Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 01:03
Static task: static1
Behavioral task: behavioral1
- Sample: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe
- Resource: win10-en-20211208
General
- Target: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe
- Size: 318KB
- MD5: 8c9ef16fc701a75b0e33039c191947c8
- SHA1: 109a44f91ca28d84b7e617fc4f2b9cb8b017c582
- SHA256: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa
- SHA512: 0382c27b6cf8dda0daae15ee4c5e7f18969b4574157ad5ce4d3bed6807bba46bc4a2c51772afb5708f34056afc36034c737ce36b231296a77f4d2d1d729046ee
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe
  description: File opened (read-only); process: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe; ioc (one entry per drive letter): \??\V:, \??\X:, \??\Y:, \??\A:, \??\H:, \??\T:, \??\U:, \??\E:, \??\L:, \??\Z:, \??\N:, \??\Q:, \??\R:, \??\S:, \??\B:, \??\F:, \??\J:, \??\K:, \??\P:, \??\W:, \??\G:, \??\I:, \??\M:, \??\O:
- Drops file in Windows directory (64 IoCs)
  Processes: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe (description: File opened for modification)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 576)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe (PID 1504)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (PID 1556)
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe, cmd.exe
  PID 1504 (cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe) wrote to memory of PID 1696 (cmd.exe): 4 entries
  PID 1696 (cmd.exe) wrote to memory of PID 576 (vssadmin.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cbd55fb595d43c2c8e2e8c425e960190d6ba132e5ded89f43a964d85c40cd8aa.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1504-54-0x0000000076451000-0x0000000076453000-memory.dmp (filesize 8KB)