Analysis
max time kernel: 147s
max time network: 162s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-01-2022 00:40
Static task: static1
Behavioral task: behavioral1
  Sample: fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  Resource: win10-en-20211208
General
Target: fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
Size: 158KB
MD5: 4c41f129572df46a10434ec037a4c092
SHA1: 657401643a0c6adfbbdbd76ecac54f889e3d7509
SHA256: fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e
SHA512: 18765a05703a0e2399697d52b1a43048199c624a1bc07d07e043030a252e69e8c4956f0abf452179bec716605cfacfc4bbddb0f1df8df3db488e3be351805965
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  description              ioc     process
  File opened (read-only)  \??\O:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\U:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\W:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\Z:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\D:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\I:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\K:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\N:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\R:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\T:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\E:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\F:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\H:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\J:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\M:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\P:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\Q:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\V:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\B:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\Y:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\X:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\G:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\L:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\S:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  File opened (read-only)  \??\A:  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
- Drops file in Windows directory (64 IoCs)
  Processes: fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid  process
  788  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  pid   process
  1628  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  1628  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description                 pid  process
  Token: SeBackupPrivilege    364  vssvc.exe
  Token: SeRestorePrivilege   364  vssvc.exe
  Token: SeAuditPrivilege     364  vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe, cmd.exe
  description                         pid   process                                                                  target process
  PID 1628 wrote to memory of 1104    1628  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe  cmd.exe
  PID 1628 wrote to memory of 1104    1628  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe  cmd.exe
  PID 1628 wrote to memory of 1104    1628  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe  cmd.exe
  PID 1628 wrote to memory of 1104    1628  fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe  cmd.exe
  PID 1104 wrote to memory of 788     1104  cmd.exe                                                                  vssadmin.exe
  PID 1104 wrote to memory of 788     1104  cmd.exe                                                                  vssadmin.exe
  PID 1104 wrote to memory of 788     1104  cmd.exe                                                                  vssadmin.exe
  PID 1104 wrote to memory of 788     1104  cmd.exe                                                                  vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e.exe"
  PID: 1628
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 1104
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 788
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 364
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
file                                                             size
memory/1628-54-0x0000000075891000-0x0000000075893000-memory.dmp  8KB
memory/1628-55-0x0000000000A10000-0x0000000000AD9000-memory.dmp  804KB
memory/1628-57-0x0000000002360000-0x000000000248D000-memory.dmp  1.2MB
memory/1628-58-0x00000000001D0000-0x00000000001EF000-memory.dmp  124KB
memory/1628-60-0x0000000000120000-0x000000000012A000-memory.dmp  40KB
memory/1628-61-0x0000000000130000-0x0000000000131000-memory.dmp  4KB
memory/1628-62-0x0000000000140000-0x0000000000141000-memory.dmp  4KB
memory/1628-63-0x0000000000150000-0x0000000000151000-memory.dmp  4KB
memory/1628-64-0x0000000000160000-0x0000000000166000-memory.dmp  24KB
memory/1628-59-0x0000000002620000-0x0000000002729000-memory.dmp  1.0MB