Malware Analysis Report

2025-01-18 20:01

Sample ID 220124-bg1aqahbhr
Target c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757
SHA256 c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757
Tags
21 65 sodinokibi ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757

Threat Level: Known bad

The file c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757 was found to be: Known bad.

Malicious Activity Summary

21 65 sodinokibi ransomware spyware stealer

Sodinokibi family

Sodin,Sodinokibi,REvil

Sodinokibi/Revil sample

Deletes shadow copies

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:07

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:07

Reported

2022-01-24 01:24

Platform

win7-en-20211208

Max time kernel

149s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\StopSet.tiff C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandGet.png => C:\Users\Admin\Pictures\ExpandGet.png.0096aka C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File renamed C:\Users\Admin\Pictures\PushUnregister.raw => C:\Users\Admin\Pictures\PushUnregister.raw.0096aka C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File renamed C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.0096aka C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File renamed C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.0096aka C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File renamed C:\Users\Admin\Pictures\UnblockExit.tif => C:\Users\Admin\Pictures\UnblockExit.tif.0096aka C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Users\Admin\Pictures\ShowGrant.tiff C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Users\Admin\Pictures\UpdateGet.tiff C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File renamed C:\Users\Admin\Pictures\MountGrant.raw => C:\Users\Admin\Pictures\MountGrant.raw.0096aka C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File renamed C:\Users\Admin\Pictures\UpdateGet.tiff => C:\Users\Admin\Pictures\UpdateGet.tiff.0096aka C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Common Files\System\ado\fr-FR\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\VideoLAN\VLC\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Triedit\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\fr-FR\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Windows Mail\en-US\WinMail.exe.mui C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Uninstall Information\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\StepRestore.odt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Windows Journal\en-US\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\DVD Maker\de-DE\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\blank.jtp C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Origin.thmx C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Windows Defender\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Windows Mail\de-DE\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\es-ES\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\WMPDMCCore.dll.mui C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msadox28.tlb C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Windows NT\TableTextService\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Windows NT\Accessories\fr-FR\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\RedoSplit.TTS C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\0096aka-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

"C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/1700-54-0x0000000075601000-0x0000000075603000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:07

Reported

2022-01-24 01:24

Platform

win10-en-20211208

Max time kernel

159s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\RemoveDeny.tiff C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File renamed C:\Users\Admin\Pictures\RemoveDeny.tiff => C:\Users\Admin\Pictures\RemoveDeny.tiff.y2fs51o8d0 C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File renamed C:\Users\Admin\Pictures\ResetSkip.crw => C:\Users\Admin\Pictures\ResetSkip.crw.y2fs51o8d0 C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\y2fs51o8d0-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Resources\cursorXBOX_active.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\y2fs51o8d0-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-black.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Rounded Rectangle.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Common Files\microsoft shared\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2bb76f1c.pri C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEX C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\y2fs51o8d0-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireMedTile.scale-100.jpg C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-400.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\SLERROR.XML C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\_Resources\y2fs51o8d0-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_contrast-black.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_cube.3mf C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\Dust.jpg C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\cmm\sRGB.pf C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-40.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\y2fs51o8d0-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\Home-Placeholder.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util.jar C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\_Resources\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-36.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\y2fs51o8d0-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxMetadata\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-150.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\y2fs51o8d0-readme.txt C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PeopleAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\1dbc51d0.lock C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\PesterState.ps1 C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\New_Skins.url C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

"C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

N/A