Analysis
max time kernel: 170s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-01-2022 02:14
Static task: static1
Behavioral task: behavioral1
  Sample: 3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe
  Resource: win10-en-20211208
(The signatures, IoCs and process tree below are from the windows7_x64 run, behavioral1.)
General
Target: 3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe
Size: 36.4MB
MD5: efe5bbdc18e99ade9eca07e952168431
SHA1: 4a78576b9183a21c533482132962d08619b6b8d1
SHA256: 3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac
SHA512: 48af7a018c25b4bb8fd37786cb0cb9dc1c04121c21a6c759e75e7f7618d82e4eda1ed010cd9c58d7f2251abc2eda45f81527f529c4d3d8ef960f1a4154564d2c
Malware Config
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe (all 24 IoCs below belong to this process)
  description / ioc:
    File opened (read-only) \??\G:
    File opened (read-only) \??\N:
    File opened (read-only) \??\Q:
    File opened (read-only) \??\R:
    File opened (read-only) \??\S:
    File opened (read-only) \??\A:
    File opened (read-only) \??\E:
    File opened (read-only) \??\F:
    File opened (read-only) \??\T:
    File opened (read-only) \??\U:
    File opened (read-only) \??\V:
    File opened (read-only) \??\H:
    File opened (read-only) \??\P:
    File opened (read-only) \??\W:
    File opened (read-only) \??\O:
    File opened (read-only) \??\Z:
    File opened (read-only) \??\B:
    File opened (read-only) \??\I:
    File opened (read-only) \??\M:
    File opened (read-only) \??\X:
    File opened (read-only) \??\Y:
    File opened (read-only) \??\J:
    File opened (read-only) \??\K:
    File opened (read-only) \??\L:
  Every drive letter except C: and D: is probed as a \??\<letter>: root open, which is the pass a ransomware family makes to discover additional volumes (mapped network shares included) before encrypting.
- Drops file in Windows directory (64 IoCs)
  Processes: 3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe (all 64 IoCs below belong to this process)
  "Drops file" is the sandbox's generic label; every IoC here is an existing file under C:\Windows\winsxs\Backup opened for modification, not a new file written to disk. The sample touched both the amd64 and the x86/wow64 component copies in that store.
  description / ioc:
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-irdaircomm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_552ff139ad4f66bd.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-unimodem-core_31bf3856ad364e35_6.1.7600.16385_none_f08d2472ee3ef611_rootmdm.sys_69a65c29
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4353abdbd172892d.manifest
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5e6a23443d69bea1_netlogon.dll.mui_ecbeb9bd
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-sechost_31bf3856ad364e35_6.1.7600.16385_none_879933012e49cc30.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e6e8dfde09845c37.manifest
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aa8c8b00989fc5d5.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1256_31bf3856ad364e35_6.1.7600.16385_none_7fd6dd5722d91be9_c_1256.nls_72f6d1a9
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2c7f379a97f4b72.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ca302e6ca7955c8f_webclnt.dll.mui_e8f04040
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1af4bd3e3cd35904_winresume.exe.mui_ff8b5358
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_84c970b54d5773ed.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7601.17514_none_a2347d4102a4c8ad_polstore.dll_6cd3e56e
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_6.1.7601.17514_none_3fc218fad10f1ad4.manifest
    File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c4612d3f03b3254c_rascfg.dll.mui_0b036e1f
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5cdeb702884cb6ba_mpr.dll.mui_a313505c
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_efdfcb5915f876ae_certenroll.dll.mui_a77d5a29
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_61418855a28d13d4.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a8d800996682973c_efssvc.dll.mui_03cc4e41
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app857.fon_e51c02f4
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9365f544be6e4e04.manifest
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0e32b701c9788fec_esent.dll.mui_e30e3b90
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-865_31bf3856ad364e35_6.1.7600.16385_none_cebf2144fc84cf60.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_dd4aec746ec16291_bootmgr.efi.mui_be5d0075
    File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17932_none_fc20fc2ea15dceba_kernel32.dll_ef9eca7e
    File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_a088921d241bbb4e_scecli.dll_149e0f7b
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_6.1.7600.16385_none_1207cf88785de24d_bcryptprimitives.dll_5dcb347c
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_e59f63655b441f61.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_c05aebf71c48096c.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_netrass.inf_8745cd37
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ider-interface-stub_31bf3856ad364e35_6.1.7600.16385_none_f8210304686499ec_security.dll_d5b65abe
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-smbminirdr_31bf3856ad364e35_6.1.7601.17514_none_ddb772a467bcf964.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_4863cdbaf2b532f8_tdx.sys_d0cc4fd9
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cdc890961bc0fbb5_crypt32.dll.mui_4268f86a
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b8ad3df5d5fd57a4_dui70.dll.mui_de5f27e2
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_442e570e6aa0d70c_msimsg.dll.mui_72e8994f
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bdbcaf727d38d49f.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9c7e941ccd7912c3.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-feclient_31bf3856ad364e35_6.1.7600.16385_none_1acf02d27145db87.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b9d7dfd0cf7954f6_netrasa.inf_loc_67293ca2
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6137e73d441ccb81_powrprof.dll.mui_a2448a34
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_6.1.7600.16385_none_f0686b7ca6acde00.manifest
    File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_a088921d241bbb4e.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c19781a304e374a4.manifest
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_abd5b433b8ccf7a4_cmiv2.dll_be06aa9f
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17514_none_114417c17d05cb37_fwpkclnt.sys_cbbab82c
    File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-oleaccrc_31bf3856ad364e35_6.1.7600.16385_none_df738b47d574e668.manifest
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fa97652addc65bf0.manifest
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_14424567ab0c4d42_mlang.dll.mui_2904864a
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_de1ab0599ca9e41e.manifest
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_06b640479d085066_basecsp.dll.mui_04bea7ac
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a1b28f7a4df93e20.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d_puiapi.dll_0bf3f842
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app949.fon_e898de78
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ad0a17d9536dd7dc.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc_31bf3856ad364e35_6.1.7601.17514_none_59d75cdc494c95ea_profprov.dll_dd5044f6
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..temutilitylibraries_31bf3856ad364e35_6.1.7601.17514_none_47bc5d47064ce3d9.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277_lsass.exe_682060de
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973_user32.dll_55f4ed20
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7c17224363fafaf9_iscsiprf.mfl_24c6459c
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7497a71c57e547ec_winscard.dll.mui_4a82d97e
    File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e8a6ad183d1aaa86_serialui.dll.mui_7d29d2a3
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_c4c039aed9f6cc39.manifest
    File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_111bacf3e074578c_netrass.inf_loc_17636d00
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid / process):
    288  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
    1756  3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeBackupPrivilege   1832  vssvc.exe
    Token: SeRestorePrivilege  1832  vssvc.exe
    Token: SeAuditPrivilege    1832  vssvc.exe
  All three adjustments are made by vssvc.exe, the Volume Shadow Copy service, not by the sample (PID 1756). The service enables these privileges for its own work while it handles the request issued through vssadmin.exe, so this signature is a side effect of the shadow-copy deletion rather than evidence that the sample adjusted its own token.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (pid / process / target process):
    PID 1756 wrote to memory of 736  3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe -> cmd.exe  (recorded 4 times)
    PID 736 wrote to memory of 288   cmd.exe -> vssadmin.exe  (recorded 4 times)
  Each write goes from a parent into the child it has just created (1756 -> 736 -> 288), which is the normal CreateProcess sequence of populating a new process before it starts; no write into a pre-existing, unrelated process was recorded.
Processes (the leading number is the depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe"
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\vssadmin.exe
         Command line: vssadmin.exe Delete Shadows /All /Quiet
         - Interacts with shadow copies
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

Notes on the tree: the image path of cmd.exe is C:\Windows\SysWOW64\cmd.exe although its command line names C:\Windows\System32\cmd.exe. That is WOW64 file-system redirection, which means the sample (PID 1756) runs as a 32-bit process on this x64 guest; the 8KB region dumped from it in the Downloads section sits at a 32-bit address, consistent with that. The cmd.exe command line chains the shadow-copy deletion with two bcdedit calls, one disabling Windows Recovery for the default boot entry and one telling the boot manager to ignore all boot failures, so a user cannot fall back to a recovery environment after encryption. Only vssadmin.exe (PID 288) appears as a child of cmd.exe in this report; no bcdedit.exe process was recorded. vssvc.exe (PID 1832) is the Volume Shadow Copy service and is listed as a separate root because it is a service process, not something the sample created.
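The chain above (sample -> cmd.exe -> vssadmin.exe, with the bcdedit calls riding in the same command line) is what a detection should key on rather than on the sample hash. The following Python is an added example, not part of this report or the sandbox's own signature set: it runs three command-line rules over process-creation records shaped like Sysmon Event ID 1 (pid, parent pid, image, command line), walks each hit's parent chain, and records the two tells visible in the tree, a cmd.exe whose image sits in SysWOW64 while its command line named System32, and a chain that leads back to a user-writable directory. PIDs 1756, 736 and 288 and their command lines are copied from the report; the explorer.exe parent (PID 1200) and the benign admin console (PIDs 4000/4100) are constructed so the chain has a root and the rules have a negative case.

```python
"""Hunt for the recovery-inhibition chain seen in the report above.

Three command-line rules (vssadmin shadow deletion, bcdedit recovery disable,
bcdedit boot-status policy) run over process-creation events; every hit gets
its parent chain, plus two extra tells: WOW64 path redirection (a 32-bit
parent) and an ancestor living in a user-writable directory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields Sysmon EID 1 / 4688 carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Command-line rules. Flags such as /all /quiet are deliberately not required:
# deleting shadows at all from a chain like this is already the signal.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}
# Directories an unprivileged user can write to; a chain rooted here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\|\\Temp\\", re.I)


def matched_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def wow64_redirected(ev: ProcEvent) -> bool:
    """True when a System32 path in the command line was resolved to SysWOW64,
    i.e. the creating process was 32-bit on a 64-bit host."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image paths from pid up to the oldest parent we hold an event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> Dict[int, dict]:
    """Map pid -> finding for every event that matches at least one rule."""
    by_pid = {ev.pid: ev for ev in events}
    findings = {}
    for ev in events:
        rules = matched_rules(ev.cmdline)
        if not rules:
            continue
        chain = ancestry(by_pid, ev.pid)
        findings[ev.pid] = {
            "image": ev.image,
            "rules": rules,
            "chain": chain,
            "wow64_redirect": wow64_redirected(ev),
            "from_user_writable": any(USER_WRITABLE.search(p) for p in chain),
        }
    return findings


# Constructed sample set. PIDs 1756/736/288 and their command lines are taken
# from the report; explorer.exe (1200) and the admin console (4000/4100) are
# invented so the chain has a root and the rules have a negative case.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3ec2993e228456d47e6f285ea6dbea7e9ef09dd9789f9069d0cd5b8562f61fac.exe")
EVENTS = [
    ProcEvent(1200, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1756, 1200, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(736, 1756, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
              ' & bcdedit /set {default} recoveryenabled No'
              ' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(288, 736, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(4000, 1200, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    ProcEvent(4100, 4000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for pid, f in detect(EVENTS).items():
        tells = [t for t, on in (("wow64", f["wow64_redirect"]),
                                 ("user-writable-root", f["from_user_writable"])) if on]
        print(pid, f["rules"], tells, " <- ".join(f["chain"]))
```

Against the constructed set, PID 736 trips all three rules (the whole chain is in its command line) and PID 288 trips the vssadmin rule alone, both with a chain rooted in the user's Temp directory; the admin's `vssadmin list shadows` produces nothing. The same three patterns map directly onto the CommandLine field of Sysmon Event ID 1 or the Process Command Line field of 4688, the WOW64 check needs the Image field, and the ancestry walk needs the parent process id, all of which those events carry.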
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1756-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
Filesize: 8KB