sodinokibi | c5815fb72035e77992ae38151ce02635ec21ef53c44c22403b6c426bc6695025

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
Size

156KB
MD5

2064ef527e12bcbe467ba9148dd5b907
SHA1

30f495e281ecfcf95f1bebde8c9d8e486c14a2ed
SHA256

c5815fb72035e77992ae38151ce02635ec21ef53c44c22403b6c426bc6695025
SHA512

ecc284817cdcc8ce975f1bee977f67c9ae60e2c3d4b3efe51353fc43f5f4ca19f0fde5412b0fab83c46f23fc5d0ac0f115e3389cd60d78a2825502e8b6a4f35b
SSDEEP

1536:LVlo4vFAPi8hnuy8Ey7pAe3U7Pbi4eTMluxtXDCntTnICS4A33eKWKOgwoAN61Vj:Ui8Iy8EytSLbi4eTMlwDCnuZ3N9w0IE

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Default\r6lz18g3l-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion r6lz18g3l. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9B0A1E114B0A1C8E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/9B0A1E114B0A1C8E Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Uv3HAGBS4221eaZfCa6iYWvBWC0rCswIbojrVM0aFUaT7OzkvxQWacJPskuIpqYP Jr3z0nukAjD6xfE2zg22UjoHV09Ccsml5tbcl+3pgs9hAxuWzhOcr/mnGxlhG1bu W8sfvgOr3Yh6pZ8oiQ2yUDL5zRExMpcvw6ZvfG4LUX3JAAwdvDR4SFHBvQfADju+ kYegHShEeeCg1yRAPC42XN5lRGxLxOUcyMRbygT7An4/f1fx+WSf8N/m7dTtP89b 9lRuNm3tudLWv4x9WGgyOKbKf6MpXj7D1zktXDdvpnXA17cJWK/qrxbmym6gIlNW F3PBslHT+unfmGhRrZ2IjSL0YR2BsbYmDUw2Wd+4nAxigbRhqcYrdmR+UKzfbmIy h5I106tvk0y9gzhZdmMs/s0nrvQnTOaotGMWAD9AImRZhYip+RwSi67JWykUZqzZ 4COnkPTH1R+itkFo+dYO1L6hdt7Lq2A7PxR4JSz/hCvH5FcgvfLkZxec1nehzAPQ vz1O6piGVsB+QKzdtEKIVAj84lob7Oxx9ggHgp7TtS+zbobSIFf9AaTuiug4t5Oc Ne5HVMW8HTpkoR8EPHrX6TQG90Z9NKxoX+yrGHdr8pCISE8A+xY8ozn0PEdvebn5 MMt/bkHjhdRuibjb6wxjcdhA6By8/8yPgHDGNIrFvgqKg3bMNT3ZE/2T/kPDlR5d pMwDkLAFVuMuiM9l6PyDxU5BS+djKpP1cEAGzbB1PZYRKuWWr35tNEuUyWIxO2+e z0SitwZEJN+n71gyoH/kNycAjwlf7t3s2SGcm3PqQ4ODKgDm1QSaMp2/3OfoLTCK lhULq/3KygLL473ODMHQdZIG7SJlhvORLJLJLqGskTRbtKp0Bip0d9kWDbfM+iNU bKrWUSFBqd4jyaj3mX5aVl81QpcEhf98zz/80OZChcT69OoPPjT9kel2R2TPUr+l fHMZ1C8xUcrH8aOzH4t7jF5vzPUTOTgH8zjfRVJlVvmLWZgTPERn2/RM+D3x49r9 EnjUYulrNxRY0ZbhigqjALhml3skvkB5NImVldAwV+u8tGmwCjirIL82kwFmzeV7 DzGemBBKBYTzy2VBsHDZzt/VHTt5Bl/XW3GnR0puFKY8a+frCp7BuqEvjpR9Wfbj lx5IrLJ/Hl9wdH9g6W3SUPrEoiaO04Nerohp4Ft6pdc= Extension name: r6lz18g3l ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9B0A1E114B0A1C8E

http://decryptor.top/9B0A1E114B0A1C8E

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Renames multiple (169) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\A:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\M:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\W:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\G:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\T:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\Z:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\J:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\P:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\I:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\S:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\X:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\D:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\L:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\O:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\R:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\Y:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\B:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\E:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\K:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\N:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\Q:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\V:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\H:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened (read-only)	\??\F:	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8dy170uet4yi9.bmp"	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4b7d699c61176a95.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.19041.1_en-us_4ddd600c7fa5e884_shsvcs.dll.mui_b69fccab	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-phone_31bf3856ad364e35_10.0.19041.1023_none_457e1b66652a9084.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e_comctl32.dll_9c499789	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_afaadb8f0b8a9278_adtschema.dll_4cae41ac	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_de-de_ce34d3262165aa68_gpapi.dll.mui_ef0a9748	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_en-us_b41cd326ea03d7cd_partmgr.sys.mui_b800c491	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.19041.546_none_11ab5f5f99fc8eda.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.19041.1266_none_14a631980cb7b20a_dnsapi.dll_c81f5791	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0f5d37c71d62a4d7_memtest.efi.mui_71e15c22	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_s8514sys.fon_30e5bd9f	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_it-it_f55158e81544d580.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec_bridgeunattend.exe_60b7e340	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_b281bba039a7e747_storagehealth.adml_00c6b7b3	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_en-us_823386dc6c818518_tcpipcfg.dll.mui_a5479fc1	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_en-us_d6afa8b21943e171_win32kbase.sys.mui_07d441e9	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ui-resourceswin8rtm_31bf3856ad364e35_10.0.19041.1_none_40a3e631822403fd.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_edd345b6c42269da_rasadhlp.dll_7438be63	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-kernel_31bf3856ad364e35_10.0.19041.1_none_74fd915921441a6a.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_a069e8cf0cb9bc28_axinstsv.dll.mui_be092a2d	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directmanipulation_31bf3856ad364e35_10.0.19041.84_none_44bf3519cfab87ee.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_j8514fix.fon_cc283848	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_c8514oem.fon_9ff1fe45	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_48837248d77fb182_dsreg.dll.mui_5d9efc7e	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_et-ee_a27d02ab81dd8cd2.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.1_none_61114d49f90ff362.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_sv-se_51f6670d7297a2d2_memtest.efi.mui_71e15c22	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6fb6e6e49393acae_dnsrslvr.dll.mui_1e1a1ed1	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9d4111d99a4c2411_wintypes.dll.mui_36d5f25a	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_it-it_e0a2a6402a577815_wevtsvc.dll.mui_f41bf7b7	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_bddceaf325c3cfd0.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.1_none_17fa67a6d1d90f6d.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_ko-kr_e54888c5375dff55_comctl32.dll.mui_0da4e682	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_66a210ec64140be1.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_it-it_725f5b9788589dd0_netlogon.dll.mui_ecbeb9bd	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_10.0.19041.1_none_afcabf88440c71c5.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ar-sa_90a6dad6f86cae6b.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_en-gb_1dbdc338c2468486_msimsg.dll.mui_72e8994f	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_de-de_5265c850bb06c05d_wininit.exe.mui_997435f5	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_be1670627d88fc7f.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_10.0.19041.1266_none_153dc4c3b9f13a6f.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9581112fd19d980d_mountmgr.sys.mui_71b54a25	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_42d8e7001244e285_kmddsp.tsp.mui_80ddeedb	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2d3b6ea159ff4dae_wmiapsrv.exe.mui_b1567840	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_76775b16ccf4c886_memtest.exe.mui_77b8cbcc	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-t..services-publicapis_31bf3856ad364e35_10.0.19041.546_none_af7edcb05985488d_wtsapi32.dll_470d4d41	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_eb14f252120fd1e9.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_de-de_4afe2f54db9cb4c3.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.789_none_3136b8d712da0334_xblgamesave.dll_7b3589a7	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.906_none_25e4da38255df869_sspicli.dll_bcec1809	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_it-it_c173cb8a5275626f_bootmgfw.efi.mui_a6e78cfa	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_95a1a37ffda61620.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_281147e45fdff648.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_es-es_df71bede6e43d9f6.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.746_none_936e34e4ece273a7.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1288_qps-ploc_f6c6cc73660e3177.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1_es-es_0f152ce0e82a41ba.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_it-it_b93490b34d8c4a73_winresume.efi.mui_f412814e	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1bd70e9effea17e1.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_13bf1fa5428ecea3.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_et-ee_5acfcbd46d6163cc.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_thirdpartynotices.txt_086f3c50	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..-configuration-data_31bf3856ad364e35_10.0.19041.546_none_eaba62c4b31f4bbe.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b04a9ba801ea7788.manifest	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3740	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
3740	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 3108	3740	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe	100
PID 3740 wrote to memory of 3108	3740	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe	100
PID 3740 wrote to memory of 3108	3740	2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe	100

C:\Users\Admin\AppData\Local\Temp\2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_2064ef527e12bcbe467ba9148dd5b907_revil_sodinokibi.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1428,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\r6lz18g3l-readme.txt

Filesize
6KB

MD5
eabdbfceb82602f7cf8a8760d3616c7c

SHA1
870fdfa9de53de399733d1712e1c9912c5c92810

SHA256
6aa81a146e621c53d0d79816b8ab6643850dccaa0c46ca27df974618699be88c

SHA512
63ac4f574c67fd9059e9eda2bf22cb5c3ae160e268d8347ef40661fab790ec2710f3163619550f21c2ebc46fa2374551dad7f612473fedec572a19d231752026

Download Submit