Analysis Overview
SHA256
f5c11f20320dfc1be95d715260880695bc3e0fc76cc19664b3d6129c57fc80f7
Threat Level: Known bad
The file 2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodin,Sodinokibi,REvil
Sodinokibi/Revil sample
Deletes shadow copies
Reads user/profile data of web browsers
Checks computer location settings
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Modifies system certificate store
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-15 11:47
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-15 11:47
Reported
2024-12-15 11:50
Platform
win7-20241023-en
Max time kernel
137s
Max time network
150s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Deletes shadow copies
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6pw6m.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d869760728e52d38.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-ntdll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cea9abf2aa5aade0.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f6ea0fa9e9820bd7.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_85f874.fon_2b942d95 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bc8810265da7f7a9_hidserv.dll.mui_561adfc8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-t..stringime.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2c0f48b59617c262.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-segoeui_31bf3856ad364e35_6.1.7600.16385_none_2cb0f5602bedb50f_segoeuii.ttf_ea35f432 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-core-classdriver_31bf3856ad364e35_6.1.7600.16385_none_8bf97498085ce154.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f888459d50b2939b.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2e054b96ee6339d3.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-security-spp_31bf3856ad364e35_6.1.7600.16385_none_80aaf3716f04bb88.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mprapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_156a7fbdf434dfce.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cc18cf7c2e77940e_tcpipcfg.dll.mui_a5479fc1 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_95503b1f4b07b926.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6b7b4102d6a6798a.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d93bcb5108987fe3_scecli.dll.mui_225fa220 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c40ba42e0ae30d38.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_edf33f857603a056_wshtcpip.dll.mui_042165f9 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4aab526590e1172b_scfilter.sys.mui_cebab716 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a9d4566c54c223de_gpapi.dll.mui_ef0a9748 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ec8cf7a93a7ed3ff.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_6.1.7600.16385_it-it_25aceb9a2322fdb7_mountmgr.sys.mui_71b54a25 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_84c970b54d5773ed_msdasc.chm_e6d620a3 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9f12eb68eff5150_newdev.exe.mui_6ce4084e | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a8af9daaf6cb0394_scecli.dll.mui_225fa220 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7136d5a73bb63d77_sens.dll.mui_64739194 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210_wshelper.dll_5dfe9c7e | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3de2b918dd486536_webclnt.dll.mui_e8f04040 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1324d20bbf83030a_irclass.dll.mui_c67cedc8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c8a8ee4f97b7f12_cliconf.chm_12e2bd62 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d43cf1197e7ce94f_searchfolder.dll.mui_8c30bdaf | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-profapi_31bf3856ad364e35_6.1.7600.16385_none_5a3df7a44ab7cb96_profapi.dll_d55ae499 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1564d79270d6651c_newdev.exe.mui_6ce4084e | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ff72338b8528ca90.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-857_31bf3856ad364e35_6.1.7600.16385_none_cebdf36afc85e94b.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7601.17514_it-it_b5c96023e4e0ea00_winlogon.exe.mui_3280fc46 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-explorerframe_31bf3856ad364e35_6.1.7601.17514_none_2af7b924bed13316.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_24d3552052fff863_iscsiprf.mfl_24c6459c | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-875_31bf3856ad364e35_6.1.7600.16385_none_cec0218efc83e8b7_c_875.nls_b284c215 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..uetype-malgungothic_31bf3856ad364e35_6.1.7600.16385_none_6144d01edfdac19c_malgun.ttf_166813d8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c9f3fffd349960b.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_it-it_051cb38514053e82_winload.efi.mui_35ee487d | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0129330494b0e3c3_advapi32.dll.mui_28c7718f | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-vani_31bf3856ad364e35_6.1.7601.17514_none_5a885c9b0fafaf30_vanib.ttf_8c9d41c8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c464d2bacfbc42a4.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6a6825ad66f6db77_ntlanman.dll.mui_690e687e | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_545ec4e0c6ba7521_dhcpcsvc6.dll.mui_b45c7567 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9dee017864e3d2d5_hh.exe.mui_2744e397 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_es-es_729f4974b4d841db.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bb763253eb8e2ed8.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1143384e9ab8e550.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e0c803777a7cc698_apphelp.dll.mui_59096153 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ac389c4f782d818f_ci.dll.mui_76757f43 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_lt-lt_bf218497286c0530.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ck-legacy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a2a13bd60c8180bb_wsock32.dll.mui_18b23987 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b7063688072591d4_irclass.dll.mui_c67cedc8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_en-us_89701e1decba44ab.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9e8c88ba3cdfd040.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f148573ead9e671e_mfc42.dll.mui_66106d85 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_en-us_919783112bf8b64b_serialui.dll.mui_7d29d2a3 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-imagesp1_31bf3856ad364e35_6.1.7600.16385_none_405ce7e40c5d242a.manifest | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_019943d7782289a6_puiobj.dll.mui_b9c0c4d6 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1a74ee1d3e85ebf_dhcpcsvc6.dll.mui_b45c7567 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b_rasmigplugin-mig.dll_e9d0eb3e | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
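The key name in the row above is a SHA-1 thumbprint and the Blob value is the serialised certificate-context property list that Windows keeps in SystemCertificates stores: a sequence of records (property ID, reserved word, length, data), with the DER certificate itself under property ID 32 (CERT_CERT_PROP_ID). Decoding the leading bytes gives serial 00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00, issuer C=US, O=Internet Security Research Group, CN=ISRG Root X1, valid 2015-06-04 to 2035-06-04, which is the ISRG Root X1 root that Let's Encrypt chains to. A public root turning up during a run that opens dozens of HTTPS connections is more likely Windows populating its root store while building chains than a CA planted by the sample, and the signature name "Modifies system certificate store" alone cannot tell the two apart; decode the blob before treating it as an indicator. Note also that the hex as rendered on this page is out of byte alignment somewhere inside the RSA modulus (the extension and signature fields only parse at a one-digit offset from the start), so a full-blob SHA-1 check cannot be reproduced from this page; pull the value from the sandbox's raw export for that. The parser below is an added example written for this page, not Microsoft's or the sandbox's code. It embeds a prefix of the Blob hex copied from the row above and cut after the validity period (the certificate record is therefore truncated and reported as such), uses the property-ID values from wincrypt.h, and reads only the leading TBSCertificate fields; given a complete blob the same function also recomputes SHA-1 over the DER and compares it with the stored thumbprint.

```python
import hashlib
import struct

# Prefix of the Blob value from the registry row above, copied from this report
# and cut after the certificate's validity period. The CERT_CERT_PROP_ID record
# is therefore incomplete; the parser reports that instead of failing.
KEY_THUMBPRINT = "CABD2A79A1076A31F21D253635CB039D4329A5E8"
BLOB_PREFIX_HEX = (
    "040000000100000010000000" "0cd2f9e0da1773e9ed864da5e370e74e"
    "140000000100000014000000" "79b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000" "cabd2a79a1076a31f21d253635cb039d4329a5e8"
    "0f0000000100000020000000" "3f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "190000000100000010000000" "2fe1f70bb05d7c92335bc5e05b984da6"
    "20000000010000006f050000"                      # CERT_CERT_PROP_ID, 0x56f bytes follow
    "3082056b30820353a003020102"                    # Certificate, TBSCertificate, version v3
    "0211008210cfb0d240e3594463e0bb63828b00"        # serialNumber
    "300d06092a864886f70d01010b0500"                # sha256WithRSAEncryption
    "304f310b3009060355040613025553"                # issuer: C=US
    "31293027060355040a1320"
    "496e7465726e65742053656375726974792052657365617263682047726f7570"  # O=...
    "311530130603550403130c4953524720526f6f74205831"                    # CN=ISRG Root X1
    "301e170d3135303630343131303433385a170d3335303630343131303433385a"  # validity
)
# Property IDs from wincrypt.h; anything else is reported by number.
PROP_NAMES = {3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID",
              15: "CERT_SIGNATURE_HASH_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
              32: "CERT_CERT_PROP_ID"}
OID_SHORT = {"550406": "C", "55040a": "O", "550403": "CN"}   # hex of the OID contents

def parse_cert_blob(blob: bytes):
    """Walk the property records (propid, reserved, length, data) of a
    SystemCertificates 'Blob' value. Returns {propid: (data, truncated)}."""
    props, pos = {}, 0
    while pos + 12 <= len(blob):
        propid, _reserved, length = struct.unpack_from("<III", blob, pos)
        pos += 12
        data = blob[pos:pos + length]
        props[propid] = (data, len(data) < length)
        pos += length
    return props

def _tlv(buf: bytes, pos: int):
    """Read one DER TLV header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_name(buf: bytes, start: int, end: int):
    """Decode an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into a dict."""
    out, pos = {}, start
    while pos < end:
        _, set_s, set_e = _tlv(buf, pos)                # SET
        _, seq_s, _ = _tlv(buf, set_s)                  # SEQUENCE
        _, oid_s, oid_e = _tlv(buf, seq_s)              # OBJECT IDENTIFIER
        _, val_s, val_e = _tlv(buf, oid_e)              # DirectoryString
        oid = buf[oid_s:oid_e].hex()
        out[OID_SHORT.get(oid, oid)] = buf[val_s:val_e].decode("latin-1")
        pos = set_e
    return out

def parse_tbs_prefix(der: bytes):
    """Serial, issuer and validity from the leading TBSCertificate fields;
    works on a truncated certificate as long as those fields are present."""
    _, cert_s, _ = _tlv(der, 0)                         # Certificate SEQUENCE
    _, pos, _ = _tlv(der, cert_s)                       # TBSCertificate SEQUENCE
    tag, _, ver_e = _tlv(der, pos)
    if tag == 0xA0:                                     # [0] EXPLICIT version (absent in v1)
        pos = ver_e
    _, ser_s, ser_e = _tlv(der, pos)                    # serialNumber
    _, _, pos = _tlv(der, ser_e)                        # signature AlgorithmIdentifier, skipped
    _, iss_s, iss_e = _tlv(der, pos)                    # issuer
    _, val_s, _ = _tlv(der, iss_e)                      # validity
    _, nb_s, nb_e = _tlv(der, val_s)                    # notBefore
    _, na_s, na_e = _tlv(der, nb_e)                     # notAfter
    return {"serial": der[ser_s:ser_e].hex(),
            "issuer": parse_name(der, iss_s, iss_e),
            "not_before": der[nb_s:nb_e].decode("ascii"),
            "not_after": der[na_s:na_e].decode("ascii")}

def inspect_blob(blob_hex: str, key_thumbprint: str):
    """Cross-check the registry key name against the stored SHA-1 property and
    summarise the certificate; recompute SHA-1 only when the DER is complete."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    sha1_stored = props[3][0].hex()
    der, truncated = props[32]
    info = parse_tbs_prefix(der)
    info["properties"] = {PROP_NAMES.get(p, f"prop_{p}"): len(d) for p, (d, _) in props.items()}
    info["thumbprint"] = sha1_stored
    info["thumbprint_matches_key"] = sha1_stored == key_thumbprint.lower()
    info["cert_truncated"] = truncated
    if not truncated:
        info["sha1_recomputed_matches"] = hashlib.sha1(der).hexdigest() == sha1_stored
    return info

if __name__ == "__main__":
    for k, v in inspect_blob(BLOB_PREFIX_HEX, KEY_THUMBPRINT).items():
        print(f"{k:24} {v}")
```

The same walk over property records applies to any key under SystemCertificates (ROOT, AuthRoot, CA, TrustedPublisher); the check that matters for triage is whether the decoded subject is a public root you already trust or an unknown self-signed CA, which is the case the signature name is meant to catch.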
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
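The cmd.exe command line above chains three recovery-inhibiting commands (shadow copy deletion, disabling Windows Recovery, ignoring boot failures), the vssadmin.exe child is the first of them re-appearing as its own process, and the SeBackupPrivilege/SeRestorePrivilege entries under "Suspicious use of AdjustPrivilegeToken" belong to vssvc.exe, the Volume Shadow Copy service that services the deletion, not to the sample. Together with the wallpaper value pointed at a .bmp in %TEMP% (under "Sets desktop wallpaper using registry"), this is the part of the run worth alerting on, and it is the same on every host regardless of which decoy domains the sample contacts. The detector below is an added example written for this page, not sandbox or vendor code. It scores constructed Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) records whose values mirror this report, splits a chained command line on its & / && / || operators so each command is scored on its own, and maps hits to ATT&CK T1490 (Inhibit System Recovery) and T1491.001 (Defacement: Internal Defacement). The wmic shadowcopy delete rule is a generalisation beyond what this sample ran; the event field names follow Sysmon's and the sample records are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hand-constructed Sysmon-style records mirroring this report's behavioral1 run
# (EventID 1 = process creation, EventID 13 = registry value set). They are sample
# input for the example, not the sandbox's raw telemetry.
SAMPLE_EXE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe")
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "ParentImage": SAMPLE_EXE,
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
                    '& bcdedit /set {default} recoveryenabled No '
                    '& bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\vssadmin.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": "HKU\\S-1-5-21-1163522206-1469769407-485553996-1000"
                     "\\Control Panel\\Desktop\\Wallpaper",
     "Details": "C:\\Users\\Admin\\AppData\\Local\\Temp\\6pw6m.bmp"},
    # Benign control: an administrator listing shadow copies must not fire.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "vssadmin.exe List Shadows"},
]

# (ATT&CK technique, label, pattern over one lower-cased, whitespace-normalised command segment)
PROCESS_RULES = [
    ("T1490", "vssadmin deletes shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("T1490", "wmic deletes shadow copies",            # generalisation; not run by this sample
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("T1490", "bcdedit disables Windows recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("T1490", "bcdedit ignores boot failures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b")),
]
WALLPAPER_SUFFIX = "\\control panel\\desktop\\wallpaper"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

@dataclass(frozen=True)
class Finding:
    technique: str
    label: str
    image: str
    evidence: str

def command_segments(cmdline: str):
    """Split a cmd.exe one-liner on its chaining operators so that
    'a & b && c' yields each command on its own, normalised for matching."""
    for seg in re.split(r"\s*(?:&&|\|\||&)\s*", cmdline):
        seg = " ".join(seg.split()).lower()
        if seg:
            yield seg

def detect(events):
    """Score Sysmon-style events against the rules above; returns a list of Finding."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            for seg in command_segments(ev["CommandLine"]):
                for technique, label, pattern in PROCESS_RULES:
                    if pattern.search(seg):
                        findings.append(Finding(technique, label, ev["Image"], seg))
        elif ev["EventID"] == 13:
            target, value = ev["TargetObject"].lower(), ev["Details"].lower()
            if target.endswith(WALLPAPER_SUFFIX) and any(p in value for p in USER_WRITABLE):
                findings.append(Finding("T1491.001", "wallpaper set to image in user-writable path",
                                        ev["Image"], ev["Details"]))
    return findings

def summarize(findings):
    """Count findings per ATT&CK technique, e.g. {'T1490': 4, 'T1491.001': 1}."""
    return dict(Counter(f.technique for f in findings))

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.technique:10} {f.label:45} {f.image}")
    print(summarize(hits))
```

Scoring per segment is what makes the single cmd.exe record yield three T1490 findings; a rule that only inspects the process image would see one cmd.exe and one vssadmin.exe and miss the two bcdedit changes entirely, since bcdedit never appears as its own process in this run.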
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | craftingalegacy.com | udp |
| US | 50.87.137.113:443 | craftingalegacy.com | tcp |
| US | 50.87.137.113:443 | craftingalegacy.com | tcp |
| US | 8.8.8.8:53 | g2mediainc.com | udp |
| DE | 78.46.1.42:443 | g2mediainc.com | tcp |
| US | 8.8.8.8:53 | brinkdoepke.eu | udp |
| DE | 92.205.192.141:443 | brinkdoepke.eu | tcp |
| DE | 92.205.192.141:443 | brinkdoepke.eu | tcp |
| US | 8.8.8.8:53 | vipcarrental.ae | udp |
| US | 172.67.153.12:443 | vipcarrental.ae | tcp |
| US | 8.8.8.8:53 | autoteamlast.de | udp |
| DE | 37.202.7.169:443 | autoteamlast.de | tcp |
| DE | 37.202.7.169:443 | autoteamlast.de | tcp |
| US | 8.8.8.8:53 | hostastay.com | udp |
| SG | 13.229.198.152:443 | hostastay.com | tcp |
| US | 8.8.8.8:53 | gavelmasters.com | udp |
| US | 8.8.8.8:53 | ronaldhendriks.nl | udp |
| NL | 185.103.16.188:443 | ronaldhendriks.nl | tcp |
| NL | 185.103.16.188:443 | ronaldhendriks.nl | tcp |
| US | 8.8.8.8:53 | successcolony.com.ng | udp |
| US | 8.8.8.8:53 | medicalsupportco.com | udp |
| US | 3.33.251.168:443 | medicalsupportco.com | tcp |
| US | 3.33.251.168:443 | medicalsupportco.com | tcp |
| US | 8.8.8.8:53 | kompresory-opravy.com | udp |
| SK | 37.9.175.133:443 | kompresory-opravy.com | tcp |
| SK | 37.9.175.133:443 | kompresory-opravy.com | tcp |
| US | 8.8.8.8:53 | sveneulberg.de | udp |
| DE | 89.110.179.179:443 | sveneulberg.de | tcp |
| DE | 89.110.179.179:443 | sveneulberg.de | tcp |
| US | 8.8.8.8:53 | oththukaruva.com | udp |
| US | 8.8.8.8:53 | voetbalhoogeveen.nl | udp |
| US | 8.8.8.8:53 | selected-minds.de | udp |
| DE | 217.160.0.92:443 | selected-minds.de | tcp |
| DE | 217.160.0.92:443 | selected-minds.de | tcp |
| US | 8.8.8.8:53 | log-barn.co.uk | udp |
| GB | 213.175.208.90:443 | log-barn.co.uk | tcp |
| GB | 213.175.208.90:443 | log-barn.co.uk | tcp |
| US | 8.8.8.8:53 | fsbforsale.com | udp |
| US | 8.8.8.8:53 | jobkiwi.com.ng | udp |
| US | 8.8.8.8:53 | ivancacu.com | udp |
| DE | 217.160.0.237:443 | ivancacu.com | tcp |
| DE | 217.160.0.237:443 | ivancacu.com | tcp |
| US | 8.8.8.8:53 | 11.in.ua | udp |
| UA | 91.225.81.9:443 | 11.in.ua | tcp |
| US | 8.8.8.8:53 | irizar.com | udp |
| ES | 194.30.99.95:443 | irizar.com | tcp |
| ES | 194.30.99.95:443 | irizar.com | tcp |
| US | 8.8.8.8:53 | colored-shelves.com | udp |
| US | 8.8.8.8:53 | soundseeing.net | udp |
| DE | 85.13.155.183:443 | soundseeing.net | tcp |
| DE | 85.13.155.183:443 | soundseeing.net | tcp |
| US | 8.8.8.8:53 | scotlandsroute66.co.uk | udp |
| US | 172.67.204.127:443 | scotlandsroute66.co.uk | tcp |
| US | 8.8.8.8:53 | hawaiisteelbuilding.com | udp |
| US | 199.16.172.213:443 | hawaiisteelbuilding.com | tcp |
| US | 199.16.172.213:443 | hawaiisteelbuilding.com | tcp |
| US | 8.8.8.8:53 | mindfuelers.com | udp |
| US | 172.67.183.252:443 | mindfuelers.com | tcp |
| US | 172.67.183.252:443 | mindfuelers.com | tcp |
| US | 8.8.8.8:53 | dentourage.com | udp |
| US | 8.8.8.8:53 | hekecrm.com | udp |
| CN | 38.14.23.10:443 | hekecrm.com | tcp |
| US | 8.8.8.8:53 | finsahome.co.uk | udp |
| DE | 217.160.0.87:443 | finsahome.co.uk | tcp |
| DE | 217.160.0.87:443 | finsahome.co.uk | tcp |
| US | 8.8.8.8:53 | cormanmarketing.com | udp |
| US | 34.174.215.122:443 | cormanmarketing.com | tcp |
| US | 34.174.215.122:443 | cormanmarketing.com | tcp |
| US | 8.8.8.8:53 | morgansconsult.com | udp |
| GB | 35.214.25.158:443 | morgansconsult.com | tcp |
| GB | 35.214.25.158:443 | morgansconsult.com | tcp |
| US | 8.8.8.8:53 | dnqa.co.uk | udp |
| US | 107.178.223.183:443 | dnqa.co.uk | tcp |
| US | 8.8.8.8:53 | frimec-international.es | udp |
| FR | 188.165.33.133:443 | frimec-international.es | tcp |
| US | 8.8.8.8:53 | worldproskitour.com | udp |
| US | 143.198.7.126:443 | worldproskitour.com | tcp |
| US | 143.198.7.126:443 | worldproskitour.com | tcp |
| US | 8.8.8.8:53 | csaballoons.com | udp |
| CA | 149.56.43.78:443 | csaballoons.com | tcp |
| CA | 149.56.43.78:443 | csaballoons.com | tcp |
| US | 8.8.8.8:53 | krishnabrawijaya.com | udp |
| US | 8.8.8.8:53 | tatyanakopieva.ru | udp |
| RU | 77.222.40.195:443 | tatyanakopieva.ru | tcp |
| RU | 77.222.40.195:443 | tatyanakopieva.ru | tcp |
| US | 8.8.8.8:53 | silkeight.com | udp |
| RO | 188.213.19.166:443 | silkeight.com | tcp |
| RO | 188.213.19.166:443 | silkeight.com | tcp |
| US | 8.8.8.8:53 | publicompserver.de | udp |
| DE | 195.3.195.201:443 | publicompserver.de | tcp |
| DE | 195.3.195.201:443 | publicompserver.de | tcp |
Files
C:\Users\3q7xxm9-readme.txt
| MD5 | bb902d57988a2142e45b9eb60df823ae |
| SHA1 | 9aeb6c879e32b14ff5062f854945ddd238ac6946 |
| SHA256 | 5df3afa7d6b3cb1956ff1306985ae5e054e856ed1be17c3308df6e7b4b7af762 |
| SHA512 | d0e27c85a1e0df98d88bad942bb055d7c976f6dcf0abed1bff7538dfe7eab7c6086672b37b22c11315cacfcaf3f5e5c1cef87bfc69e7955a85250415338b8d46 |
C:\Users\Admin\AppData\Local\Temp\Cab19F8.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1A1B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-15 11:47
Reported
2024-12-15 11:50
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\41lg2.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4048 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4048 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4048 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-15_28b37382562ff548dade7df010148e9c_revil_sodinokibi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Network
| PL | 91.185.184.170:443 | unislaw-narty.pl | tcp |
| US | 8.8.8.8:53 | envomask.com | udp |
| US | 172.81.116.97:443 | envomask.com | tcp |
| US | 8.8.8.8:53 | patassociation.com | udp |
| FR | 109.234.160.199:443 | patassociation.com | tcp |
| US | 8.8.8.8:53 | luvbec.com | udp |
| US | 172.232.25.148:443 | luvbec.com | tcp |
| US | 8.8.8.8:53 | keuken-prijs.nl | udp |
| US | 8.8.8.8:53 | 170.184.185.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.25.232.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.160.234.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.116.81.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | therapybusinessacademy.com | udp |
| DE | 217.160.0.95:443 | therapybusinessacademy.com | tcp |
| DE | 217.160.0.95:443 | therapybusinessacademy.com | tcp |
| DE | 217.160.0.95:443 | therapybusinessacademy.com | tcp |
| US | 8.8.8.8:53 | baikalflot.ru | udp |
| US | 8.8.8.8:53 | piestar.com | udp |
| US | 35.170.173.134:443 | piestar.com | tcp |
| US | 8.8.8.8:53 | www.piestar.com | udp |
| US | 35.170.173.134:443 | www.piestar.com | tcp |
| US | 8.8.8.8:53 | 95.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.173.170.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4048-0-0x0000000000C00000-0x0000000000C2E000-memory.dmp
memory/4048-1-0x0000000000C00000-0x0000000000C2E000-memory.dmp
C:\Users\5j6n3a81v-readme.txt
| MD5 | 3156186aa1842ab7c07760e26e8187f0 |
| SHA1 | ddbe01a36777ee68e6ce976c29090bb0e1fefda5 |
| SHA256 | bca112a7e3457f8898241dd8a19471ed8b2d30108a39a50bde5759fbaceff1bd |
| SHA512 | 41a143d80ebc7b66760eacab9f22ca10e36dfbedf896e13fa2079ab49cd1a3e8a1909cfe2f32a06c3e7ca7b15d2db7af2a505a1d61fc1fccd93283ff0d29e1c5 |