Analysis
max time kernel: 149s
max time network: 134s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-01-2022 00:52
Static task: static1
Behavioral task: behavioral1
Sample: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe
Resource: win10-en-20211208
General
Target: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe
Size: 164KB
MD5: 7419fb7e3354a8d3fed0213d888312ae
SHA1: bbfe9e30414da1a127c65ed6915e30131dd6db81
SHA256: df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919
SHA512: 342d58371a58a1f3361dfaa51e27623d3a835782a196f0daa2349ecace963611ac2e839006be1db42ae6b4f591f591661ee062090ea8b2fd7c8a028fc1496072
Malware Config
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
-
Drops file in Windows directory 64 IoCs
Processes:
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
620 vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid process
1528 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description pid process
Token: SeBackupPrivilege 1768 vssvc.exe
Token: SeRestorePrivilege 1768 vssvc.exe
Token: SeAuditPrivilege 1768 vssvc.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description pid process target process
PID 1528 wrote to memory of 292 1528 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe cmd.exe
PID 1528 wrote to memory of 292 1528 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe cmd.exe
PID 1528 wrote to memory of 292 1528 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe cmd.exe
PID 1528 wrote to memory of 292 1528 df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe cmd.exe
PID 292 wrote to memory of 620 292 cmd.exe vssadmin.exe
PID 292 wrote to memory of 620 292 cmd.exe vssadmin.exe
PID 292 wrote to memory of 620 292 cmd.exe vssadmin.exe
PID 292 wrote to memory of 620 292 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1528
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      PID: 292
        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
          PID: 620
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1768
Network
MITRE ATT&CK Enterprise v6
Downloads
-
memory/1528-55-0x00000000769D1000-0x00000000769D3000-memory.dmp
Filesize: 8KB