Analysis
-
max time kernel: 169s
max time network: 184s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 02:01
Static task: static1
Behavioral task: behavioral1
- Sample: 5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
- Resource: win10-en-20211208
General
-
Target: 5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
Size: 1.6MB
MD5: bd79e0f7bc063b12ace75cf119bffa7e
SHA1: 646be1f7d7ece285af8f89844760032ed2608a4e
SHA256: 5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae
SHA512: 938b1461e894b7ec3417a25c4e0a59f9aa52c606a7aadc077afa98d22fc53cdd0869c2319dfd1e155fd5720b8b2b369f769627529ca9d72633cac07f61cca8f0
Malware Config
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
-
Drops file in Windows directory 64 IoCs
Processes:
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 516 vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid 2324 5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
pid 2324 5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exe (pid 1572): Token: SeBackupPrivilege
vssvc.exe (pid 1572): Token: SeRestorePrivilege
vssvc.exe (pid 1572): Token: SeAuditPrivilege
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 2324 wrote to memory of 1984 (5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe -> cmd.exe)
PID 2324 wrote to memory of 1984 (5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe -> cmd.exe)
PID 2324 wrote to memory of 1984 (5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe -> cmd.exe)
PID 1984 wrote to memory of 516 (cmd.exe -> vssadmin.exe)
PID 1984 wrote to memory of 516 (cmd.exe -> vssadmin.exe)
PID 1984 wrote to memory of 516 (cmd.exe -> vssadmin.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5941557368568811e75bbaab62f4229c4909c9c8ad61c4f11b693a9dd12335ae.exe"
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    -
        C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken