Analysis
- max time kernel: 181s
- max time network: 184s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 02:32
Static task
- static1
Behavioral task behavioral1
- Sample: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
- Resource: win7-en-20211208
Behavioral task behavioral2
- Sample: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
- Resource: win10-en-20211208
General
- Target: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
- Size: 1.6MB
- MD5: d6d93656172bd60bbfac554de1014b09
- SHA1: af85b83f01c748ac8f3dd58176a7e7ec4671f570
- SHA256: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7
- SHA512: 342fa797c6b3c0730aaacba66b159febc341634baff44caae54f742aacd2ef9ea16b414d961247bf48f005d7c5b189c01476aab3f32b12970931aec6de909587
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  description: File opened (read-only); one IoC per drive root:
    \??\W:  \??\E:  \??\O:  \??\Q:  \??\V:  \??\U:  \??\I:  \??\M:
    \??\N:  \??\S:  \??\P:  \??\X:  \??\H:  \??\J:  \??\K:  \??\L:
    \??\A:  \??\B:  \??\F:  \??\G:  \??\R:  \??\T:  \??\Y:  \??\Z:
- Drops file in Windows directory (64 IoCs)
  Processes: 0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  description: File opened for modification; all IoCs are under C:\Windows\WinSxS\Backup\ :
    amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.15063.0_en-us_7b1120505ec3e729.manifest
    amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_b7ed768c09faea67.manifest
    amd64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_10.0.15063.0_none_03cb89fc0724bf2c.manifest
    amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.15063.0_en-us_31d27467b2b5145e_win32kbase.sys.mui_07d441e9
    wow64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_es-es_8ead935787359bfd.manifest
    wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_a8505d07e016d76d.manifest
    amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_78aafb7af9d71d92_bootmgr.efi.mui_be5d0075
    amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.15063.0_none_2aad78202bd046dc_power.settings.display.ppkg_7381929e
    x86_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.15063.0_none_6aa64f572618dbd7.manifest
    amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_en-us_74d5f5c7b3aae50f_userdeviceregistration.ngc.dll.mui_d2c6ca95
    amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_bcd50e80524ea2f0.manifest
    amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ar-sa_91f9f4c8478981a6.manifest
    wow64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.15063.0_es-es_3c6da488499731b8.manifest
    wow64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_es-es_6099713577ddb2af_wininit.exe.mui_997435f5
    x86_microsoft-windows-shlwapi_31bf3856ad364e35_10.0.15063.0_none_aeceefba2520337c.manifest
    amd64_microsoft-windows-apisetschema-windows_31bf3856ad364e35_10.0.15063.0_none_3b4068c19378e16b.manifest
    amd64_microsoft-windows-f..uetype-malgungothic_31bf3856ad364e35_10.0.15063.0_none_1663b7b0fef8745d_malgun.ttf_166813d8
    wow64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_02b887e1681e18f9_combase.dll.mui_6db10b33
    x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pl-pl_6d8f1aff8f329e47.manifest
    amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.15063.0_none_2aad78202bd046dc_power.settings.sleep.ppkg_fc8ae8fd
    amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.15063.0_de-de_895cc75926317253.manifest
    wow64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_es-es_6255d07dcc16d604_msimsg.dll.mui_72e8994f
    wow64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.15063.0_none_d48d673ef5ca25b4_scesrv.dll_07b1e224
    amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_lv-lv_06be8d86c3187ada_bootmgr.efi.mui_be5d0075
    amd64_microsoft-windows-rpc-endpointmapper_31bf3856ad364e35_10.0.15063.0_none_5ba657bf1b65363e.manifest
    amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.15063.0_none_8f74af7c219a26c7.manifest
    amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_55a7888f18467879.manifest
    amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_3cea917b11996ccf_wmiutils.dll.mui_42583eaf
    amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_2d3314094995484e.manifest
    amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.15063.0_none_a1044f9c5a781c1a.manifest
    wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c_pad.inf_dbf42768
    amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.15063.0_none_ca38bcecc16963b9_scesrv.dll_07b1e224
    amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.15063.0_es-es_7adc7d345eead8ce.manifest
    wow64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.15063.0_none_e9be2557d1df757f_windows.ui.xaml.inkcontrols.dll_523c865d
    amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.15063.0_none_6c839b1516a28042_crypt32.dll_9c3ccf73
    amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_1141baa620971e6b.manifest
    amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_3a3e806dc2631896_lsasrv.dll.mui_d47f7e1c
    amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_33a9f3ab14804647_scfilter.sys.mui_cebab716
    wow64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_0bafa5afe5ef93e0_mpsdrv.sys.mui_b2aea3b6
    x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_et-ee_9ae4f76b8d42c00d.manifest
    amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.15063.0_none_6c3a936ba57599b0_winresume.efi_85cd069f
    amd64_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_a58aebbbaa94540c.manifest
    x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_en-us_6e46cf1f2108348c_comctl32.dll.mui_0da4e682
    amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_vgafixt.fon_de219118
    amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_es-es_c394b857e4b20c8d.manifest
    amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5522510b24d3f7d4_ipsecsvc.mof_713662d2
    amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.15063.0_none_291118dda2c1a1ca_scarddlg.dll_b3dbecec
    wow64_microsoft-windows-pshed_31bf3856ad364e35_10.0.15063.0_none_775b66db9a440a77_pshed.dll_f6ac239e
    wow64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_de-de_4058ea17e2072e4b.manifest
    amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_d90ce5ca72c0a37e.manifest
    amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_de-de_debbbd462df48416_winresume.exe.mui_ff8b5358
    amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_ega40869.fon_5e8f5479
    amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.15063.0_en-us_addbd04b6fa954b7_sppsvc.exe.mui_40875a72
    amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.15063.0_none_edf3c89e04cf9f63.manifest
    amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_8177e8a18f7d801c.manifest
    amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.15063.0_es-es_504a2aac09940195.manifest
    amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_nb-no_e1663e689467fdb8_comctl32.dll.mui_0da4e682
    amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_el-gr_8f9125b021f304a0_bootmgfw.efi.mui_a6e78cfa
    amd64_microsoft-windows-dfsclient_31bf3856ad364e35_10.0.15063.0_none_98ae07171eea9e46.manifest
    x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_9e9a00a6d22ab935.manifest
    x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_aaf722a283f6bf8c.manifest
    amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_de-de_af44f34ea8b1169f.manifest
    amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_577e152805b98c1f_msimsg.dll.mui_72e8994f
    amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.15063.0_none_bcbd1290a09b9a77_rasmigplugin.dll_7ee2aa40
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 1572  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 1448  0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
    pid 1448  0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeBackupPrivilege    1732  vssvc.exe
    Token: SeRestorePrivilege   1732  vssvc.exe
    Token: SeAuditPrivilege     1732  vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                         pid   process                                                                    target process
    PID 1448 wrote to memory of 840     1448  0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe      cmd.exe
    PID 1448 wrote to memory of 840     1448  0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe      cmd.exe
    PID 1448 wrote to memory of 840     1448  0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe      cmd.exe
    PID 840 wrote to memory of 1572     840   cmd.exe                                                                    vssadmin.exe
    PID 840 wrote to memory of 1572     840   cmd.exe                                                                    vssadmin.exe
    PID 840 wrote to memory of 1572     840   cmd.exe                                                                    vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe
  "C:\Users\Admin\AppData\Local\Temp\0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
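Two of the behaviours recorded above are directly detectable from endpoint telemetry: the cmd.exe child that chains vssadmin Delete Shadows with the two bcdedit changes, and the sample opening the root of every drive letter other than C:. The following is an added example (not part of the sandbox report) that runs both checks over constructed records modelled on the report's process tree and IoCs. The tuple layout (pid, ppid, image, command line) and (pid, object path) is this example's own convention rather than any sandbox or EDR schema; the sample's parent PID is not given in the report, so it is left as None, and the "vssadmin list shadows" row and the D: open by pid 2200 are constructed benign noise.

```python
"""Detection logic for the recovery-inhibition chain (cmd.exe -> vssadmin.exe)
and the drive-root enumeration recorded in this report. Added example; the
event record layout is this example's own, not a real sandbox/EDR schema."""
import re
from collections import defaultdict

SAMPLE = "0dc3670a24756dc50b247841027645b0e72ff0427ee11027e479a2bfa17c22d7.exe"

# Constructed process-creation records: (pid, ppid, image path, command line).
# PIDs, images and command lines of the first three rows are those in the
# report's process tree; the sample's own parent PID is not reported (None).
# The fourth row is constructed benign noise: an admin listing shadow copies.
PROCESS_EVENTS = [
    (1448, None, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, f'"{SAMPLE}"'),
    (840, 1448, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
     r' & bcdedit /set {default} recoveryenabled No'
     r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    (1572, 840, r"C:\Windows\SysWOW64\vssadmin.exe", r"vssadmin.exe Delete Shadows /All /Quiet"),
    (2200, 2100, r"C:\Windows\System32\vssadmin.exe", r"vssadmin list shadows"),
]

# Constructed file-open records: (pid, NT object path). The 24 drive roots are
# the IoCs listed under "Enumerates connected drives"; the D: open is noise.
FILE_EVENTS = [(1448, f"\\??\\{letter}:") for letter in "WEOQVUIMNSPXHJKLABFGRTYZ"]
FILE_EVENTS.append((2200, "\\??\\D:"))

# One rule per command in the chain cmd.exe ran. Matching the command line
# rather than the image path keeps the rules valid under WOW64 redirection,
# where a 32-bit caller's "System32\cmd.exe" actually runs from SysWOW64.
RECOVERY_INHIBITION_RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit_recoveryenabled_no":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignoreallfailures":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")


def ancestry(pid, events):
    """Image file names from pid up through every parent present in events."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.rsplit("\\", 1)[-1])
        pid = ppid
    return chain


def find_recovery_inhibition(events):
    """pid -> (sorted rule names hit, ancestry) for each matching command line."""
    findings = {}
    for pid, _, _, cmdline in events:
        hits = sorted(name for name, rx in RECOVERY_INHIBITION_RULES.items() if rx.search(cmdline))
        if hits:
            findings[pid] = (hits, ancestry(pid, events))
    return findings


def find_drive_enumeration(file_events, threshold=5):
    """pid -> sorted drive letters for processes that opened the root of at
    least `threshold` drives other than C: (the exclusion the report applies)."""
    roots = defaultdict(set)
    for pid, path in file_events:
        m = DRIVE_ROOT.match(path)
        if m and m.group(1).upper() != "C":
            roots[pid].add(m.group(1).upper())
    return {pid: sorted(v) for pid, v in roots.items() if len(v) >= threshold}


if __name__ == "__main__":
    for pid, (hits, chain) in sorted(find_recovery_inhibition(PROCESS_EVENTS).items()):
        print(f"pid {pid}: {', '.join(hits)}  chain: {' <- '.join(chain)}")
    for pid, letters in find_drive_enumeration(FILE_EVENTS).items():
        print(f"pid {pid}: opened {len(letters)} drive roots: {''.join(letters)}")
```

Two caveats visible in the tree itself are worth carrying into real rules. First, cmd.exe and vssadmin.exe run from C:\Windows\SysWOW64 although the command line names System32: the sample is a 32-bit process and gets WOW64 file-system redirection, while vssvc.exe, a native service, runs from system32. A rule keyed on a System32-only image path would miss this chain, which is why the example matches on command line and image basename. Second, the 64 "Drops file in Windows directory" hits are all "File opened for modification" on existing component files under C:\Windows\WinSxS\Backup, which is consistent with the encryption pass reaching the Windows directory rather than with a payload being written there.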