sodinokibi | 504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093

General

Target

504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
Size

143KB
MD5

b202d8c78c7cd264dc28e6e709cf2cc0
SHA1

dd506f337d8b61bace0b4ffa6cb69fd3fe2ad2a1
SHA256

504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093
SHA512

41b5f5c64919d5830eaef527c65a4393412c62ca8f13f4d76478760504610383c4c70ecd6bca714181da19663046ff6ebaf3dd668ca789dcfbd552b8684b9dbb

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe

description	ioc	process
File opened (read-only)	\??\K:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\Q:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\R:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\S:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\U:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\W:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\A:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\F:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\G:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\J:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\M:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\P:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\X:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\E:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\H:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\I:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\L:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\Y:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\Z:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\B:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\N:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\O:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\T:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened (read-only)	\??\V:	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe

Drops file in Windows directory 64 IoCs

Processes:

504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-860_31bf3856ad364e35_6.1.7600.16385_none_cebf932cfc844f3b_c_860.nls_c0c442d9	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3e14c7a411d7ce7a_rpcrt4.dll.mui_9745823e	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_9d043a9bb45ba8b7_mlang.dll.mui_2904864a	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_e4b59a6b98a32400_mlang.dll.mui_2904864a	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.17514_none_a505d556c9de886a_srclient.dll_f0619fc4	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7aec48ea1bde353f_iphlpapi.dll.mui_9531144c	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bd289c780c8805eb.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-pcw_31bf3856ad364e35_6.1.7600.16385_none_165b3257a4922fbe_pcwum.dll_d77c78c6	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-ebrima_31bf3856ad364e35_6.1.7600.16385_none_2a70c05575ba0bb8_ebrima.ttf_8897b9ba	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_6.1.7601.17514_none_515e96306dea528f.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_06d3944f4edc080f_shlwapi.dll.mui_a6436c6f	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-uiribbon_31bf3856ad364e35_6.1.7601.17514_none_d102e18929d497cb_uiribbon.dll_8a707982	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-usermodensi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6af7b482fe6cc74e_nsisvc.dll.mui_237a741f	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9e8c88ba3cdfd040_umpnpmgr.dll.mui_d66aed17	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-homegroup-provsvc_31bf3856ad364e35_6.1.7601.17514_none_efe3724a04606825_provsvc.ptxml_9bf9819a	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d_compstui.dll_a5f72f50	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c4c47a945609340.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_af8fc72c3de10579_shlwapi.dll.mui_a6436c6f	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-font-registrysettings_31bf3856ad364e35_6.1.7601.17514_none_fe2c02fcfc1cf640_muifontsetup.dll_47a24edd	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ec2d87cac9a713a6.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7601.17514_de-de_802dc1012bd7f0b6.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bba4d715124a42df_certcli.dll.mui_1b6822cf	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9365f544be6e4e04.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-font-embedding_31bf3856ad364e35_6.1.7601.17514_none_b7c78d327d35e10e.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_es-es_893b7b01ece13650.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasbase-rassstp-repl.man_f9e15598	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ider-interface-stub_31bf3856ad364e35_6.1.7600.16385_none_f8210304686499ec_security.dll_d5b65abe	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_es-es_69cfcb609ed0e709_ws2_32.dll.mui_f13ef3a5	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a97b93f9db5cdfdd_certenroll.dll.mui_a77d5a29	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_db0d9c648881a022_wldap32.dll.mui_065dbd9c	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasmanservice-dl.man_89e23b24	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_3006d43cee449c00.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_1bac0b4d803e969e_comctl32.dll.mui_0da4e682	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui_31bf3856ad364e35_6.1.7600.16385_none_5ca7e61c63366a5f.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.17514_none_f0e8ac03e1d6bb5b.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-tw_ac9edb6e6b20299f.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05ee2d61d58171a1_dwm.exe.mui_706e052f	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70_31bf3856ad364e35_6.1.7600.16385_none_b3a9a17817cbcd9e_dui70.dll_5f097b0b	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7c16376770aeada7.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_341a55f41ef1be52_mdminst.dll.mui_19a87063	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..update-authenticamd_31bf3856ad364e35_6.1.7600.16385_none_599889656b4ace55_mcupdate_authenticamd.dll_0c1b7cf5	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d6adfa39555da0ee_afd.sys.mui_ff192075	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_th-th_103f1cd3ad950892.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_80e9298bf792ff3e.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_fc675397c4309dd0_perfhost.exe.mui_2046145e	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_accc80812c85f01f_dhcpcsvc.dll.mui_186571e1	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_121d0d73cc0b7c92.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6a6825ad66f6db77.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_en-us_adb3c1d9fa188607_winsockhc.dll.mui_a8a7d1fa	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_nb-no_60149b9dfd3be56f_msimsg.dll.mui_72e8994f	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_731b65ef7b59b60b_provsvc.dll.mui_3a2926ae	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-870_31bf3856ad364e35_6.1.7600.16385_none_cec09376fc836892_c_870.nls_c0c54318	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c1197d6e9baee0fb_mfc42.dll.mui_66106d85	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_341a55f41ef1be52_modemui.dll.mui_a710bc71	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1bf590f3721a2457.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sk-sk_a6fad1d3f5b2f99e.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msfs_31bf3856ad364e35_6.1.7600.16385_none_026531e2369d6d42_msfs.sys_ea96697c	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4ebfba4be85e2be4.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_63097ee7553ecff7_scksp.dll.mui_05f14191	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d33f52c4d452cdda_wmiapres.dll.mui_c1b8803f	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ar-sa_f1795577af1fbb6f_mlang.dll.mui_2904864a	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_802b960d331fa12f_acledit.dll.mui_5f932ccb	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_11ed75c93fd15e23.manifest	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1940 vssadmin.exe

pid	process
1940	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe

pid	process
316	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
316	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 336 vssvc.exe
Token: SeRestorePrivilege 336 vssvc.exe
Token: SeAuditPrivilege 336 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	336	vssvc.exe
Token: SeRestorePrivilege	336	vssvc.exe
Token: SeAuditPrivilege	336	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.execmd.exe

description	pid	process	target process
PID 316 wrote to memory of 1108	316	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe	cmd.exe
PID 316 wrote to memory of 1108	316	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe	cmd.exe
PID 316 wrote to memory of 1108	316	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe	cmd.exe
PID 316 wrote to memory of 1108	316	504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe	cmd.exe
PID 1108 wrote to memory of 1940	1108	cmd.exe	vssadmin.exe
PID 1108 wrote to memory of 1940	1108	cmd.exe	vssadmin.exe
PID 1108 wrote to memory of 1940	1108	cmd.exe	vssadmin.exe
PID 1108 wrote to memory of 1940	1108	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe
"C:\Users\Admin\AppData\Local\Temp\504a8ffeec1155b4a237742c90b20a5996940df8d7bf0cd3a37b647e2398e093.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:336

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-54-0x0000000076001000-0x0000000076003000-memory.dmp

Filesize
8KB

Download
memory/316-56-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/316-57-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/316-58-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/316-59-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/316-60-0x0000000001FD0000-0x000000000206F000-memory.dmp

Filesize
636KB

Download
memory/316-61-0x0000000002460000-0x000000000258D000-memory.dmp

Filesize
1.2MB

Download
memory/316-62-0x0000000000150000-0x000000000016F000-memory.dmp

Filesize
124KB

Download
memory/316-64-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/316-63-0x0000000002770000-0x0000000002879000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads