Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:19
Static task: static1
Behavioral task: behavioral1
- Sample: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
- Resource: win10-en-20211208
General
- Target: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
- Size: 220KB
- MD5: ccc55314f1c62c59b4e1a2db32c97dea
- SHA1: 03b11d0f82eec9fa2f5e583ba55e6e28972123e7
- SHA256: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4
- SHA512: 2564be90a63d8edc935620b12541f15dae64da6bda54c60e7e3c567c4f43ad3193784ffb545982cb97deff92cba29b8ca970ed3d85c23e73e6d9ab098ce4456c
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  Process: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe (all rows below)
  description | ioc
  File opened (read-only) | \??\G:
  File opened (read-only) | \??\K:
  File opened (read-only) | \??\L:
  File opened (read-only) | \??\M:
  File opened (read-only) | \??\O:
  File opened (read-only) | \??\P:
  File opened (read-only) | \??\U:
  File opened (read-only) | \??\X:
  File opened (read-only) | \??\Y:
  File opened (read-only) | \??\Z:
  File opened (read-only) | \??\E:
  File opened (read-only) | \??\H:
  File opened (read-only) | \??\I:
  File opened (read-only) | \??\N:
  File opened (read-only) | \??\Q:
  File opened (read-only) | \??\S:
  File opened (read-only) | \??\A:
  File opened (read-only) | \??\B:
  File opened (read-only) | \??\F:
  File opened (read-only) | \??\J:
  File opened (read-only) | \??\R:
  File opened (read-only) | \??\T:
  File opened (read-only) | \??\W:
  File opened (read-only) | \??\V:
- Drops file in Windows directory (64 IoCs)
  Processes:
  Process: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe (all rows below)
  description | ioc
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_921f7aaac68bcb70_appidsvc.dll.mui_6717e231
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1af4bd3e3cd35904_winload.efi.mui_35ee487d
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c8f55cfc24b6b58_rasdiag.dll.mui_15cb4ec4
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_083761eb9020e571_rtm.dll.mui_55e4e990
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main_31bf3856ad364e35_6.1.7601.17514_none_426cfc30c37c5a4e.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_03baba203715d388.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-shacct.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d6e4b9e65edb2ca8.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f09dccd4f32812c2.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05872eadf35937c7_wship6.dll.mui_1cca9bd8
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_uk-ua_732562c1b4a8a15c_comdlg32.dll.mui_ac8e62f4
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_es-es_61539089b51fc4e0_cryptui.dll.mui_9728c1dd
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_c342610ed289dc75_perfh.dat_e67d1236
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_34a24d8db984d377.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bfac60257d903e60.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_a6821d2940c2bcdc_dbghelp.dll_417263a2
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-netbios_31bf3856ad364e35_6.1.7600.16385_none_b5d6a9d184d05567_netnb.inf_c581b89a
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0b0ea14b1ebdba53.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-cabinet_31bf3856ad364e35_6.1.7601.17514_none_3946bb08402dcd51_cabinet.dll_7ab07912
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f8f65c9d5ef440b6.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346_drvinst.mof_6593cf80
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_h8514sys.fon_9da56372
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sv-se_8a63f7a6bd8df93f_msimsg.dll.mui_72e8994f
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9038f177d74f2f88_serialui.dll.mui_7d29d2a3
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-security-spp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0311930b84ec63f1.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_643c507363ea9836.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7601.17514_none_8649674dfda23046.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_975c169ee90ab1ac.manifest
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c451f5f33ad7516.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_29d825a7cbfe7e81_puiapi.dll.mui_e94aeb19
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cc970e0c87e2bb88_aclui.dll.mui_adadbfb7
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f3bc9163ae8cff9_netmsg.dll.mui_ab0f7c73
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-consolehost.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c92bbd3b7c238f30_conhost.exe.mui_eaf216eb
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-euphemia_31bf3856ad364e35_6.1.7600.16385_none_14191eff72a98c54_euphemia.ttf_dc2c9458
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_9bef5a1d41e3b5f3_user32.dll.mui_14652dbb
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53712ba885839443.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-userpowermanagement_31bf3856ad364e35_6.1.7600.16385_none_a2eff4845e2bf4e2_powrprof.dll_480be757
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..gertransport-serial_31bf3856ad364e35_6.1.7600.16385_none_6daa7ec5c65bf5bc_kdcom.dll_db5e7744
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bb763253eb8e2ed8_dnsrslvr.dll.mui_1e1a1ed1
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ed028e8c78f92183_consent.exe.mui_2eb3b9db
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b12fe15175794c34.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_ja-jp.xml_3ab9bd47
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb2a201373875c74.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sv-se_2e455c2305308809_msimsg.dll.mui_72e8994f
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-t..stringime.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e09b9fd9b440ae96.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-unimodem-config_31bf3856ad364e35_6.1.7600.16385_none_f4d7f7b17ffe522a_modemmigplugin.dll_6b9e1a82
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b478cfdf5bb71e8.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..etype-sakkalmajalla_31bf3856ad364e35_6.1.7600.16385_none_fb8092e2c0173c39_majalla.ttf_5a048cf2
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_04ce5feb5c81cd4f_msimsg.dll.mui_72e8994f
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_116d0e2f6d925d2e.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf22f74eb8bda0f6_wship6.dll.mui_1cca9bd8
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_nb-no_a7ca3e47560bf419.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef5bd8db7860b785_sxproxy.dll.mui_f9d8f818
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit_31bf3856ad364e35_6.1.7600.16385_none_c3d671ef7642fced_acledit.dll_89da72d2
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_de-de_283494514da2fa34_duser.dll.mui_3c369ac4
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-437_31bf3856ad364e35_6.1.7600.16385_none_cee73286fc6746d9_c_437.nls_acf16327
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a1e732964dd24c7b_vds.exe.mui_2268d934
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_51a9c0732ea27a7c_wudfsvc.dll.mui_e907fe77
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3b84f5534bf11839_mountmgr.sys.mui_71b54a25
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c75890c739f1b00_spp.dll.mui_42138158
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9241b147178dc55.manifest
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f3834f040c0e81a6_appidapi.dll.mui_b6af37bb
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d1256a4a3c8105f9.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bd5d3f940c611446.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..assdriver.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_886e569d9951dc2a.manifest
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  768 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  1572 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 1272 | vssvc.exe
  Token: SeRestorePrivilege | 1272 | vssvc.exe
  Token: SeAuditPrivilege | 1272 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 1572 wrote to memory of 576 | 1572 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe | cmd.exe
  PID 1572 wrote to memory of 576 | 1572 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe | cmd.exe
  PID 1572 wrote to memory of 576 | 1572 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe | cmd.exe
  PID 1572 wrote to memory of 576 | 1572 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe | cmd.exe
  PID 576 wrote to memory of 768 | 576 | cmd.exe | vssadmin.exe
  PID 576 wrote to memory of 768 | 576 | cmd.exe | vssadmin.exe
  PID 576 wrote to memory of 768 | 576 | cmd.exe | vssadmin.exe
  PID 576 wrote to memory of 768 | 576 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe"
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      Signatures:
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1572-54-0x0000000075D61000-0x0000000075D63000-memory.dmp (Filesize: 8KB)