Analysis Overview
SHA256
b18bbd27b10bf27d6c626a1d721dbb83f8901c9083092adda80b2628ecff2e32
Threat Level: Known bad
The file JaffaCakes118_b18bbd27b10bf27d6c626a1d721dbb83f8901c9083092adda80b2628ecff2e32 was found to be: Known bad.
Malicious Activity Summary
Sodin,Sodinokibi,REvil
Sodinokibi family
Modifies Windows Firewall
Adds Run key to start application
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-24 18:11
Signatures
Sodinokibi family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-24 18:11
Reported
2024-12-24 18:14
Platform
win7-20241010-en
Max time kernel
134s
Max time network
154s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe" | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\j8sa584s8r8ba.bmp" | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2496 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2496 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2496 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2496 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | C:\Windows\SysWOW64\netsh.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe
"C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cuspdental.com | udp |
| US | 200.69.18.145:443 | cuspdental.com | tcp |
| US | 200.69.18.145:443 | cuspdental.com | tcp |
| US | 8.8.8.8:53 | humanityplus.org | udp |
| US | 198.49.23.145:443 | humanityplus.org | tcp |
| US | 198.49.23.145:443 | humanityplus.org | tcp |
| US | 8.8.8.8:53 | sportsmassoren.com | udp |
| DK | 94.231.106.24:443 | sportsmassoren.com | tcp |
| DK | 94.231.106.24:443 | sportsmassoren.com | tcp |
| US | 8.8.8.8:53 | adoptioperheet.fi | udp |
| US | 172.67.222.184:443 | adoptioperheet.fi | tcp |
| US | 8.8.8.8:53 | www.adoptioperheet.fi | udp |
| US | 104.21.25.53:443 | www.adoptioperheet.fi | tcp |
| US | 8.8.8.8:53 | kafu.ch | udp |
| CH | 83.166.138.66:443 | kafu.ch | tcp |
| CH | 83.166.138.66:443 | kafu.ch | tcp |
| US | 8.8.8.8:53 | innote.fi | udp |
| DE | 18.197.248.23:443 | innote.fi | tcp |
| DE | 18.197.248.23:443 | innote.fi | tcp |
| US | 8.8.8.8:53 | polychromelabs.com | udp |
| US | 172.67.133.246:443 | polychromelabs.com | tcp |
| US | 8.8.8.8:53 | milanonotai.it | udp |
| DE | 195.201.220.228:443 | milanonotai.it | tcp |
| US | 8.8.8.8:53 | www.milanonotai.it | udp |
| US | 52.223.53.203:443 | www.milanonotai.it | tcp |
| US | 52.223.53.203:443 | www.milanonotai.it | tcp |
| US | 8.8.8.8:53 | logopaedie-blomberg.de | udp |
| FR | 92.205.210.41:443 | logopaedie-blomberg.de | tcp |
| FR | 92.205.210.41:443 | logopaedie-blomberg.de | tcp |
| US | 8.8.8.8:53 | theletter.company | udp |
| US | 3.33.130.190:443 | theletter.company | tcp |
| US | 3.33.130.190:443 | theletter.company | tcp |
| US | 8.8.8.8:53 | conexa4papers.trade | udp |
| US | 8.8.8.8:53 | tampaallen.com | udp |
| US | 192.124.249.9:443 | tampaallen.com | tcp |
| US | 192.124.249.9:443 | tampaallen.com | tcp |
| US | 8.8.8.8:53 | patrickfoundation.net | udp |
| US | 8.8.8.8:53 | visiativ-industry.fr | udp |
| FR | 51.68.244.60:443 | visiativ-industry.fr | tcp |
| US | 8.8.8.8:53 | www.visiativ-solutions.fr | udp |
| FR | 51.68.244.60:443 | www.visiativ-solutions.fr | tcp |
| FR | 51.68.244.60:443 | www.visiativ-solutions.fr | tcp |
| US | 8.8.8.8:53 | www.visiativ.com | udp |
| FR | 5.39.7.194:443 | www.visiativ.com | tcp |
| FR | 5.39.7.194:443 | www.visiativ.com | tcp |
| US | 8.8.8.8:53 | idemblogs.com | udp |
| US | 8.8.8.8:53 | copystar.co.uk | udp |
| DE | 217.160.0.115:443 | copystar.co.uk | tcp |
| DE | 217.160.0.115:443 | copystar.co.uk | tcp |
| US | 8.8.8.8:53 | paulisdogshop.de | udp |
| DE | 85.10.215.20:443 | paulisdogshop.de | tcp |
| US | 8.8.8.8:53 | atozdistribution.co.uk | udp |
| US | 8.8.8.8:53 | sinal.org | udp |
| IT | 93.95.216.98:443 | sinal.org | tcp |
| IT | 93.95.216.98:443 | sinal.org | tcp |
| US | 8.8.8.8:53 | purposeadvisorsolutions.com | udp |
| US | 76.76.21.21:443 | purposeadvisorsolutions.com | tcp |
| US | 76.76.21.21:443 | purposeadvisorsolutions.com | tcp |
| US | 8.8.8.8:53 | crediacces.com | udp |
| DE | 217.160.0.85:443 | crediacces.com | tcp |
| DE | 217.160.0.85:443 | crediacces.com | tcp |
| US | 8.8.8.8:53 | girlillamarketing.com | udp |
| US | 99.83.190.102:443 | girlillamarketing.com | tcp |
| US | 99.83.190.102:443 | girlillamarketing.com | tcp |
| US | 8.8.8.8:53 | lachofikschiet.nl | udp |
| NL | 212.32.242.248:443 | lachofikschiet.nl | tcp |
| US | 8.8.8.8:53 | nurturingwisdom.com | udp |
| US | 35.215.73.168:443 | nurturingwisdom.com | tcp |
| US | 35.215.73.168:443 | nurturingwisdom.com | tcp |
| US | 8.8.8.8:53 | smessier.com | udp |
| US | 8.8.8.8:53 | team-montage.dk | udp |
| DE | 46.4.208.59:443 | team-montage.dk | tcp |
| DE | 46.4.208.59:443 | team-montage.dk | tcp |
| US | 8.8.8.8:53 | lbcframingelectrical.com | udp |
| DE | 3.124.100.143:443 | lbcframingelectrical.com | tcp |
| DE | 3.124.100.143:443 | lbcframingelectrical.com | tcp |
| US | 8.8.8.8:53 | artotelamsterdam.com | udp |
| US | 141.193.213.20:443 | artotelamsterdam.com | tcp |
| US | 141.193.213.20:443 | artotelamsterdam.com | tcp |
| US | 8.8.8.8:53 | maineemploymentlawyerblog.com | udp |
| NL | 108.156.60.110:443 | maineemploymentlawyerblog.com | tcp |
| US | 8.8.8.8:53 | www.maineemploymentlawyerblog.com | udp |
| NL | 108.156.60.124:443 | www.maineemploymentlawyerblog.com | tcp |
| US | 8.8.8.8:53 | vyhino-zhulebino-24.ru | udp |
| US | 8.8.8.8:53 | jameskibbie.com | udp |
| CA | 66.70.219.208:443 | jameskibbie.com | tcp |
| CA | 66.70.219.208:443 | jameskibbie.com | tcp |
| US | 8.8.8.8:53 | associacioesportivapolitg.cat | udp |
| FR | 94.23.80.4:443 | associacioesportivapolitg.cat | tcp |
| FR | 94.23.80.4:443 | associacioesportivapolitg.cat | tcp |
| US | 8.8.8.8:53 | eglectonk.online | udp |
| US | 8.8.8.8:53 | diversiapsicologia.es | udp |
| DE | 217.160.0.121:443 | diversiapsicologia.es | tcp |
| DE | 217.160.0.121:443 | diversiapsicologia.es | tcp |
| US | 8.8.8.8:53 | lefumetdesdombes.com | udp |
| FR | 164.132.235.17:443 | lefumetdesdombes.com | tcp |
| FR | 164.132.235.17:443 | lefumetdesdombes.com | tcp |
| US | 8.8.8.8:53 | atmos-show.com | udp |
| CZ | 46.8.8.145:443 | atmos-show.com | tcp |
