Analysis
- max time kernel: 141s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:38

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe
  Resource: win10-en-20211208
General
- Target: ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe
- Size: 143KB
- MD5: fb9d11c5ff87dd9071ab44f4c562ca3e
- SHA1: 1e383b22a38c91373ba446a820d61883f282cb3e
- SHA256: ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea
- SHA512: 6c9f8caee949d0161bc7a37301a24af4c3ecf136f6afe66793cf01936fc31143308e527093776d4a5c1c323ac4fb06257570bd197e0549367281d2be47e3e4b4
Malware Config
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe (PID 1172)
description | ioc
File opened (read-only) | \??\H:
File opened (read-only) | \??\K:
File opened (read-only) | \??\R:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\B:
File opened (read-only) | \??\F:
File opened (read-only) | \??\G:
File opened (read-only) | \??\W:
File opened (read-only) | \??\L:
File opened (read-only) | \??\O:
File opened (read-only) | \??\T:
File opened (read-only) | \??\M:
File opened (read-only) | \??\P:
File opened (read-only) | \??\S:
File opened (read-only) | \??\V:
File opened (read-only) | \??\A:
File opened (read-only) | \??\I:
File opened (read-only) | \??\J:
File opened (read-only) | \??\U:
File opened (read-only) | \??\X:
File opened (read-only) | \??\E:
File opened (read-only) | \??\N:
File opened (read-only) | \??\Q:
-
Drops file in Windows directory 64 IoCs
Processes:
ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe (PID 1172)
description | ioc
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_8a8178bbf463bc5f_shell32.dll.mui_19f538b4
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_6.1.7600.16385_none_56ada62f354bb10e_ktmw32.dll_835a43ee
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_798b5b93376ffdff.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-kokila_31bf3856ad364e35_6.1.7601.17514_none_4d4bb384a78cecc3_kokilai.ttf_4e371084
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_f212a9458fcfdbd5_lodctr.exe.mui_4ac7d1a1
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_6.1.7601.18972_none_09a44b6a3051f6fe.manifest
File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e_user32.dll_55f4ed20
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_a958e61749c0d36e.manifest
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5ad8e52591f53bae_oleres.dll.mui_ff00d4cb
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_1bac0b4d803e969e.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a9629c8343cf4d6d_certcredprovider.dll.mui_b5ad161e
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b9af51d366400194.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e0a02574e799f5bf.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a8af9daaf6cb0394.manifest
File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8f1e1b0781b835e8_msorcl32.chm_650a727b
File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_de-de_fd87d192873f7a84.manifest
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_uk-ua_b022280ea23d738e.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_71891b41ac925104.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5514f8211751b1ec_vds.exe.mui_2268d934
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8c5bb00ce4f9092e.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0b0ea14b1ebdba53_winbiosensoradapter.dll.mui_052ed7d8
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f298e23b420b8828.manifest
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f2c0440c5db68635.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_3a5350f1e9bfcf28.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_6.1.7600.16385_none_6193778dc77677cc.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b5c5f27e73b45f19_auditpol.exe.mui_df4767d7
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f36785427fe61495_scfilter.sys.mui_cebab716
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_503694bced118e0e_wshelper.dll.mui_be261ecd
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_8896fee7e045b2ca_mlang.dll.mui_2904864a
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2923fe40760e3420_winscard.dll.mui_4a82d97e
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f6695fe178d53374.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4748bb972be4cdaa_umpnpmgr.dll.mui_d66aed17
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c55cd6d925543760.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d85a3923c5c7157_sqlsodbc.chm_92fe0a89
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8b1dfaf7cd8149f2_oleaccrc.dll.mui_26339d25
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b79b0d067651d448.manifest
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_250c5db92cbbfe4b_crypt32.dll.mui_4268f86a
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-x..ificateenrollmentui_31bf3856ad364e35_6.1.7600.16385_none_2a47a0022a1c5b6c.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-kokila_31bf3856ad364e35_6.1.7601.17514_none_4d4bb384a78cecc3.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_70fb624d1eb400d4_mssign32.dll.mui_d663578f
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7102328b3bdd2f1c.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_78bddb838ba70741.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3de2b918dd486536.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac553040a56eff44_wshelper.dll.mui_be261ecd
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_ad070b6fb254bb8c.manifest
File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81.manifest
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_02e9e13998201d43_wer.dll.mui_e68ddae7
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_77f9a2307a488167.manifest
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2738fff0220e9aeb_mprmsg.dll.mui_210d8c31
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_et-ee_5c2b4262fb6368cb_comctl32.dll.mui_0da4e682
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_46e12cf1dd7ba188_comdlg32.dll.mui_ac8e62f4
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2590890fddbcebf.manifest
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2f58c6295ee26536_volmgrx.sys.mui_b0c205d7
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0e75d0c5c59459cc_iscsidsc.dll.mui_6acb64a6
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1cef5e4caeb0e28c_imageres.dll.mui_3e41dee6
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_de-de_37e3f297f894f855_mprmsg.dll.mui_210d8c31
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1820774de6bd4d16_loadperf.dll.mui_f6faeae0
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-f..temutilitylibraries_31bf3856ad364e35_6.1.7601.17514_none_eb9dc1c34def72a3_ifsutil.dll_7d6905f6
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_33e993f0490559ab_powrprof.dll.mui_a2448a34
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1987390f017a5bf9.manifest
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_en-us_adb3c1d9fa188607_winsockhc.dll.mui_a8a7d1fa
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6eae29ee4c1be3c7_htui.dll.mui_038c60dd
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2eb2f4087360ed21_puiapi.dll.mui_e94aeb19
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fca38a2d57506000_partmgr.sys.mui_b800c491
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
572 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1172 | ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe
1172 | ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeBackupPrivilege | 1120 | vssvc.exe
Token: SeRestorePrivilege | 1120 | vssvc.exe
Token: SeAuditPrivilege | 1120 | vssvc.exe
Note: vssvc.exe (PID 1120) is the Volume Shadow Copy service, which starts and enables these privileges when it services the vssadmin.exe request; this IoC corroborates the shadow-copy deletion rather than showing the sample itself raising privileges.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1172 wrote to memory of 704 (4 events) | 1172 | ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe | cmd.exe
PID 704 wrote to memory of 572 (4 events) | 704 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe (PID 1172)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 704, child of the sample; the 32-bit sample's System32 reference is redirected to SysWOW64 by WoW64)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (PID 572, child of cmd.exe)
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID 1120)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
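The process tree above is the detection-relevant core of this report: the sample spawns cmd.exe with a single command line that deletes all shadow copies and disables Windows recovery and boot-failure handling, and separately touches 24 drive roots (every letter except C: and D:). The script below is an added example, not part of the sandbox report and not code from the sample, showing how a triage tool would pick both signals out of a generic process-creation and file-open feed. The records are constructed to mirror the report (the short image name sample.exe, the parent PID 1000 for the sample, the field names pid/ppid/image/cmdline and the drive_threshold value are all assumptions of this example). Only vssadmin.exe appears as a child in the captured tree, so the bcdedit steps are matched on the cmd.exe command line rather than on their own process records.

```python
import re
from collections import defaultdict

# Constructed events modelled on the process tree and the "File opened (read-only)"
# IoCs in the report. Not real log records; the field names are an assumption.
PROCESS_EVENTS = [
    {"pid": 1172, "ppid": 1000,  # ppid 1000 is assumed; the report does not show it
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 704, "ppid": 1172,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
                 r' & bcdedit /set {default} recoveryenabled No'
                 r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures')},
    {"pid": 572, "ppid": 704,
     "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": r"vssadmin.exe Delete Shadows /All /Quiet"},
]

# One file-open record per drive root, in the order the report lists them (24 roots, no C: or D:).
FILE_OPEN_EVENTS = [(1172, "\\??\\%s:" % letter) for letter in "HKRYZBFGWLOTMPSVAIJUXENQ"]

# Command-line patterns for the three recovery-inhibition steps in the cmd.exe line.
INHIBIT_RECOVERY = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit_recoveryenabled_no":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_bootstatuspolicy_ignoreallfailures":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# NT object-manager path of a drive root as the sandbox records it: \??\X:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)


def match_inhibit_recovery(cmdline):
    """Return the names of every recovery-inhibition pattern present in one command line."""
    return sorted(name for name, rx in INHIBIT_RECOVERY.items() if rx.search(cmdline))


def ancestry(pid, events):
    """Walk ppid links upward from pid and return image basenames, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def drive_roots_per_pid(file_events):
    """Count distinct drive roots opened by each process."""
    roots = defaultdict(set)
    for pid, path in file_events:
        m = DRIVE_ROOT.match(path)
        if m:
            roots[pid].add(m.group(1).upper())
    return {pid: len(letters) for pid, letters in roots.items()}


def triage(events, file_events, drive_threshold=8):
    """Flag a pid on either signal. drive_threshold is an assumed tuning value;
    legitimate software rarely probes more than a handful of drive roots at once."""
    findings = {}
    for e in events:
        hits = match_inhibit_recovery(e["cmdline"])
        if hits:
            findings[e["pid"]] = {"inhibit_recovery": hits,
                                  "ancestry": ancestry(e["pid"], events)}
    for pid, n in drive_roots_per_pid(file_events).items():
        if n >= drive_threshold:
            findings.setdefault(pid, {})["drive_roots_opened"] = n
    return findings


if __name__ == "__main__":
    for pid, finding in sorted(triage(PROCESS_EVENTS, FILE_OPEN_EVENTS).items()):
        print(pid, finding)
```

The ancestry walk matters in practice: vssadmin.exe deleting shadows is also what a backup agent or an administrator does, so the alert should carry the chain (vssadmin.exe under cmd.exe under an executable in a user's Temp directory) rather than the bare vssadmin command.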
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps of PID 1172 (the sample):
file | size
memory/1172-54-0x0000000074F01000-0x0000000074F03000-memory.dmp | 8KB
memory/1172-57-0x00000000000F0000-0x00000000000F1000-memory.dmp | 4KB
memory/1172-56-0x00000000000E0000-0x00000000000EA000-memory.dmp | 40KB
memory/1172-58-0x0000000000100000-0x0000000000101000-memory.dmp | 4KB
memory/1172-59-0x0000000000190000-0x0000000000191000-memory.dmp | 4KB
memory/1172-60-0x0000000002230000-0x00000000022CF000-memory.dmp | 636KB
memory/1172-61-0x0000000002330000-0x000000000245D000-memory.dmp | 1.2MB
memory/1172-62-0x0000000000210000-0x000000000022F000-memory.dmp | 124KB
memory/1172-63-0x0000000002660000-0x0000000002769000-memory.dmp | 1.0MB
memory/1172-64-0x00000000001A0000-0x00000000001A6000-memory.dmp | 24KB