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

pid process

2400 2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1696 vssvc.exe
Token: SeRestorePrivilege 1696 vssvc.exe
Token: SeAuditPrivilege 1696 vssvc.exe

pid	process
2400	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe

description	pid	process
Token: SeBackupPrivilege	1696	vssvc.exe
Token: SeRestorePrivilege	1696	vssvc.exe
Token: SeAuditPrivilege	1696	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.execmd.exe

description	pid	process	target process
PID 2400 wrote to memory of 2568	2400	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe	cmd.exe
PID 2400 wrote to memory of 2568	2400	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe	cmd.exe
PID 2400 wrote to memory of 2568	2400	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe	cmd.exe
PID 2400 wrote to memory of 2568	2400	2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe	cmd.exe
PID 2568 wrote to memory of 2696	2568	cmd.exe	vssadmin.exe
PID 2568 wrote to memory of 2696	2568	cmd.exe	vssadmin.exe
PID 2568 wrote to memory of 2696	2568	cmd.exe	vssadmin.exe
PID 2568 wrote to memory of 2696	2568	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-06_b572a0486274ee9c0ba816c1b91b87c7_revil_sodinokibi.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\33ygh39u3-readme.txt
Filesize
6KB

MD5
9fea8d2b3136fe77deb606420cc4852e

SHA1
775a607f07c42ae12cbe8a2c5e96c03a0f6cda23

SHA256
98c81d4e8474d37dde92eb6d004d0a2fa012c2dccdbd510b5dffbd29c77198f1

SHA512
11b5d058e54ffae53e1181c7e2536884f8e13a3346f9cb63bd024633554a2eb304e6c5bcb9d9564741fa456490f1ba001a8783993f19ff9d68a47d8b634ff0bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
11a996b0d75d2dca42e71e3684eea09a

SHA1
4f50b29cded76c99b8a2362e16792a2ad3b07fc8

SHA256
471febb21871a975baa2976054eb0705c38858252c3eeb59e2f33d44a57f8c6b

SHA512
07d8645d0f8128aa6896f256cd3d57f40b4f3405641f1613e72113cc38a165e4c195cfb91de583a257de96080cb69e7b50248014091912ea8c8e10a0c9f11816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
51bf65153ff83812e41935aa99698377

SHA1
8586ff448c64ce49ce7695b0cf1d2b2d5ad04fc1

SHA256
c74f6a32060a08c5a948ef6f613aa5806050299b1c126d65b9bf586006fb705f

SHA512
01755370d3c829ff5705ced50072e72620bb3e410e6fa58822ca25e85e1c73c6fcf9125e4929c6115d727683ef9535d54dbacc541c625d33ef939c2699eb0c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC2F6.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads