Malware Analysis Report

2025-01-18 20:01

Sample ID 220124-bgwmjahcd3
Target c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d
SHA256 c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d
Tags
9 793 sodinokibi ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d

Threat Level: Known bad

The file c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d was found to be: Known bad.

Malicious Activity Summary

9 793 sodinokibi ransomware

Sodinokibi family

Sodinokibi/Revil sample

Deletes shadow copies

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:07

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:07

Reported

2022-01-24 01:23

Platform

win7-en-20211208

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe"

Signatures

Deletes shadow copies

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_apphelp.dll.mui_59096153 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87377835d7709369.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acproxy_31bf3856ad364e35_6.1.7600.16385_none_520444733f7b8add_acproxy.dll_5d65b262 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f067c9d9c2297404.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_en-us_243862f6e4997dad_activeds.dll.mui_67414db4 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68a3391d007cd856.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit_31bf3856ad364e35_6.1.7600.16385_none_c3d671ef7642fced.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-activexproxy_31bf3856ad364e35_6.1.7601.17514_none_703438df00e9e0d7.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7449c6becaace7e3.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_747e69daca85f63e_advapi32.dll.mui_28c7718f C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b478cfdf5bb71e8.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1d2f90411ea5c48a.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5ebc31e0daac1f4.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104_sdbinst.exe_8725e339 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104_shimeng.dll_2036b947 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf_axinstsv.dll.mui_be092a2d C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_27bdda6ccd542631.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e73ce5f9b6e1733a_authui.dll.mui_19b92789 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dc4a3190eb7d1265_acledit.dll.mui_5f932ccb C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c19781a304e374a4_hid.dll.mui_cccd5ae0 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b478cfdf5bb71e8_activeds.dll.mui_67414db4 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c620663a0d83d04f_winmm.dll.mui_224f6445 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c45d6abafdb56d6.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913_aelupsvc.dll.mui_5d6cb110 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_sdbinst.exe.mui_258ad624 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_853b0789da5b1e2a.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074_axinstui.exe.mui_aea34130 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3e80b31cc7dc75d0.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c162de87050a6649_hidserv.dll.mui_561adfc8 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_en-us_243862f6e4997dad.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e8934bff7a284e2f.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e73ce5f9b6e1733a.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_sdbinst.exe.mui_258ad624 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_853b0789da5b1e2a_acledit.dll.mui_5f932ccb C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2403bfdae4c06f52_activeds.dll.mui_67414db4 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_8c256fc0a6a20d36.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87377835d7709369_acledit.dll.mui_5f932ccb C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9dc6c5d5ca9cbc28_aclui.dll.mui_adadbfb7 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_404998b8bd95c42f.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_8c256fc0a6a20d36_authui.dll.mui_19b92789 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cc970e0c87e2bb88.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c6bb35d9d79285b4_activeds.dll.mui_67414db4 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8_apphelp.dll.mui_59096153 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8_sdbinst.exe.mui_258ad624 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b40b4fc097a11d8a.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acproxy_31bf3856ad364e35_6.1.7600.16385_none_520444733f7b8add.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cb8d93e1dba7ea79.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e7718915b6ba8195_authui.dll.mui_19b92789 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1641d14c740080f5_authui.dll.mui_19b92789 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_aelupsvc.dll.mui_5d6cb110 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c19781a304e374a4.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab_hidserv.dll.mui_561adfc8 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c45d6abafdb56d6_axinstui.exe.mui_aea34130 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8_apphelp.dll.mui_59096153 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8_sdbinst.exe.mui_258ad624 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b40b4fc097a11d8a_acledit.dll.mui_5f932ccb C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8.manifest C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab_hid.dll.mui_cccd5ae0 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68a3391d007cd856_winmm.dll.mui_224f6445 C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe

"C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/2040-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:07

Reported

2022-01-24 01:24

Platform

win10-en-20211208

Max time kernel

123s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe"

Signatures

Deletes shadow copies

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe

"C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

N/A