sodinokibi | c7f7ed131d7b0759910ec04e5f25f0fa4f23b89f768fca1ffbffcfa130813a93

General

Target

2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Size

118KB
MD5

57bb226213f038b7fd016ab0463632df
SHA1

a19d79621b327e1a6b6010b73e5f96cbea895d43
SHA256

c7f7ed131d7b0759910ec04e5f25f0fa4f23b89f768fca1ffbffcfa130813a93
SHA512

cd679c07da96c88a071f5a27825333159b257be5e49ae5852395b225a3bddf81d7d24592c9270e583a0f115f9955d332f97814806fb53573ec869569568afd85
SSDEEP

1536:6xryLRras2vlBmcJW6Xi5wBwBpaKj2dICS4ARoGjnmFxVd0dEtr0kJBhnv:+dBVJW0BwjX/o9xVSAIkjhnv

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wwyhp-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension wwyhp. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Data leak [+] First of all we have uploaded more then 200 GB archived data from \\UDATA. Example of data: - Accounting - Finance - Audit - Strategic sourcing - Management - projects, plans - Personal Data - Banking data - WE DOWNLOADED DATA FROM ALL YOUR DOMAINS And more other... Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/ Read what happens to those who do not pay. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DB30F55E04B68613 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/DB30F55E04B68613 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: L78Nnto9bFa5Fp41KaWZTzWFu9g6qE2b7eaLknj7s/LTrT6Akwi7BetuAuhsnEIm vl/YbCGDS4K/B2eJDHFglS+F/HrooyKPQkdsv8KJ5bgVkAldvQTINePYRWZ3Co3r Y2qsUSR8vaFvwYcpuj81BXmA6a9khQbmpcooca9vbDqGt1ej7PA6mB1i9H+3+3GA Zfspwo7+Sd5mtRMEnjHHPTElz5m6DKJ8Mtn7EZxY0CNdMOsVeoMtA+K/yjJlCNq5 2q29QCP+ugWzITVhAS/gf42pGKMBueXoG3d75z6yFhK+R+IULy3La34vt9bJVCRV gfeKl+0SuVTepdU6vzQQrkWoGp/2n+Zt8ZOjeeXLg4Jnmpi0suRzIor3y2OPlj3U RctftTIomgf0vb02DaBHhklM/VO4WPo6VzMKAF4FtPBzM8Ahfr1/JUKfuQ4W/iPu y0EJySf22FKORGZ2IjKnA0g+mnDEpmxObFhZInQnZl3IGzxRP5uxwVyF6sxdybv8 FQVFdQLB4I4a3tsAf3+4eWDM0PWkmSLqg/Ya0kICrLAW9nX5FuAmeqpyqf/Q76yP Gi7+uJmLC4GcKegz+RRdDChj5MHskeEqqBBr89aMefzzPCP8ZJ5L/Mayqq+sSw5O z8oo93VXComQZSutrk56ZJMRxwkUWMSJnLNdY090NMfGzPUz2y2Xj8edqvy30PXw d2tRrol51W43KthSFEcHbziRmVktRJ65a0nEf2p95FSwO2S/EJh/Cn2pZ4PnWpps 6OGnD3371FFXcTs1qgxrUMhdv4B9PtYfnCFw1L9Ek77UBhoL5qDucLdTBbjUJYNO 1JMsrZJC6oKkZ3lNubusFspMHlfWStXpAEbt1ESVbM6QmkvPL2Qdn/XD1EnU8ZLE fwnh450VDkNIvgZKHH9AhxE3gEH6YrV3T8782cmLq1DTOvSLPa6IPsAvh4LRaSEe ib3Xt0rQiwQ32GHXdn0xcU34fjbnspCUX7QbfirP+rLbElMd+QoMRvrZteFI3nx9 2xNkzFbHvPxm+auOz3OdPpl7WBkD8pdxBeI2IWK1GmQJrXQ6Bg4OLEAbpo87PzNc PxJPLpQteqD9BU8q1g6bXM6iDQW3zmnJVNw1KAJKrYSv03f69oJb9DSj70s/YSCc Ti7QoyJmOzgm/Dla3qo9noJpUOocJJtZVi4bQbuAoM44wZWeGywQxmcW/B84lV1X ASlpPhayNLtc80S/D0N2WskwkMOoTfNjJ8rAaSyk4RBSGKIH7urnO433Qp/dpC2w NNgyPqZPRfEpxJSoyQ8OBiXTW+PQE5ZOgLoHYWDJqKk5BdAUYbgsqhEyyIrhHC0+ xR0KiSHNYIdYdtOtN+d4/1+zhmJ0AzaBP9Oj4tZc ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DB30F55E04B68613