| US | 8.8.8.8:53 | international-sound-awards.com | udp |
| DE | 217.160.0.46:443 | international-sound-awards.com | tcp |
| DE | 217.160.0.46:443 | international-sound-awards.com | tcp |
| US | 8.8.8.8:53 | sachnendoc.com | udp |
| SG | 172.96.191.104:443 | sachnendoc.com | tcp |
| SG | 172.96.191.104:443 | sachnendoc.com | tcp |
| US | 8.8.8.8:53 | iyengaryogacharlotte.com | udp |
| US | 65.60.36.230:443 | iyengaryogacharlotte.com | tcp |
| US | 65.60.36.230:443 | iyengaryogacharlotte.com | tcp |
| US | 8.8.8.8:53 | people-biz.com | udp |
| US | 8.8.8.8:53 | brigitte-erler.com | udp |
| US | 8.8.8.8:53 | denovofoodsgroup.com | udp |
| US | 8.8.8.8:53 | maureenbreezedancetheater.org | udp |
| US | 198.185.159.145:443 | maureenbreezedancetheater.org | tcp |
| US | 198.185.159.145:443 | maureenbreezedancetheater.org | tcp |
| US | 8.8.8.8:53 | biortaggivaldelsa.com | udp |
| IT | 185.221.175.252:443 | biortaggivaldelsa.com | tcp |
| IT | 185.221.175.252:443 | biortaggivaldelsa.com | tcp |
| US | 8.8.8.8:53 | ikads.org | udp |
| US | 8.8.8.8:53 | qualitus.com | udp |
| DE | 136.243.1.43:443 | qualitus.com | tcp |
| DE | 136.243.1.43:443 | qualitus.com | tcp |
| US | 8.8.8.8:53 | whyinterestingly.ru | udp |
| US | 8.8.8.8:53 | kevinjodea.com | udp |
| US | 172.67.220.52:443 | kevinjodea.com | tcp |
| US | 8.8.8.8:53 | enovos.de | udp |
| DE | 185.175.199.0:443 | enovos.de | tcp |
| US | 8.8.8.8:53 | dupontsellshomes.com | udp |
| US | 70.40.220.182:443 | dupontsellshomes.com | tcp |
| US | 70.40.220.182:443 | dupontsellshomes.com | tcp |
| US | 8.8.8.8:53 | kirkepartner.dk | udp |
| DK | 94.231.106.25:443 | kirkepartner.dk | tcp |
| DK | 94.231.106.25:443 | kirkepartner.dk | tcp |
| US | 8.8.8.8:53 | despedidascostablanca.es | udp |
| FR | 46.105.204.5:443 | despedidascostablanca.es | tcp |
| FR | 46.105.204.5:443 | despedidascostablanca.es | tcp |
| US | 8.8.8.8:53 | lucidinvestbank.com | udp |
| DE | 95.111.241.115:443 | lucidinvestbank.com | tcp |
| US | 8.8.8.8:53 | steampluscarpetandfloors.com | udp |
| US | 35.209.122.3:443 | steampluscarpetandfloors.com | tcp |
| US | 35.209.122.3:443 | steampluscarpetandfloors.com | tcp |
| US | 8.8.8.8:53 | katiekerr.co.uk | udp |
| GB | 141.0.160.22:443 | katiekerr.co.uk | tcp |
| GB | 141.0.160.22:443 | katiekerr.co.uk | tcp |
| US | 8.8.8.8:53 | plv.media | udp |
| US | 66.42.112.66:443 | plv.media | tcp |
| US | 8.8.8.8:53 | bigbaguettes.eu | udp |
| US | 8.8.8.8:53 | bauertree.com | udp |
| US | 199.16.173.137:443 | bauertree.com | tcp |
| US | 199.16.173.137:443 | bauertree.com | tcp |
| US | 8.8.8.8:53 | stefanpasch.me | udp |
| US | 151.101.0.119:443 | stefanpasch.me | tcp |
| US | 151.101.0.119:443 | stefanpasch.me | tcp |
| US | 8.8.8.8:53 | mountsoul.de | udp |
| DE | 35.207.98.7:443 | mountsoul.de | tcp |
| DE | 35.207.98.7:443 | mountsoul.de | tcp |
| US | 8.8.8.8:53 | carriagehousesalonvt.com | udp |
| US | 64.225.91.73:443 | carriagehousesalonvt.com | tcp |
| US | 64.225.91.73:443 | carriagehousesalonvt.com | tcp |
| US | 8.8.8.8:53 | mooreslawngarden.com | udp |
