sodinokibi | 0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794

General

Target

0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
Size

3.3MB
MD5

576fcb4d6324df3c549d2c5d5d4af022
SHA1

5724577c1776fe704f70271927d5101acb5e3c4a
SHA256

0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794
SHA512

abcecb6cec254281b55f025de7a2f37967dc81009f87ac7ca532af76232806276314c0420f5aa90bfa75c7149e78ecc521b44e6a21f8c4dc9eeb66820ff34e93

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe

description	ioc	process
File opened (read-only)	\??\A:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\I:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\M:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\N:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\S:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\V:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\Y:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\R:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\T:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\X:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\Z:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\F:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\H:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\K:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\L:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\B:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\E:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\G:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\J:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\O:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\P:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\Q:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\U:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened (read-only)	\??\W:	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe

Drops file in Windows directory 64 IoCs

Processes:

0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_477d5eb32bbddc05_drvinst.exe.mui_e88f4c73	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_5bddbcb24e997298_nlsvc.mof_c4f094c8	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_51bcbc61a5466a58_certenroll.dll_d6e4c532	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f97a7f2743de2ff5.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..pe-malgungothicbold_31bf3856ad364e35_6.1.7600.16385_none_41783c072f347b6d_malgunbd.ttf_6ad5519c	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1820774de6bd4d16_perfc.dat_f4bd9339	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_688bce682bc4b24c_winbiosensoradapter.dll.mui_052ed7d8	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2dba46ae3c357fb2_odbcinst.chm_608e33e2	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_6.1.7601.17514_none_2b4a7558412a624a_nshwfp.dll_a8fa0a82	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shacct.resources_31bf3856ad364e35_6.1.7600.16385_es-es_32ceb24e175f8f83.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_nl-nl_a60989855737fdee_comdlg32.dll.mui_ac8e62f4	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_226c70953d052250_scfilter.sys.mui_cebab716	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_de-de_a0388400ce247642_msimsg.dll.mui_72e8994f	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6b83d7cd687b9918_ole32.dll.mui_5035d60a	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_05b98a45d5a86346_dwm.exe.mui_706e052f	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_04ce5feb5c81cd4f.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d85a3923c5c7157_msdasc.chm_e6d620a3	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shfolder_31bf3856ad364e35_6.1.7600.16385_none_4b125fb438c5a314_shfolder.dll_4d2402cf	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_671c48b9c28e5906.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4353abdbd172892d_irclass.dll.mui_c67cedc8	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_es-es_14e39707837fbde6.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ronment-dvd-bootfix_31bf3856ad364e35_6.1.7600.16385_none_7157b258f5bac0c5.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_th-th_d3425786c0003660_comdlg32.dll.mui_ac8e62f4	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_62c39dbcabda5813_credui.dll.mui_34721171	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_8514oeme.fon_dbdae0a9	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_uk-ua_cf512494a37b217c.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_02e1f48d8d7f349c.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ed028e8c78f92183.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8b1e4a75fe840204_authui.dll.mui_19b92789	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sk-sk_d539b488144eefb8_comdlg32.dll.mui_ac8e62f4	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_af38ff0e0c7a9cb9.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..-truetype-gishabold_31bf3856ad364e35_6.1.7600.16385_none_f50009547b049b77.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-simsunb_31bf3856ad364e35_6.1.7600.16385_none_ecef7b9d35a0dabd.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-708_31bf3856ad364e35_6.1.7600.16385_none_2ae246a0b4dfd97e.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-imm32_31bf3856ad364e35_6.1.7601.17514_none_c4d0cdd7c56b493e_imm32.dll_53c2ab30	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7601.17514_en-us_86e740d52c04167e_mprmsg.dll.mui_210d8c31	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1b6385863b22bff1.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_hr-hr_caf6c1e0049b2c40.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6d89a9aa5ed31424_mpr.dll.mui_a313505c	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_755f24abe639fb46_sti_ci.dll.mui_f0a16278	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_58531de323d90bc5_mlang.dll.mui_2904864a	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_2bf2f100dfb34cb2_mpssvc.dll.mui_4b194b5f	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bfac60257d903e60_gpapi.dll.mui_ef0a9748	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ntdll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1b98cec386f4ee7b.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351_kmddsp.tsp.mui_80ddeedb	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155_rasdiag.dll_341d4299	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_a958e61749c0d36e_comctl32.dll.mui_0da4e682	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c2bf0e25e7a17c20_esent.dll.mui_e30e3b90	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2945884bb037beb_puiapi.dll.mui_e94aeb19	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5db7df5b307ffadc_printui.exe.mui_5e66aade	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e8dccb238c9862b1_kmddsp.tsp.mui_80ddeedb	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_13b9a88a2eaf457e.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_6.1.7601.17514_none_76234513809272a3_sccls.dll_921efb66	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7601.17514_none_50ddb631e4f59005.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_es-es_37da4de470bd3352_msorcl32.chm_650a727b	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e4d46cbfc094f384.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e4dacd214324325_clfs.sys.mui_1310ba12	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-pcw_31bf3856ad364e35_6.1.7600.16385_none_0c06880570316dc3.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasbase-rassstp-repl.man_f9e15598	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_146c699b1d830881.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5deef3a761f839a1.manifest	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_lt-lt_1b4d466a173e8550_msimsg.dll.mui_72e8994f	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-869_31bf3856ad364e35_6.1.7600.16385_none_2add61a8b4e2a71a_c_869.nls_a71cf43a	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_083761eb9020e571_iprtrmgr.dll.mui_eb023b92	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1820 vssadmin.exe

pid	process
1820	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe

pid	process
1468	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
1468	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 240 vssvc.exe
Token: SeRestorePrivilege 240 vssvc.exe
Token: SeAuditPrivilege 240 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	240	vssvc.exe
Token: SeRestorePrivilege	240	vssvc.exe
Token: SeAuditPrivilege	240	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 1748	1468	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe	cmd.exe
PID 1468 wrote to memory of 1748	1468	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe	cmd.exe
PID 1468 wrote to memory of 1748	1468	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe	cmd.exe
PID 1468 wrote to memory of 1748	1468	0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe	cmd.exe
PID 1748 wrote to memory of 1820	1748	cmd.exe	vssadmin.exe
PID 1748 wrote to memory of 1820	1748	cmd.exe	vssadmin.exe
PID 1748 wrote to memory of 1820	1748	cmd.exe	vssadmin.exe
PID 1748 wrote to memory of 1820	1748	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe
"C:\Users\Admin\AppData\Local\Temp\0bde4808da065b62a84c6bd7a3b1f3e3964892a5fc338d6a48a49492c2135794.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:240

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1468-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1468-56-0x00000000022C0000-0x000000000235F000-memory.dmp

Filesize
636KB

Download
memory/1468-58-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/1468-60-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1468-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1468-57-0x00000000026C0000-0x00000000027ED000-memory.dmp

Filesize
1.2MB

Download
memory/1468-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1468-62-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/1468-63-0x0000000002980000-0x0000000002A89000-memory.dmp

Filesize
1.0MB

Download
memory/1468-64-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads