sodinokibi | a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a

General

Target

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
Size

159KB
MD5

89b21e0bdc3be808c42a82e17372b4c6
SHA1

6a19a7205c51dc59938b0264f173eeb1815ff4e1
SHA256

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a
SHA512

22449634409904eda5f312266afb6f3200e35a1177222be0bc505b6bec2accc5ad3cef3ba43b17c2d2947f6b6f694ba7bc0b3fe825488365565b7972465354b4

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

description	ioc	process
File opened (read-only)	\??\H:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\M:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\R:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\W:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\X:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\Y:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\B:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\J:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\K:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\P:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\S:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\Z:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\A:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\L:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\N:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\O:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\T:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\U:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\I:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\F:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\G:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\Q:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\V:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\E:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

Drops file in Windows directory 64 IoCs

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_d95144dae1ebc183_ngcsvc.dll.mui_96312421	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.15063.0_none_7d3d04174acaa727_shell32.dll_0d29dca9	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_bcd50e80524ea2f0_msvcp_win.dll_48149df4	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_60a2bc9e6ffb13be.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmilib_31bf3856ad364e35_10.0.15063.0_none_6a68d3903cfb6ab2.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_d3bf5352148cac82_bootmgr.exe.mui_c434701f	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-pt_70c4d50f8d2ba207_comctl32.dll.mui_0da4e682	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.15063.0_none_6c3a936ba57599b0_winresume.exe_85cd1215	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2e6eeb726263cb9d.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.15063.0_en-us_fbaca31b325f23d3.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-tw_8a1c400bf11ec208.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_1b72f2a049408d5f.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_326ea0f914b4afde_bootmgr.efi.mui_be5d0075	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga869.fon_09ec4cfe	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_es-es_1b6a375ead065e2c.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ty-cng-keyisolation_31bf3856ad364e35_10.0.15063.0_none_d55075a52ee8912b_keyiso.dll_897976dc	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-twinapi-appcore_31bf3856ad364e35_10.0.15063.0_none_c4afd53ef6b024d5_twinapi.appcore.dll_8d6512dc	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_de-de_36043fc5ada66c50_mswsock.dll.mui_d7c2a730	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.15063.0_de-de_a78df7cf1a8f042b_webclnt.dll.mui_e8f04040	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hr-hr_5705fc83f923aa47.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_6c16683b69705fa5_combase.dll.mui_6db10b33	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shacct_31bf3856ad364e35_10.0.15063.0_none_d7160ce35a44058a_shacct.dll_f953c950	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_ja-jp_927b4bdd0caf1fba_winhttp.dll.mui_f661192f	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_d52e5cec6165a196_dnsapi.dll.mui_97465f8a	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_en-gb_99d113d98ded3e14_comctl32.dll.mui_0da4e682	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_es-es_e5a6c458009e6a39.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ar-sa_c50cf4a0af973ef3_comctl32.dll.mui_0da4e682	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fr-ca_c192b575045d79b3.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.15063.0_none_4a395d1c23946704_appidtel.exe_b664fbc5	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_th-th_f86cf2fb5a7af7cf.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_8f3419f68fe61192_bootmgr.efi.mui_be5d0075	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_ef72388408dd81e9_bootmgfw.efi.mui_a6e78cfa	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_1444ca153bdbf449.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.15063.0_none_7d3d04174acaa727_windowsshell.manifest_ad1cb5ce	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hr-hr_0f58c5ace4a78141_comctl32.dll.mui_0da4e682	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_174418e7a8ce4d04_applockercsp.dll.mui_d2a0df70	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.15063.0_none_c6c4eadade764d0d_comdlg32.dll_b1ffde97	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..lecore-ras-base-vpn_31bf3856ad364e35_10.0.15063.0_none_a1af4bb1e5163dc9_rasapi32.dll_5418d87b	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_289d2cb046c263c2_fidocredprov.dll.mui_4ca89266	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..turalauthentication_31bf3856ad364e35_10.0.15063.0_none_04ced512d82feb94_naturalauthclient.dll_2d6e08dc	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_de-de_2af769b1bbfa0dd4_wintypes.dll.mui_36d5f25a	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.15063.0_none_314522d34b560919_windows.ui.xaml.controls.private.dll_8dc0d676	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_473f3bcd45fa2eca_mofcomp.exe.mui_35badf56	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_06c8a8054dc02d3d_wudfhost.exe.mui_1fc689ff	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_es-es_1b6a375ead065e2c_keyiso.dll.mui_4bbf12ff	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msfs_31bf3856ad364e35_10.0.15063.0_none_b784197455bb2003_msfs.sys_ea96697c	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.15063.0_none_8c9a5ae0c87057ba_ntmarta.dll_cd048e61	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_es-es_5644c6e3437cf0b4.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-drivers_31bf3856ad364e35_10.0.15063.0_none_01e0e8792e07e99a_wdboot.sys_9bae05d2	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-es_6e122c03212f2631.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_de-de_9e4d8c43f6cb726c.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_c3c95b73e48b1ae8_iscsicli.exe.mui_64c0a23c	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_de-de_72ae0481be0160c2.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_1d93f33351bcef30_services.exe.mui_86ea5e71	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_en-us_74d5f5c7b3aae50f_userdeviceregistration.dll.mui_22ab8f29	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.15063.0_none_a861864702eca1e1_windows.ui.xaml.maps.dll_b092594a	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.15063.0_none_f39dd1f571ccd621_memtest.exe_01d80391	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_es-es_0ef9b2aa8bc1fa87_scdeviceenum.dll.mui_815e7662	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_it-it_2e0498215340df5e.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_c5ef67472648fded.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.15063.0_de-de_7ca341af89682490_samsrv.dll.mui_32250491	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_10.0.15063.0_none_22f6ec0bb529250e.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_4a6f22b16a256be7_keyiso.dll.mui_4bbf12ff	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_54c3cd039e862de2.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3972 vssadmin.exe

pid	process
3972	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

pid	process
1300	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
1300	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
1300	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
1300	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2916 vssvc.exe
Token: SeRestorePrivilege 2916 vssvc.exe
Token: SeAuditPrivilege 2916 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2916	vssvc.exe
Token: SeRestorePrivilege	2916	vssvc.exe
Token: SeAuditPrivilege	2916	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.execmd.exe

description	pid	process	target process
PID 1300 wrote to memory of 3468	1300	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe	cmd.exe
PID 1300 wrote to memory of 3468	1300	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe	cmd.exe
PID 1300 wrote to memory of 3468	1300	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe	cmd.exe
PID 3468 wrote to memory of 3972	3468	cmd.exe	vssadmin.exe
PID 3468 wrote to memory of 3972	3468	cmd.exe	vssadmin.exe
PID 3468 wrote to memory of 3972	3468	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
"C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1300-119-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1300-118-0x0000000000F60000-0x0000000000F83000-memory.dmp

Filesize
140KB

Download
memory/1300-120-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/1300-121-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1300-122-0x00000000026C0000-0x00000000026C6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads