sodinokibi | a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2

General

Target

a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
Size

1.7MB
MD5

f41d66b74e77fea64949ec3188080ddd
SHA1

613f1d7c336496e419734b6e5630695e4f7cf5f4
SHA256

a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2
SHA512

34815b5248a0b81a0d6dcf9756e4d286511f499eb623559ab4c17afc1e105c19f1636266036b7e948d0216709791be56bfeae1bf7c435d65ca1c94254f9e7ce6

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe

description	ioc	process
File opened (read-only)	\??\I:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\L:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\M:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\R:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\T:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\A:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\E:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\H:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\W:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\X:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\J:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\U:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\Y:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\B:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\F:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\G:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\P:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\Q:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\V:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\Z:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\K:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\N:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\O:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened (read-only)	\??\S:	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe

Drops file in Windows directory 64 IoCs

Processes:

a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.15063.0_none_6c839b1516a28042.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_de-de_72ae0481be0160c2.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.15063.0_es-es_ff6a001fa544bde2.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_1a52bffe303ba629.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sl-si_40fad639bb52c987_comctl32.dll.mui_0da4e682	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_de-de_53ab704c5bfd8301_drvinst.exe.mui_e88f4c73	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.15063.0_en-us_4d64ef6218a1ebe5_nsisvc.dll.mui_237a741f	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_b324b5ac254d7072.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_b324b5ac254d7072_vdsutil.dll.mui_0caf9b0e	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.15063.0_es-es_fc6ed764690f8dcf.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_885e3a56f370809b.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_tr-tr_b4c2e4b843761379_comctl32.dll.mui_0da4e682	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_8f3419f68fe61192.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_03474fa863a84227.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.15063.0_none_b7972f79a940b072_psapi.dll_e8b5b4d1	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_es-es_d21d37cff862835d.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.15063.0_none_685fe984eaf6056e_appidsvc.dll_b571c01a	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-fileinfominifilter_31bf3856ad364e35_10.0.15063.0_none_e7c8d45e6a1c8c7b.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga852.fon_0a8e74dc	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.15063.0_de-de_c8d121395a04e07d.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.15063.0_none_0ecb907c70c8a1bf_netlogon.dll_90e0458e	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.15063.0_none_b658a5fa435968f5_workerdd.dll_a9a6f55a	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_es-es_effb6eaa34ff2c34.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_993ce3e93eba8262.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_de-de_fdf8a75c105fcf0a_umpnpmgr.dll.mui_d66aed17	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_pt-br_d6133df613164066_bootmgr.exe.mui_c434701f	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_cvgasys.fon_a23acca1	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.15063.0_en-us_97bbad8acf6a108f_lsasrv.dll.mui_d47f7e1c	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profapi_31bf3856ad364e35_10.0.15063.0_none_0f5cdf3669d57e57_profapi.dll_d55ae499	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.15063.0_none_ce6bccb1aa74baa3.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_en-us_987c8d6bc746e508_mpssvc.dll.mui_4b194b5f	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fr-ca_97104af0d7031f5b.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_7f6609be4b2dcbcf.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-lsa-extension_31bf3856ad364e35_10.0.15063.0_none_da4e3d83edc5d78f.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.15063.0_none_3816518ced62ca02_kernelbase.dll_7f3dc5f6	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_f0a3dce56b0ecafa.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5522510b24d3f7d4_fwremotesvr.dll_afaa5ea8	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.15063.0_none_ce1403c73448ec90_oleaut32.dll_730e3d41	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase_31bf3856ad364e35_10.0.15063.0_none_bf8a1f019f8c15f7.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_b6139f14f6c955d6.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_2ed22fa716fc8ba6.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_bg-bg_0db76bcd0aaf78a5_msimsg.dll.mui_72e8994f	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.15063.0_none_bc1b3f5b642099f1.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nt-core-bootmanager_31bf3856ad364e35_10.0.15063.0_none_fce6a4f7a7da6cb9.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_fc9c46454adb8ec6.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shcore_31bf3856ad364e35_10.0.15063.0_none_e1dc608f8e651b89_shcore.dll_c9cc19cc	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-us_fc172dc3df31b12e.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.15063.0_en-us_76b6693524012765_hidserv.dll.mui_561adfc8	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_es-es_1b6a375ead065e2c.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.15063.0_none_8f74af7c219a26c7_smss.exe_d7209c3a	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_en-us_96a997d1296ad733_mprdim.dll.mui_11b5ef08	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui_31bf3856ad364e35_10.0.15063.0_none_c809cce62764b8db.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_fr-fr_062dd68942622861_winhttp.dll.mui_f661192f	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_bd1d1a4af7dd55de_wiaservc.dll.mui_54051b53	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-tw_d1c976e3059aeb0e_comctl32.dll.mui_0da4e682	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_vgafixt.fon_de219118	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_577e152805b98c1f.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.15063.0_none_7c75c42fae043d1e_winhttp.dll_6cd72d6e	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_0bafa5afe5ef93e0.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.15063.0_de-de_7a7bbe6b4471ea21.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_de-de_532657caf053a569.manifest	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga737.fon_11d63f16	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1624 vssadmin.exe

pid	process
1624	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe

pid	process
2300	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
2300	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3224 vssvc.exe
Token: SeRestorePrivilege 3224 vssvc.exe
Token: SeAuditPrivilege 3224 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3224	vssvc.exe
Token: SeRestorePrivilege	3224	vssvc.exe
Token: SeAuditPrivilege	3224	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.execmd.exe

description	pid	process	target process
PID 2300 wrote to memory of 3572	2300	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe	cmd.exe
PID 2300 wrote to memory of 3572	2300	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe	cmd.exe
PID 2300 wrote to memory of 3572	2300	a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe	cmd.exe
PID 3572 wrote to memory of 1624	3572	cmd.exe	vssadmin.exe
PID 3572 wrote to memory of 1624	3572	cmd.exe	vssadmin.exe
PID 3572 wrote to memory of 1624	3572	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe
"C:\Users\Admin\AppData\Local\Temp\a3357f13aefee0a14ffa3ccabc8c93b06b9ef15e43e63d615429cc83b5ace0a2.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3572