Analysis

max time kernel: 160s
max time network: 178s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 00:48
Static task: static1

Behavioral task: behavioral1
  Sample: e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe
  Resource: win10-en-20211208

The platform and resource in the analysis header (windows10_x64, win10-en-20211208) correspond to behavioral2, so the signatures, IoCs and process tree below come from that run.
General

Target: e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe
Size: 161KB
MD5: f8a509a13601bcb0170956ec9c284a2a
SHA1: f11a903626588a5ab8a038b1deafef2f63603591
SHA256: e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c
SHA512: 24d3567694322e4f927cf20fa6fdef05a598a1b06dbfd1ceb56cfa79447ec1896069a006096c24db18851fc8700e0d3da9476e9e5f367323c3bbd14246c6c6ee
Malware Config
Signatures

Sodin / Sodinokibi / REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe
Drive roots opened (read-only) by the sample, 24 in all (every letter except C: and D:), listed here sorted rather than in the report's order:
\??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Each IoC records an attempted open of a drive root, so the list shows which letters the sample probed, not which volumes were present in the sandbox.
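The drive-letter sweep above is the kind of pattern an analyst can turn into a rule over file-open events. The following is an added example, not part of the sandbox report: it runs over a constructed event list shaped like the report's IoCs ("File opened (read-only) \??\J: <process>") and flags a PID that opens many distinct drive roots. The event tuple layout, the second PID and the threshold are assumptions.

```python
"""Flag a process that probes many drive roots, the pattern behind the
"Enumerates connected drives" signature.

Added example, not part of the sandbox report. Event layout (pid, operation,
path) and the threshold are assumptions made for the example.
"""
import re
from collections import defaultdict

# NT-style drive root as the report shows it: \??\J: (an optional trailing
# backslash is tolerated because some tracers log \??\J:\ instead).
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):\\?$")

# Constructed events (pid, operation, path). PID 3776 mirrors the report's 24
# letters in the report's order; PID 1200 is a benign stand-in that touches one drive.
EVENTS = [(3776, "open_ro", "\\??\\" + letter + ":") for letter in "JNOPUAFGHMQELTVXYZIKRSWB"]
EVENTS += [
    (1200, "open_ro", r"\??\E:"),
    (3776, "open_ro", r"C:\Users\Admin\Documents\notes.txt"),  # not a drive root, ignored
    (3776, "open_rw", r"\??\C:"),  # not a read-only open, ignored
]


def drive_roots_by_pid(events):
    """Map pid -> set of drive letters whose root the process opened read-only."""
    roots = defaultdict(set)
    for pid, op, path in events:
        if op != "open_ro":
            continue
        m = DRIVE_ROOT.match(path)
        if m:
            roots[pid].add(m.group(1).upper())
    return dict(roots)


def enumerating_pids(events, threshold=4, ignore=frozenset({"C"})):
    """PIDs that opened at least `threshold` distinct drive roots outside `ignore`.

    `threshold` is an analyst's choice (assumption): ordinary software rarely
    touches more than a handful of roots, while an encryptor walks the alphabet.
    """
    hits = {}
    for pid, letters in drive_roots_by_pid(events).items():
        probed = sorted(letters - set(ignore))
        if len(probed) >= threshold:
            hits[pid] = probed
    return hits


if __name__ == "__main__":
    for pid, letters in enumerating_pids(EVENTS).items():
        print(f"PID {pid}: opened {len(letters)} drive roots: {' '.join(letters)}")
```

Run against the constructed events, only PID 3776 is reported, with the same 24 letters the report lists; the benign PID that opened a single root stays below the threshold.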
Drops file in Windows directory (64 IoCs)
Process: e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe
All 64 IoCs are "File opened for modification" events on files under C:\Windows\WinSxS\Backup\ (component-store backup copies: DLLs, MUI resources, manifests, fonts, drivers). The signature name says "drops", but each recorded event is an open with write access; whether the content was actually rewritten is not shown here. The ".." inside component names is WinSxS's own shortening of long component names, not an elision in this report.
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_b35dd4580ff3e7bd_provsvc.dll.mui_3a2926ae
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_eb8784774de6a9ad_iscsiwmiv2.dll_daf801c2
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ja-jp_5569e07ec9d20ae6_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..-configuration-data_31bf3856ad364e35_10.0.15063.0_none_1dd4f4fd8d1ebaaf_bcd.dll_047e2c4d
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_es-es_6099713577ddb2af_wininit.exe.mui_997435f5
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.15063.0_es-es_6ead483edc26f335_axinstui.exe.mui_aea34130
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.15063.0_de-de_a53034098937b72e.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.15063.0_en-us_7b1120505ec3e729.manifest
  C:\Windows\WinSxS\Backup\amd64_windows-defender-nis-service_31bf3856ad364e35_10.0.15063.0_none_2f06793a4bbe30eb_niswfp.dll_19b9e3fb
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-advapi32_31bf3856ad364e35_10.0.15063.0_none_983d8f6006f300e2.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_vgaf1256.fon_9bd7a63b
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5522510b24d3f7d4_polstore.dll_6cd3e56e
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.15063.0_none_291118dda2c1a1ca_scardsvr.dll_b84d047c
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_es-es_135c291603f73f74_apphelp.dll.mui_59096153
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_es-es_c394b857e4b20c8d_iscsiexe.dll.mui_7d81b1cc
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2b73c2b7262e9b8a_wbiosrvc.dll.mui_d5b8b2b8
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.15063.0_de-de_88e19e6ec3d70899.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-br_2835cecc79400925_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_6b728fdb06b63f73.manifest
  C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_es-es_a29c94a1fbce98a8.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c_bootmgr_07e7e7fe
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga855.fon_0b81b0a9
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_40f4f6ac6faa981f_msimsg.dll.mui_72e8994f
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_0715be263c5430c2_rasauto.dll.mui_12fa2c50
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..rservice-extensions_31bf3856ad364e35_10.0.15063.0_none_dda2d70f5ef170e7_umpoext.dll_fd62cdf4
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.15063.0_es-es_fc6ed764690f8dcf_wbiosrvc.dll.mui_d5b8b2b8
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.15063.0_es-es_8a7b9e0a56c331ec_wmpdui.dll.mui_92411657
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.15063.0_none_210709721af4ec88_cryptdll.dll_e0da7eac
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_bg-bg_e617457ad1e00a3e_bootmgr.exe.mui_c434701f
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.15063.0_de-de_0cb68f8bd1dc0cd2.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-rasl2tp_31bf3856ad364e35_10.0.15063.0_none_aaf025d620bd03ae_rasl2tp.sys_d69e0fa7
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.15063.0_en-us_f9cce479897c6462_fidocredprov.dll.mui_4ca89266
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_8177e8a18f7d801c.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_en-us_d3e83faaaad81999_combase.dll.mui_6db10b33
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_1ea9ad4eb9a9c833_rasauto.dll.mui_12fa2c50
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_10.0.15063.0_none_fb51a18514e4621f_tdx.sys_d0cc4fd9
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fr-fr_fc2f6b036792d0da_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sk-sk_0ed5b4a952aaf957.manifest
  C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_3aff604eba3fed0f.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.15063.0_none_0c6c3963abedbb7f_wuceffects.dll_0c15b7d5
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_06c8a8054dc02d3d_wudfplatform.dll.mui_d815d31a
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-hardware-policy_31bf3856ad364e35_10.0.15063.0_none_13342771e2a38a67.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_10.0.15063.0_none_22f6ec0bb529250e_httpprxp.dll_53541354
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_1ef4411ab33dfe81_pad.inf_dbf42768
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_10.0.15063.0_none_de4c457aa62b389a_user32.dll_55f4ed20
  C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_d1a17ff4b8eda663.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sr-..-rs_fbc5757cdcd2dc71_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_54645fdf358c2fb5_samsrv.dll.mui_32250491
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-duser_31bf3856ad364e35_10.0.15063.0_none_6b88878235493b61.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_848d8c2152ade85d_provsvc.dll.mui_3a2926ae
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..y-biometrics-client_31bf3856ad364e35_10.0.15063.0_none_c32c99d8bd9714e6.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga861.fon_0763ad86
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.15063.0_de-de_50dc0e809a9e589d.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.15063.0_de-de_97e6882a68c0d773_netlogon.dll.mui_ecbeb9bd
  C:\Windows\WinSxS\Backup\wow64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_en-us_6dffadf883c9e255.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-tw_d1c976e3059aeb0e_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_582a3867b3b3209e.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_aa80fca424a5c223_ngcsvc.dll.mui_96312421
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus.systemcopy_31bf3856ad364e35_10.0.15063.0_none_f7ee6fbe2edc3d66_gdiplus.dll_423f7010
  C:\Windows\WinSxS\Backup\wow64_microsoft-etw-ese_31bf3856ad364e35_10.0.15063.0_none_eac35629f38bb48f.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_es-es_67761cd42c549b57_iscsiexe.dll.mui_7d81b1cc
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_pt-br_9188049a8e6fa576_bootmgfw.efi.mui_a6e78cfa
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c_pad.inf_dbf42768
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7a7b32b1837335e4_wudfhost.exe.mui_1fc689ff
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe (PID 2028)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe (PID 3776), recorded twice
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: vssvc.exe (PID 2176)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
vssvc.exe is the Volume Shadow Copy service that services the vssadmin request; enabling these privileges is normal for it and is not code of the sample. The signature matters here only because it shows the shadow-copy deletion was actually dispatched to the service.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe, cmd.exe
  PID 3776 (e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe) wrote to memory of PID 900 (cmd.exe): 3 events
  PID 900 (cmd.exe) wrote to memory of PID 2028 (vssadmin.exe): 3 events
In both cases the writer is the parent of the target (see the process tree), so these events are consistent with ordinary process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe (PID 3776)
  command line: "C:\Users\Admin\AppData\Local\Temp\e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe"
  signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 900)
        command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        signatures: Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\vssadmin.exe (PID 2028)
              command line: vssadmin.exe Delete Shadows /All /Quiet
              signatures: Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 2176)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- cmd.exe is requested as C:\Windows\System32\cmd.exe but runs from C:\Windows\SysWOW64\: the sample is a 32-bit process, and WoW64 file-system redirection maps System32 to SysWOW64 for it. The same applies to vssadmin.exe.
- The cmd.exe command line chains two bcdedit invocations (disable Windows recovery, ignore boot failures) after the shadow-copy deletion, but no bcdedit.exe process appears in the recorded tree; only vssadmin.exe (PID 2028) is logged as a child of cmd.exe. The bcdedit steps are therefore visible here only in the parent's command line, and their execution is not confirmed by this report.
- vssvc.exe (PID 2176) is not a child of the sample; it is the Volume Shadow Copy service that handles the vssadmin request.
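The tree above is the canonical recovery-inhibition chain, and the interesting detection property is that the whole chain is visible in cmd.exe's command line even though only vssadmin.exe was recorded as a child. The following is an added example, not part of the sandbox report and not a vendor rule: it runs over constructed process-creation events that mirror the tree's PIDs (3776 -> 900 -> 2028), matches the vssadmin/bcdedit commands anywhere in a command line, and walks up past shell launchers to attribute the behaviour to the originating process. The ProcEvent layout, the launcher list, the extra PIDs and the benign control event are assumptions.

```python
"""Detect the recovery-inhibition chain (vssadmin Delete Shadows, bcdedit
recoveryenabled No / bootstatuspolicy ignoreallfailures) in process-creation
events and attribute it to the originating non-shell process.

Added example; not part of the sandbox report and not a vendor rule. The
events are constructed to mirror the tree's PIDs (3776 -> 900 -> 2028); the
ProcEvent layout, the extra PIDs and the launcher list are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Matched against the whole command line, so a chain passed to `cmd /c a & b & c`
# is caught on cmd.exe itself even when the child processes never get logged.
PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}

# Launchers we look through when attributing the behaviour to its source (assumed list).
LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e639306c7587cc302a5c6c6e638ea552d652c6b0e69457c373b50f89dab5b94c.exe"

# Constructed events. PIDs 3776/900/2028/2176 follow the report; 1234, 700 and 4100 are invented.
EVENTS = [
    ProcEvent(3776, 1234, SAMPLE, f'"{SAMPLE}"'),  # ppid 1234: stand-in for explorer.exe
    ProcEvent(900, 3776, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
              r' & bcdedit /set {default} recoveryenabled No'
              r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(2028, 900, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(2176, 700, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(4100, 1234, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows'),  # benign admin query
]


def _is_launcher(e):
    return ntpath.basename(e.image).lower() in LAUNCHERS


def attribute(proc, index):
    """Walk up from proc's parent until the first ancestor that is not a launcher.

    Starting at the parent keeps the tool itself (vssadmin.exe, or cmd.exe when
    the chain sits in its own command line) from being reported as the origin.
    """
    origin = index.get(proc.ppid)
    if origin is None:
        return proc
    while _is_launcher(origin) and origin.ppid in index:
        origin = index[origin.ppid]
    return origin


def find_recovery_inhibition(events):
    """Return (technique, pid, origin_pid, origin_image) for every matching event."""
    index = {e.pid: e for e in events}
    hits = []
    for e in events:
        for name, pat in PATTERNS.items():
            if pat.search(e.cmdline):
                origin = attribute(e, index)
                hits.append((name, e.pid, origin.pid, origin.image))
    return hits


def origins(events):
    """Collapse hits to {origin_pid: sorted technique names} for triage."""
    out = {}
    for name, _pid, origin_pid, _image in find_recovery_inhibition(events):
        out.setdefault(origin_pid, set()).add(name)
    return {pid: sorted(names) for pid, names in out.items()}


if __name__ == "__main__":
    for name, pid, origin_pid, image in find_recovery_inhibition(EVENTS):
        print(f"{name}: pid {pid} <- origin pid {origin_pid} ({image})")
```

On the constructed events this yields four hits, three on cmd.exe (PID 900: the vssadmin command and both bcdedit commands, none of which needed a bcdedit.exe process to be logged) and one on vssadmin.exe (PID 2028), all attributed to the sample (PID 3776); the benign "vssadmin list shadows" invocation is not matched.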