Analysis
-
max time kernel
112s -
resource
win7v191014 -
submitted
09-12-2019 16:34
Task
task1
Sample
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
Resource
win10v191014
0 signatures
General
-
Target
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
-
Sample
191209-5gbby7dm12
-
SHA256
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac
Score
10/10
Malware Config
Extracted
Path
C:\Recovery\r79rrm-readme.txt
Family
sodinokibi
Ransom Note
Hello dear friend!
Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process.
All encrypted files have got r79rrm extension.
Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BF11B64AF0992ACD
Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/BF11B64AF0992ACD
Page will ask you for the key, here it is:
EpaHPpziuhud5akAau5Va5wrGrsKgJbrUuNVQXyD7DuThnb1qeM+u/CxWxzmbJJO
8VEpeiU+93fhUYa7MEuK2NgUd0IKlOmZe76wmmm0ApxnVBKyv8UmTg6KVhcDp4nd
RPzJu9MPl4VnFM2j8+s7OrQ87smJ3nq5cID8Bcaj+j/fp4xDRaDK7Lb0KX01Oulp
15xcIuP414se8ACLgtdMmnINdsA8MR9xyb/zNrlM1ypeL2QzN6P0P6ZYQ05bGADe
+tUCHWDHD16O+jJ+Yg+zjBbw1qTNW1ZYsTN1cOcGq+N83ObW3ygJLSJEwi8y2m62
xHigVNnzwhVjgMcdXUf2r+LOZ6G4L8Ab/UYqQ/25VZfzAXTBEdtPYY756T88F1/I
BNX+eX7UAlCetqg2w+f6aO7lCNVTeZtcOI4GcmhtZm1jx3f+O4Xi3i6AGE5Zh3Ur
VfsHyjzOlvxe0jOtKpYiMy2JnUr3ergRn5dJiZFDjlYUhII0v5V6dC706Lo7WU18
oetgZuhiU//bhDlLQXAdjHVzh0upoiIJjFT7oCh9p/aBPj1bY9+dsklotAEtox3w
8gSH85p+3fLLr+qqfdQGaS59lEaEShGwqrC6uj7ajuChooQ7ZC1P6YQ/bGK8s0bN
y32IBC84N/sBB4TdPhh7JCDBiHwWdfh71iwMpaSf86HjK922jZ2dg8VkUJM4qzac
PgmMn2KYHgi1YhKT4bIdvZUqar7lV4aka3NrIgmcoXb2RU+ykblCnVp4fIpKKEtW
9ZDetzPJH7TOoQNPROC0Yz9bil9oX4hmlqzLS6VuQbcszulhPebpIW/WxhP/h6sW
z7g2zUbUj8mdEczj/uV1iRDCy6L3VOu/MtEceQlcOdloDKM0Po59e3uk9llS2O3X
aGHtCAw09WLCai5LV2AZIwE6tIJcS1wHQSod6PS4QfYWsg35YH6nc3dY34Md9tyZ
WF46g7IxwViGGl9s/N70w0at/FNHu+6/cjcPMleWNqlvxJ+rKyvyhkdDToKRcBNP
RA2hb9Fzj1weoJcBghRZ1DdbjJG+C8iNpktDgycRmA9WVfUVz91eGiOUJclGxysc
LzbSsAv4TNBSXzSqO/iwRfkLmCt0iw==
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BF11B64AF0992ACD
http://decryptor.top/BF11B64AF0992ACD
Signatures
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description ioc Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uo9.bmp" -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exepid process 1996 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.execmd.exedescription pid process target process PID 1996 wrote to memory of 1480 1996 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe cmd.exe PID 1480 wrote to memory of 1256 1480 cmd.exe vssadmin.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
conhost.exepid process 1400 conhost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1104 vssvc.exe Token: SeRestorePrivilege 1104 vssvc.exe Token: SeAuditPrivilege 1104 vssvc.exe -
Drops file in Windows directory 3276 IoCs
Processes:
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exedescription ioc process File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cbdad699e9d079ee.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-tw_50803feab2c2b869.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70_31bf3856ad364e35_6.1.7600.16385_none_578b05f45f6e5c68.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sk-sk_3165765b03216fd8_msimsg.dll.mui_72e8994f 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_85be50917459a218_mlang.dll.mui_2904864a 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_lv-lv_359174e350f0ded0_comctl32.dll.mui_0da4e682 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7214f10d6056e81a_uxtheme.dll.mui_15ce9297 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aac11498ff0f4ac.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_lt-lt_fc1e49e41600d762_mlang.dll.mui_2904864a 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f39c285e7fbf22f0_certprop.dll.mui_602eaab4 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4cbc6858ab8583f8.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_a2ffc87595d912be_comdlg32.dll.mui_ac8e62f4 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_85525fb4207d890f.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-couriernew_31bf3856ad364e35_6.1.7600.16385_none_32383eb7c6ebfd9b_courbd.ttf_7d4db8d5 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1258_31bf3856ad364e35_6.1.7600.16385_none_80b9ebb3224724f7_c_1258.nls_7398f987 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2b105891e24eb61_userprofilewmiprovider.mfl_b1cb99f9 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-installer-handler_31bf3856ad364e35_6.1.7601.17514_none_e0e1f307aa11a690_msihnd.dll_f541a087 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_97769b281ba398b8_bootmgr.efi.mui_be5d0075 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_7.5.7601.17514_en-us_74a88136fae6c08c.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a3645f7773564239.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_7.2.7601.23317_en-us_f76df1ed557634f4.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_he-il_49429473d09ea38c_comctl32.dll.mui_0da4e682 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_924a71ae0e077dae_msimsg.dll.mui_72e8994f 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-courier_31bf3856ad364e35_6.1.7600.16385_none_5283fef09ca6fa1a_couret.fon_79d1ee47 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_he-il_d3a012aba7980adc_comdlg32.dll.mui_ac8e62f4 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f39c285e7fbf22f0.