Analysis
-
max time kernel
173s -
max time network
166s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 02:13
Static task
static1
Behavioral task
behavioral1
Sample
40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe
Resource
win10-en-20211208
General
-
Target
40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe
-
Size
164KB
-
MD5
5117dc6337d71e68262ddc6124ff1b33
-
SHA1
41890b9a7043d3d6300ed2a128425f321c69ea0c
-
SHA256
40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04
-
SHA512
71534faf779387a35e28f64d26a8d032c93f4273a30d0102ac8265399f198c9dbd119ae1e186d902ebd5b19e0c57094ec171bc101d5c073a75346f62d17fbc8c
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exedescription ioc process File opened (read-only) \??\J: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\L: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\O: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\R: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\M: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\P: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\T: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\U: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\N: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\W: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\B: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\E: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\F: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\G: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\H: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\K: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\Z: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\Y: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\A: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\I: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\Q: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\S: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\V: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened (read-only) \??\X: 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe -
Drops file in Windows directory 64 IoCs
Processes:
40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exedescription ioc process File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.15063.0_none_69eab77b34fc657e_ntdll.dll_ae4ef39c 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.15063.0_en-us_6419a60bccec5b88.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_nl-nl_12b8897efda1c4da_comctl32.dll.mui_0da4e682 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_b6139f14f6c955d6_sdbinst.exe.mui_258ad624 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_bg-bg_7fe70d284c85fc03_comctl32.dll.mui_0da4e682 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_j8514oem.fon_cf1af1d6 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_848d8c2152ade85d_provsvc.dll.mui_3a2926ae 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_a58aebbbaa94540c_drvcfg.exe.mui_ff2bc967 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-os-kernel-minwin_31bf3856ad364e35_10.0.15063.0_none_490d7cf764513c99.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-raspppoe_31bf3856ad364e35_10.0.15063.0_none_67475d59d366927c.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.15063.0_en-us_a9002bc219171b71_shsvcs.dll.mui_b69fccab 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_b1b128a97e9410e9_scdeviceenum.dll.mui_815e7662 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ahcache_31bf3856ad364e35_10.0.15063.0_none_4464579592b24b23_ahcache.sys_7c377a94 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_de-de_1f0c5aa0d4fcc3f8.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_10.0.15063.0_none_8f9673e6605abf5d_clfs.sys_04dfdff9 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_bae6f1b1935516b4_lpk.dll_ebdc1de9 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_c3c95b73e48b1ae8_iscsiexe.dll.mui_7d81b1cc 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_3aff604eba3fed0f_mpssvc.dll.mui_4b194b5f 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_33fd71df8d841cd9_bootmgr.exe.mui_c434701f 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_th-th_863d51a018a47471.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_d90ce5ca72c0a37e_bootmgfw.efi.mui_a6e78cfa 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_2a2f66220fcb97e2_winload.exe.mui_3bc5b827 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.15063.0_none_420692083d1f600a_wininit.exe_7a527f28 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_8e4cd2143a97567e_wiarpc.dll.mui_0c913b87 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_2a2f66220fcb97e2_winload.efi.mui_35ee487d 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ndis-minwin_31bf3856ad364e35_10.0.15063.0_none_6a69576e60dac525_ndistrace.mof_39e216d3 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.15063.0_none_96ef0532fcd119b5_ntmarta.dll_cd048e61 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.15063.0_none_bc1b3f5b642099f1_winmgmt.exe_8f8eb7b1 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d2d_31bf3856ad364e35_10.0.15063.0_none_c3056a4fc9207495.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_es-es_0ef9b2aa8bc1fa87_scdeviceenum.dll.mui_815e7662 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_8bcc92f3c3de4217.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.15063.0_none_291118dda2c1a1ca_scdeviceenum.dll_01ce0fa9 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_es-es_74a152abb3d1d6b4_dsreg.dll.mui_5d9efc7e 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-es_5977f50474c0ba78.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_es-es_6376608a4f9011ff.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.15063.0_en-us_3ca247a449704013.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\x86_hid-user.resources_31bf3856ad364e35_10.0.15063.0_es-es_1a632a956bcaa7d4_hidserv.dll.mui_561adfc8 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.15063.0_none_18fdca143ee4528f.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.15063.0_es-es_0f0afbc0839bfc5f_partmgr.sys.mui_b800c491 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_en-us_5ed8287abe95c9de_mpsdrv.sys.mui_b2aea3b6 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_en-us_96a997d1296ad733.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_adfae850a551a66a_userdeviceregistration.dll.mui_22ab8f29 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_de-de_29579edbbad6dd55_gpapi.dll.mui_ef0a9748 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..gon-tools.resources_31bf3856ad364e35_10.0.15063.0_es-es_268bc6aecaa9d3ef.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_en-us_d251daebf83b91b8_memtest.exe.mui_77b8cbcc 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_b8c0e267f83754d0.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_04d9ab74573a46e7.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_443aebdfd447e1c0.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_10.0.15063.0_none_e8fc1bcb973bd8b8_afd.sys_084af4a8 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_es-es_e5a6c458009e6a39_mofd.dll.mui_793ef98d 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_da-dk_807d2d131bd7ab27_comctl32.dll.mui_0da4e682 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_de-de_7d02aed3f26222bd_keyiso.dll.mui_4bbf12ff 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.15063.0_none_7946d91d5ecb8a06_ncrypt.dll_0f36c580 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_nb-no_2913753fa8e426be_comctl32.dll.mui_0da4e682 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.15063.0_none_ca38bcecc16963b9_scesrv.dll_07b1e224 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_es-es_ea36ca7bf31bb959_wiarpc.dll.mui_0c913b87 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_40f4f6ac6faa981f.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.15063.0_none_78f4fe0cdd696494_luafv.sys_602842f9 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_0adcb2fafa2b2b02.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.15063.0_none_438be56a54322168.manifest 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_es-es_9674f4b52991c8d8_iprtrmgr.dll.mui_eb023b92 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_de-de_f868f8fe9a37e614_comctl32.dll.mui_0da4e682 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_de-de_9e4d8c43f6cb726c_appidsvc.dll.mui_6717e231 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_030818d8b79b4c05_drvcfg.exe.mui_ff2bc967 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 908 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exepid process 3184 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe 3184 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1176 vssvc.exe Token: SeRestorePrivilege 1176 vssvc.exe Token: SeAuditPrivilege 1176 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.execmd.exedescription pid process target process PID 3184 wrote to memory of 1284 3184 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe cmd.exe PID 3184 wrote to memory of 1284 3184 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe cmd.exe PID 3184 wrote to memory of 1284 3184 40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe cmd.exe PID 1284 wrote to memory of 908 1284 cmd.exe vssadmin.exe PID 1284 wrote to memory of 908 1284 cmd.exe vssadmin.exe PID 1284 wrote to memory of 908 1284 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe"C:\Users\Admin\AppData\Local\Temp\40d8e3dae59e911ae1cd44a03eda87d36124450287fd4f81fc095a219d8a2e04.exe"1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken