Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:35
Static task: static1
Behavioral task: behavioral1
- Sample: 0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe
- Resource: win10-en-20211208
General
- Target: 0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe
- Size: 157KB
- MD5: 79f2341510d9fb5291aefc3e69d18253
- SHA1: 70f2bc8cc0861dc5ff4590821d67ac34272c929a
- SHA256: 0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c
- SHA512: 6b3922e53960be8ef803706661384d1a92b85aa2225347cf27153ad5ebb79695bb0d73a861a0f95e1129512ff7f148d725172148584fa519796d79a301f365cb
Malware Config
Signatures
- Sodin, Sodinokibi, REvil: Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs): Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs): Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC): Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 552)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe (PID 1412)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (PID 772)
  Token: SeBackupPrivilege   PID 772  vssvc.exe
  Token: SeRestorePrivilege  PID 772  vssvc.exe
  Token: SeAuditPrivilege    PID 772  vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe, cmd.exe
  description                      pid   process                                                               target process
  PID 1412 wrote to memory of 324  1412  0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe  cmd.exe
  PID 1412 wrote to memory of 324  1412  0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe  cmd.exe
  PID 1412 wrote to memory of 324  1412  0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe  cmd.exe
  PID 1412 wrote to memory of 324  1412  0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe  cmd.exe
  PID 324 wrote to memory of 552   324   cmd.exe                                                               vssadmin.exe
  PID 324 wrote to memory of 552   324   cmd.exe                                                               vssadmin.exe
  PID 324 wrote to memory of 552   324   cmd.exe                                                               vssadmin.exe
  PID 324 wrote to memory of 552   324   cmd.exe                                                               vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1412-55-0x0000000076851000-0x0000000076853000-memory.dmp (Filesize: 8KB)