Analysis Overview
SHA256
f5c11f20320dfc1be95d715260880695bc3e0fc76cc19664b3d6129c57fc80f7
Threat Level: Known bad
The file 2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodin,Sodinokibi,REvil
Sodinokibi/Revil sample
Deletes shadow copies
Checks computer location settings
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-15 11:52
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-15 11:52
Reported
2024-12-15 11:55
Platform
win7-20240708-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Deletes shadow copies
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ec20.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bd289c780c8805eb_themeservice.dll.mui_9e71f1ab | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-consolehost.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c92bbd3b7c238f30.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0c765b843b5f5fca.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-object-picker_31bf3856ad364e35_6.1.7600.16385_none_6b8acc3d2645838d.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_67f0b62b00a7235a_sppc.dll.mui_0a75786d | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-unimodem-voice_31bf3856ad364e35_6.1.7600.16385_none_44610425b014c1b0_serwvdrv.dll_874b1f23 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5dc34e0e1a4582e1.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-vani_31bf3856ad364e35_6.1.7601.17514_none_5a885c9b0fafaf30.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_84a967f3c21f5562_sdbinst.exe.mui_258ad624 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9d5be3a38b80bebf.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ea79c4c6eb99ea3d_pshed.dll.mui_d7f9a40f | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a028059d8dcbea2.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_63045bcb00602fc0.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e26217990f7f049a.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_718373162933d652_ndadmin.exe.mui_2e106c3e | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9038f177d74f2f88_mdminst.dll.mui_19a87063 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7600.16385_none_aa5813cb3a17070e_winipsec.mof_abfff45a | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fd4cc85296b4e888.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_caba3de2d9ce0d4b_netiougc.exe.mui_ad7a9e4d | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasmigplugin-mig.dll_e9d0eb3e | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_081caacce2fe65aa.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a3d5488f6ee5d330.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7d4fb966f596fd1d_bootmgfw.efi.mui_a6e78cfa | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.1.7600.16385_de-de_39abefffc16e5209_lsasrv.dll.mui_d47f7e1c | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-sens-client_31bf3856ad364e35_6.1.7600.16385_none_011904ea1e74d196.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7601.17514_it-it_20fb579c8da53c8f.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd_winload.efi.mui_35ee487d | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_d961938b8cd1e885_dhcpcsvc6.dll_39c77c46 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e686c340855ae9c3_auditpol.exe.mui_df4767d7 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7ac6dd35850e9985.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_29d825a7cbfe7e81_puiobj.dll.mui_b9c0c4d6 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_sdbinst.exe.mui_258ad624 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b2b4319ea764ed4.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_50eb7c559b1066a6_hdwwiz.exe.mui_b4acc7bc | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-858_31bf3856ad364e35_6.1.7600.16385_none_cebddca2fc8602ec_c_858.nls_a9f5a762 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3b633a5aa9d7cdbc_ntlanman.dll.mui_690e687e | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.1.7600.16385_none_11d4ade16b61222e.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346_umpnpmgr.mof_112f9e6c | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_083761eb9020e571_rtm.dll.mui_55e4e990 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.1.7601.17514_none_f3ebb0cc8a4dd814_esent.dll_35f49bdd | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_29d825a7cbfe7e81_puiapi.dll.mui_e94aeb19 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-sendmail_31bf3856ad364e35_6.1.7600.16385_none_b6de6c0835b43484_mailrecipient.mapimail_d3a49bc0 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b79b28ecefa21fda.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b28bd85e0d0ff6f1_iscsicli.exe.mui_64c0a23c | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_es-es_69cfcb609ed0e709.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e0c114cf82ecf59_expand.exe.mui_3f54e013 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_7351a917d91c961e.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a3cb925fbca77833_umpo.dll.mui_cac12e54 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1e424c3af623a3d0_uicom.dll.mui_4fdc61f8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4b7a745f30be28bb_sxproxy.dll.mui_f9d8f818 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..stringime.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_882de4394e753398.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_de-de_5c78c2290dbd5640.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-segoeui_31bf3856ad364e35_6.1.7600.16385_none_2cb0f5602bedb50f_segoeuil.ttf_ea38f4ef | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1a2f0b6630a66a2f_drvinst.exe.mui_e88f4c73 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f09dccd4f32812c2.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_es-es_37da4de470bd3352_odbcjet.chm_2a003207 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_de-de_46584364f4c4d556_sendmail.dll.mui_cbac108c | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-webservices_31bf3856ad364e35_6.1.7601.17514_none_1083c2248cf458dd.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_es-es_783d473f4a0142a2_winresume.exe.mui_ff8b5358 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a547f57d755ff33d.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.1.7601.17514_none_0990ff400fc4c431_cscapi.dll_f718286f | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0c87415f91a2fd6b_ws2_32.dll.mui_f13ef3a5 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_030746ff6460d052.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | craftingalegacy.com | udp |
| US | 50.87.137.113:443 | craftingalegacy.com | tcp |
| US | 50.87.137.113:443 | craftingalegacy.com | tcp |
| US | 8.8.8.8:53 | g2mediainc.com | udp |
| DE | 78.46.1.42:443 | g2mediainc.com | tcp |
| US | 8.8.8.8:53 | brinkdoepke.eu | udp |
| DE | 92.205.192.141:443 | brinkdoepke.eu | tcp |
| DE | 92.205.192.141:443 | brinkdoepke.eu | tcp |
| US | 8.8.8.8:53 | vipcarrental.ae | udp |
| US | 172.67.153.12:443 | vipcarrental.ae | tcp |
| US | 8.8.8.8:53 | autoteamlast.de | udp |
| DE | 37.202.7.169:443 | autoteamlast.de | tcp |
| DE | 37.202.7.169:443 | autoteamlast.de | tcp |
| US | 8.8.8.8:53 | hostastay.com | udp |
| SG | 13.229.198.152:443 | hostastay.com | tcp |
| US | 8.8.8.8:53 | gavelmasters.com | udp |
| US | 8.8.8.8:53 | ronaldhendriks.nl | udp |
| NL | 185.103.16.188:443 | ronaldhendriks.nl | tcp |
| NL | 185.103.16.188:443 | ronaldhendriks.nl | tcp |
| US | 8.8.8.8:53 | successcolony.com.ng | udp |
| US | 8.8.8.8:53 | medicalsupportco.com | udp |
| US | 15.197.225.128:443 | medicalsupportco.com | tcp |
| US | 15.197.225.128:443 | medicalsupportco.com | tcp |
| US | 8.8.8.8:53 | kompresory-opravy.com | udp |
| SK | 37.9.175.133:443 | kompresory-opravy.com | tcp |
| SK | 37.9.175.133:443 | kompresory-opravy.com | tcp |
| US | 8.8.8.8:53 | sveneulberg.de | udp |
| DE | 89.110.179.179:443 | sveneulberg.de | tcp |
| DE | 89.110.179.179:443 | sveneulberg.de | tcp |
| US | 8.8.8.8:53 | oththukaruva.com | udp |
| US | 8.8.8.8:53 | voetbalhoogeveen.nl | udp |
| US | 8.8.8.8:53 | selected-minds.de | udp |
| DE | 217.160.0.92:443 | selected-minds.de | tcp |
| DE | 217.160.0.92:443 | selected-minds.de | tcp |
| US | 8.8.8.8:53 | log-barn.co.uk | udp |
| GB | 213.175.208.90:443 | log-barn.co.uk | tcp |
| GB | 213.175.208.90:443 | log-barn.co.uk | tcp |
| US | 8.8.8.8:53 | fsbforsale.com | udp |
| US | 8.8.8.8:53 | jobkiwi.com.ng | udp |
| DE | 217.160.0.237:443 | ivancacu.com | tcp |
| DE | 217.160.0.237:443 | ivancacu.com | tcp |
| US | 8.8.8.8:53 | 11.in.ua | udp |
| UA | 91.225.81.9:443 | 11.in.ua | tcp |
| US | 8.8.8.8:53 | irizar.com | udp |
| ES | 194.30.99.95:443 | irizar.com | tcp |
| ES | 194.30.99.95:443 | irizar.com | tcp |
| US | 8.8.8.8:53 | colored-shelves.com | udp |
| US | 8.8.8.8:53 | soundseeing.net | udp |
| DE | 85.13.155.183:443 | soundseeing.net | tcp |
| DE | 85.13.155.183:443 | soundseeing.net | tcp |
| US | 8.8.8.8:53 | scotlandsroute66.co.uk | udp |
| US | 172.67.204.127:443 | scotlandsroute66.co.uk | tcp |
| US | 8.8.8.8:53 | hawaiisteelbuilding.com | udp |
| US | 199.16.172.213:443 | hawaiisteelbuilding.com | tcp |
| US | 199.16.172.213:443 | hawaiisteelbuilding.com | tcp |
| US | 8.8.8.8:53 | mindfuelers.com | udp |
| US | 172.67.183.252:443 | mindfuelers.com | tcp |
| US | 172.67.183.252:443 | mindfuelers.com | tcp |
| US | 8.8.8.8:53 | dentourage.com | udp |
| US | 8.8.8.8:53 | hekecrm.com | udp |
| CN | 38.14.23.10:443 | hekecrm.com | tcp |
| US | 8.8.8.8:53 | finsahome.co.uk | udp |
| DE | 217.160.0.87:443 | finsahome.co.uk | tcp |
| DE | 217.160.0.87:443 | finsahome.co.uk | tcp |
| US | 8.8.8.8:53 | cormanmarketing.com | udp |
| US | 34.174.215.122:443 | cormanmarketing.com | tcp |
| US | 34.174.215.122:443 | cormanmarketing.com | tcp |
| US | 8.8.8.8:53 | morgansconsult.com | udp |
| GB | 35.214.25.158:443 | morgansconsult.com | tcp |
| GB | 35.214.25.158:443 | morgansconsult.com | tcp |
| US | 8.8.8.8:53 | dnqa.co.uk | udp |
| US | 107.178.223.183:443 | dnqa.co.uk | tcp |
| US | 8.8.8.8:53 | frimec-international.es | udp |
| FR | 188.165.33.133:443 | frimec-international.es | tcp |
| US | 8.8.8.8:53 | worldproskitour.com | udp |
| US | 143.198.7.126:443 | worldproskitour.com | tcp |
| US | 143.198.7.126:443 | worldproskitour.com | tcp |
| US | 8.8.8.8:53 | csaballoons.com | udp |
| CA | 149.56.43.78:443 | csaballoons.com | tcp |
| CA | 149.56.43.78:443 | csaballoons.com | tcp |
| US | 8.8.8.8:53 | krishnabrawijaya.com | udp |
| US | 8.8.8.8:53 | tatyanakopieva.ru | udp |
| RU | 77.222.40.195:443 | tatyanakopieva.ru | tcp |
| RU | 77.222.40.195:443 | tatyanakopieva.ru | tcp |
| US | 8.8.8.8:53 | silkeight.com | udp |
| RO | 188.213.19.166:443 | silkeight.com | tcp |
| RO | 188.213.19.166:443 | silkeight.com | tcp |
| US | 8.8.8.8:53 | publicompserver.de | udp |
| DE | 195.3.195.201:443 | publicompserver.de | tcp |
| DE | 195.3.195.201:443 | publicompserver.de | tcp |
| US | 8.8.8.8:53 | letsstopsmoking.co.uk | udp |
Files
C:\Users\arkpt-readme.txt
| MD5 | f6a9d552440a06aaa3ea5c12436b8742 |
| SHA1 | f221aef87dfd6846804ba14230687f64ed4ce5a2 |
| SHA256 | d44ed1cd434bae2cc49c9e4f04bccc614151ab2b5e072d63aa28b73a01854635 |
| SHA512 | 77d1f6889a4f732da76a5d83701969cf70e1a0e1f3c26a9082d5086f8a42001f904dd9fb60b1f76450bfb04902074a4997807b6618bf1906063192fcfd4ef6f5 |
C:\Users\Admin\AppData\Local\Temp\CabBC11.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarBC14.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-15 11:52
Reported
2024-12-15 11:55
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\394n3k572k55y.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2524 wrote to memory of 4984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Network
| Country | Destination | Domain | Proto |
Files
memory/2524-0-0x00000000008B0000-0x00000000008DE000-memory.dmp
memory/2524-1-0x00000000008B0000-0x00000000008DE000-memory.dmp
C:\Users\937nc6-readme.txt
| MD5 | e61886cea16d24e5b71931b458873d63 |
| SHA1 | 8d91660ddb7705fb9c4ba086a1b92ab92c0760ee |
| SHA256 | a5d89cb7537cf984c7a7362c59acbcc3d4feb38c08279316771a0557dc8611cb |
| SHA512 | 67e1236b2d674f422a69b714001dd37f14ff406c6976e1424e27db8492fb370462ce9c7cb35a28e187ae63b1d9fc72fa875bffc25e4a9c62bc3f9cb63c29d0f3 |