sodinokibi | 6c1245be0cacd3a2c296aeac93bd3a95debfe1497fd23f91d6a2179bf8e1a32a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
Size

561KB
MD5

ea5d24b9bdfb7ea892b4ff16bc2c9d42
SHA1

40717d8266cf429ddc7df3a29248ef3bc8678a44
SHA256

6c1245be0cacd3a2c296aeac93bd3a95debfe1497fd23f91d6a2179bf8e1a32a
SHA512

fef1c194135b4341da580de14d66d1cfb5b0207f5c57aa8bedb5f2f677c1dc913fb450a89de424d093da8a60c422af4aa4f189a95aa825e6e7c84e28b859f547
SSDEEP

12288:PIUykkZ3UdvReTV6dtXyLkzjF+4AYdvReTV6dtXyLkzjF+4AWLkzjF+4Ay:PIUWOZcLkzjF+4XZcLkzjF+4LLkzjF+s

Score

10^/10

sodinokibi discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Default\0ho590d37-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 0ho590d37. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DB7F3659722B2F3E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/DB7F3659722B2F3E Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 3dEu4RQUy38AjxP4K2Gnqnr599tBa5JZZzvPCMH0HvrrZKR5Tfzy+PfXcl5/QJ0p kO8xYAAjb772/7KDMQnIUTByqiKrxrFYdYmjXpO2nNKceUZiJYEsdz6o0Hw4pOrB NlRFcIy8P4OIPvWxw1sgSArlr3lpB9s4A4mrkap7SZFXNFanBeEP1m+FMA8eO3hB vZ8ER45DQGYXAsLNGinCfV/N2hnJXfAAjFpYWBSdVMew63lOFpgyFnBMGkbtP2z7 dzjyfBMOPcz0OSe73I2ezUQhklHYZ1prPY73TUnJ/bKj1CbKdE8C6lfRHP3hA909 6ujoNWkykRLb98jYoToTZQUpT59qD+XEUDgn2jH8pArrfo8cJmuqcOglBup/seyG yyRvyoR8Ei2I/tyQjAqxZDTHG8934P/AefaOWavT7FQOy7DguPanDkDa3Xucow76 5XcA8XY2myICc6/lkZ+FgKMCaUD6Fj5LsZLJRezuvnZBjlndiFCFaQ4oAriK2WGf tsVHQzb4Ew9xefPFm+RqApOgay5fx/s+HmxS0UW5BuURbrESiM92ozwPPaQFBAlX 4xJhnhOYN4bEfXA3olrZXiULVVun/d224EJCBZDyHAlb79lw0ZtaWsxJlhMYlyjc F1HQKtBttP0exPTDKjGh4p2MDp6YZHk9BK5fiZKy2QPC+tlEel7BAG8pOtJUJQMb K/9Ak0dvrk7+GCw9OaXjuhSi4YpGG3ExdRinvvE6XJ8tqYsqxQlKVx8CrYwWkGoN qBYj3WjTK0qZYr8hMf70dbHtsXxR9THQlqNDqVJVuVhWggtAD3e/NG7hGxl/WrEr gBWrDryA2buOI6LMnAnTqd/is4R9mNmXATD/xnZA/yqYUZHdFIeyFP2a483ghMaC eILD3B67CRPtgWjdLPPnSK6XBg6zfK6/dlXGlB9i2dafGpJ2gKLJMudMdBSbSP6/ ATlipY1mTApiGZ8Ng1WJdJqXAsGVFYKgArMXAPXEq9Oqcgi2RC6EI7xdNdDUFyJz j9rn8BrapgMSLVBIGDgQls6vf4CifzsFIUgrjg3qoPgEqhWzqCNPbeG3epZNVTeO 4lvZNePbBcyKn2ZLGS6YG7j+hDjCfM8vmTR97fUMXn6yFkcXy5/u5zRr665xnCRv he/pV4VM8Xghai5VF+woZ6THRJ4QI/IQFoVywKM8FZs= Extension name: 0ho590d37 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DB7F3659722B2F3E

http://decryptor.top/DB7F3659722B2F3E

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi
Renames multiple (170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\I:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\L:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\N:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\W:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\B:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\J:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\K:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\O:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\R:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\T:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\Y:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\Z:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\H:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\D:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\E:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\M:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\U:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\V:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\X:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\A:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\Q:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\S:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\F:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened (read-only)	\??\P:	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8eti219n.bmp"	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_077d882c43db17cd.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_dcd6e37ff183c65c.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_c2f24ed0bf347cdd_bootmgr.efi.mui_be5d0075	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_7725a91f1043b62d_gpapi.dll.mui_ef0a9748	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_379018f38e600fa9_wmiutils.dll.mui_42583eaf	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_zh-cn_7294ce476ec912f1.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_bg-bg_46694069b3c83c61.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.19041.1202_none_20ddd445a787b81f.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pshed_31bf3856ad364e35_10.0.19041.1_none_11e3f0d3cc72158f.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.1266_none_e0eefe63c72d43e8_apps.inf_0b7d7d89	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_es-es_81fee3c06ca876bd.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_hu-hu_fd01b7045f001002.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c271277db84bbc43.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.19041.844_none_f5f48bc2c8c3f7a0.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ro-ro_a7fd6f88bbbece6f_comctl32.dll.mui_0da4e682	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_et-ee_b7f98987b747df8e_comctl32.dll.mui_0da4e682	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ko-kr_3f1489cfda206346_memtest.efi.mui_71e15c22	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_eb14f252120fd1e9_trustedsignalcredprov.dll.mui_5edc427b	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_79676005b94fbd75_ngcsvc.dll.mui_96312421	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.19041.1_it-it_7eececd6495ba67d.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_es-es_1fb9b17ec579a5e1_services.exe.mui_86ea5e71	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_nl-nl_4843455ad9f31bfa.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_es-mx_cd63778c71e5e529_comctl32.dll.mui_0da4e682	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_60026a0018dee1ab_iprtrmgr.dll.mui_eb023b92	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_ru-ru_2005a287b66c44a0.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_fd031af45b0106f2.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.1266_none_e0eefe63c72d43e8_windowsshell.manifest_ad1cb5ce	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.19041.1_it-it_7eececd6495ba67d_nsisvc.dll.mui_237a741f	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sk-sk_912df698c3cfac6f_comctl32.dll.mui_0da4e682	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.19041.964_none_21f025fe4ae682b3_ipsecsvc.mof_713662d2	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-twinapi-appcore_31bf3856ad364e35_10.0.19041.964_none_917daa321cc2afb4.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wintrust-dll_31bf3856ad364e35_10.0.19041.1266_none_6ec8b79d83a2fd27.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_es-es_ade4b30e36254a8c_apphelp.dll.mui_59096153	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_6c22b0c49894068b.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ngc-kspsvc_31bf3856ad364e35_10.0.19041.84_none_5f9dd4d3686528a6.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fi-fi_47d83bc872f1a26d.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cng_31bf3856ad364e35_10.0.19041.264_none_86ccc606b9fe4762.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-nirmalaui_regular_31bf3856ad364e35_10.0.19041.1_none_23b3cc627fe715d7.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fi-fi_47d83bc872f1a26d_comctl32.dll.mui_0da4e682	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_nb-no_1c114980f11087ca.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_sr-..-rs_043fd09a5a699039.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_da-dk_c6bdf9af39b53c71.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5b5a0fc040a75c4e_winresume.exe.mui_ff8b5358	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_10.0.19041.844_none_659179fc44ecf41c.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.746_none_936e34e4ece273a7.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_34114e40f674dea5_bootmgfw.efi.mui_a6e78cfa	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_10f39c85cfff2cb8_wintypes.dll.mui_36d5f25a	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_5801e9f68bdc3d85.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_it-it_b93490b34d8c4a73_winresume.exe.mui_ff8b5358	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_be18ea1916c99427_wiarpc.dll.mui_0c913b87	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_ru-ru_bfe241f0efa3e3fb.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_10.0.19041.207_none_47f05d449c8dfad1.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1151_en-us_3fc8a69ab94012f6_winlogon.exe.mui_3280fc46	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9_comctl32.dll.mui_0da4e682	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_msmplics.dll_50e185fa	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_zh-tw_76910b9d6c39ef61_comctl32.dll.mui_0da4e682	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_vga949.fon_0fa0b40b	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.19041.1_it-it_da88293649d0d609_shsvcs.dll.mui_b69fccab	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b103cf1329c78478.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_sv-se_5c4b115fa6f864cd.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_en-us_7d22aa39e59cfe75_rasauto.dll.mui_12fa2c50	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_eb14f252120fd1e9.manifest	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..gon-tools.resources_31bf3856ad364e35_10.0.19041.1_de-de_22acc81c4233a398_wlrmdr.exe.mui_ee563c83	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2420	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
2420	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4796	2420	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe	84
PID 2420 wrote to memory of 4796	2420	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe	84
PID 2420 wrote to memory of 4796	2420	2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-26_ea5d24b9bdfb7ea892b4ff16bc2c9d42_revil_sodinokibi.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\0ho590d37-readme.txt

Filesize
6KB

MD5
1b9a59d63d1a8be3beae418a1b4c6922

SHA1
2a9bff4c2c5ec3493e2b56c100af8982740ea346

SHA256
7fb3b1780213cf7ce14ce1b43f2f147c3dac02f090b2398543101d74fcb66613

SHA512
11814ae2af4784c50541d697ede603de9a084fa6f15ac95ce42da2ec13596e2c7203b9c1b283551956a11ba904807d8d66b10af41f6da7b28450f26e168407ed

Download Submit