Analysis Overview
SHA256
c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae
Threat Level: Known bad
The file c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodin,Sodinokibi,REvil
Sodinokibi/Revil sample
Deletes shadow copies
Modifies extensions of user files
Enumerates connected drives
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-24 01:08
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-24 01:08
Reported
2022-01-24 01:24
Platform
win7-en-20211208
Max time kernel
129s
Max time network
170s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ReadOpen.png => \??\c:\users\admin\pictures\ReadOpen.png.6825sar84 | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipBlock.tiff => \??\c:\users\admin\pictures\SkipBlock.tiff.6825sar84 | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\SkipBlock.tiff | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RepairEdit.tif => \??\c:\users\admin\pictures\RepairEdit.tif.6825sar84 | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w833shn4.bmp" | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4C27431717565A3A07F3E6D0032C4258949CF9EC | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4C27431717565A3A07F3E6D0032C4258949CF9EC\Blob = 0300000001000000140000004c27431717565a3a07f3e6d0032c4258949cf9ec140000000100000014000000f5cdd53c0850f96a4f3ab797da5683e669d268f7040000000100000010000000342e1e02d91852d4a66f8a892167c8fa0f0000000100000020000000a2de33490c476d356e2dbc737c2779692249526b65ab8fba9a34280481c8bdfc19000000010000001000000014b989b317682449c76eb3c21dac16e7180000000100000010000000a823b4a20180beb460cab955c24d7e212000000001000000510400003082044d30820335a003020102020b040000000001444ef03631300d06092a864886f70d01010b05003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3134303232303130303030305a170d3234303232303130303030305a304c310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613122302006035504031319416c70686153534c204341202d20534841323536202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100da01ece4ec7360fb7e8f6ab7c617e3926432d4ac00d9a20fb9edee6b8a86ca9267d974d75d47023c8f40d69e6d14cdc3da2939a70f050a68a2661a1ec4b28b7658e5ab5d1d8f40b3398bef1e837d22d0e3a9002eec53cf62198544284cc027cb7b0eec10640010a405cca072be416c315b48e4b1ecb923eb554dd07d624aa5b4a5a45985c52591a6fea6099f06106d8f810c64405e73009ae02e65985410007098c8e1ed345fd89cc70dc0d6235945fcfe557a86ee946022f1aed1e65546f699c51b08745facb064848f89381ca1a790214f026ebde06167d4f842870f0af7c9046d2aa92fef42a5dfdda353db981e81f99a727b5ade4f3e7fa258a0e217ad670203010001a38201233082011f300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020100301d0603551d0e04160414f5cdd53c0850f96a4f3ab797da5683e669d268f730450603551d20043e303c303a0604551d20003032303006082b06010505070201162468747470733a2f2f7777772e616c70686173736c2e636f6d2f7265706f7369746f72792f30330603551d1f042c302a3028a026a0248622687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742e63726c303d06082b060105050701010431302f302d06082b060105050730018621687474703a2f2f6f6373702e676c6f62616c7369676e2e636f6d2f726f6f747231301f0603551d23041830168014607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010b050003820101006040681647e7168ddb5ca1562acbf45c9bb01ea24bf5cb023ff80ba1f2a742d4b74cebe36680f32543782e1b1756075218cbd1a8ece6fb733ea4628c80b4d2c51273a3d3fa0238be633d84b899c1f1baf79fc340d1581853c162ddaf18427f344ec543d571b03000c7e390ae3f578697ceea0c128e2270e366a7547f2e28cbd454d0b31e626708f927e1cbe366b8241b896a894465f2d94cd2581c8c4ec095a1d4ef672f3820e82eff9651f0bad83d927047651c9e7372b4600c5ce2d17376e0af4ee2e537a5452f8a233e87c730e631387cf4dd52caf353042557566694e80beee603144eeefd6d94649e5ece79d4b2a6cf40b144a83e87195ee9f821165953 | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
"C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pixelhealth.net | udp |
| GB | 109.68.33.64:443 | pixelhealth.net | tcp |
| US | 8.8.8.8:53 | professionetata.com | udp |
| US | 8.8.8.8:53 | carmel-york.com | udp |
| US | 34.102.136.180:443 | carmel-york.com | tcp |
| US | 34.102.136.180:443 | carmel-york.com | tcp |
| US | 8.8.8.8:53 | xn--80abehgab4ak0ddz.xn--p1ai | udp |
| RU | 92.53.96.115:443 | xn--80abehgab4ak0ddz.xn--p1ai | tcp |
| RU | 92.53.96.115:443 | xn--80abehgab4ak0ddz.xn--p1ai | tcp |
| US | 8.8.8.8:53 | pazarspor.org.tr | udp |
| TR | 213.128.76.181:443 | pazarspor.org.tr | tcp |
| TR | 213.128.76.181:443 | pazarspor.org.tr | tcp |
| US | 8.8.8.8:53 | flossmoordental.com | udp |
| US | 173.255.198.240:443 | flossmoordental.com | tcp |
| US | 8.8.8.8:53 | iexpert99.com | udp |
| US | 8.8.8.8:53 | satoblog.org | udp |
| JP | 103.141.96.74:443 | satoblog.org | tcp |
| JP | 103.141.96.74:443 | satoblog.org | tcp |
| US | 8.8.8.8:53 | zumrutkuyutemel.com | udp |
| ES | 185.107.227.241:443 | zumrutkuyutemel.com | tcp |
| US | 8.8.8.8:53 | thenalpa.com | udp |
| US | 104.131.161.191:443 | thenalpa.com | tcp |
| US | 8.8.8.8:53 | dieetuniversiteit.nl | udp |
| US | 104.21.36.188:443 | dieetuniversiteit.nl | tcp |
| US | 8.8.8.8:53 | bellesiniacademy.org | udp |
| US | 198.71.233.64:443 | bellesiniacademy.org | tcp |
| US | 198.71.233.64:443 | bellesiniacademy.org | tcp |
| US | 8.8.8.8:53 | airserviceunlimited.com | udp |
| DE | 78.46.155.135:443 | airserviceunlimited.com | tcp |
| US | 8.8.8.8:53 | acibademmobil.com.tr | udp |
| TR | 46.45.134.70:443 | acibademmobil.com.tr | tcp |
| TR | 46.45.134.70:443 | acibademmobil.com.tr | tcp |
| US | 8.8.8.8:53 | epsondriversforwindows.com | udp |
| US | 8.8.8.8:53 | aktivfriskcenter.se | udp |
| US | 162.159.134.42:443 | aktivfriskcenter.se | tcp |
| US | 162.159.134.42:443 | aktivfriskcenter.se | tcp |
| US | 8.8.8.8:53 | ideamode.com | udp |
| FR | 92.205.17.192:443 | ideamode.com | tcp |
| US | 8.8.8.8:53 | marcandy.com | udp |
| US | 52.14.173.103:443 | marcandy.com | tcp |
| US | 3.138.251.142:443 | marcandy.com | tcp |
| US | 3.140.179.210:443 | marcandy.com | tcp |
| US | 8.8.8.8:53 | hiddensee-buhne11.de | udp |
| DE | 217.160.0.84:443 | hiddensee-buhne11.de | tcp |
| DE | 217.160.0.84:443 | hiddensee-buhne11.de | tcp |
| US | 8.8.8.8:53 | livedeveloper.com | udp |
| US | 107.161.23.124:443 | livedeveloper.com | tcp |
| US | 107.161.23.124:443 | livedeveloper.com | tcp |
| US | 8.8.8.8:53 | fidelitytitleoregon.com | udp |
| US | 72.52.196.16:443 | fidelitytitleoregon.com | tcp |
| US | 72.52.196.16:443 | fidelitytitleoregon.com | tcp |
| US | 8.8.8.8:53 | awag-blog.de | udp |
| DE | 62.113.233.7:443 | awag-blog.de | tcp |
| DE | 62.113.233.7:443 | awag-blog.de | tcp |
| US | 8.8.8.8:53 | customroasts.com | udp |
| US | 35.209.109.205:443 | customroasts.com | tcp |
| US | 35.209.109.205:443 | customroasts.com | tcp |
| US | 8.8.8.8:53 | itheroes.dk | udp |
| NL | 178.62.235.8:443 | itheroes.dk | tcp |
| US | 8.8.8.8:53 | k-zubki.ru | udp |
| GB | 185.215.4.16:443 | k-zubki.ru | tcp |
| US | 8.8.8.8:53 | lsngroupe.com | udp |
| FR | 213.186.33.5:443 | lsngroupe.com | tcp |
| US | 8.8.8.8:53 | apiarista.de | udp |
| DE | 212.8.207.5:443 | apiarista.de | tcp |
| DE | 212.8.207.5:443 | apiarista.de | tcp |
| US | 8.8.8.8:53 | xn--80addfr4ahr.dp.ua | udp |
| UA | 185.104.45.19:443 | xn--80addfr4ahr.dp.ua | tcp |
| US | 8.8.8.8:53 | palmenhaus-erfurt.de | udp |
| DE | 217.160.0.35:443 | palmenhaus-erfurt.de | tcp |
| DE | 217.160.0.35:443 | palmenhaus-erfurt.de | tcp |
| US | 8.8.8.8:53 | forskolinslimeffect.net | udp |
| US | 8.8.8.8:53 | sharonalbrightdds.com | udp |
| US | 151.101.2.159:443 | sharonalbrightdds.com | tcp |
| US | 151.101.2.159:443 | sharonalbrightdds.com | tcp |
| US | 8.8.8.8:53 | line-x.co.uk | udp |
| US | 172.67.145.210:443 | line-x.co.uk | tcp |
| US | 8.8.8.8:53 | mrkluttz.com | udp |
| US | 8.8.8.8:53 | mensemetgesigte.co.za | udp |
| GB | 77.72.0.150:443 | mensemetgesigte.co.za | tcp |
| GB | 77.72.0.150:443 | mensemetgesigte.co.za | tcp |
| US | 8.8.8.8:53 | dennisverschuur.com | udp |
| DK | 46.30.215.120:443 | dennisverschuur.com | tcp |
| DK | 46.30.215.120:443 | dennisverschuur.com | tcp |
| US | 8.8.8.8:53 | qrs-international.com | udp |
| CH | 194.56.189.177:443 | qrs-international.com | tcp |
| CH | 194.56.189.177:443 | qrs-international.com | tcp |
| US | 8.8.8.8:53 | auberives-sur-vareze.fr | udp |
| FR | 164.132.235.17:443 | auberives-sur-vareze.fr | tcp |
| US | 8.8.8.8:53 | frimec-international.es | udp |
| FR | 188.165.33.133:443 | frimec-international.es | tcp |
| US | 8.8.8.8:53 | lollachiro.com | udp |
| US | 172.67.132.243:443 | lollachiro.com | tcp |
| US | 8.8.8.8:53 | www.lollachiro.com | udp |
| US | 104.21.5.43:443 | www.lollachiro.com | tcp |
| US | 8.8.8.8:53 | sprintcoach.com | udp |
| US | 50.116.64.37:443 | sprintcoach.com | tcp |
| US | 50.116.64.37:443 | sprintcoach.com | tcp |
| US | 8.8.8.8:53 | frameshift.it | udp |
| IT | 86.107.32.48:443 | frameshift.it | tcp |
| IT | 86.107.32.48:443 | frameshift.it | tcp |
| US | 8.8.8.8:53 | drbenveniste.com | udp |
| US | 108.160.146.5:443 | drbenveniste.com | tcp |
| US | 8.8.8.8:53 | marmarabasin.com | udp |
| TR | 185.99.199.148:443 | marmarabasin.com | tcp |
| US | 8.8.8.8:53 | secure2.alphassl.com | udp |
| US | 104.18.20.226:80 | secure2.alphassl.com | tcp |
| US | 8.8.8.8:53 | ncjc.ca | udp |
| CA | 54.39.73.56:443 | ncjc.ca | tcp |
| US | 8.8.8.8:53 | vitormmcosta.com | udp |
| NL | 37.139.3.100:443 | vitormmcosta.com | tcp |
| NL | 37.139.3.100:443 | vitormmcosta.com | tcp |
| US | 8.8.8.8:53 | factorywizuk.com | udp |
| DK | 46.30.215.191:443 | factorywizuk.com | tcp |
| DK | 46.30.215.191:443 | factorywizuk.com | tcp |
| US | 8.8.8.8:53 | thisprettyhair.com | udp |
| US | 204.11.56.48:443 | thisprettyhair.com | tcp |
| US | 8.8.8.8:53 | diakonie-weitramsdorf-sesslach.de | udp |
| DE | 37.218.255.162:443 | diakonie-weitramsdorf-sesslach.de | tcp |
| DE | 37.218.255.162:443 | diakonie-weitramsdorf-sesslach.de | tcp |
| US | 8.8.8.8:53 | happycatering.de | udp |
| DE | 185.30.32.35:443 | happycatering.de | tcp |
| DE | 185.30.32.35:443 | happycatering.de | tcp |
| US | 8.8.8.8:53 | sachainchiuk.com | udp |
| US | 8.8.8.8:53 | hutchstyle.co.uk | udp |
| GB | 51.195.234.92:443 | hutchstyle.co.uk | tcp |
| GB | 51.195.234.92:443 | hutchstyle.co.uk | tcp |
| US | 8.8.8.8:53 | muller.nl | udp |
| NL | 31.7.1.101:443 | muller.nl | tcp |
| NL | 31.7.1.101:443 | muller.nl | tcp |
| US | 8.8.8.8:53 | latteswithleslie.com | udp |
| US | 198.46.93.64:443 | latteswithleslie.com | tcp |
| US | 198.46.93.64:443 | latteswithleslie.com | tcp |
| US | 8.8.8.8:53 | agencewho-aixenprovence.fr | udp |
| US | 8.8.8.8:53 | sololibrerie.it | udp |
| NL | 178.62.210.148:443 | sololibrerie.it | tcp |
Files
memory/1892-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-24 01:08
Reported
2022-01-24 01:25
Platform
win10-en-20211208
Max time kernel
173s
Max time network
189s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\CompareExpand.png => \??\c:\users\admin\pictures\CompareExpand.png.z49aex | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeDismount.tif => \??\c:\users\admin\pictures\ResumeDismount.tif.z49aex | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SavePop.tif => \??\c:\users\admin\pictures\SavePop.tif.z49aex | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SetSuspend.raw => \??\c:\users\admin\pictures\SetSuspend.raw.z49aex | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SendMeasure.crw => \??\c:\users\admin\pictures\SendMeasure.crw.z49aex | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\UnregisterMount.tiff | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MountPop.crw => \??\c:\users\admin\pictures\MountPop.crw.z49aex | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PingConvert.tif => \??\c:\users\admin\pictures\PingConvert.tif.z49aex | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnregisterMount.tiff => \??\c:\users\admin\pictures\UnregisterMount.tiff.z49aex | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6meft0s1.bmp" | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1200 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1200 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 680 wrote to memory of 3852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 680 wrote to memory of 3852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 680 wrote to memory of 3852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
"C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pixelhealth.net | udp |
| GB | 109.68.33.64:443 | pixelhealth.net | tcp |
| US | 8.8.8.8:53 | professionetata.com | udp |
| US | 8.8.8.8:53 | carmel-york.com | udp |
| US | 34.102.136.180:443 | carmel-york.com | tcp |
| US | 34.102.136.180:443 | carmel-york.com | tcp |
| US | 34.102.136.180:443 | carmel-york.com | tcp |