Analysis
- max time kernel: 129s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 01:08
Static task: static1
Behavioral task: behavioral1
- Sample: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Resource: win10-en-20211208
General
- Target: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Size: 164KB
- MD5: f745cbd7dfd4a27653b477836737dbd1
- SHA1: 8a078b872b61b7b5de9dc34993331249702d3d7a
- SHA256: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae
- SHA512: 5d66559b96697ad415ed10af0cbce4fe0c448aaf062a12ab6c64349482880695fceac509335f3d7a9eabd951b176391c4025c067a201d62887b129dc0f519488
Malware Config
Extracted from: C:\6825sar84-readme.txt
Family: sodinokibi
URLs:
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/72BD99C1498ED29C
- http://decryptor.top/72BD99C1498ED29C
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
  - File renamed: C:\Users\Admin\Pictures\ReadOpen.png => \??\c:\users\admin\pictures\ReadOpen.png.6825sar84 (c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe)
  - File renamed: C:\Users\Admin\Pictures\SkipBlock.tiff => \??\c:\users\admin\pictures\SkipBlock.tiff.6825sar84 (c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe)
  - File opened for modification: \??\c:\users\admin\pictures\SkipBlock.tiff (c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe)
  - File renamed: C:\Users\Admin\Pictures\RepairEdit.tif => \??\c:\users\admin\pictures\RepairEdit.tif.6825sar84 (c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe)
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
  - File opened (read-only) by c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe: \??\I:, \??\Q:, \??\S:, \??\X:, \??\Y:, \??\G:, \??\U:, \??\V:, \??\H:, \??\F:, \??\J:, \??\M:, \??\N:, \??\O:, \??\P:, \??\R:, \??\A:, \??\D:, \??\W:, \??\E:, \??\K:, \??\L:, \??\T:, \??\Z:, \??\B:
- Drops file in System32 directory (1 IoCs)
  Processes (description / ioc / process):
  - File opened for modification: C:\Windows\System32\CatRoot2\dberr.txt (c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w833shn4.bmp" (c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe)
- Drops file in Program Files directory (19 IoCs)
  Processes (description / ioc / process), all by c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe:
  - File opened for modification: \??\c:\program files\ApproveInvoke.vssx
  - File opened for modification: \??\c:\program files\LimitSearch.pptx
  - File opened for modification: \??\c:\program files\MergeSend.7z
  - File created: \??\c:\program files (x86)\6825sar84-readme.txt
  - File opened for modification: \??\c:\program files\OutFormat.docx
  - File opened for modification: \??\c:\program files\OutResolve.wav
  - File created: \??\c:\program files\6825sar84-readme.txt
  - File opened for modification: \??\c:\program files\CheckpointRead.tmp
  - File opened for modification: \??\c:\program files\FindUnprotect.vdw
  - File opened for modification: \??\c:\program files\RedoConnect.pcx
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\6825sar84-readme.txt
  - File opened for modification: \??\c:\program files\UseFormat.png
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\6825sar84-readme.txt
  - File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\6825sar84-readme.txt
  - File opened for modification: \??\c:\program files\ApproveTest.wmf
  - File opened for modification: \??\c:\program files\FindAssert.png
  - File opened for modification: \??\c:\program files\ImportEnter.rle
  - File opened for modification: \??\c:\program files\MountAssert.xlsm
  - File opened for modification: \??\c:\program files\UnblockProtect.docx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid / process):
  - 1080 vssadmin.exe
- Modifies system certificate store
  Processes (description / ioc / process):
c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141
a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4C27431717565A3A07F3E6D0032C4258949CF9EC c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4C27431717565A3A07F3E6D0032C4258949CF9EC\Blob = 
0300000001000000140000004c27431717565a3a07f3e6d0032c4258949cf9ec140000000100000014000000f5cdd53c0850f96a4f3ab797da5683e669d268f7040000000100000010000000342e1e02d91852d4a66f8a892167c8fa0f0000000100000020000000a2de33490c476d356e2dbc737c2779692249526b65ab8fba9a34280481c8bdfc19000000010000001000000014b989b317682449c76eb3c21dac16e7180000000100000010000000a823b4a20180beb460cab955c24d7e212000000001000000510400003082044d30820335a003020102020b040000000001444ef03631300d06092a864886f70d01010b05003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3134303232303130303030305a170d3234303232303130303030305a304c310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613122302006035504031319416c70686153534c204341202d20534841323536202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100da01ece4ec7360fb7e8f6ab7c617e3926432d4ac00d9a20fb9edee6b8a86ca9267d974d75d47023c8f40d69e6d14cdc3da2939a70f050a68a2661a1ec4b28b7658e5ab5d1d8f40b3398bef1e837d22d0e3a9002eec53cf62198544284cc027cb7b0eec10640010a405cca072be416c315b48e4b1ecb923eb554dd07d624aa5b4a5a45985c52591a6fea6099f06106d8f810c64405e73009ae02e65985410007098c8e1ed345fd89cc70dc0d6235945fcfe557a86ee946022f1aed1e65546f699c51b08745facb064848f89381ca1a790214f026ebde06167d4f842870f0af7c9046d2aa92fef42a5dfdda353db981e81f99a727b5ade4f3e7fa258a0e217ad670203010001a38201233082011f300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020100301d0603551d0e04160414f5cdd53c0850f96a4f3ab797da5683e669d268f730450603551d20043e303c303a0604551d20003032303006082b06010505070201162468747470733a2f2f7777772e616c70686173736c2e636f6d2f7265706f7369746f72792f30330603551d1f042c302a3028a026a0248622687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742e63726c303d06082b060105050701010431302f302d06082b060105050730018621687474703a2f2f6f6373702e676c6f62616c7369676e2e636f6d2f726f6f747231
301f0603551d23041830168014607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010b050003820101006040681647e7168ddb5ca1562acbf45c9bb01ea24bf5cb023ff80ba1f2a742d4b74cebe36680f32543782e1b1756075218cbd1a8ece6fb733ea4628c80b4d2c51273a3d3fa0238be633d84b899c1f1baf79fc340d1581853c162ddaf18427f344ec543d571b03000c7e390ae3f578697ceea0c128e2270e366a7547f2e28cbd454d0b31e626708f927e1cbe366b8241b896a894465f2d94cd2581c8c4ec095a1d4ef672f3820e82eff9651f0bad83d927047651c9e7372b4600c5ce2d17376e0af4ee2e537a5452f8a233e87c730e631387cf4dd52caf353042557566694e80beee603144eeefd6d94649e5ece79d4b2a6cf40b144a83e87195ee9f821165953 c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe -
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
  - 1892 c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeBackupPrivilege, 1588 vssvc.exe
  - Token: SeRestorePrivilege, 1588 vssvc.exe
  - Token: SeAuditPrivilege, 1588 vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 1892 wrote to memory of 1952: c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe -> cmd.exe (4 events)
  - PID 1952 wrote to memory of 1080: cmd.exe -> vssadmin.exe (4 events)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe"
  PID: 1892
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 1952
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 1080
      - Interacts with shadow copies
- [depth 1] C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1384
- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1588
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1892-54-0x0000000076C91000-0x0000000076C93000-memory.dmp (filesize: 8KB)