Malware Analysis Report

2025-01-18 19:27

Sample ID 220124-btdbqahdhp
Target a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2
SHA256 a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2
Tags
sodinokibi ransomware 19 29
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2

Threat Level: Known bad

The file a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2 was found to be: Known bad.

Malicious Activity Summary

sodinokibi ransomware 19 29

Sodin,Sodinokibi,REvil

Sodinokibi/Revil sample

Sodinokibi family

Deletes shadow copies

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:25

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:25

Reported

2022-01-24 06:58

Platform

win7-en-20211208

Max time kernel

143s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d_findnetprinters.dll_d9721533 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c26a086b301c0205.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-wbiosrvc_31bf3856ad364e35_6.1.7600.16385_none_c79503ead5aed6b0.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4e286816448a8f66_bootmgr.exe.mui_c434701f C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b5d51a51f05b818_rpcrt4.dll.mui_9745823e C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dba340d7365a2c01_slc.dll.mui_dc24f809 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_18a24a3dbedfab6e_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ec8cf7a93a7ed3ff_dui70.dll.mui_de5f27e2 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4b7a745f30be28bb.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7601.17514_none_50ddb631e4f59005.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_6.1.7600.16385_none_da778c54413d0c9c.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_6.1.7601.17514_none_1b262ffd1219bd69.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7601.17514_none_25801b39bc00ed6c.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f653c49b01e27e2.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9b91f4c11edec673.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-hk_a74d96a66e8abfbf_comdlg32.dll.mui_ac8e62f4 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_ff2b8a4884ab92de.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_718373162933d652_ndadmin.exe.mui_2e106c3e C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7aec48ea1bde353f_iphlpapi.dll.mui_9531144c C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_07fbb9023f7f0b75_hid.dll.mui_cccd5ae0 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c2bf0e25e7a17c20.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_4a6381a588654ba6.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_5bb13085371dbcff_shell32.dll.mui_19f538b4 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_34a24d8db984d377.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ed3d9a150a4801e.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_de-de_64f4fcfff76e7869.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc6e4eb2f75bef81.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.1.7600.16385_none_04dbf9102154d42e.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-863_31bf3856ad364e35_6.1.7600.16385_none_cebf4ed4fc849c1e.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_411ad01ef696adaa.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dc840a10b75e8567.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c8f55cfc24b6b58_rascfg.dll.mui_0b036e1f C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d7cf58e8c6d01cfa_wiaservc.dll.mui_54051b53 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c5f238be3fa63468_services.exe.mui_86ea5e71 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_edf33f857603a056_wshtcpip.dll.mui_042165f9 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09d25d5db275f73d_winsockhc.dll.mui_a8a7d1fa C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_66a957f5f121da3c.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_e802953b7bce56ec_comdlg32.dll.mui_ac8e62f4 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-kartika_31bf3856ad364e35_6.1.7600.16385_none_66211148328492ad.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..update-authenticamd_31bf3856ad364e35_6.1.7600.16385_none_599889656b4ace55_mcupdate_authenticamd.dll_0c1b7cf5 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2c7f379a97f4b72.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_57ee6a4218527f7e_dhcpcsvc6.dll.mui_b45c7567 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ko-kr_1b56589636443993.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-embedding_31bf3856ad364e35_6.1.7601.17514_none_13e628b635935244.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_afc46a483dba13d4_shlwapi.dll.mui_a6436c6f C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.17514_none_f0e8f05be1d66e78_msxml3.dll_eaee1698 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aa8c8b00989fc5d5.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e8a6ad183d1aaa86_modemui.dll.mui_a710bc71 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c8a8ee4f97b7f12_sqlsoldb.chm_9573a554 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_rasser.dll_4231e658 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68d891dc840c463a.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_4863cdbaf2b532f8_tdx.sys_d0cc4fd9 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-udfs_31bf3856ad364e35_6.1.7601.17514_none_049f9db233833b25_udfs.sys_cf08a343 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aac12e1c9878d430.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18bebc54f8bc1876_dnsapi.dll.mui_97465f8a C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b12fe15175794c34.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-r..-rasmobilitymanager_31bf3856ad364e35_6.1.7600.16385_none_8819a134fb8a8d41.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ba88bec7f5c72fd7.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..-msctfime.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4725641a6a4489b7.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_145f01d8625db541_mpssvc.dll.mui_4b194b5f C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_fc675397c4309dd0_prflbmsg.dll.mui_4caa0054 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b4e9412e316844af_mlang.dll.mui_2904864a C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3f0725fa3b0fc19e_netmsg.dll.mui_ab0f7c73 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f0114c776a1a046d_mountmgr.sys.mui_71b54a25 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe

"C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
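
The process tree above is the report's key detection point: the sample spawns cmd.exe with a single chained command line (vssadmin.exe Delete Shadows /All /Quiet, then two bcdedit /set {default} calls that disable Windows recovery and suppress boot-failure handling), and cmd.exe in turn spawns vssadmin.exe. The three SeBackupPrivilege/SeRestorePrivilege/SeAuditPrivilege rows under "Suspicious use of AdjustPrivilegeToken" belong to vssvc.exe, the Volume Shadow Copy service that carries out the request, so a detection should key on the requesting command lines and attribute them to the parent tree rather than on vssvc.exe's own privilege use. The following is an added example, not part of the sandbox report or of any vendor's detection content: it runs three command-line rules plus a drive-letter sweep rule (modelled on the "Enumerates connected drives" table, where every letter except C: and D: is opened) over constructed Sysmon-style event records, then rolls the hits up to the root process of each tree. The event dictionaries, PIDs, the explorer.exe control rows and the sweep threshold are assumptions made for the example; the wmic shadowcopy delete alternative and the {current} BCD identifier go beyond what this page shows and are included as a deliberate generalization.

```python
import re
from collections import defaultdict

# Constructed events modelled on the process tree and drive-letter opens listed
# in this report. They are not the sandbox's raw logs; PIDs and the explorer.exe
# control rows are invented for the example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe")
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    {"kind": "process", "pid": 524, "ppid": 400, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"kind": "process", "pid": 1100, "ppid": 524, "image": CMD_EXE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
                r' & bcdedit /set {default} recoveryenabled No'
                r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"kind": "process", "pid": 1120, "ppid": 1100, "image": VSSADMIN,
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Benign control: explorer.exe touching two drive roots must not fire the sweep rule.
    {"kind": "file_open", "pid": 900, "image": EXPLORER, "path": r"\??\C:"},
    {"kind": "file_open", "pid": 900, "image": EXPLORER, "path": r"\??\D:"},
]
# The sample opened every drive letter except C: and D: (see the
# "Enumerates connected drives" table); reproduce that as 24 file-open events.
SAMPLE_EVENTS += [
    {"kind": "file_open", "pid": 524, "image": SAMPLE, "path": "\\??\\" + letter + ":"}
    for letter in "ABEFGHIJKLMNOPQRSTUVWXYZ"
]

# Command-line rules. Each is evaluated against every process-creation event on
# its own, so the chained cmd.exe line and the child vssadmin.exe line both fire.
COMMAND_RULES = {
    "shadow_copy_delete": re.compile(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I),
    "bcd_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{[^}]+\}\s+recoveryenabled\s+no\b", re.I),
    "bcd_ignore_boot_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{[^}]+\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}
# Matches a bare drive root in either NT (\??\E:) or Win32 (E:\) form.
DRIVE_ROOT = re.compile(r"^(?:\\\?\?\\)?([A-Z]):\\?$", re.I)
DRIVE_SWEEP_THRESHOLD = 8  # distinct drive roots one process must open to count as a sweep


def detect(events, sweep_threshold=DRIVE_SWEEP_THRESHOLD):
    """Return one finding dict per rule hit: rule, pid, image and the matched evidence."""
    findings = []
    drives_by_pid = defaultdict(set)
    image_by_pid = {}
    for ev in events:
        image_by_pid.setdefault(ev["pid"], ev["image"])
        if ev["kind"] == "process":
            for rule, rx in COMMAND_RULES.items():
                m = rx.search(ev["cmdline"])
                if m:
                    findings.append({"rule": rule, "pid": ev["pid"],
                                     "image": ev["image"], "evidence": m.group(0)})
        elif ev["kind"] == "file_open":
            m = DRIVE_ROOT.match(ev["path"])
            if m:
                drives_by_pid[ev["pid"]].add(m.group(1).upper())
    for pid, drives in drives_by_pid.items():
        if len(drives) >= sweep_threshold:
            findings.append({"rule": "drive_letter_sweep", "pid": pid,
                             "image": image_by_pid[pid], "evidence": "".join(sorted(drives))})
    return findings


def root_of(pid, parent_of):
    """Walk ppid links up to the topmost process we have a creation event for."""
    seen = set()
    while pid in parent_of and parent_of[pid] in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def findings_by_root(events, **kwargs):
    """Group rule names by the root of the process tree they came from, so the
    shadow-copy and BCD commands run by cmd.exe are attributed to the sample."""
    parent_of = {ev["pid"]: ev["ppid"] for ev in events if ev["kind"] == "process"}
    grouped = defaultdict(set)
    for f in detect(events, **kwargs):
        grouped[root_of(f["pid"], parent_of)].add(f["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:<26} pid={f['pid']:<5} {f['evidence']}")
    print(findings_by_root(SAMPLE_EVENTS))
```

On the constructed input the three command-line rules fire twice for shadow deletion (cmd.exe and its vssadmin.exe child) and once each for the bcdedit settings, the sweep rule fires once for the sample process, and the roll-up attributes all four rule names to the sample's PID while the explorer.exe control produces nothing. In production the same rules map onto Sysmon Event ID 1 (CommandLine, ParentProcessId) and a file-open source such as Sysmon Event ID 11 or an EDR file telemetry feed; tune DRIVE_SWEEP_THRESHOLD against backup agents and disk-management tools that legitimately enumerate volumes.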

Network

N/A

Files

memory/524-54-0x0000000075531000-0x0000000075533000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:25

Reported

2022-01-24 06:58

Platform

win10-en-20211208

Max time kernel

172s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.15063.0_none_6c839b1516a28042.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_de-de_72ae0481be0160c2.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.15063.0_es-es_ff6a001fa544bde2.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_1a52bffe303ba629.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sl-si_40fad639bb52c987_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_de-de_53ab704c5bfd8301_drvinst.exe.mui_e88f4c73 C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4.manifest C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe

"C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

N/A