sodinokibi | 5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae

General

Target

5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
Size

1.6MB
MD5

bd79e0f7bc063b12ace75cf119bffa7e
SHA1

646be1f7d7ece285af8f89844760032ed2608a4e
SHA256

5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae
SHA512

938b1461e894b7ec3417a25c4e0a59f9aa52c606a7aadc077afa98d22fc53cdd0869c2319dfd1e155fd5720b8b2b369f769627529ca9d72633cac07f61cca8f0

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe

description	ioc	process
File opened (read-only)	\??\P:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\Q:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\S:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\I:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\K:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\L:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\M:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\N:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\T:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\W:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\X:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\Y:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\F:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\G:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\R:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\Z:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\B:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\J:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\O:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\A:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\E:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\H:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\U:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened (read-only)	\??\V:	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe

Drops file in Windows directory 64 IoCs

Processes:

5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-netbios_31bf3856ad364e35_6.1.7600.16385_none_b5d6a9d184d05567_netnb.inf_c581b89a	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aac12e1c9878d430_certcredprovider.dll.mui_b5ad161e	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6674b4d9f148cbe1_objsel.dll.mui_9b915792	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6e2a0ad92d67864d_efscore.dll.mui_5a74c206	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..e-sakkalmajallabold_31bf3856ad364e35_6.1.7600.16385_none_48cbf868d7b65eee_majallab.ttf_89ca3422	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga932.fon_1042dbe9	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_hr-hr_31e8875e951df7c2_msimsg.dll.mui_72e8994f	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_38fe497fea9b41b8_bootmgr.efi.mui_be5d0075	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_6.1.7601.17514_none_dcd8219f2b322141.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_df7c5af777ec4541_cfgmgr32.dll_7bc7e545	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_4c936d19ce8f71ba_comctl32.dll.mui_0da4e682	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a84306473c671bb0.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4f8ceabc4666dfe3_hdwwiz.cpl.mui_cdafedff	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e26822dcb0734f73.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4730168dcf6e8468.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_84ba675e1f78be8c.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b9d7dfd0cf7954f6_kmddsp.tsp.mui_80ddeedb	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bf2cff0b66713162_sxproxy.dll.mui_f9d8f818	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_6.1.7601.17514_none_90ba4080c9f2e648_wiaservc.dll_08fa1e78	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_47c3a7a7b5db2631_dnsrslvr.dll.mui_1e1a1ed1	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ruetype-new_tai_lue_31bf3856ad364e35_6.1.7600.16385_none_325f57c8c0ee36a8_ntailu.ttf_c1891505	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-registrysettings_31bf3856ad364e35_6.1.7601.17514_none_f3d758aac7bc3445_muifontsetup.dll_47a24edd	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f36e4f388e096ead.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_c718d071d9c10a2d_msobjs.dll_052c8a60	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aac11498ff0f4ac.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_fr-fr_3be308a15257341c.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_efdb39f58f7fc483_gpsvc.dll.mui_0c160ac2	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_3899b0ad2bb77a86_iscsicli.exe_20e14d4f	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce_bridge.sys_4e5f368e	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_17eeca5539272d2f.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_79b34814f7ded8e5_bootmgfw.efi.mui_a6e78cfa	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_68f632f43987fd09_bootmgr.efi.mui_be5d0075	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_pt-pt_4b9a399af2b0e098.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_6.1.7600.16385_none_782caecbca6c3448.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_vgasysr.fon_af0ffe9e	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_ega80852.fon_608992fb	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2b20d65de15b2977.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7aec48ea1bde353f_iphlpapi.dll.mui_9531144c	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_646109f2014f4049_certcli.dll.mui_1b6822cf	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_80f1f0a40b5d6999.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_990fb5253ef5803e.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_76947f39c3323d43.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c1bb3b50a112e8e7_webservices.dll.mui_eecc809d	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_030746ff6460d052.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_144ec08914537b72_irclass.dll.mui_c67cedc8	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7cf923f66d81e6b9_searchfolder.dll.mui_8c30bdaf	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..itmap-ms_sans_serif_31bf3856ad364e35_6.1.7600.16385_none_ac9f9e10add68c8b_sserifft.fon_12f4f3b9	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..uetype-malgungothic_31bf3856ad364e35_6.1.7600.16385_none_6144d01edfdac19c_malgun.ttf_166813d8	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_29d62e2c7d66c554.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8618f8f77422454f_mlang.dll.mui_2904864a	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_85f6c12b845befb7_printui.exe.mui_5e66aade	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d834d2eb290c1edd.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ional-codepage-1251_31bf3856ad364e35_6.1.7600.16385_none_21809ded6be89410.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-filtermanager-core_31bf3856ad364e35_6.1.7601.17514_none_6f2f7861416b9bc6.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d835bdc71c586c2f_iscsiprf.mfl_24c6459c	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sxssrv_31bf3856ad364e35_6.1.7600.16385_none_bc7acb14d0edfca2.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_50b6d9399b37584b_hdwwiz.exe.mui_b4acc7bc	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_67f0b62b00a7235a_slc.dll.mui_dc24f809	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_lt-lt_bf218497286c0530.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a8a35d7d66a988e1_efssvc.dll.mui_03cc4e41	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.1.7601.17514_none_ef6d8ddb4eff2674.manifest	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_7019de43f9e3a677_prflbmsg.dll.mui_4caa0054	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bae2a13a05218d0f_advapi32.dll.mui_28c7718f	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

268 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe

pid process

960 5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 768 vssvc.exe
Token: SeRestorePrivilege 768 vssvc.exe
Token: SeAuditPrivilege 768 vssvc.exe

pid	process
268	vssadmin.exe

pid	process
960	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe

description	pid	process
Token: SeBackupPrivilege	768	vssvc.exe
Token: SeRestorePrivilege	768	vssvc.exe
Token: SeAuditPrivilege	768	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.execmd.exe

description	pid	process	target process
PID 960 wrote to memory of 1884	960	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe	cmd.exe
PID 960 wrote to memory of 1884	960	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe	cmd.exe
PID 960 wrote to memory of 1884	960	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe	cmd.exe
PID 960 wrote to memory of 1884	960	5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe	cmd.exe
PID 1884 wrote to memory of 268	1884	cmd.exe	vssadmin.exe
PID 1884 wrote to memory of 268	1884	cmd.exe	vssadmin.exe
PID 1884 wrote to memory of 268	1884	cmd.exe	vssadmin.exe
PID 1884 wrote to memory of 268	1884	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
"C:\Users\Admin\AppData\Local\Temp\5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1884