Analysis
-
max time kernel
143s
-
max time network
14s
-
platform
windows7_x64
-
resource
win7v200430
-
submitted
06-05-2020 19:38
Static task
static1
Behavioral task
behavioral1
Sample
afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
Resource
win10v200430
General
-
Target
afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
-
Size
157KB
-
MD5
3c343d72b1400d84d203063f8c4597e3
-
SHA1
8ce10c6ca73a4e2279f9aecc19892df2c215bc6c
-
SHA256
afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02
-
SHA512
16a9eb417f17c362a8440450cceac5d34cc7d19704c4988ea19f3cb51f601f7486e94fee4efd3d0edfe00a5d32ef0b68536a2b771dbce52621c26d80b16a6ad1
Malware Config
Extracted
C:\Recovery\ssq83-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/370FDE11F2739669
http://decryptor.top/370FDE11F2739669
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbp.bmp" | afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
800 | afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 800 wrote to memory of 1060 | 800 | afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe | cmd.exe
PID 800 wrote to memory of 1060 | 800 | afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe | cmd.exe
PID 800 wrote to memory of 1060 | 800 | afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe | cmd.exe
PID 800 wrote to memory of 1060 | 800 | afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe | cmd.exe
PID 1060 wrote to memory of 1508 | 1060 | cmd.exe | vssadmin.exe
PID 1060 wrote to memory of 1508 | 1060 | cmd.exe | vssadmin.exe
PID 1060 wrote to memory of 1508 | 1060 | cmd.exe | vssadmin.exe
PID 1060 wrote to memory of 1508 | 1060 | cmd.exe | vssadmin.exe
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1508 | vssadmin.exe
-
Drops file in Windows directory 3276 IoCs
Processes: afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeBackupPrivilege | 1352 | vssvc.exe
Token: SeRestorePrivilege | 1352 | vssvc.exe
Token: SeAuditPrivilege | 1352 | vssvc.exe
-
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe"
Depth: 1
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
PID: 800
-
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  Depth: 2 (parent PID 800)
  - Suspicious use of WriteProcessMemory
  PID: 1060
  -
    C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Depth: 3 (parent PID 1060)
    - Interacts with shadow copies
    PID: 1508
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID: 1352