Malware Analysis Report

2025-01-18 18:28

Sample ID 241215-pc33pstmbs
Target 2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi
SHA256 46482511ca8cf232e2adf984dcd3d8624d52c391bd9a08a72c42cf828ed6c10b
Tags: sodinokibi 5 367 discovery ransomware spyware stealer defense_evasion execution impact
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

46482511ca8cf232e2adf984dcd3d8624d52c391bd9a08a72c42cf828ed6c10b

Threat Level: Known bad

The file 2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi was found to be: Known bad.

Malicious Activity Summary

sodinokibi 5 367 discovery ransomware spyware stealer defense_evasion execution impact

Sodinokibi/Revil sample

Sodinokibi family

Sodin, Sodinokibi, REvil

Deletes shadow copies

Reads user/profile data of web browsers

Checks computer location settings

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-15 12:11

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-15 12:11

Reported

2024-12-15 12:14

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zhis.bmp" C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\ConvertHide.wmf C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ReadPop.odt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ResetRestart.mp4 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\dd28d1-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SendGrant.svg C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\StepPop.wax C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SubmitInstall.png C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\BackupGroup.m4a C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SaveTest.DVR-MS C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\GetJoin.html C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ShowCompress.xhtml C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SubmitEnter.rar C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\SubmitGrant.search-ms C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files\dd28d1-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ConvertCompare.dot C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\PushMount.vstx C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\RemoveCompress.xlsb C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\StartUndo.vsx C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\UnregisterDismount.xls C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\PopExpand.vsdm C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_21126be33c76b858.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_de-de_d8897d7855c66c63.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_1df83464f895eec7.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1151_en-us_3fc8a69ab94012f6_winlogon.exe.mui_3280fc46 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_es-es_2c55246d83884e93_winresume.exe.mui_ff8b5358 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_6e688577a32f8855_themeservice.dll.mui_9e71f1ab C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-endpointmapper_31bf3856ad364e35_10.0.19041.1_none_00838c0981f40351.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_es-es_23d331484ec165c2_dsregtask.dll.mui_5e1b9353 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.19041.1202_none_087e122b0b81e049.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_115701fa8eb2a3ae.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.19041.1266_none_1c8f1f932b553c89_dcomp.dll_a2e93a7d C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c_srpapi.dll_5f1dbe43 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_vgasysr.fon_af0ffe9e C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a_certprop.dll.mui_602eaab4 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_de-de_9468ebbd3ef7a656.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_077d882c43db17cd_bootmgr.exe.mui_c434701f C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_63994a974590744a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_pt-pt_37470850f46de265_bootmgfw.efi.mui_a6e78cfa C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_950d46109b6707a2_wmiutils.dll.mui_42583eaf C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_f840d1e088d281f3_clipsvc.dll.mui_18823613 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_10.0.19041.264_none_5c643b8f866d5e2b.