| US | 8.8.8.8:53 | compliancesolutionsstrategies.com | udp |
| IE | 213.168.224.186:443 | compliancesolutionsstrategies.com | tcp |
| US | 8.8.8.8:53 | theshungiteexperience.com.au | udp |
| US | 192.124.249.65:443 | theshungiteexperience.com.au | tcp |
| US | 192.124.249.65:443 | theshungiteexperience.com.au | tcp |
| US | 8.8.8.8:53 | makeitcount.at | udp |
| DE | 89.110.151.38:443 | makeitcount.at | tcp |
| DE | 89.110.151.38:443 | makeitcount.at | tcp |
| US | 8.8.8.8:53 | shadebarandgrillorlando.com | udp |
| US | 190.92.159.133:443 | shadebarandgrillorlando.com | tcp |
| US | 190.92.159.133:443 | shadebarandgrillorlando.com | tcp |
| US | 8.8.8.8:53 | x-ray.ca | udp |
| US | 192.124.249.26:443 | x-ray.ca | tcp |
| US | 192.124.249.26:443 | x-ray.ca | tcp |
| US | 8.8.8.8:53 | marietteaernoudts.nl | udp |
| NL | 141.138.169.211:443 | marietteaernoudts.nl | tcp |
| NL | 141.138.169.211:443 | marietteaernoudts.nl | tcp |
| US | 8.8.8.8:53 | romeguidedvisit.com | udp |
| NL | 35.214.139.14:443 | romeguidedvisit.com | tcp |
| NL | 35.214.139.14:443 | romeguidedvisit.com | tcp |
| US | 8.8.8.8:53 | extensionmaison.info | udp |
| FR | 213.186.33.5:443 | extensionmaison.info | tcp |
| US | 8.8.8.8:53 | veybachcenter.de | udp |
| DE | 85.13.161.99:443 | veybachcenter.de | tcp |
| DE | 85.13.161.99:443 | veybachcenter.de | tcp |
| US | 8.8.8.8:53 | commercialboatbuilding.com | udp |
| US | 8.8.8.8:53 | aarvorg.com | udp |
| US | 66.235.200.30:443 | aarvorg.com | tcp |
| US | 66.235.200.30:443 | aarvorg.com | tcp |
| US | 8.8.8.8:53 | zonamovie21.net | udp |
| US | 8.8.8.8:53 | havecamerawilltravel2017.wordpress.com | udp |
| US | 192.0.78.12:443 | havecamerawilltravel2017.wordpress.com | tcp |
| US | 192.0.78.12:443 | havecamerawilltravel2017.wordpress.com | tcp |
| US | 8.8.8.8:53 | pridoxmaterieel.nl | udp |
| NL | 94.247.76.79:443 | pridoxmaterieel.nl | tcp |
| NL | 94.247.76.79:443 | pridoxmaterieel.nl | tcp |
| US | 8.8.8.8:53 | csgospeltips.se | udp |
| US | 8.8.8.8:53 | bierensgebakkramen.nl | udp |
| NL | 128.140.223.200:443 | bierensgebakkramen.nl | tcp |
| NL | 128.140.223.200:443 | bierensgebakkramen.nl | tcp |
| US | 8.8.8.8:53 | mbfagency.com | udp |
| US | 173.236.205.247:443 | mbfagency.com | tcp |
| US | 173.236.205.247:443 | mbfagency.com | tcp |
| US | 8.8.8.8:53 | xlarge.at | udp |
| DE | 5.22.145.16:443 | xlarge.at | tcp |
| DE | 5.22.145.121:443 | xlarge.at | tcp |
| US | 8.8.8.8:53 | blossombeyond50.com | udp |
| US | 8.8.8.8:53 | spd-ehningen.de | udp |
| DE | 109.237.138.15:443 | spd-ehningen.de | tcp |
| DE | 109.237.138.15:443 | spd-ehningen.de | tcp |
| US | 8.8.8.8:53 | ilive.lt | udp |
| LT | 185.5.53.29:443 | ilive.lt | tcp |
| LT | 185.5.53.29:443 | ilive.lt | tcp |
| US | 8.8.8.8:53 | yousay.site | udp |
| US | 162.241.224.155:443 | yousay.site | tcp |
| US | 162.241.224.155:443 | yousay.site | tcp |
| US | 8.8.8.8:53 | buroludo.nl | udp |
| NL | 185.37.70.69:443 | buroludo.nl | tcp |
| NL | 185.37.70.69:443 | buroludo.nl | tcp |
| US | 8.8.8.8:53 | jyzdesign.com | udp |
| US | 192.124.249.185:443 | jyzdesign.com | tcp |
| US | 192.124.249.185:443 | jyzdesign.com | tcp |
| US | 8.8.8.8:53 | insigniapmg.com | udp |
| US | 151.101.66.159:443 | insigniapmg.com | tcp |
| US | 151.101.66.159:443 | insigniapmg.com | tcp |
| US | 8.8.8.8:53 | vancouver-print.ca | udp |
| US | 24.38.41.117:443 | vancouver-print.ca | tcp |
| US | 24.38.41.117:443 | vancouver-print.ca | tcp |
| US | 8.8.8.8:53 | gaiam.nl | udp |
| DE | 78.46.9.130:443 | gaiam.nl | tcp |
| DE | 78.46.9.130:443 | gaiam.nl | tcp |
| US | 8.8.8.8:53 | pasvenska.se | udp |
| US | 172.67.203.128:443 | pasvenska.se | tcp |
| US | 8.8.8.8:53 | moveonnews.com | udp |
| US | 8.8.8.8:53 | nestor-swiss.ch | udp |
| CH | 217.26.53.205:443 | nestor-swiss.ch | tcp |
| CH | 217.26.53.205:443 | nestor-swiss.ch | tcp |
| US | 8.8.8.8:53 | noskierrenteria.com | udp |
| ES | 5.250.188.83:443 | noskierrenteria.com | tcp |
| ES | 5.250.188.83:443 | noskierrenteria.com | tcp |
| US | 8.8.8.8:53 | sairaku.net | udp |
| JP | 202.210.8.84:443 | sairaku.net | tcp |
| JP | 202.210.8.84:443 | sairaku.net | tcp |
| US | 8.8.8.8:53 | rostoncastings.co.uk | udp |
| GB | 185.151.30.130:443 | rostoncastings.co.uk | tcp |
| GB | 185.151.30.130:443 | rostoncastings.co.uk | tcp |
| US | 8.8.8.8:53 | winrace.no | udp |
| NO | 77.88.77.99:443 | winrace.no | tcp |
| US | 8.8.8.8:53 | www.winrace.no | udp |
| NO | 77.88.77.99:443 | www.winrace.no | tcp |
| US | 8.8.8.8:53 | kedak.de | udp |
| US | 104.21.12.218:443 | kedak.de | tcp |
| US | 8.8.8.8:53 | fax-payday-loans.com | udp |
| US | 8.8.8.8:53 | nacktfalter.de | udp |
| DE | 138.201.122.4:443 | nacktfalter.de | tcp |
| DE | 138.201.122.4:443 | nacktfalter.de | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/2496-0-0x00000000012D0000-0x00000000012F2000-memory.dmp
C:\Users\67ny35-readme.txt
| MD5 | 60939ce5d16926d93289f3118430cd10 |
| SHA1 | 88163a2a654d6f8d5e5cb728abf8d6fa718f0a0e |
| SHA256 | 3b49c2505a2644f840019e41d51647988765250bf055e0c0c96938030fa7d6b9 |
| SHA512 | c41f15d40c4ccbc004ec505646b8bf922555e539bacd9009de27952f13ab45dba8635c6d7d8342cb490e8ab60ef4ba9877b678d248235eb5a96b8a7baf983c0d |
C:\Users\Admin\AppData\Local\Temp\Cab45E8.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar460A.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2496-566-0x00000000012D0000-0x00000000012F2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-24 18:11
Reported
2024-12-24 18:14
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe" | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0u9a3.bmp" | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2348 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2348 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2348 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe | C:\Windows\SysWOW64\netsh.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe
"C:\Users\Admin\AppData\Local\Temp\b4015b2abf100140691ff5f32de9e7b903a82ae49af5bf5e1ea9b6d84e4f3205.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cuspdental.com | udp |
| US | 200.69.18.145:443 | cuspdental.com | tcp |
