Analysis
- max time kernel: 147s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:32
Static task: static1
Behavioral task: behavioral1
  Sample: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  Resource: win10-en-20211208
General
- Target: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
- Size: 1.6MB
- MD5: d6d93656172bd60bbfac554de1014b09
- SHA1: af85b83f01c748ac8f3dd58176a7e7ec4671f570
- SHA256: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7
- SHA512: 342fa797c6b3c0730aaacba66b159febc341634baff44caae54f742aacd2ef9ea16b414d961247bf48f005d7c5b189c01476aab3f32b12970931aec6de909587
Malware Config
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  Process column for every row below: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  description | ioc
  File opened (read-only) | \??\E:
  File opened (read-only) | \??\T:
  File opened (read-only) | \??\Y:
  File opened (read-only) | \??\Z:
  File opened (read-only) | \??\A:
  File opened (read-only) | \??\J:
  File opened (read-only) | \??\M:
  File opened (read-only) | \??\Q:
  File opened (read-only) | \??\V:
  File opened (read-only) | \??\H:
  File opened (read-only) | \??\L:
  File opened (read-only) | \??\O:
  File opened (read-only) | \??\R:
  File opened (read-only) | \??\S:
  File opened (read-only) | \??\N:
  File opened (read-only) | \??\P:
  File opened (read-only) | \??\U:
  File opened (read-only) | \??\B:
  File opened (read-only) | \??\F:
  File opened (read-only) | \??\G:
  File opened (read-only) | \??\I:
  File opened (read-only) | \??\K:
  File opened (read-only) | \??\W:
  File opened (read-only) | \??\X:
- Drops file in Windows directory (64 IoCs)
  Processes: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  Process column for every row below: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  description | ioc
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17932_none_f1cc51dc6cfd0cbf.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_95503b1f4b07b926.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasbase-rassstp-repl.man_f9e15598
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_517d915ca0c7b0ce.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..ificateenrollmentui_31bf3856ad364e35_6.1.7600.16385_none_86663b85e279cca2.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104_apphelp.dll_7ce69c4a
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ruetype-iskoolapota_31bf3856ad364e35_6.1.7600.16385_none_2a668cf479ef0388.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pt-pt_a7c5fb6de18360b8_msimsg.dll.mui_72e8994f
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_d961938b8cd1e885_dhcpclientdll.ptxml_6a7470ef
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_29d62e2c7d66c554_mswsock.dll.mui_d7c2a730
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_0dfae70253a9fb02.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sl-si_8c963396bc18f3f1.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-708_31bf3856ad364e35_6.1.7600.16385_none_2ae246a0b4dfd97e.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_22b18c66b73f6810.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210_services_d4a357ca
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff_shimeng.dll_2036b947
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_efdb39f58f7fc483.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-kokila_31bf3856ad364e35_6.1.7601.17514_none_4d4bb384a78cecc3_kokilabi.ttf_822b42fe
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1d298d428a973659.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f7b09044d73c37a9.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a_ndadmin.exe_8e57269f
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main_31bf3856ad364e35_6.1.7601.17514_none_426cfc30c37c5a4e_spp.dll_d7bb2b05
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-activexproxy_31bf3856ad364e35_6.1.7601.17514_none_14159d5b488c6fa1_actxprxy.dll_82133921
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_es-es_120b6f55750a1517_efscore.dll.mui_5a74c206
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_93d8d7e28ba5f11d_bootmgfw.efi.mui_a6e78cfa
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4748bb972be4cdaa_drvinst.exe.mui_e88f4c73
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_en-us_667ff2e88dc1b9c6_keyiso.dll.mui_4bbf12ff
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1_services.mof_abfc36b4
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7b176a691d8ef141_mprdim.dll.mui_11b5ef08
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_58ec176c913d7aa6.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_3899b0ad2bb77a86_iscsiwmi.dll_272dd9e6
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_718373162933d652.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_cis.scp_0303a193
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6137e73d441ccb81_powrprof.dll.mui_a2448a34
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5588b35e1b8aed89_dhcpcsvc.dll.mui_186571e1
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17932_none_f1cc51dc6cfd0cbf_kernel32.dll_ef9eca7e
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ive-blackbox-loader_31bf3856ad364e35_6.1.7600.16385_none_c72819e06acceb59.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-time-service_31bf3856ad364e35_6.1.7600.16385_none_e49c555686fbabd6_w32time.dll_2a7540a9
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c8666cba19c26e1_mdminst.dll.mui_19a87063
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_41850747ece57d4a_vsstrace.dll.mui_3a1fe238
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e0c114cf82ecf59.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89_winresume.exe_85cd1215
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-arial_31bf3856ad364e35_6.1.7601.17514_none_d0a9759ec3fa9e2d_arial.ttf_e828c109
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9fd3daa29505fb3c.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_91cbec40d69be922_sendmail.dll.mui_cbac108c
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9bb11a054c9491fa.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_474fefd249f1db0e_wbiosrvc.dll.mui_d5b8b2b8
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5f8cc8189e9fc533_mofcomp.exe.mui_35badf56
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_94d14c6cb3fd8b81.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local_31bf3856ad364e35_6.1.7601.17514_none_1220a4865bb3d9a0_rpcrt4.dll_5aa847dd
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_75107e8ff0ade521_winload.efi.mui_35ee487d
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f1814dbfdb6aeac1_userprofilewmiprovider.mfl_b1cb99f9
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2680d87b94823709_rpcrt4.dll.mui_9745823e
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b35cdcc8215d3ecd.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2eb2f4087360ed21.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ider-interface-stub_31bf3856ad364e35_6.1.7600.16385_none_f8210304686499ec.manifest
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cb446d33b8328ccb_appidapi.dll.mui_b6af37bb
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7b614a5dfbb391be.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-angsananew_31bf3856ad364e35_6.1.7600.16385_none_bfea396e1dabb335_angsab.ttf_2615c880
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_he-il_8bea70024ec7fc32_msimsg.dll.mui_72e8994f
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_de-de_260fca3a475cc286_ndadmin.exe.mui_2e106c3e
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ck-legacy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4a338035a6b605bd_wsock32.dll.mui_18b23987
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_618833a5b4f8d33b.manifest
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  772 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  pid | process
  1040 | 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1072 | vssvc.exe
  Token: SeRestorePrivilege | 1072 | vssvc.exe
  Token: SeAuditPrivilege | 1072 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe, cmd.exe
  description | pid | process | target process
  PID 1040 wrote to memory of 1404 | 1040 | 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe | cmd.exe
  PID 1040 wrote to memory of 1404 | 1040 | 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe | cmd.exe
  PID 1040 wrote to memory of 1404 | 1040 | 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe | cmd.exe
  PID 1040 wrote to memory of 1404 | 1040 | 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe | cmd.exe
  PID 1404 wrote to memory of 772 | 1404 | cmd.exe | vssadmin.exe
  PID 1404 wrote to memory of 772 | 1404 | cmd.exe | vssadmin.exe
  PID 1404 wrote to memory of 772 | 1404 | cmd.exe | vssadmin.exe
  PID 1404 wrote to memory of 772 | 1404 | cmd.exe | vssadmin.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1040-54-0x00000000754B1000-0x00000000754B3000-memory.dmp (Filesize: 8KB)