sodinokibi | f1bc14943c240f59b8d3ad4d6e3ad5568f896f80e79697e690612c5602fa653d

Analysis

max time kernel
139s
max time network
131s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-01-2022 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1bc14943c240f59b8d3ad4d6e3ad5568f896f80e79697e690612c5602fa653d.dll
Size

339KB
MD5

3a0458663d70cbde0099df95da451529
SHA1

cae4d2752133e9351d2ad63fba4699558c7c922a
SHA256

f1bc14943c240f59b8d3ad4d6e3ad5568f896f80e79697e690612c5602fa653d
SHA512

d7fa5a2f15e5820afa9bdeda0af65ee4327df4a36c9fd09f5539686a5a2557e7c6cda20ab4afabfa903733371390afe5ea3f3ea0aa1a332078131299aad9c51b

Score

10^/10

sodinokibi 10 7 ransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

lyricalduniya.com

theboardroomafrica.com

chris-anne.com

ownidentity.com

web865.com

paradigmlandscape.com

envomask.com

scentedlair.com

jlgraphisme.fr

andrealuchesi.it

mursall.de

letterscan.de

metcalfe.ca

dentourage.com

chomiksy.net

yayasanprimaunggul.org

opticahubertruiz.com

affligemsehondenschool.be

zealcon.ae

craftingalegacy.com

Attributes

net
true
pid
10
prc
mysql.exe
ransom_oneliner
Your files are encrypted! Open {EXT}.info.txt!
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub
7

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1560 set thread context of 1104 1560 rundll32.exe rundll32.exe

description	pid	process	target process
PID 1560 set thread context of 1104	1560	rundll32.exe	rundll32.exe

Drops file in Windows directory 64 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sl-si_3077981303bb82bb.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_365b53d91b3ce4ff.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ac389c4f782d818f.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-feclient_31bf3856ad364e35_6.1.7600.16385_none_1acf02d27145db87_feclient-ppdlic.xrm-ms_690f532f	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_11659fed3eedfa29.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7601.17514_none_a2347d4102a4c8ad_winipsec.dll_abfff1a2	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bb8769138813077.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d55cb67837a57f2b_wmpdui.dll.mui_92411657	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..ironment-dvd-efisys_31bf3856ad364e35_6.1.7601.17514_none_c0c6eceaf97c4827.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_41a82a52123f4af2_aclui.dll.mui_adadbfb7	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-capi2_31bf3856ad364e35_6.1.7600.16385_none_5803d21d45e2e6dc.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5ad8e52591f53bae.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fc5eccf9ae290445_auditpol.exe.mui_df4767d7	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a96db6468fda66c8.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_es-es_3d0cf71ea727ac84_winhttp.dll.mui_f661192f	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346_umpnpmgr.mof_112f9e6c	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-events_31bf3856ad364e35_6.1.7600.16385_none_0c4ed7b1a5ec567a.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8b1e4a75fe840204.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bdcd9cc255349b63_mssign32.dll.mui_d663578f	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a1b24ce63b235c75.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..trics-sensoradapter_31bf3856ad364e35_6.1.7600.16385_none_6fa6b9c88f2a3ba1.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_5bddbcb24e997298.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c6211bdd913a2fd8_setupapi.dll.mui_bcc172a4	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a32fbc5b737d33de_kernel32.dll.mui_c29170cd	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-ntdll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_716121f19d2cc442_ntdll.dll.mui_d908d391	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f3317575c0f924ac_rascfg.dll.mui_0b036e1f	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fc87dadf824f537e_mswsock.dll.mui_d7c2a730	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_en-us_354c8605d3d714f3_wiaservc.dll.mui_54051b53	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreos_31bf3856ad364e35_6.1.7601.17514_none_83784bb654f0d178.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_j8514sys.fon_cfb116c0	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cf6ea48f3390359c_provsvc.dll.mui_3a2926ae	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-hbaapi_31bf3856ad364e35_6.1.7601.17514_none_a739b25289bf5dc4_hbaapi.dll_4e36083f	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2dba46ae3c357fb2_odbcinst.chm_608e33e2	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5c4db2c1103b4a92.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2dfecca11d70a2c0_winscard.dll.mui_4a82d97e	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c42c8a2303da16f1_kmddsp.tsp.mui_80ddeedb	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32_31bf3856ad364e35_6.1.7600.16385_none_3f3d4351a032bf57_advapi32.dll_9512793c	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_23edfe3853a2f0bd.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_23a966a2fe2f7ffb_iscsidsc.mfl_20ed5374	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ider-interface-stub_31bf3856ad364e35_6.1.7600.16385_none_f8210304686499ec.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0b0ea14b1ebdba53.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e_user32.dll_55f4ed20	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_bb31595d11a5d311_credui.dll.mui_34721171	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mprapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ed2b9deda058eaf3.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b12fe15175794c34_partmgr.sys.mui_b800c491	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f4c280f4fcec33c8_services.exe.mui_86ea5e71	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a42f6ce2a37ffaa6.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f26f103cfb71516a_webclnt.dll.mui_e8f04040	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7601.17514_es-es_32b8f08dde6f3b12_wmiapres.dll.mui_c1b8803f	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_1efd7779877beccf_bootmgr.exe.mui_c434701f	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_uk-ua_1706c73dfc4b3026_comdlg32.dll.mui_ac8e62f4	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c1464d7ce9d7c138_setupapi.dll.mui_bcc172a4	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_netrasa.inf_87e7f515	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_44de21d027258ae6.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9d1df508d1784285.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_35802f0f452f59bb_dhcpcmonitor.dll_aa545cc8	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1a79f13a9b705cc9.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-437_31bf3856ad364e35_6.1.7600.16385_none_cee73286fc6746d9.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8618f8f77422454f.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_edcef7c9160396ab.manifest	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_en-us_22d9783c715c7b1c_wudfplatform.dll.mui_d815d31a	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e0ac3a3491076c7a_dhcpcore6.dll.mui_27872349	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_706d5c0cccb0eca8_irclass.dll.mui_c67cedc8	rundll32.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.1.7600.16385_de-de_39abefffc16e5209_lsasrv.dll.mui_d47f7e1c	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1592 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1104 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1364 vssvc.exe
Token: SeRestorePrivilege 1364 vssvc.exe
Token: SeAuditPrivilege 1364 vssvc.exe

pid	process
1592	vssadmin.exe

pid	process
1104	rundll32.exe

description	pid	process
Token: SeBackupPrivilege	1364	vssvc.exe
Token: SeRestorePrivilege	1364	vssvc.exe
Token: SeAuditPrivilege	1364	vssvc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

rundll32.exerundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1560	1736	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1104	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1104	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1104	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1104	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1104	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1104	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1104	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1104	1560	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1104	1560	rundll32.exe	rundll32.exe
PID 1104 wrote to memory of 1244	1104	rundll32.exe	cmd.exe
PID 1104 wrote to memory of 1244	1104	rundll32.exe	cmd.exe
PID 1104 wrote to memory of 1244	1104	rundll32.exe	cmd.exe
PID 1104 wrote to memory of 1244	1104	rundll32.exe	cmd.exe
PID 1244 wrote to memory of 1592	1244	cmd.exe	vssadmin.exe
PID 1244 wrote to memory of 1592	1244	cmd.exe	vssadmin.exe
PID 1244 wrote to memory of 1592	1244	cmd.exe	vssadmin.exe
PID 1244 wrote to memory of 1592	1244	cmd.exe	vssadmin.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1bc14943c240f59b8d3ad4d6e3ad5568f896f80e79697e690612c5602fa653d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1bc14943c240f59b8d3ad4d6e3ad5568f896f80e79697e690612c5602fa653d.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
3⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:1592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-186-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1560-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download
memory/1560-55-0x00000000001E0000-0x0000000000238000-memory.dmp

Filesize
352KB

Download
memory/1560-56-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-58-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-59-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-60-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-61-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-62-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-64-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-63-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-57-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-65-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-66-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-67-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-68-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-69-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-70-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-72-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-71-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-73-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-74-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-75-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-76-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-77-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-78-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-79-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-81-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-80-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-83-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-82-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-85-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-84-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-86-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-87-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-89-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-91-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-90-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-88-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-92-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-93-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-94-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-95-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-96-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-97-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-99-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-98-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-100-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-101-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-102-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-104-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-103-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-105-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-107-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-108-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-109-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-106-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-110-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-111-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-112-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-114-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-113-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-116-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-115-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-117-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1560-185-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads