Analysis Overview
SHA256
a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2
Threat Level: Known bad
The file a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2 was found to be: Known bad.
Malicious Activity Summary
Sodin,Sodinokibi,REvil
Sodinokibi/Revil sample
Sodinokibi family
Deletes shadow copies
Enumerates connected drives
Drops file in Windows directory
Enumerates physical storage devices
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-24 01:25
Signatures
Sodinokibi family
Sodinokibi/Revil sample
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-24 01:25
Reported
2022-01-24 06:58
Platform
win7-en-20211208
Max time kernel
143s
Max time network
129s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Deletes shadow copies
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d_findnetprinters.dll_d9721533 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c26a086b301c0205.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-wbiosrvc_31bf3856ad364e35_6.1.7600.16385_none_c79503ead5aed6b0.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4e286816448a8f66_bootmgr.exe.mui_c434701f | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b5d51a51f05b818_rpcrt4.dll.mui_9745823e | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dba340d7365a2c01_slc.dll.mui_dc24f809 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_18a24a3dbedfab6e_comctl32.dll.mui_0da4e682 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ec8cf7a93a7ed3ff_dui70.dll.mui_de5f27e2 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4b7a745f30be28bb.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7601.17514_none_50ddb631e4f59005.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_6.1.7600.16385_none_da778c54413d0c9c.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_6.1.7601.17514_none_1b262ffd1219bd69.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7601.17514_none_25801b39bc00ed6c.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f653c49b01e27e2.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9b91f4c11edec673.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-hk_a74d96a66e8abfbf_comdlg32.dll.mui_ac8e62f4 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_ff2b8a4884ab92de.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_718373162933d652_ndadmin.exe.mui_2e106c3e | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7aec48ea1bde353f_iphlpapi.dll.mui_9531144c | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_07fbb9023f7f0b75_hid.dll.mui_cccd5ae0 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c2bf0e25e7a17c20.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_4a6381a588654ba6.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_5bb13085371dbcff_shell32.dll.mui_19f538b4 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_34a24d8db984d377.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ed3d9a150a4801e.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_de-de_64f4fcfff76e7869.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc6e4eb2f75bef81.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.1.7600.16385_none_04dbf9102154d42e.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-863_31bf3856ad364e35_6.1.7600.16385_none_cebf4ed4fc849c1e.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_411ad01ef696adaa.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dc840a10b75e8567.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c8f55cfc24b6b58_rascfg.dll.mui_0b036e1f | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d7cf58e8c6d01cfa_wiaservc.dll.mui_54051b53 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c5f238be3fa63468_services.exe.mui_86ea5e71 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_edf33f857603a056_wshtcpip.dll.mui_042165f9 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09d25d5db275f73d_winsockhc.dll.mui_a8a7d1fa | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_66a957f5f121da3c.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_e802953b7bce56ec_comdlg32.dll.mui_ac8e62f4 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-kartika_31bf3856ad364e35_6.1.7600.16385_none_66211148328492ad.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..update-authenticamd_31bf3856ad364e35_6.1.7600.16385_none_599889656b4ace55_mcupdate_authenticamd.dll_0c1b7cf5 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2c7f379a97f4b72.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_57ee6a4218527f7e_dhcpcsvc6.dll.mui_b45c7567 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ko-kr_1b56589636443993.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-embedding_31bf3856ad364e35_6.1.7601.17514_none_13e628b635935244.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_afc46a483dba13d4_shlwapi.dll.mui_a6436c6f | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.17514_none_f0e8f05be1d66e78_msxml3.dll_eaee1698 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aa8c8b00989fc5d5.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e8a6ad183d1aaa86_modemui.dll.mui_a710bc71 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c8a8ee4f97b7f12_sqlsoldb.chm_9573a554 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_rasser.dll_4231e658 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68d891dc840c463a.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_4863cdbaf2b532f8_tdx.sys_d0cc4fd9 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-udfs_31bf3856ad364e35_6.1.7601.17514_none_049f9db233833b25_udfs.sys_cf08a343 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aac12e1c9878d430.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18bebc54f8bc1876_dnsapi.dll.mui_97465f8a | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b12fe15175794c34.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-r..-rasmobilitymanager_31bf3856ad364e35_6.1.7600.16385_none_8819a134fb8a8d41.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ba88bec7f5c72fd7.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..-msctfime.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4725641a6a4489b7.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_145f01d8625db541_mpssvc.dll.mui_4b194b5f | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_fc675397c4309dd0_prflbmsg.dll.mui_4caa0054 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b4e9412e316844af_mlang.dll.mui_2904864a | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3f0725fa3b0fc19e_netmsg.dll.mui_ab0f7c73 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f0114c776a1a046d_mountmgr.sys.mui_71b54a25 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
"C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
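The process tree above is the part of this report a detection engineer acts on: the sample's cmd.exe child runs vssadmin Delete Shadows and two bcdedit changes in one chained command line (MITRE ATT&CK T1490, Inhibit System Recovery). The Python below is an added example, not part of the sandbox report or of the sample, that flags that chain in process-creation events. It peels the cmd.exe /c wrapper, splits the line on the &, &&, | and || operators so each chained command is matched on its own, and treats several distinct recovery-inhibition commands from one process as the higher-confidence signal. The event records and process IDs are constructed to mirror the tree above; the wmic and wbadmin rules are the other common T1490 variants and go beyond what this report shows.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str     # path of the created process
    cmdline: str   # command line exactly as logged

@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    rule: str
    command: str   # the single chained command that matched

# (image basename without .exe, pattern over that command's arguments, rule name).
# The first three are exactly what this sample ran; wmic and wbadmin are the other
# common T1490 variants (assumption: not observed in this report).
RULES = [
    ("vssadmin", re.compile(r"\bdelete\s+shadows\b", re.I), "vssadmin_delete_shadows"),
    ("bcdedit", re.compile(r"\brecoveryenabled\s+no\b", re.I), "bcdedit_recovery_disabled"),
    ("bcdedit", re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b", re.I), "bcdedit_ignore_boot_failures"),
    ("wmic", re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I), "wmic_shadowcopy_delete"),
    ("wbadmin", re.compile(r"\bdelete\s+catalog\b", re.I), "wbadmin_delete_catalog"),
]

# Leading `"C:\...\cmd.exe" /c ` (or bare `cmd /k `), any case, quoted or not.
_CMD_WRAPPER = re.compile(r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)

def unwrap_cmd(cmdline: str) -> str:
    """Strip a cmd.exe /c or /k wrapper so the commands it chains can be inspected."""
    m = _CMD_WRAPPER.match(cmdline)
    if not m:
        return cmdline
    body = cmdline[m.end():].strip()
    # cmd.exe accepts the whole /c argument inside one extra pair of quotes.
    if len(body) >= 2 and body[0] == body[-1] == '"' and body.count('"') == 2:
        body = body[1:-1]
    return body

def split_chain(cmdline: str) -> list[str]:
    """Split on cmd.exe operators (&, &&, |, ||) that sit outside double quotes."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif not in_quote and ch in "&|":
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1   # treat && and || as one separator
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def _split_command(command: str) -> tuple[str, str]:
    """Return (executable token, argument string) for one command."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:]
    exe, _, args = command.partition(" ")
    return exe.strip('"'), args

def _image_name(path: str) -> str:
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def scan_command(command: str) -> list[str]:
    """Names of the rules one individual command trips."""
    exe, args = _split_command(command)
    name = _image_name(exe)
    return [rule for image, pat, rule in RULES if image == name and pat.search(args)]

def detect(events: list[ProcessEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        for command in split_chain(unwrap_cmd(ev.cmdline)):
            for rule in scan_command(command):
                findings.append(Finding(ev.pid, ev.image, rule, command))
    return findings

def chained_pids(findings: list[Finding], minimum: int = 2) -> list[int]:
    """PIDs whose one command line tripped at least `minimum` distinct rules.
    A lone vssadmin call can be an administrator; several recovery-inhibition
    commands from one process in a row is the ransomware pattern."""
    rules_by_pid: dict[int, set[str]] = {}
    for f in findings:
        rules_by_pid.setdefault(f.pid, set()).add(f.rule)
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= minimum)

# Constructed events mirroring the process tree in this report; the PIDs are invented.
SAMPLE_BINARY = r"C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe"
SAMPLE_EVENTS = [
    ProcessEvent(524, 1200, SAMPLE_BINARY, f'"{SAMPLE_BINARY}"'),
    ProcessEvent(1804, 524, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
                 r" & bcdedit /set {default} recoveryenabled No"
                 r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcessEvent(1836, 1804, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent(1888, 600, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"pid {f.pid} {f.rule}: {f.command}")
    print("chained recovery inhibition from pid(s):", chained_pids(hits))
```

vssvc.exe, whose SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege adjustments appear in the signature table above, is deliberately not a rule: it is the Volume Shadow Copy service doing the server side of the same deletion, and it adjusts those privileges for legitimate backup operations as well. The actionable records are the client-side vssadmin and bcdedit invocations and their parent, which the example reports both individually and as a chain from the cmd.exe PID.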
Network
Files
memory/524-54-0x0000000075531000-0x0000000075533000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-24 01:25
Reported
2022-01-24 06:58
Platform
win10-en-20211208
Max time kernel
172s
Max time network
174s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Deletes shadow copies
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.15063.0_none_6c839b1516a28042.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_de-de_72ae0481be0160c2.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.15063.0_es-es_ff6a001fa544bde2.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_1a52bffe303ba629.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sl-si_40fad639bb52c987_comctl32.dll.mui_0da4e682 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_de-de_53ab704c5bfd8301_drvinst.exe.mui_e88f4c73 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.15063.0_en-us_4d64ef6218a1ebe5_nsisvc.dll.mui_237a741f | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_b324b5ac254d7072.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_b324b5ac254d7072_vdsutil.dll.mui_0caf9b0e | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.15063.0_es-es_fc6ed764690f8dcf.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_885e3a56f370809b.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_tr-tr_b4c2e4b843761379_comctl32.dll.mui_0da4e682 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_8f3419f68fe61192.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_03474fa863a84227.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.15063.0_none_b7972f79a940b072_psapi.dll_e8b5b4d1 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_es-es_d21d37cff862835d.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.15063.0_none_685fe984eaf6056e_appidsvc.dll_b571c01a | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-fileinfominifilter_31bf3856ad364e35_10.0.15063.0_none_e7c8d45e6a1c8c7b.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga852.fon_0a8e74dc | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.15063.0_de-de_c8d121395a04e07d.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.15063.0_none_0ecb907c70c8a1bf_netlogon.dll_90e0458e | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.15063.0_none_b658a5fa435968f5_workerdd.dll_a9a6f55a | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_es-es_effb6eaa34ff2c34.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_993ce3e93eba8262.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_de-de_fdf8a75c105fcf0a_umpnpmgr.dll.mui_d66aed17 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_pt-br_d6133df613164066_bootmgr.exe.mui_c434701f | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_cvgasys.fon_a23acca1 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.15063.0_en-us_97bbad8acf6a108f_lsasrv.dll.mui_d47f7e1c | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profapi_31bf3856ad364e35_10.0.15063.0_none_0f5cdf3669d57e57_profapi.dll_d55ae499 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.15063.0_none_ce6bccb1aa74baa3.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_en-us_987c8d6bc746e508_mpssvc.dll.mui_4b194b5f | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fr-ca_97104af0d7031f5b.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_7f6609be4b2dcbcf.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-lsa-extension_31bf3856ad364e35_10.0.15063.0_none_da4e3d83edc5d78f.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.15063.0_none_3816518ced62ca02_kernelbase.dll_7f3dc5f6 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_f0a3dce56b0ecafa.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5522510b24d3f7d4_fwremotesvr.dll_afaa5ea8 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.15063.0_none_ce1403c73448ec90_oleaut32.dll_730e3d41 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase_31bf3856ad364e35_10.0.15063.0_none_bf8a1f019f8c15f7.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_b6139f14f6c955d6.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_2ed22fa716fc8ba6.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_bg-bg_0db76bcd0aaf78a5_msimsg.dll.mui_72e8994f | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.15063.0_none_bc1b3f5b642099f1.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nt-core-bootmanager_31bf3856ad364e35_10.0.15063.0_none_fce6a4f7a7da6cb9.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_fc9c46454adb8ec6.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shcore_31bf3856ad364e35_10.0.15063.0_none_e1dc608f8e651b89_shcore.dll_c9cc19cc | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-us_fc172dc3df31b12e.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.15063.0_en-us_76b6693524012765_hidserv.dll.mui_561adfc8 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_es-es_1b6a375ead065e2c.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.15063.0_none_8f74af7c219a26c7_smss.exe_d7209c3a | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_en-us_96a997d1296ad733_mprdim.dll.mui_11b5ef08 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui_31bf3856ad364e35_10.0.15063.0_none_c809cce62764b8db.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_fr-fr_062dd68942622861_winhttp.dll.mui_f661192f | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_bd1d1a4af7dd55de_wiaservc.dll.mui_54051b53 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-tw_d1c976e3059aeb0e_comctl32.dll.mui_0da4e682 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_vgafixt.fon_de219118 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_577e152805b98c1f.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.15063.0_none_7c75c42fae043d1e_winhttp.dll_6cd72d6e | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_0bafa5afe5ef93e0.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.15063.0_de-de_7a7bbe6b4471ea21.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_de-de_532657caf053a569.manifest | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga737.fon_11d63f16 | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2300 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2300 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2300 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3572 wrote to memory of 1624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 3572 wrote to memory of 1624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 3572 wrote to memory of 1624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
"C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe