Malware Analysis Report

2025-01-18 18:34

Sample ID: 220124-btlyvshdhq
Target: a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a
SHA256: a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a
Tags: 17 11 sodinokibi ransomware spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a

Threat Level: Known bad

The file a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a was found to be: Known bad.

Malicious Activity Summary

17 11 sodinokibi ransomware spyware stealer

Sodinokibi/Revil sample

Sodin,Sodinokibi,REvil

Sodinokibi family

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-24 01:26

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample


Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-24 01:26

Reported: 2022-01-24 06:59

Platform: win7-en-20211208

Max time kernel: 122s

Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ExitClose.png => C:\Users\Admin\Pictures\ExitClose.png.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveEnter.tiff => C:\Users\Admin\Pictures\ResolveEnter.tiff.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResolveEnter.tiff C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromGet.crw => C:\Users\Admin\Pictures\ConvertFromGet.crw.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\PushInitialize.crw => C:\Users\Admin\Pictures\PushInitialize.crw.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\ReceiveRename.png => C:\Users\Admin\Pictures\ReceiveRename.png.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\TestSkip.tif => C:\Users\Admin\Pictures\TestSkip.tif.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File opened for modification C:\Users\Admin\Pictures\InvokeSearch.tiff C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeSearch.tiff => C:\Users\Admin\Pictures\InvokeSearch.tiff.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\OpenRestore.crw => C:\Users\Admin\Pictures\OpenRestore.crw.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\ReadUndo.crw => C:\Users\Admin\Pictures\ReadUndo.crw.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\EnableClose.raw => C:\Users\Admin\Pictures\EnableClose.raw.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendGrant.raw => C:\Users\Admin\Pictures\SuspendGrant.raw.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A
File renamed C:\Users\Admin\Pictures\SyncLimit.png => C:\Users\Admin\Pictures\SyncLimit.png.g1r6cn8 C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives


Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3vv9cbu305p1.bmp" C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe N/A

Drops file in Windows directory


Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

"C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
BE 67.27.153.254:80 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2022-01-24 01:26

Reported: 2022-01-24 06:59

Platform: win10-en-20211208

Max time kernel: 162s

Max time network: 176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Enumerates connected drives


Drops file in Windows directory

Description Indicator Process Target

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

"C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 oneocsp.microsoft.com udp
US 204.79.197.203:80 oneocsp.microsoft.com tcp

Files

memory/1300-119-0x0000000000F90000-0x0000000000F91000-memory.dmp

memory/1300-118-0x0000000000F60000-0x0000000000F83000-memory.dmp

memory/1300-120-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/1300-121-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/1300-122-0x00000000026C0000-0x00000000026C6000-memory.dmp