Analysis
max time kernel: 169s
max time network: 185s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: 35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe
  Resource: win10-en-20211208
General
Target: 35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe
Size: 161KB
MD5: e567f8df80e369ce2428f970096cc7f6
SHA1: acb92d997a9da58e94cac701267465a9129673c7
SHA256: 35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c
SHA512: 3ca0c06a3c4154e1b3ce7d57d76499f5687f1546c3ba041ae01ad6a467f0cf526064ab04c8ddeb74382cfb8a149f6a8d31bcec9431677d07a538b92403fad933
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe (all rows)
  description              ioc
  File opened (read-only)  \??\E:
  File opened (read-only)  \??\L:
  File opened (read-only)  \??\O:
  File opened (read-only)  \??\U:
  File opened (read-only)  \??\T:
  File opened (read-only)  \??\X:
  File opened (read-only)  \??\Y:
  File opened (read-only)  \??\Z:
  File opened (read-only)  \??\M:
  File opened (read-only)  \??\N:
  File opened (read-only)  \??\P:
  File opened (read-only)  \??\R:
  File opened (read-only)  \??\I:
  File opened (read-only)  \??\K:
  File opened (read-only)  \??\V:
  File opened (read-only)  \??\W:
  File opened (read-only)  \??\B:
  File opened (read-only)  \??\F:
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\A:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\Q:
  File opened (read-only)  \??\S:
- Drops file in Windows directory (64 IoCs)
  Processes: 35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    2972  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    2364  35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe
    2364  35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeBackupPrivilege   632  vssvc.exe
    Token: SeRestorePrivilege  632  vssvc.exe
    Token: SeAuditPrivilege    632  vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2364 wrote to memory of 932   2364  35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe  cmd.exe  (3 identical entries)
    PID 932 wrote to memory of 2972   932   cmd.exe  vssadmin.exe  (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\35d5091e47160f6aeaf382aa063e9b4b8ff75b0d724a965c4dfccb00dd43cd0c.exe"
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\vssadmin.exe
         Command line: vssadmin.exe Delete Shadows /All /Quiet
         - Interacts with shadow copies
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken