Analysis Overview
SHA256
c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d
Threat Level: Known bad
The file c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodinokibi/Revil sample
Deletes shadow copies
Enumerates connected drives
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-24 01:07
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-24 01:07
Reported
2022-01-24 01:23
Platform
win7-en-20211208
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Deletes shadow copies
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_apphelp.dll.mui_59096153 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87377835d7709369.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acproxy_31bf3856ad364e35_6.1.7600.16385_none_520444733f7b8add_acproxy.dll_5d65b262 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f067c9d9c2297404.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_en-us_243862f6e4997dad_activeds.dll.mui_67414db4 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68a3391d007cd856.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit_31bf3856ad364e35_6.1.7600.16385_none_c3d671ef7642fced.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-activexproxy_31bf3856ad364e35_6.1.7601.17514_none_703438df00e9e0d7.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7449c6becaace7e3.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_747e69daca85f63e_advapi32.dll.mui_28c7718f | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b478cfdf5bb71e8.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1d2f90411ea5c48a.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5ebc31e0daac1f4.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104_sdbinst.exe_8725e339 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104_shimeng.dll_2036b947 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf_axinstsv.dll.mui_be092a2d | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_27bdda6ccd542631.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e73ce5f9b6e1733a_authui.dll.mui_19b92789 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dc4a3190eb7d1265_acledit.dll.mui_5f932ccb | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c19781a304e374a4_hid.dll.mui_cccd5ae0 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b478cfdf5bb71e8_activeds.dll.mui_67414db4 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c620663a0d83d04f_winmm.dll.mui_224f6445 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c45d6abafdb56d6.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913_aelupsvc.dll.mui_5d6cb110 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_sdbinst.exe.mui_258ad624 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_853b0789da5b1e2a.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074_axinstui.exe.mui_aea34130 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3e80b31cc7dc75d0.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c162de87050a6649_hidserv.dll.mui_561adfc8 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_en-us_243862f6e4997dad.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e8934bff7a284e2f.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e73ce5f9b6e1733a.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_sdbinst.exe.mui_258ad624 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_853b0789da5b1e2a_acledit.dll.mui_5f932ccb | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2403bfdae4c06f52_activeds.dll.mui_67414db4 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_8c256fc0a6a20d36.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87377835d7709369_acledit.dll.mui_5f932ccb | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9dc6c5d5ca9cbc28_aclui.dll.mui_adadbfb7 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_404998b8bd95c42f.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_8c256fc0a6a20d36_authui.dll.mui_19b92789 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cc970e0c87e2bb88.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c6bb35d9d79285b4_activeds.dll.mui_67414db4 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8_apphelp.dll.mui_59096153 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8_sdbinst.exe.mui_258ad624 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b40b4fc097a11d8a.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acproxy_31bf3856ad364e35_6.1.7600.16385_none_520444733f7b8add.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cb8d93e1dba7ea79.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e7718915b6ba8195_authui.dll.mui_19b92789 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1641d14c740080f5_authui.dll.mui_19b92789 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_aelupsvc.dll.mui_5d6cb110 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c19781a304e374a4.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab_hidserv.dll.mui_561adfc8 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c45d6abafdb56d6_axinstui.exe.mui_aea34130 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8_apphelp.dll.mui_59096153 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8_sdbinst.exe.mui_258ad624 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b40b4fc097a11d8a_acledit.dll.mui_5f932ccb | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8.manifest | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab_hid.dll.mui_cccd5ae0 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68a3391d007cd856_winmm.dll.mui_224f6445 | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
- C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe"
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
- C:\Windows\SysWOW64\vssadmin.exe
  Command line: vssadmin.exe Delete Shadows /All /Quiet
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
Network
Files
memory/2040-55-0x00000000760F1000-0x00000000760F3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-24 01:07
Reported
2022-01-24 01:24
Platform
win10-en-20211208
Max time kernel
123s
Max time network
132s
Command Line
Signatures
Deletes shadow copies
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3208 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3208 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3208 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1864 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 1864 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 1864 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c48f7b0e83fd4b4800dffd7f441854d8b68750f636d3424e37a60d550c82cd1d.exe"
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
- C:\Windows\SysWOW64\vssadmin.exe
  Command line: vssadmin.exe Delete Shadows /All /Quiet
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe