Analysis
- max time kernel: 131s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 00:58

Static task: static1

Behavioral task: behavioral1
- Sample: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
- Resource: win10-en-20211208
General
- Target: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
- Size: 164KB
- MD5: a516f397c9082f002550effe26f31628
- SHA1: 806784793ead7a2dadf85c257398d27a502e829a
- SHA256: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3
- SHA512: 874901ef785aaf38586633c3f1968b33522f5e79dfd542b571bd720f63b954823b39aba9d4ffb4ee11657d8befc10eed06cc297fa9e05dc0fe9ec31366eaf812
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  In this run the deletion is carried out through cmd.exe running vssadmin.exe Delete Shadows /All /Quiet (see the process tree below); the same cmd.exe command line also sets recoveryenabled No and bootstatuspolicy ignoreallfailures with bcdedit so that Windows Recovery is not offered after a failed boot.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe (PID 1448)
  description                ioc
  File opened (read-only)    \??\X:
  File opened (read-only)    \??\A:
  File opened (read-only)    \??\G:
  File opened (read-only)    \??\L:
  File opened (read-only)    \??\O:
  File opened (read-only)    \??\Q:
  File opened (read-only)    \??\S:
  File opened (read-only)    \??\W:
  File opened (read-only)    \??\E:
  File opened (read-only)    \??\J:
  File opened (read-only)    \??\T:
  File opened (read-only)    \??\Y:
  File opened (read-only)    \??\B:
  File opened (read-only)    \??\H:
  File opened (read-only)    \??\I:
  File opened (read-only)    \??\M:
  File opened (read-only)    \??\N:
  File opened (read-only)    \??\V:
  File opened (read-only)    \??\Z:
  File opened (read-only)    \??\F:
  File opened (read-only)    \??\K:
  File opened (read-only)    \??\P:
  File opened (read-only)    \??\R:
  File opened (read-only)    \??\U:
  The sample walks every drive letter except C: and D:, opening each volume root read-only; this is the reconnaissance step before encryption and is why the sandbox scores it as ransomware behaviour.
- Drops file in Windows directory (64 IoCs)
  The recorded events are opens-for-modification of existing files under C:\Windows\winsxs\Backup, not the creation of new payload files. Together with the drive enumeration above this is consistent with the sample walking the file system and opening whatever it can write to; the "Drops file" label is the sandbox's generic name for writes into the Windows directory.
  Process: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe (PID 1448)
  description: File opened for modification
  ioc:
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1d0162c550c828a3.manifest
  C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_4c936d19ce8f71ba_comctl32.dll.mui_0da4e682
  C:\Windows\winsxs\Backup\x86_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_de-de_694f3c78860517ad.manifest
  C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0e32b701c9788fec_esent.dll.mui_e30e3b90
  C:\Windows\winsxs\Backup\x86_microsoft-windows-mprapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_60de2899d60bf39a.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.1.7600.16385_none_b3eaf84f983a33ee_activeds.dll_662643d7
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8e70050b51da13ee.manifest
  C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_099b02651e31eb2c.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1256_31bf3856ad364e35_6.1.7600.16385_none_7fd6dd5722d91be9_c_1256.nls_72f6d1a9
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_06d3944f4edc080f.manifest
  C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fa73897e84783674.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991_afd.sys_084af4a8
  C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e8b9b6cce3abf5f.manifest
  C:\Windows\winsxs\Backup\x86_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_87e93ea72781141b_vsstrace.dll.mui_3a1fe238
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4bf9d57947dd35b9.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aff6dbf6c87c7754.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_90082f740162cae1.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-consolehost.resources_31bf3856ad364e35_6.1.7600.16385_es-es_71e7f0186b288c9a.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9f72475f89cffa63_irclass.dll.mui_c67cedc8
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-unimodem-core_31bf3856ad364e35_6.1.7600.16385_none_f08d2472ee3ef611.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_65b99de8d68f5c62_iscsiexe.dll.mui_7d81b1cc
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2ee797247339fb7c_puiapi.dll.mui_e94aeb19
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2b105891e24eb61_userprofilewmiprovider.mfl_b1cb99f9
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-rmcast_31bf3856ad364e35_6.1.7601.17514_none_b2a3d1a09e8a89b1.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210_protocol_e16769d2
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_6.1.7601.17514_none_352b5454878cd498.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_85855.fon_f139fbdc
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1143384e9ab8e550.manifest
  C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1a2f0b6630a66a2f.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346_drvinst.exe_6593e92a
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1255_31bf3856ad364e35_6.1.7600.16385_none_7f65562923221762.manifest
  C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dd93fd1708b38fd5_mofd.dll.mui_793ef98d
  C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_en-us_919783112bf8b64b_serialui.dll.mui_7d29d2a3
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_82ed82846d97d873_sdbinst.exe.mui_258ad624
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3f0725fa3b0fc19e_expand.exe.mui_3f54e013
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_de-de_a02b5db197af6758.manifest
  C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_6.1.7600.16385_none_782caecbca6c3448_iphlpsvcmigplugin.dll_b4697821
  C:\Windows\winsxs\Backup\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_db423f80885aae7d_wldap32.dll.mui_065dbd9c
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_7b686a16c899af6f.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b9af51d366400194_pautoenr.dll.mui_9667d15f
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_7.5.7601.17514_ja-jp_a378c96db82cbfec.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c686c1311f544cad.manifest
  C:\Windows\winsxs\Backup\x86_microsoft-windows-unimodem-config_31bf3856ad364e35_6.1.7600.16385_none_f4d7f7b17ffe522a.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptnet-dll_31bf3856ad364e35_6.1.7600.16385_none_730e32c11586bfeb.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..itmap-ms_sans_serif_31bf3856ad364e35_6.1.7600.16385_none_ac9f9e10add68c8b_sserifer.fon_12fbf572
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1255_31bf3856ad364e35_6.1.7600.16385_none_7f65562923221762_c_1255.nls_72a5bdba
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-864_31bf3856ad364e35_6.1.7600.16385_none_2addd390b4e226f5_c_864.nls_b55d753d
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e0a02574e799f5bf.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_c342610ed289dc75_perfd.dat_f1e3dfd2
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_6.1.7601.17514_none_e2a1ffe0ca40cff2_recdisc.exe_20690b49
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_6.1.7600.16385_none_946e6d209fe56342_bootvid.dll_c188118d
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.1.7601.17514_none_ef6d8ddb4eff2674_clusapi.dll_06332635
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app775.fon_dec57409
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-pshed_31bf3856ad364e35_6.1.7600.16385_none_b7e7d4f746c595bb_pshed.dll_f6ac239e
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_28376affe6d50544_tcpipcfg.dll.mui_a5479fc1
  C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_513edc990604dfb2_sdbinst.exe.mui_258ad624
  C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb2a201373875c74.manifest
  C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ar-sa_ce00766f323410b7_comctl32.dll.mui_0da4e682
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreos_31bf3856ad364e35_6.1.7601.17514_none_83784bb654f0d178_wmi.dll_cba0311d
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_6.1.7601.17514_none_2b4a7558412a624a.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_c342610ed289dc75_perfh.dat_e67d1236
  C:\Windows\winsxs\Backup\x86_microsoft-windows-winsock-legacy_31bf3856ad364e35_6.1.7600.16385_none_e33b8ccc72da5441.manifest
  C:\Windows\winsxs\Backup\amd64_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1e96aa8ba8b5d8f4_mfc42u.dll.mui_64d23330
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe (PID 972)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Process: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe (PID 1448)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: vssvc.exe (PID 1100)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
  These privileges are enabled by the Volume Shadow Copy service itself while it services the vssadmin deletion request; they are not acquired by the sample. On a real host the useful signal is the vssadmin command line, not the vssvc.exe token change.
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        source process                                                                  target process
  PID 1448 wrote to memory of 1944   d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe   cmd.exe (recorded 4 times)
  PID 1944 wrote to memory of 972    cmd.exe                                                                         vssadmin.exe (recorded 4 times)
  Both pairs are parent-to-child writes that line up with the process creations in the tree below, which is consistent with ordinary CreateProcess behaviour rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe"
  PID: 1448
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 1944
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 972
      - Interacts with shadow copies
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 476
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1100
  - Suspicious use of AdjustPrivilegeToken

The command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process on the windows7_x64 platform, so file-system redirection maps System32 to SysWOW64 for it and its children. Only the vssadmin.exe invocation appears as a child of cmd.exe in the recorded tree; no bcdedit.exe process is listed, so the report gives no evidence that the two bcdedit changes actually took effect.
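As an added example that is not part of this report or of the sandbox's own signature logic, the following Python turns the two behaviours the report keys on (the vssadmin/bcdedit recovery-inhibition chain in the process tree, and the burst of volume-root opens under "Enumerates connected drives") into detection logic run over constructed Sysmon-style process-creation and file-open events. The event field names (pid, ppid, image, cmdline, path), the unsecapp.exe file-open noise line and the sample's parent PID 1000 are assumptions of the example; the PIDs, images, command lines and drive letters are taken from the report above.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe"

# Constructed process-creation events in a Sysmon Event ID 1 / 4688 style.
# Field names are an assumption of this example; PIDs, images and command
# lines mirror the report's process tree. The sample's parent PID 1000 is
# invented, since the report does not record it.
PROC_EVENTS = [
    {"pid": 1448, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1944, "ppid": 1448, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
                r' & bcdedit /set {default} recoveryenabled No'
                r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 972, "ppid": 1944, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 476, "ppid": 600, "image": r"C:\Windows\system32\wbem\unsecapp.exe",
     "cmdline": r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"},
]

# Constructed file-open events (pid, path). The 24 volume-root opens reproduce
# the "Enumerates connected drives" IoCs; the unsecapp.exe line is benign noise.
FILE_EVENTS = [{"pid": 1448, "path": "\\??\\" + d + ":"} for d in "XAGLOQSWEJTYBHIMNVZFKPRU"]
FILE_EVENTS.append({"pid": 476, "path": r"C:\Windows\System32\wbem\Repository"})

# Command-line patterns for the recovery-inhibition chain seen in the report:
# (rule name, compiled regex). Case-insensitive, tolerant of a ".exe" suffix.
RECOVERY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# NT-native volume root such as \??\E: (the form the sandbox logged).
VOLUME_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)


def ancestry(pid, by_pid):
    """Walk ppid links upward and return image paths, child first.
    Stops at an unknown parent or on a PID cycle (PIDs get reused)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_recovery_tampering(events):
    """One hit per (rule, process) whose command line matches, with the
    process ancestry so an analyst sees who launched the cmd.exe chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        for name, rx in RECOVERY_RULES:
            if rx.search(e["cmdline"]):
                hits.append({"rule": name, "pid": e["pid"],
                             "chain": ancestry(e["pid"], by_pid)})
    return hits


def detect_drive_enumeration(file_events, threshold=3):
    """pid -> sorted drive letters for processes that opened the root of
    `threshold` or more non-C: volumes, the pattern the sandbox signature keys on."""
    roots = defaultdict(set)
    for fe in file_events:
        m = VOLUME_ROOT.match(fe["path"])
        if m and m.group(1).upper() != "C":
            roots[fe["pid"]].add(m.group(1).upper())
    return {pid: sorted(ds) for pid, ds in roots.items() if len(ds) >= threshold}


def triage(proc_events, file_events):
    """Per-PID verdict: a process that walks drive roots and, directly or
    through a descendant, inhibits recovery is flagged as ransomware-like."""
    hits = detect_recovery_tampering(proc_events)
    by_pid = {e["pid"]: e for e in proc_events}
    verdict = {}
    for pid, drives in detect_drive_enumeration(file_events).items():
        image = by_pid[pid]["image"] if pid in by_pid else None
        linked = sorted({h["rule"] for h in hits if image in h["chain"]})
        verdict[pid] = {"drives": len(drives), "recovery_rules": linked,
                        "ransomware_like": bool(linked)}
    return verdict


if __name__ == "__main__":
    for h in detect_recovery_tampering(PROC_EVENTS):
        print(h["rule"], h["pid"], " <- ".join(h["chain"]))
    print(triage(PROC_EVENTS, FILE_EVENTS))
```

The bcdedit rules fire on the cmd.exe command line even though no bcdedit.exe process is recorded in the tree, which is the point of matching on the launching command line rather than on the child image: the intent is visible at the cmd.exe boundary regardless of whether the later commands ran. The ancestry walk links the vssadmin.exe hit back to the sample so the alert names the process to kill, not just the living-off-the-land binary.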
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1448-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)