sodinokibi | daac7c8703b72e04eac96278222c6325b63825416ad58d59125621f7ca936c9a

Analysis

max time kernel
124s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
Size

156KB
MD5

07887580c8d8c896575794372fea0e5b
SHA1

e19bdafbc1925f4072c70dbe3989ccb49be18186
SHA256

daac7c8703b72e04eac96278222c6325b63825416ad58d59125621f7ca936c9a
SHA512

33a927cc575c6a0ee9a50c8d397ef6f09c94ed0d52e9aa41ecec303ebfcee019c17c26645f457fb54c97566c586e866c65ee1065f97766d3a0288828a40fadf7
SSDEEP

1536:L1bolsa+dSn91zyKRpK63R7Pbi4eTMluxtXDCntTnICS4Ahbulmwd9jUlhQP4t4:vdo1zyKzVLbi4eTMlwDCnuuwIIn+

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Default\p108g02xn-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion p108g02xn. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E883FE1D92851F46 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/E883FE1D92851F46 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 3FXwsVmNfoOdD9XT7PsUZ3VhUkl/GuXSo9Wkwd2i9PRDpoxyMTa1iLDugDnaueDQ aCBuD/G/IV8TyJlyEU4O3SXGvetMM3gTPFJBV23D6KLWxNLt/3m4CWmFCgBcsCU1 Z5iw1s+NGDYJbVuX9CdEOAkhVijlmZGAmNCIucT6evSH2tDMcRzbN2APf4uLiC5/ 3LZzW7UTH1nCkon5rx2lQXGbjXqByva7wGWtAlBxPSFE84maWdaRAY1ssVEZSWBJ cPbWjxt2wlG+8zK8gX5eX+jHYSL7d8KuKH5VH7OyQ4Vp9VGD59X5JJIt6sWMQp4j bPdcwTJ3/EvHt3GG6xDTQaLwjWUmRLK7vCS+Xhi5V5fWOlSeo5fP304IpFUXZAb5 wEapU8PX8kcs6wfUZGE+cg2Qj+kFoMJ10KO9kCvNNlz0/6fvcwvv8E72Uj3CpCMd Mqd2XvUSA4LgOx166lEuq7Hlrx8l7jpTIc2BWhsoRwBuaAJ5RfwKmPZXSE/NzA9/ bgYwXrK/dqwFrqbuUTx5ewOvM4OVZ+AdIOKNGGGwXb5AGP0gqVA5M3/Iuwdi+zcS VJrbh/mShvl0BUMhYzoe8DjjezeN5DjcZWcCNjR4RApZI9x+BkUXJpVCwVTzaQfm kUm31lX/lrsJo1c6bybOQbOO7obT99sTmLpLuMz8/MjVUTZngaz8nomiCbbhuBe5 CQkfxmA4hCksZN63fTOZ/3NHLDEZMlhiXpl0n509i9/3sWIFXqyN3d6/gmi1me3s ZbnTWRQCD4ale/Zuzx/uwtl2DUwXvpJt3aHjS3e6nkKd09ItzUHd4ZCeNKYZqjhA YVgfpaPpvkO+gMW0RrfrGg5xzcR6gWZI2E09PLnswHnUMW15R6ufJ7lUwKNui1yA AnfpimQw0YJv0znpauTwZZw93DSjl8D17jy+92ryeJfXfwTf4F7EyjoM/lWydn9Z m81Y5P/+iYYXDj00AeIsjZAJoDsMfrFu21f8hzzFVGp90ZgYc60xeYq1/IB0yIVr CW+Ge056YWYKvlLk+G3cyzXJixSMCHgx9Z5viqAf8dnjLjCmvhVzsAU3bOQzvrLu 23bDA4npIG6+TXklz1pKZDfiy2e4VDeJHIfebc1ndoCf61U93wTwFmSf1qYCb725 UL9DYQpXmbBv9msuQ4JhkDnkWec6lz4I0H+qaej7wjw= Extension name: p108g02xn ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E883FE1D92851F46

http://decryptor.top/E883FE1D92851F46

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Renames multiple (141) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\M:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\X:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\H:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\L:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\D:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\K:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\T:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\Y:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\B:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\Q:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\F:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\V:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\O:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\P:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\S:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\W:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\A:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\I:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\J:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\U:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\Z:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\G:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\N:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened (read-only)	\??\R:	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tj52dm.bmp"	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.19041.1_en-us_4ddd600c7fa5e884.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_24b659bf5f7a8d1f_netiougc.exe.mui_ad7a9e4d	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_he-il_5d63a4c17806f149_comctl32.dll.mui_0da4e682	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_sl-si_5e0f6855e557e908.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_en-us_fe43af9ffedb8283_user32.dll.mui_14652dbb	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_es-es_ade4b30e36254a8c_sdbinst.exe.mui_258ad624	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_ebd9b2add93e89de_rasdiag.dll_341d4299	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.19041.264_none_fa67c499aa4c670d.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_8514syse.fon_d693946f	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_es-es_1c787e49a3f85cda_profsvc.dll.mui_32482e9e	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a45ca0c210bd2969.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ro-ro_efaaa65fd03af775.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opinstallcomponents_31bf3856ad364e35_10.0.19041.662_none_d0ad3eafc6e540ad_umpnpmgr.mof_112f9e6c	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_85855.fon_f139fbdc	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_52d81c9b0be0737d.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_da-dk_c6bdf9af39b53c71.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_31a464aca9751670.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_cafe4e67c189aef0.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6db5c466b45bc552_sens.dll.mui_64739194	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..opwindowmanager-api_31bf3856ad364e35_10.0.19041.746_none_c85cd9abd32d61b4_dwmapi.dll_2f4f8b34	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_de-de_d8897d7855c66c63_gpapi.dll.mui_ef0a9748	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ko-kr_7b2bff232d678514_comctl32.dll.mui_0da4e682	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_de-de_36b58c017f3edc8c_ws2ifsl.sys.mui_b672c7b4	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_59dedd2b6ac5922c_dnsapi.dll.mui_97465f8a	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.19041.1052_none_6277ca3070041917_advapi32.dll_9512793c	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fr-ca_665a4a2f6afc7e06.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_29841988436f4072.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_es-es_53c339fa60537c35.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_1724b854923485bf.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_es-es_2c55246d83884e93_winload.exe.mui_3bc5b827	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.1_none_2075cb51c1c141fe.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.19041.1266_none_8e5f726ca832e39d_power.settings.disk.ppkg_2c825c35	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_es-es_df71bede6e43d9f6.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_es-es_61100044695b873d_comctl32.dll.mui_0da4e682	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_bg-bg_ba921840a92e8615_comctl32.dll.mui_0da4e682	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.19041.1_none_cf8aac6a925f13ef.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_24b659bf5f7a8d1f_tcpipcfg.dll.mui_a5479fc1	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_ba1334d77db7a118_wuaueng.dll.mui_297f975d	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-t..services-publicapis_31bf3856ad364e35_10.0.19041.546_none_af7edcb05985488d.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.19041.1202_none_26ae8647562ae5ff_samsrv.dll_b7a400ca	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0_iscsiexe.dll.mui_7d81b1cc	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_qps-ploc_35cb06e7a2154aca.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_950d46109b6707a2_mofcomp.exe.mui_35badf56	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..pointmanager-minwin_31bf3856ad364e35_10.0.19041.1_none_864c9e3e6c9f9e12_mountmgr.sys_77371b26	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_it-it_8099ce7794a5ae0d.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_es-es_8f13fec659aa866c_wiarpc.dll.mui_0c913b87	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4aa399f7e53ccf9f.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_25a24f5a6fa3eb67_storsvc.dll.mui_2fc7b1d3	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_it-it_4518c9a6348a0867_apphelp.dll.mui_59096153	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1_none_987b063fd85ba334.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_nl-nl_8ff07c31ee6f4500.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1288_none_d9539a9fe102720c.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.19041.1202_none_ce3ed6e5fe87e306_gdi32.dll_1f014d57	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_08c2373a33a21a40.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_it-it_6c512b243847d5d6_ws2ifsl.sys.mui_b672c7b4	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b988e3f5244c4507_wmiapres.dll.mui_c1b8803f	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fr-ca_665a4a2f6afc7e06_comctl32.dll.mui_0da4e682	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sk-sk_1d051ec1ce6962bb_bootmgfw.efi.mui_a6e78cfa	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sl-si_1c174079cf03759e_bootmgr.efi.mui_be5d0075	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b68b71ac47f7eb2c_rasdiag.dll.mui_15cb4ec4	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a.manifest	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_en-us_ae19562a35fe58e7_apphelp.dll.mui_59096153	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4408	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
4408	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2296	4408	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe	90
PID 4408 wrote to memory of 2296	4408	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe	90
PID 4408 wrote to memory of 2296	4408	2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_07887580c8d8c896575794372fea0e5b_revil_sodinokibi.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\p108g02xn-readme.txt

Filesize
6KB

MD5
c49ddfff3ee3a4727b3877f6beba58d0

SHA1
2e980b2a3cc8a0b06ca6e2da3fdf4ff01344066d

SHA256
64a571c7983b7a8110f73826ca252fe526b6517af917e69f53b3638a07e610d8

SHA512
facb38552bc9c54632dc5a39c938634f33e1cfc4a9df0a90e64e83618469a92cfb483e59e90e64329b0a34daf3f414f3bd0adb6006ced462f14b2b81a2e3060e

Download Submit