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-euphemia_31bf3856ad364e35_6.1.7600.16385_none_14191eff72a98c54.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7601.17514_none_a2347d4102a4c8ad_polstore.mof_6cd3e826 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351_rasdiag.dll.mui_15cb4ec4 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f7b09044d73c37a9.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_6.1.7601.17514_none_174ae9229f3a3492_scesrv.dll_07b1e224 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cef288146d0ec16c.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_pt-pt_ef7b9e173a536f62.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-fmifs_31bf3856ad364e35_6.1.7600.16385_none_56e4c7a892eacb36_fmifs.dll_cfc1a67d 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-hardware-policy_31bf3856ad364e35_6.1.7601.17514_none_604653a7c0745b40_hwpolicy.sys_e58c38aa 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_f59e20ddece8f922_certenrollctrl.exe_9495aa75 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad_perfhost.exe_df3332ad 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b_rasrqs-repl.man_b28d8556 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-936_31bf3856ad364e35_6.1.7600.16385_none_ceb139b2fc8fb8ed.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_cf3a10abc52740f6.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_6.1.7600.16385_none_cb895be592db1acb.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4a5d2c9ecd59afa7.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_28f060a37f09ef5c_mlang.dll.mui_2904864a 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_sr-..-cs_690f4f26ec911a81.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.17514_none_b6fce3b112cd3657.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-r..-rasmobilitymanager_31bf3856ad364e35_6.1.7600.16385_none_8819a134fb8a8d41_rasmbmgr.dll_81994e79 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_pad.inf_dbf42768 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-agpsettings_31bf3856ad364e35_6.1.7600.16385_none_6ee43cca3e1ad238.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-tw_ac9edb6e6b20299f_comdlg32.dll.mui_ac8e62f4 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_6.1.7600.16385_none_782caecbca6c3448_iphlpsvcmigplugin.dll_b4697821 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.17514_none_c519dbeb6e585715.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-mingliub_31bf3856ad364e35_6.1.7600.16385_none_2516994551e62499.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_findnetprinters.dll_d9721533 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_ad816c4fbe2e97f9_bootmgr.exe.mui_c434701f 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_7d8982db6f41dca8_bootmgr.exe.mui_c434701f 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-708_31bf3856ad364e35_6.1.7600.16385_none_cec3ab1cfc826848_c_708.nls_a9f9a85e 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7601.17514_none_c9617fb603a37c36_msasn1.dll_e56dbc57 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351_ndptsp.tsp.mui_5bee9ce3 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e5eadf52d4094a8.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6578e61f4c86036e.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf_hdwwiz.exe_b6a1c2df 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f3bc9163ae8cff9.manifest 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.1.7600.16385_none_9616b4da8e0572c5_authz.dll_c0d80602 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-smss_31bf3856ad364e35_6.1.7600.16385_none_128443f66743685c_apisetschema.dll_d4a833e3 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Discovering connected drives 3 TTPs 5 IoCs
Processes:
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exedescription ioc process File opened (read-only) \??\F: 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened (read-only) \??\C: 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened (read-only) \??\A: 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened (read-only) \??\B: 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe File opened (read-only) \??\E: 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe -
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
-
Deletes shadow copies 2 TTPs 1 IoCs
Processes:
vssadmin.exepid process 1256 vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe"C:\Users\Admin\AppData\Local\Temp\74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
- Discovering connected drives
PID:1996 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Deletes shadow copies
PID:1256
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "184422301228799135618944460-322814422-178056611075657119908867499-803790831"1⤵
- Suspicious use of SetWindowsHookEx
PID:1400
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104