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_87b4b95ab967b582.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..turalauthentication_31bf3856ad364e35_10.0.19041.153_none_d1a66a77fe3b57f3.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_a35d6ad33b0c3e19_bootmgr.exe.mui_c434701f C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_d882497830128342.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_8a83f8a2672d374c_wmiapsrv.exe.mui_b1567840 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2d13f7d6bc2181e3.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_es-es_f2c99b30decb81ab_mountmgr.sys.mui_71b54a25 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4ebe9cd18298b39c.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_it-it_88016773740fb9a7.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_tr-tr_1d60a06c87d527e6.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.19041.1_es-es_0380b9a9254b8896.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_ar-sa_4244e753a064bf19_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_pt-pt_158c69c9f3caa65a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b8b9693c8ab3775e_credprov2fahelper.dll.mui_71e4ecb5 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_10.0.19041.1237_none_5f00842b9149cc7c_tdx.sys_d0cc4fd9 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_28f87d0444103fde_dciman32.dll_a41dd515 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_afaadb8f0b8a9278_msobjs.dll_052c8a60 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-twinapi_31bf3856ad364e35_10.0.19041.1202_none_301d5c0e1bd4c77b_twinapi.dll_1b801978 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_e4acb32056072b0a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_ar-sa_fa97b07c8be89613.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1081_none_ae0369bc9fe47e6c_appidtel.exe_b664fbc5 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_430caa488be6f8ed_rpcepmap.dll.mui_349798e1 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_es-es_7cee071de5c3f01a_rasautou.exe.mui_55686a97 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.19041.1_en-us_f24223ac7f30b8f8_nsisvc.dll.mui_237a741f C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_ru-ru_c27553705df60b81_bootmgr.exe.mui_c434701f C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_28f87d0444103fde_fontdrvhost.exe_94bdc76d C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.19041.662_none_3bbdfd78507f28c7_ncrypt.dll_0f36c580 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7_mofcomp.exe.mui_35badf56 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_e451070aababddb2_wuaueng.dll.mui_297f975d C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_es-es_f63b9dbd80bffee4.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b103cf1329c78478_netiougc.exe.mui_ad7a9e4d C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-pshed_31bf3856ad364e35_10.0.19041.1_none_1c389b2600d2d78a_pshed.dll_f6ac239e C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userenv_31bf3856ad364e35_10.0.19041.1_none_508622491f012218.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_it-it_a0b367f31f29d0aa_rasdiag.dll.mui_15cb4ec4 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sv-se_19e50489d0787aec.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.19041.1266_none_9123280a93582482_vpntoasticon.png_e607ca23 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2d3b6ea159ff4dae.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_ru-ru_078f78c804200d01_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.19041.906_none_9e2a4a3c38b724ef.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fr-ca_cfc21f8d801be317.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_th-th_8739216e3790b2ba.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_b951d0f9879ec306.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

