Malware Analysis Report

2025-01-18 18:28

Sample ID 241224-ws3v7stmhr
Target JaffaCakes118_b18bbd27b10bf27d6c626a1d721dbb83f8901c9083092adda80b2628ecff2e32
SHA256 b18bbd27b10bf27d6c626a1d721dbb83f8901c9083092adda80b2628ecff2e32
Tags
sodinokibi $2a$12$wsdkyj/flqr3lz6h4k2qmenp6qlhkwtltahlc0fur6s4afxkjrehy 7029 discovery evasion persistence privilege_escalation ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b18bbd27b10bf27d6c626a1d721dbb83f8901c9083092adda80b2628ecff2e32

Threat Level: Known bad

The file JaffaCakes118_b18bbd27b10bf27d6c626a1d721dbb83f8901c9083092adda80b2628ecff2e32 was found to be: Known bad.

Malicious Activity Summary

sodinokibi $2a$12$wsdkyj/flqr3lz6h4k2qmenp6qlhkwtltahlc0fur6s4afxkjrehy 7029 discovery evasion persistence privilege_escalation ransomware

Sodin,Sodinokibi,REvil

Sodinokibi family

Modifies Windows Firewall

Adds Run key to start application

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-24 18:11

Signatures

Sodinokibi family

sodinokibi

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-24 18:11

Reported

2024-12-24 18:14

Platform

win7-20241010-en

Max time kernel

134s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe" C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A

Enumerates connected drives

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\j8sa584s8r8ba.bmp" C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A

Drops file in Program Files directory

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe

"C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-24 18:11

Reported

2024-12-24 18:14

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe" C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A

Enumerates connected drives

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0u9a3.bmp" C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files\2u7c3r0-readme.txt C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File created \??\c:\program files (x86)\tmp C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File created \??\c:\program files (x86)\2u7c3r0-readme.txt C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\PingDisconnect.tif C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\StartBlock.jpeg C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\UndoLock.asx C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\UseSet.mpg C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File created \??\c:\program files\tmp C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\ExportInitialize.mov C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\GroupSend.midi C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\ProtectConnect.fon C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\SearchRemove.avi C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\SelectRestore.ppsx C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\MoveReceive.snd C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\ProtectGrant.dib C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\ResolveReceive.fon C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\RevokeConvert.mp3 C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\EnableTrace.midi C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\ConnectCompare.js C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\CopyResolve.ADTS C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\DismountUninstall.i64 C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\EnableNew.M2TS C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\SelectWatch.wmf C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\WaitCopy.vssx C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\EditConnect.ADTS C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\FindCompress.midi C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\InitializeRestart.jpeg C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\SaveEnter.xltm C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\SetRequest.asx C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\SkipOpen.m4a C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\UnblockRevoke.xsl C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\ApproveSave.png C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\ConnectUndo.docm C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\DenyJoin.txt C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\ExpandGrant.emf C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\MergeShow.ppsm C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\SuspendPing.wmv C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\EditRepair.easmx C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\GetWait.au3 C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\PopMount.ppt C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
File opened for modification \??\c:\program files\SwitchWait.dotm C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
All three entries are reads of the NetSh key by netsh.exe itself, which loads its registered helper DLLs from that key every time it starts; no value is written. They are a side effect of the sample launching netsh (see its command line under Processes), not evidence that a helper DLL was registered for persistence.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the DST Root CA X3 root certificate. An AuthRoot entry being created by the sample's own process while it makes HTTPS connections (see Network) matches the automatic root certificate update that CryptoAPI performs in-process when a chain leads to a trusted root missing from the local store; nothing in these rows shows the sample installing a certificate of its own.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
The rows that belong to the sample are SeDebugPrivilege and SeTakeOwnershipPrivilege; SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege are enabled by vssvc.exe for itself whenever the Volume Shadow Copy service runs and carry no signal on their own.

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe

"C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
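Read together, the indicator tables and the process list above describe one REvil encryption pass: a sweep of the drive roots from A: to Z: (19 letters logged), a note named "<victim id>-readme.txt" created in each directory it touches, the wallpaper swapped through the user's Control Panel\Desktop\Wallpaper value, SeDebugPrivilege and SeTakeOwnershipPrivilege enabled on the sample's own token, and netsh opening the Network Discovery firewall rule group, a step REvil takes before it goes looking for network shares. The script below is an added example, not the sandbox vendor's code: it parses indicator lines in the report's column layout (a subset copied from the sections above) into the facts a responder would carry into a hunt. The drive-sweep threshold, the "<id>-readme.txt" note pattern and the assumption that the process column is a space-free absolute path are mine.

```python
"""Extract hunt-ready facts from the indicator lines of a sandbox report.

Added example for this page, not the sandbox vendor's code. INDICATORS and
COMMAND_LINES are copied from the sections above (a subset). The parser assumes
the report's column layout '<description> <indicator> <process> N/A' and that
the process column is an absolute path without spaces.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe")
VSSVC = r"C:\Windows\system32\vssvc.exe"
DRIVE_ORDER = "ILMPTVZFDBHOSAJKQRX"  # drive roots in the order the report logs them

INDICATORS = (
    ["File opened (read-only) \\??\\%s: %s N/A" % (d, SAMPLE) for d in DRIVE_ORDER]
    + [
        r'Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000'
        r'\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0u9a3.bmp" '
        + SAMPLE + " N/A",
        r"File created \??\c:\program files\2u7c3r0-readme.txt " + SAMPLE + " N/A",
        r"File created \??\c:\program files (x86)\tmp " + SAMPLE + " N/A",
        r"File created \??\c:\program files (x86)\2u7c3r0-readme.txt " + SAMPLE + " N/A",
        r"File opened for modification \??\c:\program files\PingDisconnect.tif " + SAMPLE + " N/A",
        "Token: SeDebugPrivilege N/A " + SAMPLE + " N/A",
        "Token: SeTakeOwnershipPrivilege N/A " + SAMPLE + " N/A",
        "Token: SeBackupPrivilege N/A " + VSSVC + " N/A",
        "Token: SeRestorePrivilege N/A " + VSSVC + " N/A",
        "Token: SeAuditPrivilege N/A " + VSSVC + " N/A",
    ]
)
COMMAND_LINES = [
    '"%s"' % SAMPLE,
    'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes',
    r"C:\Windows\system32\wbem\unsecapp.exe -Embedding",
    VSSVC,
]

PROC_TAIL = r" (?P<proc>[A-Za-z]:\\\S+) N/A$"  # every row ends with the process path
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\(?P<letter>[A-Z]):" + PROC_TAIL)
FILE_RE = re.compile(r"^File (?P<op>created|opened for modification) \\\?\?\\(?P<path>.*?)" + PROC_TAIL)
WALLPAPER_RE = re.compile(r'\\Control Panel\\Desktop\\Wallpaper = "(?P<path>[^"]+)"' + PROC_TAIL)
TOKEN_RE = re.compile(r"^Token: (?P<priv>Se\w+Privilege) N/A" + PROC_TAIL)
RANSOM_NOTE_RE = re.compile(r"^(?P<victim_id>[0-9a-z]+)-readme\.txt$")  # assumed note pattern


def probed_drive_letters(lines):
    """Drive roots the sample opened; REvil walks the whole A:-Z: range looking for volumes."""
    return sorted({m["letter"] for m in map(DRIVE_RE.match, lines) if m})


def is_drive_sweep(lines, minimum=8):
    """One process opening this many distinct drive roots is enumeration, not normal I/O.
    The threshold is an assumption; tune it against what legitimate tools do in your estate."""
    return len(probed_drive_letters(lines)) >= minimum


def ransom_notes(lines):
    """Map victim id -> directories in which '<id>-readme.txt' was created."""
    notes = defaultdict(set)
    for m in filter(None, map(FILE_RE.match, lines)):
        note = RANSOM_NOTE_RE.match(m["path"].rpartition("\\")[2])
        if m["op"] == "created" and note:
            notes[note["victim_id"]].add(m["path"].rpartition("\\")[0])
    return dict(notes)


def wallpaper_path(lines):
    """Path written to the user's Desktop\\Wallpaper value, doubled backslashes undone."""
    for m in filter(None, map(WALLPAPER_RE.search, lines)):
        return m["path"].replace("\\\\", "\\")
    return None


def privileges_by_process(lines):
    """Privileges each process enabled on its token, keyed by image name."""
    privs = defaultdict(set)
    for m in filter(None, map(TOKEN_RE.match, lines)):
        privs[m["proc"].rpartition("\\")[2].lower()].add(m["priv"])
    return {image: sorted(p) for image, p in privs.items()}


def firewall_changes(cmdlines):
    """netsh advfirewall invocations; an unsigned binary in Temp has no business issuing them."""
    return [c for c in cmdlines if re.match(r"^(?:\S*\\)?netsh(?:\.exe)?\s+advfirewall\b", c, re.I)]


def triage(lines=INDICATORS, cmdlines=COMMAND_LINES):
    """Everything a responder wants from the sections above, in one dict."""
    return {
        "drive_sweep": is_drive_sweep(lines),
        "drives_probed": "".join(probed_drive_letters(lines)),
        "ransom_notes": ransom_notes(lines),
        "wallpaper": wallpaper_path(lines),
        "privileges": privileges_by_process(lines),
        "firewall_changes": firewall_changes(cmdlines),
    }
```

Running triage() on the copied rows reports a drive sweep over ABDFHIJKLMOPQRSTVXZ, one victim id (2u7c3r0) with notes in both Program Files trees, the wallpaper path under the user's Temp directory, the sample's two privileges separated from vssvc.exe's three, and the single netsh advfirewall command line. The same parser works on any report that keeps this column layout; the values that matter for hunting are the note name pattern, the wallpaper path and the netsh command, since those are what EDR or proxy telemetry will also show.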

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 cuspdental.com udp
US 200.69.18.145:443 cuspdental.com tcp
US 8.8.8.8:53 145.18.69.200.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 humanityplus.org udp
US 198.49.23.144:443 humanityplus.org tcp
US 8.8.8.8:53 sportsmassoren.com udp
DK 94.231.106.24:443 sportsmassoren.com tcp
US 8.8.8.8:53 144.23.49.198.in-addr.arpa udp
US 8.8.8.8:53 24.106.231.94.in-addr.arpa udp
US 8.8.8.8:53 adoptioperheet.fi udp
US 172.67.222.184:443 adoptioperheet.fi tcp
US 8.8.8.8:53 www.adoptioperheet.fi udp
US 172.67.222.184:443 www.adoptioperheet.fi tcp
US 8.8.8.8:53 184.222.67.172.in-addr.arpa udp
US 8.8.8.8:53 kafu.ch udp
CH 83.166.138.66:443 kafu.ch tcp
US 8.8.8.8:53 innote.fi udp
DE 18.197.248.23:443 innote.fi tcp
US 8.8.8.8:53 polychromelabs.com udp
US 104.21.25.93:443 polychromelabs.com tcp
US 8.8.8.8:53 66.138.166.83.in-addr.arpa udp
US 8.8.8.8:53 23.248.197.18.in-addr.arpa udp
US 8.8.8.8:53 milanonotai.it udp
DE 195.201.220.228:443 milanonotai.it tcp
US 8.8.8.8:53 www.milanonotai.it udp
US 99.83.185.157:443 www.milanonotai.it tcp
US 8.8.8.8:53 logopaedie-blomberg.de udp
US 8.8.8.8:53 93.25.21.104.in-addr.arpa udp
US 8.8.8.8:53 228.220.201.195.in-addr.arpa udp
US 8.8.8.8:53 157.185.83.99.in-addr.arpa udp
FR 92.205.210.41:443 logopaedie-blomberg.de tcp
US 8.8.8.8:53 theletter.company udp
US 15.197.148.33:443 theletter.company tcp
US 8.8.8.8:53 conexa4papers.trade udp
US 8.8.8.8:53 tampaallen.com udp
US 192.124.249.9:443 tampaallen.com tcp
US 8.8.8.8:53 41.210.205.92.in-addr.arpa udp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp
US 8.8.8.8:53 www.tampaallen.com udp
US 192.124.249.9:443 www.tampaallen.com tcp
US 8.8.8.8:53 9.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 patrickfoundation.net udp
US 8.8.8.8:53 visiativ-industry.fr udp
FR 51.68.244.60:443 visiativ-industry.fr tcp
US 8.8.8.8:53 www.visiativ-solutions.fr udp
FR 51.68.244.60:443 www.visiativ-solutions.fr tcp
FR 51.68.244.60:443 www.visiativ-solutions.fr tcp
US 8.8.8.8:53 www.visiativ.com udp
FR 5.39.7.193:443 www.visiativ.com tcp
US 8.8.8.8:53 60.244.68.51.in-addr.arpa udp
US 8.8.8.8:53 idemblogs.com udp
US 8.8.8.8:53 copystar.co.uk udp
DE 217.160.0.115:443 copystar.co.uk tcp
DE 217.160.0.115:443 copystar.co.uk tcp
DE 217.160.0.115:443 copystar.co.uk tcp
US 8.8.8.8:53 paulisdogshop.de udp
DE 85.10.215.20:443 paulisdogshop.de tcp
US 8.8.8.8:53 193.7.39.5.in-addr.arpa udp
US 8.8.8.8:53 115.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 atozdistribution.co.uk udp
US 8.8.8.8:53 sinal.org udp
US 8.8.8.8:53 20.215.10.85.in-addr.arpa udp
US 8.8.8.8:53 purposeadvisorsolutions.com udp
US 76.76.21.21:443 purposeadvisorsolutions.com tcp
US 8.8.8.8:53 www.purposeadvisors.com udp
US 76.76.21.164:443 www.purposeadvisors.com tcp
US 8.8.8.8:53 crediacces.com udp
DE 217.160.0.85:443 crediacces.com tcp
US 8.8.8.8:53 21.21.76.76.in-addr.arpa udp
US 8.8.8.8:53 164.21.76.76.in-addr.arpa udp
US 8.8.8.8:53 girlillamarketing.com udp
US 75.2.70.75:443 girlillamarketing.com tcp
US 8.8.8.8:53 www.girlillamarketing.com udp
IE 52.17.119.105:443 www.girlillamarketing.com tcp
US 8.8.8.8:53 85.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 lachofikschiet.nl udp
NL 212.32.242.248:443 lachofikschiet.nl tcp
US 8.8.8.8:53 nurturingwisdom.com udp
US 35.215.73.168:443 nurturingwisdom.com tcp
US 8.8.8.8:53 75.70.2.75.in-addr.arpa udp
US 8.8.8.8:53 105.119.17.52.in-addr.arpa udp
US 8.8.8.8:53 248.242.32.212.in-addr.arpa udp
US 8.8.8.8:53 smessier.com udp
US 8.8.8.8:53 team-montage.dk udp
DE 46.4.208.59:443 team-montage.dk tcp
US 8.8.8.8:53 168.73.215.35.in-addr.arpa udp
US 8.8.8.8:53 lbcframingelectrical.com udp
DE 3.125.36.175:443 lbcframingelectrical.com tcp
US 8.8.8.8:53 59.208.4.46.in-addr.arpa udp
US 8.8.8.8:53 artotelamsterdam.com udp
US 8.8.8.8:53 175.36.125.3.in-addr.arpa udp
US 141.193.213.20:443 artotelamsterdam.com tcp
US 8.8.8.8:53 20.213.193.141.in-addr.arpa udp
US 8.8.8.8:53 maineemploymentlawyerblog.com udp
NL 108.156.60.110:443 maineemploymentlawyerblog.com tcp
US 8.8.8.8:53 www.maineemploymentlawyerblog.com udp
NL 108.156.60.119:443 www.maineemploymentlawyerblog.com tcp
US 8.8.8.8:53 110.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 vyhino-zhulebino-24.ru udp
US 8.8.8.8:53 jameskibbie.com udp
CA 66.70.219.208:443 jameskibbie.com tcp
US 8.8.8.8:53 associacioesportivapolitg.cat udp
FR 94.23.80.4:443 associacioesportivapolitg.cat tcp
US 8.8.8.8:53 119.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 eglectonk.online udp
US 8.8.8.8:53 diversiapsicologia.es udp
DE 217.160.0.121:443 diversiapsicologia.es tcp
US 8.8.8.8:53 208.219.70.66.in-addr.arpa udp
US 8.8.8.8:53 4.80.23.94.in-addr.arpa udp
US 8.8.8.8:53 121.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 udp
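The table shows the sample resolving and then connecting over TCP 443 to dozens of unrelated sites in several countries, each contacted only a few times. That is REvil's check-in behaviour: the binary carries a long built-in list of mostly legitimate domains and POSTs its encrypted victim record to them under randomised URL paths, so any real receiver hides among noise and no single name here is a reliable blocklist entry; the signal worth hunting for in proxy logs is the fan-out itself. The in-addr.arpa rows are reverse lookups of the contacted addresses and add nothing to the destination set. The script below is an added example, not the sandbox vendor's code: it parses rows in the table's column order (a subset copied from above, including the final truncated row that has no domain), separates DNS noise from real destinations and applies a fan-out heuristic whose threshold is an assumed tuning value.

```python
"""Summarise a sandbox report's Network table and flag REvil-style domain fan-out.

Added example for this page, not the sandbox vendor's code. ROWS is copied from
the table above (a subset, same column order: Country Destination Domain Proto);
the last row reproduces the report's truncated entry that has no domain.
"""
import re
from collections import Counter, defaultdict

ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 cuspdental.com udp
US 200.69.18.145:443 cuspdental.com tcp
US 8.8.8.8:53 145.18.69.200.in-addr.arpa udp
US 8.8.8.8:53 humanityplus.org udp
US 198.49.23.144:443 humanityplus.org tcp
US 8.8.8.8:53 sportsmassoren.com udp
DK 94.231.106.24:443 sportsmassoren.com tcp
US 8.8.8.8:53 conexa4papers.trade udp
US 8.8.8.8:53 copystar.co.uk udp
DE 217.160.0.115:443 copystar.co.uk tcp
DE 217.160.0.115:443 copystar.co.uk tcp
DE 217.160.0.115:443 copystar.co.uk tcp
US 8.8.8.8:53 patrickfoundation.net udp
US 8.8.8.8:53 udp
"""

# The domain column is optional so that the truncated row still parses.
ROW_RE = re.compile(r"^(?P<country>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
                    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def parse_rows(text):
    """One dict per row; lines the regex cannot read are returned separately, not dropped."""
    rows, unparsed = [], []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        row = m.groupdict()
        row["port"] = int(row["port"])
        row["domain"] = row["domain"] or ""
        rows.append(row)
    return rows, unparsed


def is_reverse_lookup(domain):
    """PTR lookups of already-known addresses; they name no new destination."""
    return domain.endswith(".in-addr.arpa")


def summarise(rows):
    """Separate DNS noise from real connections and pair each name with where it went."""
    resolved, connected = set(), defaultdict(set)
    connects, ptr = Counter(), 0
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if is_reverse_lookup(r["domain"]):
                ptr += 1
            elif r["domain"]:
                resolved.add(r["domain"])
        elif r["proto"] == "tcp":
            connected[r["domain"]].add((r["ip"], r["port"], r["country"]))
            connects[r["domain"]] += 1
    return {
        "resolved": resolved,
        "connected": dict(connected),
        "resolved_only": resolved - set(connected),  # looked up but never reached
        "connect_counts": connects,
        "ptr_lookups": ptr,
    }


def looks_like_domain_fanout(summary, min_hosts=4):
    """Many unrelated hosts, all on 443, from one process: REvil's list-driven check-in.
    min_hosts is an assumed threshold; a real detection would also bound the time window."""
    hosts = summary["connected"]
    ports = {port for dests in hosts.values() for _, port, _ in dests}
    return len(hosts) >= min_hosts and ports == {443}


def destinations(summary):
    """'domain ip:port country' lines for the hosts the sample actually reached."""
    out = []
    for domain, dests in sorted(summary["connected"].items()):
        for ip, port, country in sorted(dests):
            out.append(f"{domain} {ip}:{port} {country}")
    return out


if __name__ == "__main__":
    parsed, leftovers = parse_rows(ROWS)
    summary = summarise(parsed)
    print("fan-out pattern:", looks_like_domain_fanout(summary))
    print("\n".join(destinations(summary)))
    print("resolved but never connected:", sorted(summary["resolved_only"]))
    print("rows not understood:", leftovers)
```

On the copied subset the parser keeps all fifteen rows, counts two PTR lookups, finds four hosts reached over 443 (copystar.co.uk three times) and two names that were resolved but never connected to, and reports the fan-out pattern as present. The destinations list is for pivoting in proxy or NetFlow data, where the same hosts appearing from one workstation within minutes is the thing to look for; feeding these names into a blocklist would mostly block ordinary websites.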

Files

memory/2348-0-0x0000000000FF0000-0x0000000001012000-memory.dmp

C:\Users\2u7c3r0-readme.txt

MD5 91c25d5b5fd286d19b026b8c4af97742
SHA1 ae5d14ba4a91a63d043ff1d07f7b6820686cdd14
SHA256 3387c33457c16c6893dfc86c8fd32dc8d5b0c2143f95ca9aee7c0787f9ea6e44
SHA512 da5e3e72c1db625481b56ba5ac072a1ba8bb69cbb6d6d10196f8123c7eef68e34070798d0e1c0266934f67e834a24506bf8ae122ff77d90176a9f481054e2e6a

memory/2348-514-0x0000000000FF0000-0x0000000001012000-memory.dmp