Malware Analysis Report

2025-01-18 18:21

Sample ID 241223-txh1gsvkg1
Target JaffaCakes118_bef5e19dd521e73f355fecd74f9a174a75f6d61e8fc8e6e738f8e1444ef597ee
SHA256 bef5e19dd521e73f355fecd74f9a174a75f6d61e8fc8e6e738f8e1444ef597ee
Tags
sodinokibi credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bef5e19dd521e73f355fecd74f9a174a75f6d61e8fc8e6e738f8e1444ef597ee

Threat Level: Known bad

The file JaffaCakes118_bef5e19dd521e73f355fecd74f9a174a75f6d61e8fc8e6e738f8e1444ef597ee was found to be: Known bad.

Malicious Activity Summary

sodinokibi credential_access discovery ransomware spyware stealer

Sodin,Sodinokibi,REvil

Sodinokibi family

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-23 16:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-23 16:26

Reported

2024-12-23 16:28

Platform

win7-20241010-en

Max time kernel

30s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pf6.bmp" C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\UndoDisable.jpe C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\r0585-readme.txt C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File created \??\c:\program files\r0585-readme.txt C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\BlockPop.mhtml C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\JoinSuspend.fon C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\NewEnable.jfif C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ShowSplit.3gpp C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\SuspendDebug.odp C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\r0585-readme.txt C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ConnectUpdate.m1v C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ConvertCompare.php C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\OutDisconnect.mpp C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ProtectRevoke.html C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\PushClear.emf C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\MergeGroup.wmx C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\SyncNew.vsd C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\UndoSync.xltm C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\r0585-readme.txt C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\OpenWrite.vst C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\UnlockRead.wpl C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File created \??\c:\program files (x86)\r0585-readme.txt C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\AddSuspend.midi C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\BlockRename.mov C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\CompressSplit.rtf C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\FormatAssert.ogg C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe

"C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/2104-0-0x0000000000400000-0x0000000004748000-memory.dmp

memory/2104-3-0x0000000000400000-0x0000000004748000-memory.dmp

C:\Users\r0585-readme.txt

MD5 43d71c5fc58fc7c9ec5e6eb58e8ddf80
SHA1 f7d1692c9188be7a0b467292dfd9c52e8e31ae25
SHA256 6fcb58297e213edc609a89765021ecbc670f697a4de9e1cee2f02ae26d412cc1
SHA512 8c1a12ce4ae896914124a2b829fd2e226ae617bf4c573679cf596413a63ad33d4186d8143517e9da8da3f92d7bbb2a581c23ee56bfc8f0d0e511a3f403907e5c

memory/2104-487-0x0000000000400000-0x0000000004748000-memory.dmp

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2104-492-0x0000000000400000-0x0000000004748000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-23 16:26

Reported

2024-12-23 16:28

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atde00eg.bmp" C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\CompressAdd.xla C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ExpandRevoke.txt C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\LimitUpdate.docx C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\StartConvert.inf C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\UninstallUndo.DVR C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\WaitAdd.bmp C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\WriteTrace.html C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ConnectBlock.ADTS C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ConvertUndo.wma C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\DismountMount.mpeg2 C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ExportOpen.php C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\MergeUninstall.xla C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ResizePush.DVR C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\UninstallUnregister.xlsm C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File created \??\c:\program files\be8jl4u-readme.txt C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\GroupStep.pptx C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\InvokeFind.vb C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\SwitchBackup.ADT C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\UseSync.ttf C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File created \??\c:\program files (x86)\be8jl4u-readme.txt C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\CompressStep.ppt C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\EnterInitialize.jpeg C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ResizeSave.vst C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\ResolveResume.jfif C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\SendConnect.mpp C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
File opened for modification \??\c:\program files\TraceSync.mpeg C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe

"C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

memory/380-0-0x0000000000400000-0x0000000004748000-memory.dmp

C:\Users\be8jl4u-readme.txt

MD5 5552bb154be1d39d9ee1b129ddf0a263
SHA1 199f6fd314f41474d68aef73384f6f112b670799
SHA256 1636349615cb25dbda53bca9390a4be9d6ed10f9b67884a43d520ccf2c0ac83a
SHA512 4c096f56d09195ca69e2598e50b11f397844a4cbcbd96fa0890e17efb84047d45c8d5417af04983075e793230f5484048a77647eed3108372c63ab7f5823b882

memory/380-82-0x0000000000400000-0x0000000004748000-memory.dmp

memory/380-89-0x0000000000400000-0x0000000004748000-memory.dmp

memory/380-437-0x0000000000400000-0x0000000004748000-memory.dmp

memory/380-442-0x0000000000400000-0x0000000004748000-memory.dmp

memory/380-444-0x0000000000400000-0x0000000004748000-memory.dmp