Network

Country Destination Domain Proto

Files

memory/3572-0-0x0000000000780000-0x00000000007AE000-memory.dmp

memory/3572-1-0x0000000000780000-0x00000000007AE000-memory.dmp

C:\Users\dd28d1-readme.txt

MD5 fd1083cfb8bc2628269ceae4255e9c30
SHA1 c07df343bf65b57fd00e6521d9427a603d401b67
SHA256 59167eef5146820dc621b5908b534490b2a32452ef423aa25c193df6c6d92803
SHA512 00338d6fe5c56c60822b5420e8f594b13b38abf2780ad7a8d090127b0af94970e473899bab344f52c426cbcc91b94cc4a10268fc6d907b9d98fc9b71943a3af3

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-15 12:11

Reported

2024-12-15 12:14

Platform

win7-20240903-en

Max time kernel

130s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Deletes shadow copies

ransomware defense_evasion impact execution

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gov33388gv1m9.bmp" C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ApproveProtect.wax C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\RepairMount.mpe C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ResolveUninstall.mpv2 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\tej91p-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tej91p-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files\tej91p-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\RequestDismount.mp4 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tej91p-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\tej91p-readme.txt C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\JoinConvert.m4v C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\OutConfirm.xps C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\StepStart.cr2 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\ImportNew.dib C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification \??\c:\program files\InitializeSkip.DVR C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00887df2a19c65d6_volmgrx.sys.mui_b0c205d7 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_46e12cf1dd7ba188.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c79917aabb8f3414_shdocvw.dll.mui_9b8f26d5 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_33bb1a534004f6c6.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-object-picker_31bf3856ad364e35_6.1.7600.16385_none_6b8acc3d2645838d.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aac11498ff0f4ac.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-usermodensi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_deaa3f2f341fcff5_nsisvc.dll.mui_237a741f C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4500db6c6927212c_ole32.dll.mui_5035d60a C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_24d3552052fff863.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..iles-core.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ec506ff0bdc9b5ed.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351_rascfg.dll.mui_0b036e1f C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7e8b0c18f5629386_sccls.dll.mui_f104be47 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f85aad48a0aa756a_esent.dll.mui_e30e3b90 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16f7dbd4736deb32.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_990fb5253ef5803e.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_35802f0f452f59bb_dhcpcsvc.dll_8155446a C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0420e6d1b7d46b70.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a59e289ac2c01456_dnsrslvr.dll.mui_1e1a1ed1 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68a3391d007cd856.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c63a861166e5ad51_shdocvw.dll.mui_9b8f26d5 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_573fbf08fcf78292_iscsidsc.dll.mui_6acb64a6 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1e171ce0b8b501a6.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-708_31bf3856ad364e35_6.1.7600.16385_none_cec3ab1cfc826848.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c19781a304e374a4.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreos_31bf3856ad364e35_6.1.7601.17514_none_83784bb654f0d178.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_19c02f902f46df9c.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_124dc839a586a988_atmfd.dll_ff796bf0 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-activexproxy_31bf3856ad364e35_6.1.7601.17514_none_14159d5b488c6fa1.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mscat32-dll_31bf3856ad364e35_6.1.7600.16385_none_80ba6a1a80d90497_mscat32.dll_1fcb31df C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32_31bf3856ad364e35_6.1.7601.17514_none_b7b87b8d03e9acb0_comdlg32.ptxml_e7a9d9f8 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ependencyminifilter_31bf3856ad364e35_6.1.7601.17514_none_8878ff5a9e1a8a48.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..etype-timesnewroman_31bf3856ad364e35_6.1.7601.17514_none_3b958c66aff6cdb7_times.ttf_2caa4556 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-shacct.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_61d39da0d47e9d3e.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f469506f7f6f97f_tcpip.sys.mui_5885771c C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_752a818fe660eceb_sti_ci.dll.mui_f0a16278 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_it-it_09d8903c3785e299.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_de-de_9450c441b822af1a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ck-legacy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a7b0ad52b3bcfdb6_wsock32.dll.mui_18b23987 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5588b35e1b8aed89_dhcpcore.dll.mui_8b901fc3 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.17514_none_ae2511475093798f.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1d2f90411ea5c48a.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_de-de_260fca3a475cc286.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-gdi32_31bf3856ad364e35_6.1.7601.17514_none_c1f959bd9451d7a7.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fffad235455db1eb_provsvc.dll.mui_3a2926ae C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_edcef7c9160396ab.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_da91c3e3638f49b4.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_caba3de2d9ce0d4b_tcpipcfg.dll.mui_a5479fc1 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17514_none_114417c17d05cb37_fwpkclnt.sys_cbbab82c C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6ace9e67456cc40b_ws2help.dll_2dd5d345 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_573fbf08fcf78292_iscsicli.exe.mui_64c0a23c C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4fcc12c061ad9631.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-ntfs_31bf3856ad364e35_6.1.7601.17514_none_04972f2c338b23d4.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_it-it_9214614bc6c64f8a_cryptui.dll.mui_9728c1dd C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-852_31bf3856ad364e35_6.1.7600.16385_none_cebe6552fc856926.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_387e0dccfbc70bf0.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4b5ad37c597b9f43.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_svgasys.fon_32986711 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-sqmapi_31bf3856ad364e35_6.1.7601.17514_none_5c63b87c1b6dc7ec_sqmapi.dll_3755dd17 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_964af31d4c0ac434_expand.exe.mui_3f54e013 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_6.1.7600.16385_it-it_86a68a63a4aaf841.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bb92604e3d64e901.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ef54932792fc58dd.manifest C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f3317575c0f924ac_ndptsp.tsp.mui_5bee9ce3 C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe

