Behavioral Report

General

Target

3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
Size

1MB
MD5

bed6fc04aeb785815744706239a1f243
SHA1

3d0649b5f76dbbff9f86b926afbd18ae028946bf
SHA256

3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
SHA512

1ed873577545dc52ffe3516b10848a0474c7f30dbaeed95c67b9b5a690acf4045c05114231dc4350e60219dea00a7e2be4cedc81a9e8655de59831ac09f53100

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies ⋅ 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

TTPs:

File Deletion Inhibit System Recovery

Enumerates connected drives ⋅ 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe

description	ioc	process
File opened (read-only)	\??\N:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\Q:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\I:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\J:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\K:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\L:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\M:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\O:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\S:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\T:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\Y:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\F:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\V:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\W:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\Z:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\P:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\R:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\U:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\A:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\B:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\E:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\G:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\H:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened (read-only)	\??\X:	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe

Drops file in Windows directory ⋅ 64 IoCs

Processes:

3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_545ec4e0c6ba7521.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.1.7600.16385_none_60fa9493d9b24564_ddrawex.dll_2aa2f829	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-angsananew_31bf3856ad364e35_6.1.7600.16385_none_bfea396e1dabb335_angsab.ttf_2615c880	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smaf1255.fon_c01687ed	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_7b686a16c899af6f.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_38fe497fea9b41b8.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_he-il_a5612ff788fc14c2.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sk-sk_3158500bccac60ee.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05ee2d61d58171a1_udwm.dll.mui_43c5183a	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga949.fon_0fa0b40b	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app775.fon_dec57409	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074_axinstsv.dll.mui_be092a2d	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_23edfe3853a2f0bd_bootmgr.efi.mui_be5d0075	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf8114625afc4538.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-core-library_31bf3856ad364e35_6.1.7601.17514_none_b4c7e8f4ae2a1921_efscore.dll_2a98ded7	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8fa512baf88959a1.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7d4fb966f596fd1d.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_10e180d820399caf.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_da723e1e02d551df.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_et-ee_42a75c1e8aba4151.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_174ff4e0ca034447_credui.dll.mui_34721171	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga737.fon_11d63f16	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bebeb572af940bcd.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_dd4aec746ec16291_bootmgr.efi.mui_be5d0075	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_015df3e3bafadc7a_winload.exe.mui_3bc5b827	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_06ab268450fd370b.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.17514_none_0a43accb08f0eac5.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_e5c0334cfcbb6f1f.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..etype-lucidaconsole_31bf3856ad364e35_6.1.7600.16385_none_5b3be3e0926bd543.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appid.sys_fe1d01e3	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ac389c4f782d818f.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_90f8da5e5f4ad243_comctl32.dll.mui_0da4e682	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.1.7601.17514_none_500a4c5042ab494a_esent.dll_35f49bdd	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_dd4aec746ec16291_bootmgfw.efi.mui_a6e78cfa	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c0b44891b985bfda_certcli.dll.mui_1b6822cf	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sr-..-cs_cff3ee56469ed719.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_040b0688a7f1db42.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ruetype-new_tai_lue_31bf3856ad364e35_6.1.7600.16385_none_325f57c8c0ee36a8.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_8514syse.fon_d693946f	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_ega80852.fon_608992fb	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89_winresume.efi_85cd069f	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_caaa36f086983095_ddraw.dll.mui_95b8c3ab	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_s8514fix.fon_2d5cdf27	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_vgafixe.fon_dea8b251	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_da98436802c4e6bb_bootmgfw.efi.mui_a6e78cfa	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-activexcompat_31bf3856ad364e35_8.0.7601.17514_none_6f29eb5391300db2.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_6.1.7600.16385_none_5e96e36b42806ee7_psapi.dll_e8b5b4d1	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_61418855a28d13d4_comctl32.dll.mui_0da4e682	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.1.7600.16385_none_7c6ba3bd1f954290_werdiagcontroller.dll_208f2db3	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53e89731b078cab8_sdbinst.exe.mui_258ad624	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..opwindowmanager-api_31bf3856ad364e35_6.1.7601.17514_none_3e34e9fc569ce535_dwmapi.dll_2f4f8b34	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e0ac3a3491076c7a.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_87377835d7709369.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-activexproxy_31bf3856ad364e35_6.1.7601.17514_none_703438df00e9e0d7.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.1.7600.16385_none_4a8185140916af36.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346_drvinst.mof_6593cf80	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_de-de_79e8a243827e6f57_wudfplatform.dll.mui_d815d31a	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_es-es_22a4d52071836cc1_wudfplatform.dll.mui_d815d31a	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-explorerframe_31bf3856ad364e35_6.1.7601.17514_none_20a30ed28a70711b.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_de-de_18a6abaa160568df.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_dd4aec746ec16291.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_da15326470c85ed1_bootmgr.efi.mui_be5d0075	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_en-us_22d9783c715c7b1c.manifest	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_6.1.7600.16385_es-es_70408cfa594f6f39_samsrv.dll.mui_32250491	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe

Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Interacts with shadow copies ⋅ 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

TTPs:

File Deletion Inhibit System Recovery

Processes:

vssadmin.exe

pid process

276 vssadmin.exe

pid	process
276	vssadmin.exe

Modifies data under HKEY_USERS ⋅ 3 IoCs

Processes:

3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe

Suspicious behavior: EnumeratesProcesses ⋅ 1 IoCs

Processes:

3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe

pid process

864 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe
Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1092 vssvc.exe
Token: SeRestorePrivilege 1092 vssvc.exe
Token: SeAuditPrivilege 1092 vssvc.exe

pid	process
864	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe

description	pid	process
Token: SeBackupPrivilege	1092	vssvc.exe
Token: SeRestorePrivilege	1092	vssvc.exe
Token: SeAuditPrivilege	1092	vssvc.exe

Suspicious use of WriteProcessMemory ⋅ 8 IoCs

Processes:

3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.execmd.exe

description	pid	process	target process
PID 864 wrote to memory of 1392	864	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe	cmd.exe
PID 864 wrote to memory of 1392	864	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe	cmd.exe
PID 864 wrote to memory of 1392	864	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe	cmd.exe
PID 864 wrote to memory of 1392	864	3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe	cmd.exe
PID 1392 wrote to memory of 276	1392	cmd.exe	vssadmin.exe
PID 1392 wrote to memory of 276	1392	cmd.exe	vssadmin.exe
PID 1392 wrote to memory of 276	1392	cmd.exe	vssadmin.exe
PID 1392 wrote to memory of 276	1392	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe

"C:\Users\Admin\AppData\Local\Temp\3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45.exe"

Enumerates connected drives
Drops file in Windows directory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:864

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

Suspicious use of WriteProcessMemory

PID:1392

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

Interacts with shadow copies

PID:276

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Suspicious use of AdjustPrivilegeToken

PID:1092

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

File Deletion

Discovery

Execution

Exfiltration

Impact

Inhibit System Recovery

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/864-55-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download
memory/864-57-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/864-58-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/864-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/864-60-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/864-61-0x0000000002260000-0x00000000022FF000-memory.dmp

Filesize
636KB

Download
memory/864-62-0x0000000002300000-0x000000000242D000-memory.dmp

Filesize
1MB

Download
memory/864-63-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/864-65-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/864-64-0x0000000002700000-0x0000000002809000-memory.dmp

Filesize
1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads