Malware Analysis Report

2025-01-18 18:54

Sample ID 220130-jsp8wshafn
Target 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6
SHA256 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6
Tags
sodinokibi ransomware 20 47
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6

Threat Level: Known bad

The file 245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6 was found to be: Known bad.

Malicious Activity Summary

sodinokibi ransomware 20 47

Sodinokibi/Revil sample

Sodin,Sodinokibi,REvil

Sodinokibi family

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-30 07:56

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-30 07:56

Reported

2022-01-30 13:08

Platform

win7-en-20211208

Max time kernel

141s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\InvokeUnblock.tif => \??\c:\users\admin\pictures\InvokeUnblock.tif.ysc1r6lz6c C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeEnter.tif => \??\c:\users\admin\pictures\RevokeEnter.tif.ysc1r6lz6c C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nrf61e6o79ju4.bmp" C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\DismountDisable.wax C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ExitAdd.midi C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\ysc1r6lz6c-readme.txt C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\ysc1r6lz6c-readme.txt C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\ysc1r6lz6c-readme.txt C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ClearStep.docm C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ReceiveEnable.vsdm C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\RemoveStop.mpeg2 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files\ysc1r6lz6c-readme.txt C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\InitializeEnable.ttc C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\MergeInitialize.php C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\23ed88b0.lock C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files\23ed88b0.lock C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\AssertResume.gif C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ConvertToTrace.wmf C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\DebugUnlock.odp C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\DenyDisconnect.midi C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\RedoDebug.xlsx C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ResolveOpen.wdp C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\SyncExit.wma C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\23ed88b0.lock C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ConvertToRead.vsd C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\23ed88b0.lock C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\ysc1r6lz6c-readme.txt C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\23ed88b0.lock C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 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 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
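
The Blob values in this table are Windows CAPI serialized certificate contexts: a sequence of records, each a little-endian DWORD property id, a DWORD reserved field (always 1), a DWORD length and the data. The D1EB23A46D17D68FD92564C2F1F1601764D8E349 entry decodes to the Comodo "AAA Certificate Services" root (the strings "Comodo CA Limited" and "AAA Certificate Services" are readable in the hex of the 0x20 record), and A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the thumbprint of the DigiCert Global Root CA. Both are public roots that Windows writes into AuthRoot on demand through automatic root update when a TLS chain needs them, which the HTTPS connections in the Network section below will trigger on a fresh sandbox image. The signature is therefore consistent with a side effect of the sample's network activity rather than a planted root; confirm that by decoding the blob and checking that the key name is the SHA-1 of the embedded certificate instead of trusting the "evasion spyware trojan" tag. The decoder below is an added example and not part of the report or of any sandbox tooling. The property-id names come from wincrypt.h; the sample blob is constructed (the friendly-name record is copied from the row above, the certificate record is placeholder bytes rather than a real certificate, and the SHA-1 record is computed from those bytes); key_name_matches_cert and build_blob are hypothetical helper names.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# Property identifiers from wincrypt.h for the records that occur in the blobs in this report.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}


def parse_cert_blob(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a serialized certificate context into (prop_id, data) records.
    Each record is DWORD prop_id, DWORD reserved (always 1), DWORD length, then the data."""
    records = []
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record 0x{prop_id:x} at offset {off - 12}")
        records.append((prop_id, blob[off:off + length]))
        off += length
    return records


def summarize_blob(blob: bytes) -> Dict[str, object]:
    """Friendly name, stored SHA-1, embedded DER certificate and the SHA-1 recomputed from it."""
    records = parse_cert_blob(blob)
    by_id = dict(records)
    cert = by_id.get(0x20, b"")
    return {
        "properties": [PROP_NAMES.get(p, f"unknown_0x{p:x}") for p, _ in records],
        "friendly_name": by_id.get(0x0B, b"").decode("utf-16-le").rstrip("\x00"),
        "stored_sha1": by_id.get(0x03, b"").hex(),
        "computed_sha1": hashlib.sha1(cert).hexdigest() if cert else "",
        "cert_der": cert,
    }


def key_name_matches_cert(registry_key: str, blob: bytes) -> bool:
    """CAPI names the key ...\\Certificates\\<SHA-1 of the DER cert>. If the key name, the stored
    hash and the recomputed hash disagree, the entry was not written through the normal store
    API and deserves a closer look."""
    thumbprint = registry_key.rstrip("\\").rsplit("\\", 1)[-1].lower()
    s = summarize_blob(blob)
    return bool(s["computed_sha1"]) and thumbprint == s["computed_sha1"] == s["stored_sha1"]


def build_blob(records: List[Tuple[int, bytes]]) -> bytes:
    """Serialize records in the same layout; used only to construct the sample below."""
    return b"".join(struct.pack("<III", p, 1, len(d)) + d for p, d in records)


# Constructed sample. The friendly-name record is copied from the AuthRoot row above; the
# certificate record is placeholder bytes, NOT a real certificate, so the blob stays short,
# and the SHA-1 record is computed from those placeholder bytes.
FAKE_CERT_DER = b"\x30\x82\x00\x10" + bytes(range(16))
SAMPLE_BLOB = build_blob([
    (0x0B, bytes.fromhex("4300b7004f00b7004d00b7004f00b7004400b7004f000000")),  # C·O·M·O·D·O
    (0x03, hashlib.sha1(FAKE_CERT_DER).digest()),
    (0x20, FAKE_CERT_DER),
])
SAMPLE_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
              + "\\" + hashlib.sha1(FAKE_CERT_DER).hexdigest().upper())

if __name__ == "__main__":
    info = summarize_blob(SAMPLE_BLOB)
    print(info["friendly_name"], info["properties"], key_name_matches_cert(SAMPLE_KEY, SAMPLE_BLOB))
```

To use it on the rows above, hex-decode the Blob value with bytes.fromhex and pass the key path from the same row; the cert_der field can then be handed to any X.509 parser to read the issuer and validity.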

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe

"C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
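
The cmd.exe command line above is the sample's recovery-inhibition step (ATT&CK T1490, Inhibit System Recovery): it deletes every shadow copy, then changes the default boot entry so that Windows neither launches recovery nor stops on a boot failure. The privilege adjustments attributed to vssvc.exe in the AdjustPrivilegeToken table are the Volume Shadow Copy service enabling its own backup, restore and audit privileges while it services that vssadmin request; that is normal service behaviour, not the sample manipulating tokens, and the actionable indicator is the chained command itself. The detector below is an added example, not part of the sandbox or the report: it strips the cmd.exe /c prefix, splits the chain on & and matches each part against patterns for the commands seen here plus the wmic and PowerShell equivalents (an added generalization), over constructed process-creation events whose first two command lines are copied from the Processes list above. The rule names and event field names are assumptions.

```python
import re
from typing import Dict, List

# Recovery-inhibition patterns (ATT&CK T1490). The first three match the commands this sample
# chained through cmd.exe; the wmic and PowerShell rules are an added generalization.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell_shadowcopy_delete", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]
TECHNIQUE = "T1490"

# Leading '"C:\...\cmd.exe" /c ' or 'cmd /k ' wrapper, quoted or not.
CMD_PREFIX = re.compile(r'^\s*"?[^"]*?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)


def split_chain(cmdline: str) -> List[str]:
    """'"...\\cmd.exe" /c a & b && c' -> ['a', 'b', 'c']; a bare command comes back as one item."""
    body = CMD_PREFIX.sub("", cmdline, count=1)
    return [p.strip() for p in re.split(r"\s*&&?\s*", body) if p.strip()]


def scan_event(event: Dict[str, object]) -> List[Dict[str, object]]:
    """One hit per (chained command, rule) match for a single process-creation event."""
    hits = []
    for part in split_chain(str(event["cmdline"])):
        for rule, pattern in RULES:
            if pattern.search(part):
                hits.append({"pid": event.get("pid"), "image": event.get("image"),
                             "rule": rule, "technique": TECHNIQUE, "command": part})
    return hits


def severity(hits: List[Dict[str, object]]) -> str:
    """Two or more distinct rules in one event is the chained form seen here: treat as high."""
    rules = {h["rule"] for h in hits}
    return "high" if len(rules) >= 2 else "medium" if rules else "none"


def scan_events(events: List[Dict[str, object]]) -> Dict[object, tuple]:
    """pid -> (severity, hits) for every event that triggered at least one rule."""
    out = {}
    for e in events:
        hits = scan_event(e)
        if hits:
            out[e.get("pid")] = (severity(hits), hits)
    return out


# Constructed process-creation events (Sysmon Event ID 1 style). The first two command lines
# are copied from the Processes list above; the last two are benign controls.
SAMPLE_EVENTS = [
    {"pid": 1, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & '
                r'bcdedit /set {default} recoveryenabled No & '
                r'bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 2, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 3, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 4, "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /enum {default}"},
]

if __name__ == "__main__":
    for pid, (sev, hits) in scan_events(SAMPLE_EVENTS).items():
        print(pid, sev, [h["rule"] for h in hits])
```

The split-then-match approach matters because a single regex over the whole command line would fire once; counting distinct rules per event is what separates the chained ransomware form from an administrator running one vssadmin command.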

Network

Country Destination Domain Proto
US 8.8.8.8:53 monstarrsoccer.com udp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 8.8.8.8:53 keuken-prijs.nl udp
NL 185.95.44.62:443 keuken-prijs.nl tcp
NL 185.95.44.62:443 keuken-prijs.nl tcp
US 8.8.8.8:53 chris-anne.com udp
US 192.124.249.118:443 chris-anne.com tcp
US 192.124.249.118:443 chris-anne.com tcp
US 8.8.8.8:53 polynine.com udp
IN 13.126.239.8:443 polynine.com tcp
US 8.8.8.8:53 direitapernambuco.com udp
US 8.8.8.8:53 albcleaner.fr udp
FR 188.165.112.23:443 albcleaner.fr tcp
US 8.8.8.8:53 www.albcleaner.fr udp
FR 188.165.112.23:443 www.albcleaner.fr tcp
US 8.8.8.8:53 eshop.design udp
DE 64.190.62.111:443 eshop.design tcp
US 8.8.8.8:53 pourlabretagne.bzh udp
FR 135.125.16.232:443 pourlabretagne.bzh tcp
FR 135.125.16.232:443 pourlabretagne.bzh tcp
US 8.8.8.8:53 smartworkplaza.com udp
FI 31.217.192.177:443 smartworkplaza.com tcp
FI 31.217.192.177:443 smartworkplaza.com tcp
US 8.8.8.8:53 bescomedical.de udp
DE 185.233.54.65:443 bescomedical.de tcp
DE 185.233.54.65:443 bescomedical.de tcp
US 8.8.8.8:53 wineandgo.hu udp
HU 77.111.95.167:443 wineandgo.hu tcp
HU 77.111.95.167:443 wineandgo.hu tcp
US 8.8.8.8:53 agenceassemble.fr udp
FR 87.98.150.35:443 agenceassemble.fr tcp
US 8.8.8.8:53 computer-place.de udp
DE 85.214.125.43:443 computer-place.de tcp
DE 85.214.125.43:443 computer-place.de tcp
US 8.8.8.8:53 bellesiniacademy.org udp
US 198.71.233.64:443 bellesiniacademy.org tcp
US 198.71.233.64:443 bellesiniacademy.org tcp
US 8.8.8.8:53 quitescorting.com udp
US 8.8.8.8:53 bodymindchallenger.com udp
US 8.8.8.8:53 rino-gmbh.com udp
DE 212.90.148.124:443 rino-gmbh.com tcp
DE 212.90.148.124:443 rino-gmbh.com tcp
US 8.8.8.8:53 lidkopingsnytt.nu udp
SE 185.35.236.51:443 lidkopingsnytt.nu tcp
SE 185.35.236.51:443 lidkopingsnytt.nu tcp
US 8.8.8.8:53 goddardleadership.org udp
US 172.80.63.61:443 goddardleadership.org tcp
US 8.8.8.8:53 profiz.com udp
FI 31.217.192.121:443 profiz.com tcp
FI 31.217.192.121:443 profiz.com tcp
US 8.8.8.8:53 buerocenter-butzbach-werbemittel.de udp
US 8.8.8.8:53 dennisverschuur.com udp
DK 46.30.215.120:443 dennisverschuur.com tcp
DK 46.30.215.120:443 dennisverschuur.com tcp
US 8.8.8.8:53 thehovecounsellingpractice.co.uk udp
US 170.39.76.102:443 thehovecounsellingpractice.co.uk tcp
US 170.39.76.102:443 thehovecounsellingpractice.co.uk tcp
US 8.8.8.8:53 projektparkiet.pl udp
US 104.21.35.9:443 projektparkiet.pl tcp
US 8.8.8.8:53 hospitalitytrainingsolutions.co.uk udp
GB 178.79.130.40:443 hospitalitytrainingsolutions.co.uk tcp
GB 178.79.130.40:443 hospitalitytrainingsolutions.co.uk tcp
US 8.8.8.8:53 cuadc.org udp
GB 131.111.179.82:443 cuadc.org tcp
GB 131.111.179.82:443 cuadc.org tcp
US 8.8.8.8:53 malzomattalar.com udp
DE 195.201.15.240:443 malzomattalar.com tcp
DE 195.201.15.240:443 malzomattalar.com tcp
US 8.8.8.8:53 astrographic.com udp
CA 104.152.168.46:443 astrographic.com tcp
CA 104.152.168.46:443 astrographic.com tcp
US 8.8.8.8:53 zuerich-umzug.ch udp
CH 149.126.4.46:443 zuerich-umzug.ch tcp
CH 149.126.4.46:443 zuerich-umzug.ch tcp
US 8.8.8.8:53 t3brothers.com udp
US 8.8.8.8:53 mrcar.nl udp
NL 37.34.48.68:443 mrcar.nl tcp
US 8.8.8.8:53 gardenpartner.pl udp
PL 109.95.158.173:443 gardenpartner.pl tcp
US 8.8.8.8:53 richardiv.com udp
US 35.208.109.165:443 richardiv.com tcp
US 35.208.109.165:443 richardiv.com tcp
US 8.8.8.8:53 birthplacemag.com udp
US 173.236.246.195:443 birthplacemag.com tcp
US 173.236.246.195:443 birthplacemag.com tcp
US 8.8.8.8:53 furland.ru udp
RU 31.31.196.191:443 furland.ru tcp
RU 31.31.196.191:443 furland.ru tcp
US 8.8.8.8:53 shortysspices.com udp
CA 104.152.168.42:443 shortysspices.com tcp
CA 104.152.168.42:443 shortysspices.com tcp
US 8.8.8.8:53 cascinarosa33.it udp
FR 217.70.186.111:443 cascinarosa33.it tcp
US 8.8.8.8:53 colored-shelves.com udp
US 8.8.8.8:53 clemenfoto.dk udp
DK 46.30.215.230:443 clemenfoto.dk tcp
DK 46.30.215.230:443 clemenfoto.dk tcp
US 8.8.8.8:53 craftingalegacy.com udp
US 50.87.136.52:443 craftingalegacy.com tcp
US 50.87.136.52:443 craftingalegacy.com tcp
US 8.8.8.8:53 istantidigitali.com udp
IT 89.40.173.167:443 istantidigitali.com tcp
US 8.8.8.8:53 nuohous.com udp
FI 185.55.85.6:443 nuohous.com tcp
US 8.8.8.8:53 camini.fi udp
FI 95.217.170.222:443 camini.fi tcp
FI 95.217.170.222:443 camini.fi tcp
US 8.8.8.8:53 triavlete.com udp
US 8.8.8.8:53 selected-minds.de udp
DE 217.160.0.92:443 selected-minds.de tcp
DE 217.160.0.92:443 selected-minds.de tcp
US 8.8.8.8:53 eventosvirtualesexitosos.com udp
US 165.227.207.223:443 eventosvirtualesexitosos.com tcp
US 8.8.8.8:53 gratiocafeblog.wordpress.com udp
US 192.0.78.12:443 gratiocafeblog.wordpress.com tcp
US 192.0.78.12:443 gratiocafeblog.wordpress.com tcp
US 8.8.8.8:53 juergenblaetz.de udp
DE 185.30.32.169:443 juergenblaetz.de tcp
DE 185.30.32.169:443 juergenblaetz.de tcp
US 8.8.8.8:53 ruggestar.ch udp
CH 92.43.216.137:443 ruggestar.ch tcp
US 8.8.8.8:53 schulz-moelln.de udp
DE 212.53.130.250:443 schulz-moelln.de tcp
DE 212.53.130.250:443 schulz-moelln.de tcp
US 8.8.8.8:53 trainiumacademy.com udp
SG 35.213.151.161:443 trainiumacademy.com tcp
SG 35.213.151.161:443 trainiumacademy.com tcp
US 8.8.8.8:53 thiagoperez.com udp
US 209.133.222.158:443 thiagoperez.com tcp
US 209.133.222.158:443 thiagoperez.com tcp
US 8.8.8.8:53 billigeflybilletter.dk udp
DK 94.231.103.92:443 billigeflybilletter.dk tcp
DK 94.231.103.92:443 billigeflybilletter.dk tcp
US 8.8.8.8:53 docarefoundation.org udp
US 162.241.244.141:443 docarefoundation.org tcp
US 162.241.244.141:443 docarefoundation.org tcp
US 8.8.8.8:53 innervisions-id.com udp
GB 95.215.225.4:443 innervisions-id.com tcp
GB 95.215.225.4:443 innervisions-id.com tcp
US 8.8.8.8:53 vitoriaecoturismo.com.br udp
US 209.145.52.46:443 vitoriaecoturismo.com.br tcp
US 209.145.52.46:443 vitoriaecoturismo.com.br tcp
US 8.8.8.8:53 b3b.ch udp
CH 83.166.128.63:443 b3b.ch tcp
CH 83.166.128.63:443 b3b.ch tcp
US 8.8.8.8:53 ceocenters.com udp
US 188.114.96.0:443 ceocenters.com tcp
US 8.8.8.8:53 stage-infirmier.fr udp
FR 46.105.39.239:443 stage-infirmier.fr tcp
US 8.8.8.8:53 letsstopsmoking.co.uk udp
GB 62.182.18.149:443 letsstopsmoking.co.uk tcp
GB 62.182.18.149:443 letsstopsmoking.co.uk tcp
US 8.8.8.8:53 customroasts.com udp
US 35.209.109.205:443 customroasts.com tcp
US 35.209.109.205:443 customroasts.com tcp
US 8.8.8.8:53 elliemaccreative.wordpress.com udp
US 192.0.78.13:443 elliemaccreative.wordpress.com tcp
US 192.0.78.13:443 elliemaccreative.wordpress.com tcp
US 8.8.8.8:53 renehartman.nl udp
NL 82.94.246.8:443 renehartman.nl tcp
NL 82.94.246.8:443 renehartman.nl tcp
US 8.8.8.8:53 neonodi.be udp
FR 185.98.131.132:443 neonodi.be tcp
US 8.8.8.8:53 ziliak.com udp
US 184.154.119.210:443 ziliak.com tcp
US 184.154.119.210:443 ziliak.com tcp
US 8.8.8.8:53 neolaiamedispa.com udp
US 8.8.8.8:53 bakingismyyoga.com udp
US 15.197.142.173:443 bakingismyyoga.com tcp
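
The Network table is the sample's call-home: after each DNS lookup it opens one or two TLS connections on port 443 to that host and moves on, working through dozens of unrelated sites in many countries inside the 168-second capture, with a few names resolved but never connected to. REvil carries this domain list in its embedded configuration and most of the names are ordinary websites, so blocking them one by one buys little; the detection value is the fan-out pattern (one process, many unrelated HTTPS destinations in a short window), and the per-host addresses belong on a watch list rather than a block list. The helper below is an added example, not part of the report: it parses rows in the table's own four-column layout, runs over a constructed subset of the rows above, and the fan-out thresholds and the two-label approximation of a registered domain are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def parse_rows(table: str) -> List[Dict[str, object]]:
    """Parse the report's 'Country Destination Domain Proto' rows."""
    rows = []
    for line in table.strip().splitlines():
        cc, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain.lower(), "proto": proto})
    return rows


def registered_name(domain: str) -> str:
    """Crude eTLD+1 (last two labels); enough to fold www.x and x together for this list."""
    return ".".join(domain.split(".")[-2:])


def profile_network(rows: List[Dict[str, object]], min_sites: int = 10,
                    min_countries: int = 5) -> Dict[str, object]:
    """Separate lookups from connections and summarize the spread of the connections."""
    resolved: Set[str] = set()
    connected: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    countries: Set[str] = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            resolved.add(r["domain"])
        elif r["proto"] == "tcp":
            connected[r["domain"]].add((r["ip"], r["port"]))
            countries.add(r["cc"])
    sites = {registered_name(d) for d in connected}
    return {
        "resolved": len(resolved),
        "connected": len(connected),
        "sites": len(sites),
        "countries": len(countries),
        # Looked up but never connected: either unresolvable or filtered by the sandbox.
        "resolved_without_connection": sorted(resolved - set(connected)),
        "non_https": sorted(d for d, eps in connected.items() if any(p != 443 for _, p in eps)),
        "watchlist": sorted({ip for eps in connected.values() for ip, _ in eps}),
        # Assumed thresholds: many distinct sites across many countries from one process.
        "fanout": len(sites) >= min_sites and len(countries) >= min_countries,
    }


# Constructed subset of the Network rows above, in the table's own layout.
SAMPLE_TABLE = """
US 8.8.8.8:53 monstarrsoccer.com udp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 8.8.8.8:53 keuken-prijs.nl udp
NL 185.95.44.62:443 keuken-prijs.nl tcp
US 8.8.8.8:53 polynine.com udp
IN 13.126.239.8:443 polynine.com tcp
US 8.8.8.8:53 direitapernambuco.com udp
US 8.8.8.8:53 albcleaner.fr udp
FR 188.165.112.23:443 albcleaner.fr tcp
US 8.8.8.8:53 www.albcleaner.fr udp
FR 188.165.112.23:443 www.albcleaner.fr tcp
US 8.8.8.8:53 eshop.design udp
DE 64.190.62.111:443 eshop.design tcp
US 8.8.8.8:53 smartworkplaza.com udp
FI 31.217.192.177:443 smartworkplaza.com tcp
US 8.8.8.8:53 quitescorting.com udp
US 8.8.8.8:53 wineandgo.hu udp
HU 77.111.95.167:443 wineandgo.hu tcp
US 8.8.8.8:53 furland.ru udp
RU 31.31.196.191:443 furland.ru tcp
US 8.8.8.8:53 lidkopingsnytt.nu udp
SE 185.35.236.51:443 lidkopingsnytt.nu tcp
US 8.8.8.8:53 cuadc.org udp
GB 131.111.179.82:443 cuadc.org tcp
US 8.8.8.8:53 trainiumacademy.com udp
SG 35.213.151.161:443 trainiumacademy.com tcp
"""

if __name__ == "__main__":
    for k, v in profile_network(parse_rows(SAMPLE_TABLE)).items():
        print(k, v)
```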

Files

memory/528-54-0x0000000076121000-0x0000000076123000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-30 07:56

Reported

2022-01-30 13:08

Platform

win10-en-20211208

Max time kernel

167s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\HideRevoke.tif => \??\c:\users\admin\pictures\HideRevoke.tif.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\LockUnregister.tiff => \??\c:\users\admin\pictures\LockUnregister.tiff.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeClear.tif => \??\c:\users\admin\pictures\RevokeClear.tif.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\users\admin\pictures\RegisterResize.tiff C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\ClearRemove.png => \??\c:\users\admin\pictures\ClearRemove.png.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\RegisterResize.tiff => \??\c:\users\admin\pictures\RegisterResize.tiff.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\LockDismount.tiff => \??\c:\users\admin\pictures\LockDismount.tiff.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\users\admin\pictures\LockUnregister.tiff C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\MeasureGet.tiff => \??\c:\users\admin\pictures\MeasureGet.tiff.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\RemoveBlock.raw => \??\c:\users\admin\pictures\RemoveBlock.raw.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\users\admin\pictures\LockDismount.tiff C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\users\admin\pictures\MeasureGet.tiff C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\SelectJoin.raw => \??\c:\users\admin\pictures\SelectJoin.raw.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\EditJoin.png => \??\c:\users\admin\pictures\EditJoin.png.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File renamed C:\Users\Admin\Pictures\PingCompare.tif => \??\c:\users\admin\pictures\PingCompare.tif.ft272 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
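
Across the two detonations the appended extension differs (.ysc1r6lz6c on the Windows 7 run, .ft272 on the Windows 10 run), and in the Program Files rows of the first run the ransom note and marker file follow from it: a note named <extension>-readme.txt and an eight-hex-digit .lock file (23ed88b0.lock) dropped in each directory the sample worked through. The extension is generated per run, so an indicator built from the literal string is useless on the next victim; what transfers is the structure, many renames that append one new suffix plus note files whose name embeds that same suffix. The correlator below is an added example, not part of the report or the sandbox: it infers the suffix from rename events, then checks the created files for the derived note name and the lock marker, over constructed events copied from the rows in both detonations. The event tuple layout, the function names and the verdict thresholds are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

FileEvent = Tuple[str, ...]   # ("renamed", old, new) | ("created", path) | ("modified", path)
LOCK_NAME = re.compile(r"[0-9a-f]{8}\.lock")


def norm(path: str) -> str:
    """Drop the NT object-manager prefix and lowercase so both spellings in the report compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_suffix(old: str, new: str) -> Optional[str]:
    """Suffix added by a rename that kept the original name intact ('a.tif' -> 'a.tif.xyz' gives 'xyz')."""
    o, n = norm(old), norm(new)
    if n.startswith(o + ".") and "\\" not in n[len(o):]:
        return n[len(o) + 1:]
    return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def profile_file_events(events: List[FileEvent]) -> Dict[str, object]:
    """Infer the run's marker extension, then look for the note and lock files derived from it."""
    suffixes: Counter = Counter()
    created = [norm(e[1]) for e in events if e[0] == "created"]
    for e in events:
        if e[0] == "renamed":
            sfx = appended_suffix(e[1], e[2])
            if sfx:
                suffixes[sfx] += 1
    if not suffixes:
        return {"extension": None, "encrypted": 0, "notes": [], "locks": [], "verdict": "none"}
    ext, count = suffixes.most_common(1)[0]
    note_name = f"{ext}-readme.txt"
    notes = sorted(p for p in created if basename(p) == note_name)
    locks = sorted(p for p in created if LOCK_NAME.fullmatch(basename(p)))
    # Renames alone could be an archiver or a backup tool; the note named after the
    # appended extension is what ties the activity to this family's behaviour.
    verdict = "ransomware" if notes and count >= 2 else "suspicious" if count >= 2 else "weak"
    return {"extension": ext, "encrypted": count, "note_name": note_name,
            "notes": notes, "locks": locks, "verdict": verdict}


# Constructed from behavioral1 rows above: two renames, two notes, two lock files, and one
# plain modification that must not count as encryption.
WIN7_EVENTS: List[FileEvent] = [
    ("renamed", r"C:\Users\Admin\Pictures\InvokeUnblock.tif",
                r"\??\c:\users\admin\pictures\InvokeUnblock.tif.ysc1r6lz6c"),
    ("renamed", r"C:\Users\Admin\Pictures\RevokeEnter.tif",
                r"\??\c:\users\admin\pictures\RevokeEnter.tif.ysc1r6lz6c"),
    ("created", r"\??\c:\program files (x86)\ysc1r6lz6c-readme.txt"),
    ("created", r"\??\c:\program files\ysc1r6lz6c-readme.txt"),
    ("created", r"\??\c:\program files\23ed88b0.lock"),
    ("created", r"\??\c:\program files (x86)\23ed88b0.lock"),
    ("modified", r"\??\c:\program files\ClearStep.docm"),
]

# Constructed from behavioral2 rows above: a different per-run extension and no note rows in view.
WIN10_EVENTS: List[FileEvent] = [
    ("renamed", r"C:\Users\Admin\Pictures\HideRevoke.tif",
                r"\??\c:\users\admin\pictures\HideRevoke.tif.ft272"),
    ("renamed", r"C:\Users\Admin\Pictures\LockUnregister.tiff",
                r"\??\c:\users\admin\pictures\LockUnregister.tiff.ft272"),
    ("renamed", r"C:\Users\Admin\Pictures\ClearRemove.png",
                r"\??\c:\users\admin\pictures\ClearRemove.png.ft272"),
    ("modified", r"\??\c:\users\admin\pictures\RegisterResize.tiff"),
]

if __name__ == "__main__":
    print(profile_file_events(WIN7_EVENTS))
    print(profile_file_events(WIN10_EVENTS))
```

On a full event stream the same logic also yields the blast radius (the count of renames) and the list of directories that received a note, which is what an incident responder needs before deciding what to restore.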

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\h4o5.bmp" C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\ReceiveLimit.ini C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\RestartNew.mp4v C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\AssertCompare.rm C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\FindOut.wmv C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\HideCopy.au3 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\SetConvert.pot C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\SkipOpen.midi C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\TraceRequest.xlt C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files\23ed88b0.lock C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\PingWait.vb C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\PopEnable.7z C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ExpandTest.kix C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\SaveOut.mhtml C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files\ft272-readme.txt C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\23ed88b0.lock C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\BackupShow.ADTS C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\PublishUnpublish.ex_ C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ReceiveConvert.mpeg C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\RequestConfirm.eprtx C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\AddFind.mp2 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\LimitSubmit.zip C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\PingCompare.raw C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File created \??\c:\program files (x86)\ft272-readme.txt C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\PopRequest.csv C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ReadStep.vdx C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\SwitchRequest.gif C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\GrantAssert.tif C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\JoinStep.html C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\StopUnblock.csv C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\MoveClose.cr2 C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\RemoveShow.html C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\AddShow.fon C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ConvertToUnlock.htm C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\ExportGroup.js C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
File opened for modification \??\c:\program files\RequestInstall.jpeg C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe N/A
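The rename row above (PingCompare.tif becoming PingCompare.tif.ft272) together with the ft272-readme.txt and 23ed88b0.lock entries in both Program Files directories is the per-run fingerprint of this infection: every encrypted file gets the same appended suffix, and the ransom note is named after that suffix. The following Python, written for this page as an added example and not produced by the sandbox or taken from the sample, parses file-event rows in the report's own row format and derives those markers automatically. The input lines are constructed: six are copied from rows on this page, and the Quarterly.docx rename is an invented second file added only to show that the suffix is consistent. The function and variable names (parse_file_events, infer_markers, hunt_patterns) are this example's own. Note that the suffix and lock-file name are run-specific, so the patterns this produces are for sweeping other hosts in the same incident, not a family-wide signature.

```python
import re
import ntpath
from collections import Counter

# Constructed input in the report's row format; not live sandbox output.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe"
SAMPLE_FILE_EVENTS = "\n".join([
    r"File renamed C:\Users\Admin\Pictures\PingCompare.tif => \??\c:\users\admin\pictures\PingCompare.tif.ft272 " + SAMPLE + " N/A",
    r"File opened for modification \??\c:\program files\ReceiveLimit.ini " + SAMPLE + " N/A",
    r"File created \??\c:\program files\23ed88b0.lock " + SAMPLE + " N/A",
    r"File created \??\c:\program files\ft272-readme.txt " + SAMPLE + " N/A",
    r"File created \??\c:\program files (x86)\23ed88b0.lock " + SAMPLE + " N/A",
    r"File created \??\c:\program files (x86)\ft272-readme.txt " + SAMPLE + " N/A",
    # Constructed second rename (not on the page) to show the suffix repeats.
    r"File renamed C:\Users\Admin\Documents\Quarterly.docx => \??\c:\users\admin\documents\Quarterly.docx.ft272 " + SAMPLE + " N/A",
])

# Row layout: <action> <path or "src => dst"> <process image> <target>.
# The path column may contain spaces, so the match is anchored on the trailing
# "<something>.exe <target>" pair instead of splitting on whitespace.
ROW = re.compile(r"^(File renamed|File created|File opened for modification)\s+(.+?)\s+(\S+\.exe)\s+(\S+)$")

def nt_to_win(path):
    """Strip the NT object-manager prefix the sandbox records (\\??\\c:\\... -> c:\\...)."""
    return path[4:] if path.startswith("\\??\\") else path

def parse_file_events(text):
    """Return (action, source_path, destination_path_or_None) for each parsable row."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        action, path = m.group(1), m.group(2)
        if action == "File renamed":
            src, dst = path.split(" => ", 1)
        else:
            src, dst = path, None
        events.append((action, nt_to_win(src), nt_to_win(dst) if dst else None))
    return events

def appended_suffix(src, dst):
    """What the rename appended to the original name, or None if it was not a pure append."""
    s, d = src.lower(), dst.lower()
    return d[len(s):] if d.startswith(s) and len(d) > len(s) else None

def infer_markers(events):
    """Derive the encryption suffix, ransom-note name and lock-file names from the events."""
    suffixes = Counter()
    for action, src, dst in events:
        if action == "File renamed":
            sfx = appended_suffix(src, dst)
            if sfx:
                suffixes[sfx] += 1
    ext = suffixes.most_common(1)[0][0] if suffixes else None
    created = [src for action, src, _ in events if action == "File created"]
    # The note is named "<suffix without dot>-readme.txt", as the rows above show.
    note_name = f"{ext.lstrip('.')}-readme.txt" if ext else None
    notes = [p for p in created if note_name and ntpath.basename(p).lower() == note_name]
    locks = sorted({ntpath.basename(p) for p in created if p.lower().endswith(".lock")})
    return {
        "extension": ext,
        "renamed_count": sum(suffixes.values()),
        "modified_count": sum(1 for a, _, _ in events if a == "File opened for modification"),
        "ransom_note": note_name,
        "note_dirs": sorted({ntpath.dirname(p) for p in notes}),
        "lock_files": locks,
    }

def hunt_patterns(markers):
    """Glob patterns for sweeping other hosts in the same incident."""
    pats = []
    if markers["extension"]:
        pats.append("**/*" + markers["extension"])
    if markers["ransom_note"]:
        pats.append("**/" + markers["ransom_note"])
    pats += ["**/" + name for name in markers["lock_files"]]
    return pats

if __name__ == "__main__":
    markers = infer_markers(parse_file_events(SAMPLE_FILE_EVENTS))
    print(markers)
    print(hunt_patterns(markers))
```

The "File opened for modification" rows are the files being overwritten in place before the rename, so a count of them per directory gives a quick estimate of how far encryption got before the detonation timed out.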

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe

"C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
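The process tree above is the recovery-inhibition step: a single cmd.exe /c line that deletes every shadow copy and then disables Windows boot recovery. Two details matter for detection. The command line names C:\Windows\System32\cmd.exe but the process runs from SysWOW64 because the sample is 32-bit and WoW64 file-system redirection substitutes the 32-bit binaries; a rule keyed on the System32 path would miss it. And the three commands are chained with single ampersands, so both bcdedit calls run even if vssadmin fails. The SeBackupPrivilege and SeRestorePrivilege entries for vssvc.exe in the AdjustPrivilegeToken signature are the VSS service doing its normal work to service that deletion, not the malware's own token manipulation, and should not be alerted on by themselves. The Python below is an added example written for this page, not sandbox output and not the vendor's detection logic. It runs command-line rules over constructed process-creation records: the first three reproduce the reported process tree, the last two are benign look-alikes (the C:\Program Files\ExampleBackup path is hypothetical). Rule names, the SAMPLE_PROCESS_EVENTS structure and the severity thresholds are this example's own choices.

```python
import re

# Constructed process-creation records (Sysmon event 1 / Security 4688 style).
# Events 0-2 mirror the process tree reported above; 3 and 4 are benign look-alikes
# the rules must not flag. None of this is sandbox output.
SAMPLE_PROCESS_EVENTS = [
    {
        "image": r"C:\Windows\SysWOW64\cmd.exe",
        "parent": r"C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe",
        "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
                   r" & bcdedit /set {default} recoveryenabled No"
                   r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    },
    {
        "image": r"C:\Windows\SysWOW64\vssadmin.exe",
        "parent": r"C:\Windows\SysWOW64\cmd.exe",
        "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
    },
    {
        # The VSS service starting to service the request; not an attacker process.
        "image": r"C:\Windows\system32\vssvc.exe",
        "parent": r"C:\Windows\system32\services.exe",
        "cmdline": r"C:\Windows\system32\vssvc.exe",
    },
    {
        # Benign: an administrator listing shadow copies.
        "image": r"C:\Windows\System32\vssadmin.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": "vssadmin list shadows",
    },
    {
        # Benign-looking: backup software pruning one old copy (hypothetical vendor path).
        "image": r"C:\Windows\System32\vssadmin.exe",
        "parent": r"C:\Program Files\ExampleBackup\agent.exe",
        "cmdline": "vssadmin delete shadows /for=C: /oldest /quiet",
    },
]

# (rule name, event field, pattern). Case-insensitive because the sample mixes
# "Delete Shadows /All" with lower-case bcdedit arguments; the image path is
# deliberately not matched so SysWOW64 and System32 copies are treated alike.
RULES = [
    ("vssadmin_delete_all_shadows", "cmdline",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all\b", re.I)),
    ("bcdedit_recovery_disabled", "cmdline",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\b.*?\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures", "cmdline",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\b.*?\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    # A parent living in the user's Temp directory is what separates this from an
    # administrator typing the same vssadmin command.
    ("parent_in_user_temp", "parent",
     re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)),
]

def evaluate(event):
    """Return the names of every rule that matches one process-creation event."""
    return [name for name, field, pattern in RULES if pattern.search(event.get(field, ""))]

def severity(matched):
    """Collapse matched rule names into one triage level (thresholds are this example's)."""
    inhibit = {"vssadmin_delete_all_shadows", "bcdedit_recovery_disabled",
               "bcdedit_ignore_boot_failures"} & set(matched)
    if len(inhibit) >= 2:
        return "critical"   # shadow copies deleted and boot recovery disabled together
    if inhibit:
        return "high"
    if matched:
        return "medium"
    return "none"

def triage(events):
    """Evaluate every event; returns (index, matched rules, severity) for those that fire."""
    hits = []
    for i, ev in enumerate(events):
        matched = evaluate(ev)
        if matched:
            hits.append((i, matched, severity(matched)))
    return hits

if __name__ == "__main__":
    for idx, matched, level in triage(SAMPLE_PROCESS_EVENTS):
        print(f"event {idx}: {level:8s} {', '.join(matched)}")
```

Because the whole chain is visible in the parent cmd.exe command line, the first event alone already reaches "critical"; the child vssadmin.exe event is the fallback for telemetry that only records the final image and its arguments.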

Network

Country Destination Domain Proto
US 8.8.8.8:53 monstarrsoccer.com udp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 8.8.8.8:53 keuken-prijs.nl udp
NL 185.95.44.62:443 keuken-prijs.nl tcp
US 8.8.8.8:53 chris-anne.com udp
US 192.124.249.118:443 chris-anne.com tcp
US 8.8.8.8:53 polynine.com udp
IN 13.126.239.8:443 polynine.com tcp
US 8.8.8.8:53 direitapernambuco.com udp
US 8.8.8.8:53 albcleaner.fr udp
FR 188.165.112.23:443 albcleaner.fr tcp
US 8.8.8.8:53 www.albcleaner.fr udp
FR 188.165.112.23:443 www.albcleaner.fr tcp
US 8.8.8.8:53 eshop.design udp
DE 64.190.62.111:443 eshop.design tcp
US 8.8.8.8:53 pourlabretagne.bzh udp
FR 135.125.16.232:443 pourlabretagne.bzh tcp
US 8.8.8.8:53 www.pourlabretagne.bzh udp
FR 135.125.16.232:443 www.pourlabretagne.bzh tcp
US 8.8.8.8:53 smartworkplaza.com udp
FI 31.217.192.177:443 smartworkplaza.com tcp
US 8.8.8.8:53 bescomedical.de udp
DE 185.233.54.65:443 bescomedical.de tcp
US 8.8.8.8:53 wineandgo.hu udp
HU 77.111.95.167:443 wineandgo.hu tcp
US 8.8.8.8:53 agenceassemble.fr udp
FR 87.98.150.35:443 agenceassemble.fr tcp
US 8.8.8.8:53 computer-place.de udp
DE 85.214.125.43:443 computer-place.de tcp
US 8.8.8.8:53 bellesiniacademy.org udp
US 198.71.233.64:443 bellesiniacademy.org tcp
US 8.8.8.8:53 quitescorting.com udp
US 8.8.8.8:53 bodymindchallenger.com udp
US 8.8.8.8:53 rino-gmbh.com udp
DE 212.90.148.124:443 rino-gmbh.com tcp
US 8.8.8.8:53 lidkopingsnytt.nu udp
SE 185.35.236.51:443 lidkopingsnytt.nu tcp
US 8.8.8.8:53 goddardleadership.org udp
US 172.80.63.61:443 goddardleadership.org tcp
US 8.8.8.8:53 profiz.com udp
FI 31.217.192.121:443 profiz.com tcp
US 8.8.8.8:53 buerocenter-butzbach-werbemittel.de udp
US 8.8.8.8:53 dennisverschuur.com udp
DK 46.30.215.120:443 dennisverschuur.com tcp
US 8.8.8.8:53 thehovecounsellingpractice.co.uk udp
US 170.39.76.102:443 thehovecounsellingpractice.co.uk tcp
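The network table shows the sample resolving 25 unrelated domains through 8.8.8.8 and opening one to four HTTPS connections to most of them; four (direitapernambuco.com, quitescorting.com, bodymindchallenger.com, buerocenter-butzbach-werbemittel.de) were looked up but never connected to within the detonation window. This matches REvil's documented post-encryption behaviour of sending requests to a long list of domains carried in its embedded configuration, most of which are legitimate or compromised sites rather than attacker-controlled infrastructure. Block-listing the individual hosts is therefore of limited value; the durable signal is the burst of lookups followed by a handful of TLS connections to many distinct sites from one process. The Python below is an added example written for this page, not sandbox output and not the sandbox vendor's code. It parses rows in the table's own format into a summary that separates resolver, connected hosts and DNS-only names, and reduces the list to indicators for a retro-hunt. The embedded input is an excerpt of the rows above, used as constructed input; parse_network_table, summarize, indicators and beacon_profile are this example's own names, and strip_www is a deliberately crude grouping that only folds a leading "www.".

```python
import re
from collections import defaultdict, Counter

# Excerpt of the table above, embedded as constructed input (not a live capture).
# The rows for one DNS-only name and one www/non-www pair are kept so both cases show.
SAMPLE_NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 monstarrsoccer.com udp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 74.208.236.128:443 monstarrsoccer.com tcp
US 8.8.8.8:53 direitapernambuco.com udp
US 8.8.8.8:53 albcleaner.fr udp
FR 188.165.112.23:443 albcleaner.fr tcp
US 8.8.8.8:53 www.albcleaner.fr udp
FR 188.165.112.23:443 www.albcleaner.fr tcp
US 8.8.8.8:53 quitescorting.com udp
"""

# <country> <ip>:<port> <domain> <proto>; the header line does not match and is skipped.
ROW = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(tcp|udp)$")

def parse_network_table(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"country": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                         "domain": m.group(4), "proto": m.group(5)})
    return rows

def strip_www(domain):
    # Only a leading "www." is folded. Proper grouping across suffixes such as
    # .co.uk needs a public-suffix list; this is enough to pair the www rows above.
    d = domain.lower()
    return d[4:] if d.startswith("www.") else d

def summarize(rows):
    """Split the rows into resolver, hosts actually connected to, and DNS-only names."""
    resolvers = {r["ip"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    connected = defaultdict(set)   # domain -> IPs it was connected to
    attempts = Counter()           # domain -> number of TCP connections
    for r in rows:
        if r["proto"] == "tcp":
            connected[r["domain"]].add(r["ip"])
            attempts[r["domain"]] += 1
    looked_up = {r["domain"] for r in rows if r["port"] == 53}
    return {
        "resolvers": sorted(resolvers),
        "connected": {d: sorted(ips) for d, ips in sorted(connected.items())},
        "dns_only": sorted(looked_up - set(connected)),
        "sites": sorted({strip_www(d) for d in looked_up | set(connected)}),
        "connections": dict(attempts),
        "dest_ips": sorted({ip for ips in connected.values() for ip in ips}),
    }

def indicators(summary):
    """Domains and IPs worth a retro-hunt, excluding the resolver itself."""
    ioc = set(summary["sites"]) | set(summary["dest_ips"])
    return sorted(ioc - set(summary["resolvers"]))

def beacon_profile(summary):
    """(distinct sites, max connections to any one domain, number of resolvers used).
    A high first value with a low second value is the fan-out pattern seen above."""
    return (len(summary["sites"]),
            max(summary["connections"].values(), default=0),
            len(summary["resolvers"]))

if __name__ == "__main__":
    s = summarize(parse_network_table(SAMPLE_NETWORK_TABLE))
    print("dns only:", s["dns_only"])
    print("indicators:", indicators(s))
    print("profile (sites, max per domain, resolvers):", beacon_profile(s))
```

Running the same parser over the full table above gives 25 distinct names, 19 destination IPs and one resolver, with no domain contacted more than four times, which is the shape to look for in proxy or DNS logs rather than any single hostname.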

Files

N/A