"C:\Users\Admin\AppData\Local\Temp\2024-12-15_d78b058ba0bb3f10d2db81726ecfd9c9_revil_sodinokibi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 craftingalegacy.com udp
US 50.87.137.113:443 craftingalegacy.com tcp
US 8.8.8.8:53 g2mediainc.com udp
DE 78.46.1.42:443 g2mediainc.com tcp
US 8.8.8.8:53 brinkdoepke.eu udp
DE 92.205.192.141:443 brinkdoepke.eu tcp
DE 92.205.192.141:443 brinkdoepke.eu tcp
US 8.8.8.8:53 vipcarrental.ae udp
US 172.67.153.12:443 vipcarrental.ae tcp
US 8.8.8.8:53 autoteamlast.de udp
DE 37.202.7.169:443 autoteamlast.de tcp
DE 37.202.7.169:443 autoteamlast.de tcp
US 8.8.8.8:53 hostastay.com udp
SG 13.229.198.152:443 hostastay.com tcp
US 8.8.8.8:53 gavelmasters.com udp
US 8.8.8.8:53 ronaldhendriks.nl udp
NL 185.103.16.188:443 ronaldhendriks.nl tcp
NL 185.103.16.188:443 ronaldhendriks.nl tcp
US 8.8.8.8:53 successcolony.com.ng udp
US 8.8.8.8:53 medicalsupportco.com udp
US 3.33.251.168:443 medicalsupportco.com tcp
US 15.197.225.128:443 medicalsupportco.com tcp
US 3.33.251.168:443 medicalsupportco.com tcp
US 8.8.8.8:53 kompresory-opravy.com udp
SK 37.9.175.133:443 kompresory-opravy.com tcp
SK 37.9.175.133:443 kompresory-opravy.com tcp
US 8.8.8.8:53 sveneulberg.de udp
DE 89.110.179.179:443 sveneulberg.de tcp
DE 89.110.179.179:443 sveneulberg.de tcp
US 8.8.8.8:53 oththukaruva.com udp
US 8.8.8.8:53 voetbalhoogeveen.nl udp
US 8.8.8.8:53 selected-minds.de udp
DE 217.160.0.92:443 selected-minds.de tcp
DE 217.160.0.92:443 selected-minds.de tcp
US 8.8.8.8:53 log-barn.co.uk udp
GB 213.175.208.90:443 log-barn.co.uk tcp
GB 213.175.208.90:443 log-barn.co.uk tcp
US 8.8.8.8:53 fsbforsale.com udp
US 8.8.8.8:53 jobkiwi.com.ng udp
US 8.8.8.8:53 ivancacu.com udp
DE 217.160.0.237:443 ivancacu.com tcp
DE 217.160.0.237:443 ivancacu.com tcp
US 8.8.8.8:53 11.in.ua udp
UA 91.225.81.9:443 11.in.ua tcp

Files

memory/2124-0-0x00000000005F0000-0x000000000061E000-memory.dmp

memory/2124-1-0x0000000000070000-0x000000000007A000-memory.dmp

memory/2124-8-0x00000000001B0000-0x00000000001CF000-memory.dmp

memory/2124-10-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2124-9-0x0000000002680000-0x0000000002789000-memory.dmp

memory/2124-4-0x0000000002240000-0x000000000236D000-memory.dmp

memory/2124-7-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2124-6-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2124-5-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2124-3-0x00000000021A0000-0x000000000223F000-memory.dmp

memory/2124-2-0x0000000001F30000-0x0000000001FF9000-memory.dmp

memory/2124-11-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2124-13-0x0000000002940000-0x0000000002950000-memory.dmp

memory/2124-14-0x00000000005F0000-0x000000000061E000-memory.dmp

memory/2124-15-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2124-17-0x0000000002940000-0x0000000002950000-memory.dmp

C:\Users\tej91p-readme.txt

MD5 21dc68e89b8c9732a46b4c1a290c991d
SHA1 5a2b4d05afe60944241a8ecb9d1949d272e73b16
SHA256 b81229dc3a8960af548d039dd33992b325f8f6a17a24fc64aafa4e37ce126ad8
SHA512 c3dfc910670248a26769a093d77900c1752a4b5ac2132ee6489d712d81191cbb63f6a94304581168edcd0297e287361a225abbd92584299cf5b49bb2c67689d9

C:\Users\Admin\AppData\Local\Temp\CabA65F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA681.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b