Analysis
max time kernel: 145s
max time network: 177s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-01-2022 01:38

Static task: static1
Behavioral task: behavioral1
  Sample: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  Resource: win10-en-20211208
General
Target: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
Size: 179KB
MD5: dbfbc199086b40dd57c667844aefd9a9
SHA1: 22d5bf8051eccff69ffcb3167b939312b9539378
SHA256: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce
SHA512: 363306bca170923bf7a6c47b6531ae7bdc95fde7a4b481635fb55b38298a918757743291a4318b158a389ff36536eb49c3457150d71dce5ee58ead855f62c96e
Malware Config
Extracted from: C:\n1e9f2pj3u-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/06DDE7DC57F89072
  http://decryptor.top/06DDE7DC57F89072
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification  \??\c:\users\admin\pictures\ShowGrant.tiff
  File opened for modification  \??\c:\users\admin\pictures\StopSet.tiff
  File renamed  C:\Users\Admin\Pictures\UpdateGet.tiff => \??\c:\users\admin\pictures\UpdateGet.tiff.n1e9f2pj3u
  File renamed  C:\Users\Admin\Pictures\ExpandGet.png => \??\c:\users\admin\pictures\ExpandGet.png.n1e9f2pj3u
  File renamed  C:\Users\Admin\Pictures\MountGrant.raw => \??\c:\users\admin\pictures\MountGrant.raw.n1e9f2pj3u
  File renamed  C:\Users\Admin\Pictures\PushUnregister.raw => \??\c:\users\admin\pictures\PushUnregister.raw.n1e9f2pj3u
  File renamed  C:\Users\Admin\Pictures\ShowGrant.tiff => \??\c:\users\admin\pictures\ShowGrant.tiff.n1e9f2pj3u
  File renamed  C:\Users\Admin\Pictures\StopSet.tiff => \??\c:\users\admin\pictures\StopSet.tiff.n1e9f2pj3u
  File renamed  C:\Users\Admin\Pictures\UnblockExit.tif => \??\c:\users\admin\pictures\UnblockExit.tif.n1e9f2pj3u
  File opened for modification  \??\c:\users\admin\pictures\UpdateGet.tiff
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\Q:
  File opened (read-only)  \??\S:
  File opened (read-only)  \??\X:
  File opened (read-only)  \??\Z:
  File opened (read-only)  \??\M:
  File opened (read-only)  \??\N:
  File opened (read-only)  \??\A:
  File opened (read-only)  \??\B:
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\K:
  File opened (read-only)  \??\L:
  File opened (read-only)  \??\O:
  File opened (read-only)  \??\P:
  File opened (read-only)  \??\T:
  File opened (read-only)  \??\U:
  File opened (read-only)  \??\V:
  File opened (read-only)  \??\Y:
  File opened (read-only)  \??\I:
  File opened (read-only)  \??\R:
  File opened (read-only)  \??\E:
  File opened (read-only)  \??\F:
  File opened (read-only)  \??\W:
  File opened (read-only)  \??\D:
Drops file in System32 directory (1 IoCs)
Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tm1gcw0gvid.bmp"
Drops file in Program Files directory (49 IoCs)
Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  File opened for modification  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcecompact35.dll
  File opened for modification  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceoledb35.dll
  File opened for modification  \??\c:\program files\ConvertToNew.TS
  File opened for modification  \??\c:\program files\DisconnectRemove.xsl
  File opened for modification  \??\c:\program files\RestoreWait.cab
  File opened for modification  \??\c:\program files\StartDisconnect.7z
  File opened for modification  \??\c:\program files\SubmitTest.mpg
  File opened for modification  \??\c:\program files\WatchDeny.cmd
  File opened for modification  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcese35.dll
  File opened for modification  \??\c:\program files\CheckpointSubmit.docx
  File opened for modification  \??\c:\program files\GetEnable.mpp
  File opened for modification  \??\c:\program files\PopOut.vssm
  File opened for modification  \??\c:\program files\RevokeDebug.rtf
  File opened for modification  \??\c:\program files\RemoveInitialize.ppt
  File opened for modification  \??\c:\program files\ResetRevoke.asf
  File opened for modification  \??\c:\program files\UnlockBlock.easmx
  File created  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\n1e9f2pj3u-readme.txt
  File created  \??\c:\program files\n1e9f2pj3u-readme.txt
  File opened for modification  \??\c:\program files\ConvertEdit.jfif
  File opened for modification  \??\c:\program files\CopyConfirm.mov
  File opened for modification  \??\c:\program files\ImportGet.ps1
  File opened for modification  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceer35EN.dll
  File opened for modification  \??\c:\program files\ResolveRequest.ods
  File created  \??\c:\program files (x86)\n1e9f2pj3u-readme.txt
  File opened for modification  \??\c:\program files\InvokeUpdate.dotx
  File opened for modification  \??\c:\program files\NewBlock.xml
  File opened for modification  \??\c:\program files\RequestPublish.gif
  File opened for modification  \??\c:\program files\CompleteCheckpoint.pptm
  File opened for modification  \??\c:\program files\MountNew.mpg
  File created  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\n1e9f2pj3u-readme.txt
  File opened for modification  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceqp35.dll
  File opened for modification  \??\c:\program files\UnprotectExit.reg
  File opened for modification  \??\c:\program files\CompareStep.ps1
  File opened for modification  \??\c:\program files\ConvertToSync.pptm
  File opened for modification  \??\c:\program files\PingPush.svgz
  File opened for modification  \??\c:\program files\ResetUninstall.ttc
  File opened for modification  \??\c:\program files\StepRestore.odt
  File opened for modification  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceca35.dll
  File opened for modification  \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceme35.dll
  File opened for modification  \??\c:\program files\ClosePush.M2TS
  File opened for modification  \??\c:\program files\FormatExpand.xps
  File opened for modification  \??\c:\program files\InstallShow.htm
  File opened for modification  \??\c:\program files\ResetDebug.ex_
  File opened for modification  \??\c:\program files\UnlockClear.wps
  File created  \??\c:\program files (x86)\microsoft sql server compact edition\n1e9f2pj3u-readme.txt
  File opened for modification  \??\c:\program files\AddInitialize.mpeg3
  File opened for modification  \??\c:\program files\EditSwitch.ttf
  File opened for modification  \??\c:\program files\GroupResume.js
  File opened for modification  \??\c:\program files\RedoSplit.TTS
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 1200  vssadmin.exe
Modifies system certificate store
Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = <DER certificate blob for the DigiCert Global Root CA; hex omitted>
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid 1688  89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
  Token: SeBackupPrivilege   pid 1824  vssvc.exe
  Token: SeRestorePrivilege  pid 1824  vssvc.exe
  Token: SeAuditPrivilege    pid 1824  vssvc.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe, cmd.exe
  description  pid  process  target process
  PID 1688 wrote to memory of 392  1688  89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe  cmd.exe
  PID 1688 wrote to memory of 392  1688  89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe  cmd.exe
  PID 1688 wrote to memory of 392  1688  89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe  cmd.exe
  PID 1688 wrote to memory of 392  1688  89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe  cmd.exe
  PID 392 wrote to memory of 1200  392  cmd.exe  vssadmin.exe
  PID 392 wrote to memory of 1200  392  cmd.exe  vssadmin.exe
  PID 392 wrote to memory of 1200  392  cmd.exe  vssadmin.exe
  PID 392 wrote to memory of 1200  392  cmd.exe  vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1688-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp  Filesize: 8KB