| US | 8.8.8.8:53 | 145.18.69.200.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | humanityplus.org | udp |
| US | 198.49.23.144:443 | humanityplus.org | tcp |
| US | 8.8.8.8:53 | sportsmassoren.com | udp |
| DK | 94.231.106.24:443 | sportsmassoren.com | tcp |
| US | 8.8.8.8:53 | 144.23.49.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.106.231.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adoptioperheet.fi | udp |
| US | 172.67.222.184:443 | adoptioperheet.fi | tcp |
| US | 8.8.8.8:53 | www.adoptioperheet.fi | udp |
| US | 172.67.222.184:443 | www.adoptioperheet.fi | tcp |
| US | 8.8.8.8:53 | 184.222.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kafu.ch | udp |
| CH | 83.166.138.66:443 | kafu.ch | tcp |
| US | 8.8.8.8:53 | innote.fi | udp |
| DE | 18.197.248.23:443 | innote.fi | tcp |
| US | 8.8.8.8:53 | polychromelabs.com | udp |
| US | 104.21.25.93:443 | polychromelabs.com | tcp |
| US | 8.8.8.8:53 | 66.138.166.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.248.197.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | milanonotai.it | udp |
| DE | 195.201.220.228:443 | milanonotai.it | tcp |
| US | 8.8.8.8:53 | www.milanonotai.it | udp |
| US | 99.83.185.157:443 | www.milanonotai.it | tcp |
| US | 8.8.8.8:53 | logopaedie-blomberg.de | udp |
| US | 8.8.8.8:53 | 93.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.220.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.185.83.99.in-addr.arpa | udp |
| FR | 92.205.210.41:443 | logopaedie-blomberg.de | tcp |
| US | 8.8.8.8:53 | theletter.company | udp |
| US | 15.197.148.33:443 | theletter.company | tcp |
| US | 8.8.8.8:53 | conexa4papers.trade | udp |
| US | 8.8.8.8:53 | tampaallen.com | udp |
| US | 192.124.249.9:443 | tampaallen.com | tcp |
| US | 8.8.8.8:53 | 41.210.205.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.148.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.tampaallen.com | udp |
| US | 192.124.249.9:443 | www.tampaallen.com | tcp |
| US | 8.8.8.8:53 | 9.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | patrickfoundation.net | udp |
| US | 8.8.8.8:53 | visiativ-industry.fr | udp |
| FR | 51.68.244.60:443 | visiativ-industry.fr | tcp |
| US | 8.8.8.8:53 | www.visiativ-solutions.fr | udp |
| FR | 51.68.244.60:443 | www.visiativ-solutions.fr | tcp |
| FR | 51.68.244.60:443 | www.visiativ-solutions.fr | tcp |
| US | 8.8.8.8:53 | www.visiativ.com | udp |
| FR | 5.39.7.193:443 | www.visiativ.com | tcp |
| US | 8.8.8.8:53 | 60.244.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | idemblogs.com | udp |
| US | 8.8.8.8:53 | copystar.co.uk | udp |
| DE | 217.160.0.115:443 | copystar.co.uk | tcp |
| DE | 217.160.0.115:443 | copystar.co.uk | tcp |
| DE | 217.160.0.115:443 | copystar.co.uk | tcp |
| US | 8.8.8.8:53 | paulisdogshop.de | udp |
| DE | 85.10.215.20:443 | paulisdogshop.de | tcp |
| US | 8.8.8.8:53 | 193.7.39.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | atozdistribution.co.uk | udp |
| US | 8.8.8.8:53 | sinal.org | udp |
| US | 8.8.8.8:53 | 20.215.10.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | purposeadvisorsolutions.com | udp |
| US | 76.76.21.21:443 | purposeadvisorsolutions.com | tcp |
| US | 8.8.8.8:53 | www.purposeadvisors.com | udp |
| US | 76.76.21.164:443 | www.purposeadvisors.com | tcp |
| US | 8.8.8.8:53 | crediacces.com | udp |
| DE | 217.160.0.85:443 | crediacces.com | tcp |
| US | 8.8.8.8:53 | 21.21.76.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.21.76.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | girlillamarketing.com | udp |
| US | 75.2.70.75:443 | girlillamarketing.com | tcp |
| US | 8.8.8.8:53 | www.girlillamarketing.com | udp |
| IE | 52.17.119.105:443 | www.girlillamarketing.com | tcp |
| US | 8.8.8.8:53 | 85.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lachofikschiet.nl | udp |
| NL | 212.32.242.248:443 | lachofikschiet.nl | tcp |
| US | 8.8.8.8:53 | nurturingwisdom.com | udp |
| US | 35.215.73.168:443 | nurturingwisdom.com | tcp |
| US | 8.8.8.8:53 | 75.70.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.119.17.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.242.32.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smessier.com | udp |
| US | 8.8.8.8:53 | team-montage.dk | udp |
| DE | 46.4.208.59:443 | team-montage.dk | tcp |
| US | 8.8.8.8:53 | 168.73.215.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lbcframingelectrical.com | udp |
| DE | 3.125.36.175:443 | lbcframingelectrical.com | tcp |
| US | 8.8.8.8:53 | 59.208.4.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | artotelamsterdam.com | udp |
| US | 8.8.8.8:53 | 175.36.125.3.in-addr.arpa | udp |
| US | 141.193.213.20:443 | artotelamsterdam.com | tcp |
| US | 8.8.8.8:53 | 20.213.193.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | maineemploymentlawyerblog.com | udp |
| NL | 108.156.60.110:443 | maineemploymentlawyerblog.com | tcp |
| US | 8.8.8.8:53 | www.maineemploymentlawyerblog.com | udp |
| NL | 108.156.60.119:443 | www.maineemploymentlawyerblog.com | tcp |
| US | 8.8.8.8:53 | 110.60.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vyhino-zhulebino-24.ru | udp |
| US | 8.8.8.8:53 | jameskibbie.com | udp |
| CA | 66.70.219.208:443 | jameskibbie.com | tcp |
| US | 8.8.8.8:53 | associacioesportivapolitg.cat | udp |
| FR | 94.23.80.4:443 | associacioesportivapolitg.cat | tcp |
| US | 8.8.8.8:53 | 119.60.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eglectonk.online | udp |
| US | 8.8.8.8:53 | diversiapsicologia.es | udp |
| DE | 217.160.0.121:443 | diversiapsicologia.es | tcp |
| US | 8.8.8.8:53 | 208.219.70.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.80.23.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/2348-0-0x0000000000FF0000-0x0000000001012000-memory.dmp
C:\Users\2u7c3r0-readme.txt
| MD5 | 91c25d5b5fd286d19b026b8c4af97742 |
| SHA1 | ae5d14ba4a91a63d043ff1d07f7b6820686cdd14 |
| SHA256 | 3387c33457c16c6893dfc86c8fd32dc8d5b0c2143f95ca9aee7c0787f9ea6e44 |
| SHA512 | da5e3e72c1db625481b56ba5ac072a1ba8bb69cbb6d6d10196f8123c7eef68e34070798d0e1c0266934f67e834a24506bf8ae122ff77d90176a9f481054e2e6a |
memory/2348-514-0x0000000000FF0000-0x0000000001012000-memory.dmp