Malware Analysis Report

2025-01-18 18:52

Sample ID 220124-btgn5shef8
Target a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e
SHA256 a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e
Tags: sodinokibi, ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e

Threat Level: Known bad

The file a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e was found to be: Known bad.

Malicious Activity Summary

Tags: sodinokibi, ransomware

Sodinokibi/Revil sample

Sodin, Sodinokibi, REvil

Sodinokibi family

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:25

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:25

Reported

2022-01-24 06:59

Platform

win7-en-20211208

Max time kernel

151s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\SearchSync.tiff | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File renamed | C:\Users\Admin\Pictures\InvokePush.tiff => C:\Users\Admin\Pictures\InvokePush.tiff.ssf707bc5 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File renamed | C:\Users\Admin\Pictures\OutPublish.raw => C:\Users\Admin\Pictures\OutPublish.raw.ssf707bc5 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File renamed | C:\Users\Admin\Pictures\RestoreStop.png => C:\Users\Admin\Pictures\RestoreStop.png.ssf707bc5 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\InvokePush.tiff | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File renamed | C:\Users\Admin\Pictures\SaveClear.tif => C:\Users\Admin\Pictures\SaveClear.tif.ssf707bc5 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File renamed | C:\Users\Admin\Pictures\SearchSync.tiff => C:\Users\Admin\Pictures\SearchSync.tiff.ssf707bc5 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File renamed | C:\Users\Admin\Pictures\SyncClear.crw => C:\Users\Admin\Pictures\SyncClear.crw.ssf707bc5 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnblockDeny.png => C:\Users\Admin\Pictures\UnblockDeny.png.ssf707bc5 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConnectClose.tif => C:\Users\Admin\Pictures\ConnectClose.tif.ssf707bc5 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Windows Mail\en-US\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00419_.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0293832.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Oral | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00391_.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files\DVD Maker\fr-FR\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Installed_resources14.xss | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\mux\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107288.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART9.BDR | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_right.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\video_filter\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105526.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01750_.GIF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02122_.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL096.XML | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\gadget.xml | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01637_.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0158007.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXT | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15275_.GIF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15184_.GIF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.ELM | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\ssf707bc5-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03795_.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe

"C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/1164-54-0x0000000076491000-0x0000000076493000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:25

Reported

2022-01-24 06:59

Platform

win10-en-20211208

Max time kernel

168s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe"

Signatures

Sodin, Sodinokibi, REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\GetOut.png => C:\Users\Admin\Pictures\GetOut.png.h04u1 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File renamed | C:\Users\Admin\Pictures\MeasureEnter.raw => C:\Users\Admin\Pictures\MeasureEnter.raw.h04u1 | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-fullcolor.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-white_scale-100.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\h04u1-readme.txt | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10912_48x48x32.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\SmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5666_24x24x32.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_1c.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Lollipop.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shuttle.3mf | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\WideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_SplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.Services.winmd | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gu_60x42.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Go-for_the_Gold_Unearned_small.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\lobby_deck_style_classic.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\OneConnectLargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-80.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif | C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe | N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_contrast-black.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eyebrow.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\h04u1-readme.txt C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireLargeTile.scale-200.jpg C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\h04u1-readme.txt C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1937_36x36x32.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\sunmscapi.jar C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\highfive.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe\logo.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2210_40x40x32.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gf_16x11.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\iq_16x11.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\h04u1-readme.txt C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\MapLightTheme.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.format.ps1xml C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\h04u1-readme.txt C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe

"C:\Users\Admin\AppData\Local\Temp\a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

N/A