Analysis
- max time kernel: 1784s
- max time network: 1796s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-08-2021 11:16
Static task: static1
Behavioral task: behavioral1
  Sample: 2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe
  Resource: win10v20210410
General
- Target: 2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe
- Size: 157KB
- MD5: 6be0f4220e001e482cd0323d2908832d
- SHA1: 78194af69506ece5ef37500ff38cdcab09167065
- SHA256: 2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8
- SHA512: d3c01cfdcb1d97f3a85d84356a4ad2015085f8293dc8cbc42e9d636f36ff486e2f16634c1bacbe203f5a77a3f4721c204e8fc44a94b9e8496df711918dcf29bf
Malware Config
Extracted
  Path: C:\odt\x3nd484s-readme.txt
  Family: sodinokibi
  URLs:
    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/614F6CD6972849CC
    http://decryptor.top/614F6CD6972849CC
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
suricata: ET MALWARE Known Sinkhole Response Header (2 alerts)
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe
    File renamed C:\Users\Admin\Pictures\StepResolve.crw => C:\Users\Admin\Pictures\StepResolve.crw.x3nd484s
    File renamed C:\Users\Admin\Pictures\StepRename.tif => C:\Users\Admin\Pictures\StepRename.tif.x3nd484s
    File renamed C:\Users\Admin\Pictures\UnblockClear.tif => C:\Users\Admin\Pictures\UnblockClear.tif.x3nd484s
    File opened for modification C:\Users\Admin\Pictures\LimitEdit.tiff
    File renamed C:\Users\Admin\Pictures\LimitEdit.tiff => C:\Users\Admin\Pictures\LimitEdit.tiff.x3nd484s
    File renamed C:\Users\Admin\Pictures\ResizeConfirm.tif => C:\Users\Admin\Pictures\ResizeConfirm.tif.x3nd484s
    File renamed C:\Users\Admin\Pictures\SelectRevoke.tif => C:\Users\Admin\Pictures\SelectRevoke.tif.x3nd484s
    File renamed C:\Users\Admin\Pictures\ConvertToRepair.crw => C:\Users\Admin\Pictures\ConvertToRepair.crw.x3nd484s
    File renamed C:\Users\Admin\Pictures\RequestSelect.png => C:\Users\Admin\Pictures\RequestSelect.png.x3nd484s
-
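Every rename above appends the same token (x3nd484s) that also names the ransom note extracted from C:\odt\x3nd484s-readme.txt. The Python below is an added triage helper for this report, not sandbox output and not the malware's code: it groups a file listing by appended token and keeps only tokens that also have a matching <token>-readme.txt, so a rename-shaped name with no note beside it does not alert. The file list is constructed from the IoCs above plus invented benign entries and an invented decoy note; the assumed token shape (5-10 lowercase alphanumerics) generalizes from the single 8-character instance the report shows.

```python
"""Triage helper: pair encrypted-file extensions with their ransom note.

Added example for this report, not sandbox output or malware code. It relies on
one observation from the report: the token appended to encrypted files
(.x3nd484s) is the same token that names the ransom note
(C:\\odt\\x3nd484s-readme.txt). The token shape (5-10 lowercase alphanumerics)
is an assumption; the report shows only one 8-character instance.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

TOKEN = r"[a-z0-9]{5,10}"
# "<name>.<original ext>.<token>": the original extension is capped at 5 chars
# so "photo.jpeg" or "data.tar.gz" does not look like an encrypted file.
RENAME_RE = re.compile(rf"^(?P<original>.+\.[A-Za-z0-9]{{1,5}})\.(?P<token>{TOKEN})$")
README_RE = re.compile(rf"^(?P<token>{TOKEN})-readme\.txt$")


def parse_rename(path: str):
    """('StepResolve.crw', 'x3nd484s') for '...\\StepResolve.crw.x3nd484s', else None."""
    m = RENAME_RE.match(PureWindowsPath(path).name)
    return (m.group("original"), m.group("token")) if m else None


def correlate(paths):
    """Group paths by token; keep only tokens with both encrypted files and a note.

    Requiring both halves suppresses false positives such as
    'archive.2019.backup' (rename-shaped, no note) or a stray
    '<token>-readme.txt' with no renamed files next to it.
    """
    groups = defaultdict(lambda: {"files": [], "notes": []})
    for p in paths:
        name = PureWindowsPath(p).name
        note = README_RE.match(name)
        if note:
            groups[note.group("token")]["notes"].append(p)
            continue
        parsed = parse_rename(p)
        if parsed:
            groups[parsed[1]]["files"].append(p)
    return {t: g for t, g in groups.items() if g["files"] and g["notes"]}


PICTURES = r"C:\Users\Admin\Pictures"
# Constructed listing: the eight renames and the note path from this report,
# plus invented benign files and an invented decoy note.
SAMPLE_PATHS = [
    rf"{PICTURES}\StepResolve.crw.x3nd484s",
    rf"{PICTURES}\StepRename.tif.x3nd484s",
    rf"{PICTURES}\UnblockClear.tif.x3nd484s",
    rf"{PICTURES}\LimitEdit.tiff.x3nd484s",
    rf"{PICTURES}\ResizeConfirm.tif.x3nd484s",
    rf"{PICTURES}\SelectRevoke.tif.x3nd484s",
    rf"{PICTURES}\ConvertToRepair.crw.x3nd484s",
    rf"{PICTURES}\RequestSelect.png.x3nd484s",
    r"C:\odt\x3nd484s-readme.txt",
    r"C:\Users\Admin\Documents\archive.tar.gz",        # benign (invented)
    r"C:\Users\Admin\Documents\archive.2019.backup",   # rename-shaped, no note (invented)
    r"C:\Users\Admin\Desktop\q9z1kt-readme.txt",       # decoy note, no files (invented)
]

if __name__ == "__main__":
    for token, group in correlate(SAMPLE_PATHS).items():
        print(f"{token}: {len(group['files'])} encrypted files, notes: {group['notes']}")
```

Run against a real volume listing, the token that survives the correlation is the one to search for across shares and backups; a token with files but no note usually means the note was dropped to a directory outside the listing, not a false positive, so widen the listing before discarding it.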
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe
    File opened (read-only) \??\O:, \??\Q:, \??\W:, \??\I:, \??\L:, \??\N:, \??\Z:, \??\F:, \??\T:, \??\Y:, \??\J:, \??\K:, \??\M:, \??\P:, \??\X:, \??\A:, \??\B:, \??\H:, \??\S:, \??\U:, \??\V:, \??\D:, \??\E:, \??\G:, \??\R: (every drive letter except C:)
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tt2710925b5.bmp"
-
Drops file in Windows directory 64 IoCs
Processes:
  2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.15063.0_en-us_af1aa8cbf99dbd7d_wevtsvc.dll.mui_f41bf7b7
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_en-us_87ac933f1cd28fdb_winload.exe.mui_3bc5b827
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.15063.0_none_fa7db1d69e32c652_winbrand.dll_9cd6a3cf
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.15063.0_none_ae887af47a91ddcd_dcomp.dll_a2e93a7d
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_10.0.15063.0_none_0aed8b3ddd7da4b2.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.0_none_43a14f3b47f396e6_comctl32.dll_9c499789
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.15063.0_en-us_53639d962243b4e0_clipsvc.dll.mui_18823613
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_27839b07aafca9cf_memtest.efi.mui_71e15c22
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-es_2664f52c0cb2fd2b_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.0_none_108e4f62dfe5d999.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_nb-no_82c9d6ba4bb6c1ef_memtest.efi.mui_71e15c22
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_en-us_1b9eda7aacdf6c87.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_ea6b6d97f2f4c7b4.manifest
    File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid_31bf3856ad364e35_10.0.15063.0_none_72b493d71f56c769.manifest
    File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_f5dc2ec982476ba8_iscsitargetportal.cdxml_98b1c4de
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_et-ee_ce022fe5aa8f10fb_bootmgr.exe.mui_c434701f
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.15063.0_en-us_259417a878463055.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_c3c95b73e48b1ae8_iscsicli.exe.mui_64c0a23c
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ndis-minwin_31bf3856ad364e35_10.0.15063.0_none_6a69576e60dac525.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_uk-ua_823ef85ec5aa50a3_msimsg.dll.mui_72e8994f
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc_31bf3856ad364e35_10.0.15063.498_none_008383882272dab0.manifest
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ko-kr_ce5152af8ee877a4.manifest
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sv-se_e1332fed275fb730.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_en-us_87ac933f1cd28fdb_winresume.exe.mui_ff8b5358
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.15063.0_none_c3023296d9c347cc_offlinesam.dll_5e21eef0
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_jvgasys.fon_d163c032
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-etw-ese_31bf3856ad364e35_10.0.15063.0_none_e06eabd7bf2af294.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_en-us_269998480c8c0b86_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.15063.0_none_7d3d04174acaa727_apps.inf_0b7d7d89
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_nb-no_e1663e689467fdb8_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.15063.0_none_685fe984eaf6056e_appidsvc.dll_b571c01a
    File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_en-us_dc9d1f26de15ab15.manifest
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_en-us_6e46cf1f2108348c_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.15063.0_none_fd61363b291ec882_kerbclientshared.dll_1fa7b356
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_de-de_1f0c5aa0d4fcc3f8_memtest.efi.mui_71e15c22
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.15063.0_none_4e7f7ad6cb1d2087_lsass.exe_682060de
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shcore_31bf3856ad364e35_10.0.15063.0_none_d787b63d5a04598e.manifest
    File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.15063.0_en-us_57b999b44d02ade0.manifest
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_hu-hu_8b4d2222606ec8fc_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-es_6e122c03212f2631_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-truetype-ebrima_31bf3856ad364e35_10.0.15063.0_none_df8fa7e794d7be79.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_th-th_e25bed23d101e5a7.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.15063.0_none_2aad78202bd046dc_power.settings.disk.ppkg_2c825c35
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_da-dk_21e0c564d3266f5e_memtest.efi.mui_71e15c22
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pcw_31bf3856ad364e35_10.0.15063.0_none_c1256f978f4f2084_pcw.sys_dbeb0bbd
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_lv-lv_182c8e682a72c4dc_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-tw_8a1c400bf11ec208_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-mx_a35c198187d0c729_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_svgasys.fon_32986711
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.15063.0_none_8375fc1900429a0a.manifest
    File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.15063.0_none_e71b894d9eb700bd.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip-driver_31bf3856ad364e35_10.0.15063.0_none_e90c5eeaeffd537f.manifest
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_e5db677400777894_winmgmtr.dll.mui_741bfb68
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_pt-br_5b48cea4e14dc672.manifest
    File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.15063.0_none_d868ae1968a9ae8b.manifest
    File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c_cis.scp_0303a193
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_lv-lv_e5198e8fc265078f_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_vgasysg.fon_af7316fb
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.15063.0_none_ca38bcecc16963b9.manifest
    File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_f5dc2ec982476ba8_iscsi.psd1_8e91985d
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.15063.0_none_685fe984eaf6056e_appidpolicyconverter.exe_83972af0
    File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sr-..-rs_2ed8755544e099be_comctl32.dll.mui_0da4e682
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-version_31bf3856ad364e35_10.0.15063.0_none_2612286889b4755c_version.dll_406ddf44
    File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.15063.0_none_420692083d1f600a.manifest
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  vssadmin.exe (PID 1596)
-
Modifies system certificate store 2 IoCs
Processes:
  2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe
    Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405
    Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = [certificate blob elided]
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
  2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe (PID 3936), 12 events
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  vssvc.exe (PID 2688)
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  PID 3936 (2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe) wrote to memory of PID 2992 (cmd.exe), 3 events
  PID 2992 (cmd.exe) wrote to memory of PID 1596 (vssadmin.exe), 3 events
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8.sample.exe"
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936 -
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Suspicious use of WriteProcessMemory
PID:2992 -
Level 3: C:\Windows\SysWOW64\vssadmin.exe
Command line: vssadmin.exe Delete Shadows /All /Quiet
- Interacts with shadow copies
PID:1596
-
Level 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2688
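The tree above shows the recovery-inhibiting chain end to end: the sample spawns cmd.exe with vssadmin Delete Shadows and two bcdedit changes joined by "&", and cmd.exe in turn spawns vssadmin.exe. The Python below is an added detection example for this report, not sandbox output and not the malware's code: it matches the three command-line patterns in process-creation events and walks parent links to recover the ancestry of each hit. The events are constructed from the PIDs and command lines above; the explorer.exe parent (PID 1234), the two benign administrative commands and the event field names (pid, ppid, image, command_line) are assumptions, not telemetry the report shows.

```python
"""Detection logic for the inhibit-system-recovery chain in this report:
sample.exe -> cmd.exe /c "vssadmin Delete Shadows ... & bcdedit ..." -> vssadmin.exe.

Added example, not sandbox output or malware code. Events are constructed from
the report's process tree; the explorer.exe parent (PID 1234), the benign
commands and the field layout are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # executable file name only
    command_line: str


# One pattern per recovery-inhibiting command the sample chained with "&" in a
# single cmd.exe invocation. Case-insensitive, tolerant of an ".exe" suffix and
# of extra arguments between the significant tokens.
INHIBIT_RECOVERY_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def match_inhibit_recovery(command_line: str) -> list[str]:
    """Names of every recovery-inhibiting pattern found in one command line."""
    return [name for name, rx in INHIBIT_RECOVERY_PATTERNS.items()
            if rx.search(command_line)]


def ancestry(events: list[ProcEvent], pid: int, max_depth: int = 8) -> list[str]:
    """Image names from `pid` up to the root (or until the parent is unknown).

    Loop-safe: each pid is visited once and the walk stops after max_depth hops.
    """
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def detect(events: list[ProcEvent]) -> list[tuple[int, list[str], list[str]]]:
    """(pid, matched pattern names, ancestry) for every event whose command line hits."""
    alerts = []
    for e in events:
        hits = match_inhibit_recovery(e.command_line)
        if hits:
            alerts.append((e.pid, hits, ancestry(events, e.pid)))
    return alerts


SAMPLE_IMAGE = ("2cc2dda39d7c8d859a69ccbaaaf40d2d6495006696cdd50f13306398f82044b8"
                ".sample.exe")
CMD_LINE = ('"C:\\Windows\\System32\\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
            ' & bcdedit /set {default} recoveryenabled No'
            ' & bcdedit /set {default} bootstatuspolicy ignoreallfailures')

# Constructed events: PIDs 3936/2992/1596 and their command lines come from the
# process tree in this report; explorer.exe (PID 1234) and the two benign
# administrative commands are invented to show what must not alert.
EVENTS = [
    ProcEvent(1234, 1, "explorer.exe", "explorer.exe"),                   # assumed parent
    ProcEvent(3936, 1234, SAMPLE_IMAGE,
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE_IMAGE}"'),
    ProcEvent(2992, 3936, "cmd.exe", CMD_LINE),
    ProcEvent(1596, 2992, "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(4100, 1234, "vssadmin.exe", "vssadmin.exe list shadows"),   # benign
    ProcEvent(4101, 1234, "bcdedit.exe", "bcdedit /enum {default}"),      # benign
]

if __name__ == "__main__":
    for pid, hits, chain in detect(EVENTS):
        print(f"PID {pid}: {', '.join(hits)}  <- {' <- '.join(chain)}")
```

The rule fires twice here: once on the cmd.exe line (all three patterns) and once on the vssadmin.exe child (Delete Shadows only). Matching the child's own command line, not just the cmd.exe parent, keeps the detection alive when the parent line is obfuscated or a different shell is used; the bcdedit changes are only visible in the cmd.exe line in this tree, so the bcdedit patterns depend on that line being logged.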
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1596-120-0x0000000000000000-mapping.dmp
- memory/2992-119-0x0000000000000000-mapping.dmp
- memory/3936-115-0x0000000000430000-0x000000000057A000-memory.dmp (1.3MB)
- memory/3936-114-0x0000000000430000-0x000000000057A000-memory.dmp (1.3MB)
- memory/3936-116-0x0000000000590000-0x0000000000591000-memory.dmp (4KB)
- memory/3936-117-0x00000000005A0000-0x00000000005A1000-memory.dmp (4KB)
- memory/3936-118-0x0000000000640000-0x0000000000646000-memory.dmp (24KB)