sodinokibi | 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e

General

Target

547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
Size

161KB
MD5

adcf55265a209bad0f166437319396ef
SHA1

00e99ecb276e96f54dd99759c72a71aca09b4fa1
SHA256

547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e
SHA512

98876cee418e7ab54f5e120c550c2be1050a4fd79e4102e343a446fd63ef9d4f8b49c7b6a9acccd49c2be1791665e9561c9b7c6e6d76a8168981f8cfde412c39

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe

description	ioc	process
File opened (read-only)	\??\O:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\P:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\Q:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\A:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\B:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\F:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\J:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\K:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\S:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\M:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\U:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\V:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\X:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\Z:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\E:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\I:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\L:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\T:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\Y:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\G:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\H:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\N:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\R:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened (read-only)	\??\W:	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe

Drops file in Windows directory 64 IoCs

Processes:

547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_da-dk_21e0c564d3266f5e_memtest.efi.mui_71e15c22	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_de-de_cbe51fcec4ccd94a_dsreg.dll.mui_5d9efc7e	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_el-gr_263eefe20cc3684f.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptbase_31bf3856ad364e35_10.0.15063.0_none_80ce59041b297298_cryptbase.dll_83e36053	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_es-es_6099713577ddb2af_wininit.exe.mui_997435f5	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_3787be5b7df60a49_wmpdui.dll.mui_92411657	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..type-yugothicmedium_31bf3856ad364e35_10.0.15063.0_none_7577d1da9d88566e.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.15063.0_de-de_d808e8331a1020ea.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_6c79cdb02823d69b.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-mx_5baee2aa73549e23_comctl32.dll.mui_0da4e682	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_zh-cn_b933028e5bbba2e5_comctl32.dll.mui_0da4e682	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..gon-tools.resources_31bf3856ad364e35_10.0.15063.0_de-de_7dcf93d1dba4d685.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.15063.0_none_b1c695092fbfd7f6.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_66e3922ab91bb38c_memtest.efi.mui_71e15c22	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_en-gb_886312f82692f412_bootmgr.efi.mui_be5d0075	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_et-ee_51c0f1bb9bbbf098.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_10.0.15063.0_none_bcdc71d81c5b7ee4.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_10.0.15063.0_none_bcdc71d81c5b7ee4_dxgkrnl.sys_8aad3dfb	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc_31bf3856ad364e35_10.0.15063.0_none_0cc530a66b7bc511.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_en-gb_1f10dd2a116357c1.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_lt-lt_175f1fe42af483ec.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_es-es_8e182ef83abe4823_sti.dll.mui_00a4f15b	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sk-sk_5682eb806727225d_comctl32.dll.mui_0da4e682	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_6a80037cb6d3d7c4.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasrtutils_31bf3856ad364e35_10.0.15063.0_none_1e296d4a23494905.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.15063.0_es-es_01a6accecaca285e.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.15063.0_none_e2aafdd9e59cf01f_msobjs.dll_052c8a60	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_d123dd2c727d3948_svchost.exe_4dd0f0bc	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_de-de_4058ea17e2072e4b_mswsock.dll.mui_d7c2a730	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_10.0.15063.0_none_609a7a0e009c5fa9_ws2ifsl.sys_2d588da9	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.15063.0_en-us_76b6693524012765.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_bg-bg_3839d6513809d2fd.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_es-es_794b71b522f7c9b2.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-uxtheme_31bf3856ad364e35_10.0.15063.0_none_b6f8740d3f5e547a.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_el-gr_5951efba74d1259c_comctl32.dll.mui_0da4e682	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netapi32_31bf3856ad364e35_10.0.15063.0_none_9e47f44c3a5e979a_netapi32.dll_8b1e859a	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.15063.0_en-us_0f3f9edc83750aba_partmgr.sys.mui_b800c491	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_bb2535b5b2501498.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smbminirdr_31bf3856ad364e35_10.0.15063.0_none_90a5466e89ec288b_mrxsmb.sys_cf1a02fc	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_a3a63dfe70f0e46f_userdeviceregistration.ngc.dll.mui_d2c6ca95	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.15063.0_es-es_e07c9d9b067f12d3_dsregcmd.exe.mui_8ce2c638	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-imm32_31bf3856ad364e35_10.0.15063.0_none_77bea1a1e79a7865.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c_pad.inf_dbf42768	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-us_628a7399cbefe45f.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nt-core-bootmanager_31bf3856ad364e35_10.0.15063.0_none_fce6a4f7a7da6cb9.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-csrsrv_31bf3856ad364e35_10.0.15063.0_none_da9b103ede2c5b31_csrsrv.dll_f50da7f9	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.15063.0_none_18fdca143ee4528f_bridgemigplugin.dll_4c0b8021	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus.systemcopy_31bf3856ad364e35_10.0.15063.0_none_f7ee6fbe2edc3d66_gdiplus.dll_423f7010	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_es-es_06bc4d7b7f634266.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.15063.0_none_b8dd2546aef29fc8.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_en-gb_ccee4c53ab398f02_bootmgr.exe.mui_c434701f	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_sr-..-rs_61f5adcf622ceaac.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7fd92574f8ebc00c_tcpipcfg.dll.mui_a5479fc1	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice_31bf3856ad364e35_10.0.15063.0_none_bb1659e5012b4fbe_themeservice.dll_223a3220	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_de-de_cbe51fcec4ccd94a.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_0adcb2fafa2b2b02.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ru-ru_6fbaaffc5d91072d.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_de-de_6a9ff63914f2420a_sdbinst.exe.mui_258ad624	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_8e4cd2143a97567e_wiaservc.dll.mui_54051b53	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_0118bd0b66fae87a_gpsvc.dll.mui_0c160ac2	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_es-es_dec072a29cab69ba.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_193bb5ceb03ac714.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_et-ee_f5a25637e35e7f62.manifest	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_lt-lt_e44c200bc2e6c69f_comctl32.dll.mui_0da4e682	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4088 vssadmin.exe

pid	process
4088	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe

pid	process
3052	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
3052	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
3052	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
3052	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4076 vssvc.exe
Token: SeRestorePrivilege 4076 vssvc.exe
Token: SeAuditPrivilege 4076 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4076	vssvc.exe
Token: SeRestorePrivilege	4076	vssvc.exe
Token: SeAuditPrivilege	4076	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.execmd.exe

description	pid	process	target process
PID 3052 wrote to memory of 592	3052	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe	cmd.exe
PID 3052 wrote to memory of 592	3052	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe	cmd.exe
PID 3052 wrote to memory of 592	3052	547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe	cmd.exe
PID 592 wrote to memory of 4088	592	cmd.exe	vssadmin.exe
PID 592 wrote to memory of 4088	592	cmd.exe	vssadmin.exe
PID 592 wrote to memory of 4088	592	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
"C:\Users\Admin\AppData\Local\Temp\547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:4088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3052-118-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/3052-119-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/3052-120-0x00000000008D0000-0x00000000008F3000-memory.dmp

Filesize
140KB

Download
memory/3052-121-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3052-122-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads