sodinokibi | 388d21a5e711ac53519656a0fce9cbd8d381300c0877b4978bc0792d233bec7f

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
Size

156KB
MD5

ade8979d58960b5214d80e5a723e2779
SHA1

b49e6fa430d3fcc559236a440abbb99b6efd003f
SHA256

388d21a5e711ac53519656a0fce9cbd8d381300c0877b4978bc0792d233bec7f
SHA512

3e76e9fc2048d7d835746d4452f72602c852018fb5db7eb271a74cabf391c3fdfcef3ed8c6ee377c040f1de0ab05021163888598d3a18ecb3832fed3fef55537
SSDEEP

3072:Ui8Iy8EytSLbi4eTMlwDCnuZ3O8VN96b:d8IUykbnWJZ3O8V+b

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Default\jdpr3.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got jdpr3 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7257CF149BCE8973 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/7257CF149BCE8973 Page will ask you for the key, here it is: 0u2UQz7V0h7SEDRW7IYBgSxRiS+9/onhiqMjokGDZo8LKD9G1E+PIuepR+NJ3IHw JVZfWnMb9gi61UqRm02AXny/6pDTYqefOoLeAx9+w/NTpr91IBPGNohqamqUVVlq UUj/Rx/8IxjfxlKeYHqS33pIVLpZMUKndHzvq+VrbF9bFQY2JiJM4nNEjwdTg69I ZRPaV2HBoV0o9LgFpegGh/W37ulbP/LeRxnZxsxDOGbg+PIcJMl2SWv0cyq3IDmg FpLNjTWEJ+yvYmLVdrVzJhJxrBu98lDcE+tKsVEp9TY1P0XOLTYeo0EKJq2mD3ev jsUl9LmOv+i5Aexecaqj2ZLiUfEGXKvrz8giP66aYkMscfPgq0WOG4bHFyZQkaFs e2MbU+P2uAnO/EReMCnx9DunQRTRJGIMmBn5qCu9gtA/aO72eHMIkuLen59bV8kL 08pOf4kuPvsOhytRK0Ce/bxtmbjQVRYmLokwyTScWnew+uIJ7plAhHjWk1ubCG28 44NUgdj7YedEswPb+d7jCAkB8R/UFUO33TRHxI6MfuElBkoyI80pv1JSLTn9xzqA WeD1XSmyxKqANA0vmkpBkXHo/TFITaKb4jWH/DS8R8E66X5ESvL+TSUUZqW/EjkM t9H9WtZVcfAqhztuPzOKjivbU7OezchUvEfUMlQZihp+NEBXJzcrCL+B/cpopSJc Ljuut6elorO8kr9gBd9MO+jmt+GeVAXJzKHRDAzn8ROy+TAnfwNi8zO3n1R04SyT WzL07wi5fWyzlJ2Rt8sJTylOZII8D7kuQ0ZUrTYaiCBzEYCIkSRXxFYI69yv+aP+ QI6IlDtF1kfr9E/JZnHLmpsraM3P7jZq1lC49nYOfE7u/4byPJeax/R3on3B5D1K fkXIefAO8Ye89+s1cfcDZDVMMUDkts7u7zhG+B8Lf02qMWvEVnLWm3llvHU7UA3z Dp/ZBU9anOSNJU5cibdGwZo6CN7APDfavM31TfADEli7+DenHBGatmEM0MSbx3kN 8ng8VgukboWe3mLTOBpEj+9vmLS5HuPZ1Z4V++7ST1KVQotULp8D1vMM0BWZO2Hx KPVD+z/ncmjb1eLRI4UrzUMHVX8UmnJnB/6+RDoN5G/lPsM+nefnL1I4CXqS1veK jJaQixmyTdHlOoUTStLkS/85egUy5qMrGqBWqli+

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7257CF149BCE8973

http://decryptor.top/7257CF149BCE8973

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Renames multiple (148) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\Q:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\I:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\W:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\X:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\E:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\S:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\V:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\R:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\B:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\L:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\P:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\T:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\D:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\A:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\U:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\Y:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\O:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\M:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\N:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\G:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\K:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\Z:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\F:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened (read-only)	\??\H:	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\274p1p45w.bmp"	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33_kerbclientshared.dll_1fa7b356	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_lt-lt_8913b4c62985caf2.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.19041.1151_none_9cf376ee9c2c46c1.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.19041.546_none_d1358e97b53afe52.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_a66d5af59c568371.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_it-it_ba1fa13a181c56f7_appinfo.dll.mui_cfd93456	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..y-biometrics-client_31bf3856ad364e35_10.0.19041.1081_none_314b50cb6e47ee49.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_pl-pl_608cef40d75eff53.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.746_none_52d2b2ecb593c243_oleacc.dll_2f3fa5bf	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_b0b29d8e18c561a2_userdeviceregistration.dll.mui_22ab8f29	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_uk-ua_00edb9ea93827738_comctl32.dll.mui_0da4e682	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ro-ro_6bff4a7f0ff97122.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-imm32_31bf3856ad364e35_10.0.19041.546_none_3a4f6516d93a4779_imm32.dll_53c2ab30	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.19041.1023_none_432d585a19d46624_windows.ui.xaml.inkcontrols.dll_523c865d	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_ega40850.fon_5e8f5479	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_el-gr_be13b8adb3526e23.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_10.0.19041.1_none_171d07e1a7b66413.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_de-de_d3e4be20082aef2b_wudfplatform.dll.mui_d815d31a	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msxml60_31bf3856ad364e35_10.0.19041.1023_none_fd45b2d04bfadb27_msxml6r.dll_d8460bdb	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ntasn1-dll_31bf3856ad364e35_10.0.19041.1_none_7a79a7dc98930338.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_en-us_8f48a1e2598394c7_sti.dll.mui_00a4f15b	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9dd9712c9cddd429.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7_mofd.dll.mui_793ef98d	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.1_none_17fa67a6d1d90f6d.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-xmllite_31bf3856ad364e35_10.0.19041.1_none_49813668770cd6ad.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.19041.1202_none_5e2a05871a9a6485.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_en-us_89e92105cd6d77fe_credprov2fahelper.dll.mui_71e4ecb5	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_cafe4e67c189aef0.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_mpcmdrun.exe_1d1038c2	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_es-es_89b47de9cd9469a3_credprov2fahelper.dll.mui_71e4ecb5	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_08f6da56337b289b_w32time.dll.mui_b382d4b4	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bc35fcf50d32ba29_userdeviceregistration.ngc.dll.mui_d2c6ca95	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_es-es_20bf32b2e3f96cf5.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5e5dbda77a710cba_wmpdui.dll.mui_92411657	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_es-es_3d251e9a2dfca3c0.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.19041.1266_none_14a631980cb7b20a.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_ba47d7f37d90af73_wuaueng.dll.mui_297f975d	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.19041.1023_none_6db8f44cd8ead692.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_2adbc983514c73da.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_379018f38e600fa9_wmiutils.dll.mui_42583eaf	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1081_en-us_ce36a852fdc49a6a.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_a957ea8f6dfc58ba.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_de-de_00c609c5ceeb0835_scardsvr.dll.mui_5f6fb64f	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.19041.1_none_b5be0fd62dd3dc6e.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.19041.1202_none_12d2bc7d3fe2a244.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fr-ca_cfc21f8d801be317_bootmgr.efi.mui_be5d0075	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.19041.1202_none_087e122b0b81e049_kernel32.dll_ef9eca7e	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_it-it_6c512b243847d5d6.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_31a464aca9751670.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0_iscsidsc.dll.mui_6acb64a6	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-qos-pacer_31bf3856ad364e35_10.0.19041.546_none_cb01ee53d6697641.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_440381adc2707144.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_en-us_52b90495d63821ca.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_de-de_f5b942cb012d25b0_fidocredprov.dll.mui_4ca89266	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_tr-tr_371b26a7b49ac691.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_da-dk_6cf1f8a496f2d880_comctl32.dll.mui_0da4e682	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_bg-bg_46694069b3c83c61_bootmgr.efi.mui_be5d0075	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_de-de_8bd82c67996c6925_bootmgr.efi.mui_be5d0075	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_03d9d86028f54c50.manifest	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-lsa_31bf3856ad364e35_10.0.19041.546_none_8e987c14effb44a8_offlinelsa.dll_26ff60c5	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_es-mx_aaf424c17c6b93ee_comctl32.dll.mui_0da4e682	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_es-es_5a4ff6b3276fd74f_volmgrx.sys.mui_b0c205d7	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.906_en-us_adc1f5c62c383715_dsregcmd.exe.mui_8ce2c638	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.19041.1202_none_da849917c76ae070_crypt32.dll_9c3ccf73	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1088	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
1088	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2224	1088	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe	92
PID 1088 wrote to memory of 2224	1088	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe	92
PID 1088 wrote to memory of 2224	1088	2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ade8979d58960b5214d80e5a723e2779_revil_sodinokibi.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3908,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=1336 /prefetch:8
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\jdpr3.info.txt

Filesize
3KB

MD5
288c008865cdc8504a3af077e98131d2

SHA1
bca55a63b2481c215022052ba1217c4d1923a48f

SHA256
41dff42f72c779ede90a9f7359bf01a5aef381f970d41251c088ee28849510ec

SHA512
86a3a979c5613d0dd3c0c4bc87a0241382d8f97d4b7921695dc24274242fa918664fd64ff5298df8985f2041c33cd621b56076ec7f6295c4f3a81f9ebc34075f

Download Submit