http://decryptor.cc/DB30F55E04B68613

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

description	ioc	process
File opened (read-only)	\??\K:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\A:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\B:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\G:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\O:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\P:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\W:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\J:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\L:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\Q:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\M:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\F:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\H:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\X:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\E:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\V:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\I:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\S:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\T:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\Y:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\D:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\N:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\R:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\U:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened (read-only)	\??\Z:	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

Drops file in System32 directory 1 IoCs

Processes:

2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt 2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgaeel.bmp"	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

Drops file in Program Files directory 36 IoCs

Processes:

2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

description	ioc	process
File opened for modification	\??\c:\program files\UnlockRestore.midi	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\DebugCheckpoint.mpp	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\MergeInvoke.xlsb	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\ExitMove.vssx	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\ShowUnpublish.jpeg	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\UninstallConvertTo.xlsx	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\UpdateWatch.dxf	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\wwyhp-readme.txt	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\wwyhp-readme.txt	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\CheckpointSuspend.i64	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\EnterExpand.WTV	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\CheckpointConnect.iso	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\InitializeShow.3gpp	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\ProtectMove.m3u	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\RepairShow.jpg	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\ResetEnter.AAC	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\AddLock.svgz	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\AddUnregister.mpp	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\ConvertToSync.au	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\StartMount.jpe	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\InitializeClose.ttc	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\PingCompress.rar	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\SplitFormat.ttc	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\CompleteMeasure.ogg	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\ExpandPing.docx	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\UseReset.wvx	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\DismountDisable.gif	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\SubmitWait.mpe	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\wwyhp-readme.txt	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\ExpandClose.bmp	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\RedoAssert.tiff	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\DisconnectConvert.js	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\RevokeUnprotect.bmp	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\SendConvertTo.au3	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\ConvertToResume.3gp	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
File opened for modification	\??\c:\program files\DebugResume.ppsx	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02401800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

pid process

2180 2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
2180 2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

pid	process
2180	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
2180	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2180	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Token: SeTakeOwnershipPrivilege	2180	2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
Token: SeBackupPrivilege	2600	vssvc.exe
Token: SeRestorePrivilege	2600	vssvc.exe
Token: SeAuditPrivilege	2600	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_57bb226213f038b7fd016ab0463632df_revil.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wwyhp-readme.txt

Filesize
8KB

MD5
c0fdb13a27c60f73df00950b25bfe46a

SHA1
8bc8b9b5c704bf1a61d9c8441eaf416836be1950

SHA256
ffe72865f205e31f810adabac6096b9faf128f8dcd69e38fb94f5c0fa94820c1

SHA512
1873bc955812f0fd1840387c63a4f7b83de599d7dc82c5e077dfb6a2666d0a619bb9fd19fa980cf4d64061e4c73f3a7ea07a66cd0231566890a3f3ef7331433e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5EC5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6013.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
192KB

MD5
201b68d7003b2015c7e360e1c62091ed

SHA1
d2fcc5279f9b7b623862f60eba68133530d1335f

SHA256
7ef245ad1d9ae3aea450625e77ec3a2faa20061ace87f276f853cf72576c2398

SHA512
2199be00120a9f6cf9f9be2909bddb07099af13c8fe0954f6c35750a37a87fa18fc5974fd43f4bc1ccaea3c08d0ba97aefec6efa10ecc8d6946661b976255e97

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads