Analysis
- max time kernel: 169s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 02:19
Static task: static1
Behavioral task: behavioral1
  Sample: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
  Resource: win10-en-20211208
General
- Target: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
- Size: 220KB
- MD5: ccc55314f1c62c59b4e1a2db32c97dea
- SHA1: 03b11d0f82eec9fa2f5e583ba55e6e28972123e7
- SHA256: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4
- SHA512: 2564be90a63d8edc935620b12541f15dae64da6bda54c60e7e3c567c4f43ad3193784ffb545982cb97deff92cba29b8ca970ed3d85c23e73e6d9ab098ce4456c
Malware Config
Signatures
-
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
description: File opened (read-only)
process: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
ioc (24 rows, in the order recorded):
\??\A:
\??\B:
\??\H:
\??\N:
\??\P:
\??\S:
\??\T:
\??\E:
\??\F:
\??\I:
\??\L:
\??\R:
\??\U:
\??\W:
\??\G:
\??\K:
\??\M:
\??\Q:
\??\V:
\??\X:
\??\J:
\??\O:
\??\Y:
\??\Z:
-
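The "Enumerates connected drives" rows above are one root open per letter, A: through Z: with only C: and D: absent. The following is an added example, not part of the sandbox report, of turning that pattern into a detection over file-open telemetry: it parses the NT-style `\??\X:` paths, counts distinct non-C: drive roots per process, and flags a process that sweeps the alphabet. The event tuples, the threshold of 8 and the two benign processes are constructed assumptions; the 24 letters are the report's own.

```python
"""Heuristic for the 'Enumerates connected drives' signature above.

Added example, not part of the sandbox report: given file-open events in the
shape of the report's IoC rows (process, description, NT path), count how many
distinct drive-letter roots (\\??\\X:) each process opens and flag processes that
sweep the alphabet.  The event tuples, the threshold and the non-sample processes
are constructed assumptions.
"""
import re
from collections import defaultdict

SAMPLE = "30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe"

# A bare drive root in NT object-manager form: \??\X: with nothing after the colon
# (an optional trailing backslash is tolerated).  \??\C:\Users is not a root open.
_DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):\\?$")

# Constructed sample events mirroring the report's 24 IoC rows, plus two benign
# processes (constructed) that also touch drive roots but do not enumerate.
SAMPLE_EVENTS = [
    (SAMPLE, "File opened (read-only)", "\\??\\" + letter + ":")
    for letter in "ABHNPSTEFILRUWGKMQVXJOYZ"   # order as listed in the report
] + [
    ("explorer.exe", "File opened (read-only)", "\\??\\C:\\Users"),
    ("backup.exe", "File opened (read-only)", "\\??\\D:"),
    ("backup.exe", "File opened (read-only)", "\\??\\E:"),
]


def drive_root(ioc):
    """Return the upper-case drive letter if `ioc` is a bare drive-root open, else None."""
    m = _DRIVE_ROOT.match(ioc)
    return m.group(1).upper() if m else None


def drive_roots_by_process(events):
    """Map process -> set of distinct non-system drive roots it opened.

    C: is ignored, matching the signature's wording ('other than the default C: drive'):
    almost every process touches the system drive, so it carries no signal.
    """
    roots = defaultdict(set)
    for proc, _description, ioc in events:
        letter = drive_root(ioc)
        if letter is not None and letter != "C":
            roots[proc].add(letter)
    return roots


def flag_drive_enumerators(events, threshold=8):
    """Return {process: sorted drive letters} for processes that opened at least
    `threshold` distinct non-C: roots.  A real workstation rarely has eight mapped
    drives, and a process probing letters that are not mounted (A:, B:, X:, Y:, Z:)
    is the tell; the threshold is an assumption to tune per fleet."""
    return {
        proc: sorted(letters)
        for proc, letters in drive_roots_by_process(events).items()
        if len(letters) >= threshold
    }


if __name__ == "__main__":
    for proc, letters in flag_drive_enumerators(SAMPLE_EVENTS).items():
        print(f"{proc}: opened {len(letters)} drive roots: {''.join(letters)}")
```

Run as a script it reports the sample with all 24 letters and stays silent for the two constructed benign processes. Only bare root opens count: a process opening `\??\C:\Users` or any path below a root is not a drive probe, which keeps ordinary file activity out of the tally.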
Drops file in Windows directory 64 IoCs
Processes:
30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
description: File opened for modification
process: 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
ioc (64 rows, all under C:\Windows\WinSxS\Backup\):
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_9f1f19283dd496cd.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..eelawadeeui_regular_31bf3856ad364e35_10.0.15063.0_none_70a7191ccd7e3047_leelawui.ttf_ce0cc416
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..type-microsoftyahei_31bf3856ad364e35_10.0.15063.0_none_4be71b6968e80401.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_en-us_d84575ef7f0e3162_rasautou.exe.mui_55686a97
C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-mx_704919a91fc309dc.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.15063.0_es-es_4af765598c2696d8_netlogon.dll.mui_ecbeb9bd
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_9d25dd8ef3715159.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_cga80woa.fon_40965299
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_ega80869.fon_6087927d
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.15063.0_none_43849a6a5b3b562b_power.energyestimationengine.display.ppkg_44353cf6
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-local_31bf3856ad364e35_10.0.15063.0_none_c50e78507de308c7.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_a75c7e574a334eee_scarddlg.dll.mui_300ae9df
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.15063.0_de-de_a78df7cf1a8f042b.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-coresystemminpnp_31bf3856ad364e35_10.0.15063.0_none_1b70ea73251f149e_umpnpmgr.dll_112f9bb4
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_fab89c2a8a882a6b.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_2856dfb73a0bd794.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_10.0.15063.0_none_8fc5f5694d615068_kbdus.dll_c99f1a3f
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntfs_31bf3856ad364e35_10.0.15063.0_none_b78502f655ba52fb.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_pt-br_5b48cea4e14dc672.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-br_d3ee117064ef8f57_memtest.exe.mui_77b8cbcc
C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_pl-pl_a0a21ad7f7405b94.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.15063.0_none_7bfeabd9337d55a1_vdsldr.exe_20c491b3
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_es-es_6a37f896819b74a7.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_es-es_6a37f896819b74a7_srpapi.dll.mui_2693a558
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_10.0.15063.0_none_498d54b2bf031603_bootvid.dll_c188118d
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_en-us_c99395587677579e_wintypes.dll.mui_36d5f25a
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_es-es_c394b857e4b20c8d_iscsiexe.dll.mui_7d81b1cc
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.15063.0_none_18fdca143ee4528f_bridgeres.dll_55e40455
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_a3a63dfe70f0e46f_dsreg.dll.mui_5d9efc7e
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.15063.0_none_b8dd2546aef29fc8_dcomp.dll_a2e93a7d
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_f299a3aaa1d11a48.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-basesrv_31bf3856ad364e35_10.0.15063.0_none_28336e6150ea4933.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.15063.0_none_210709721af4ec88.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_79df2140f9147efa.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.15063.0_none_e94927a33d6c1426.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_92e9ee428a325ae8.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_uk-ua_50a2c75f3aa739c5.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_da-dk_2c356fb707873159.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-pshed_31bf3856ad364e35_10.0.15063.0_none_775b66db9a440a77.manifest
C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_fb5f79a44d5c1ae9.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7a7b32b1837335e4_wudfsvc.dll.mui_e907fe77
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc_31bf3856ad364e35_10.0.15063.498_none_008383882272dab0.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-pt_29179e3878af7901.manifest
C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_es-es_9847ea4fc76dd6ad.manifest
C:\Windows\WinSxS\Backup\amd64_windows-defender-nis-service_31bf3856ad364e35_10.0.15063.0_none_2f06793a4bbe30eb.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_d4cfe0dc645eff33.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasrtutils_31bf3856ad364e35_10.0.15063.0_none_287e179c57aa0b00.manifest
C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-es_a1252bdb893ce37e_comctl32.dll.mui_0da4e682
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_pt-br_9188049a8e6fa576.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.15063.0_none_3a7147463f9b3bd0.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_ja-jp_927b4bdd0caf1fba.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.15063.0_none_505ddd3c336d55b8_wowreg32.exe_94fc2d06
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-twinapi_31bf3856ad364e35_10.0.15063.0_none_d6c5b2afd3cdeb43.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.15063.0_none_43849a6a5b3b562b_power.energyestimationengine.storage.ppkg_960e5b21
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_2ed7c061e8031d3f_rtm.dll.mui_55e4e990
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_de-de_34657c991714ac40.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_en-us_def515be9c847815.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_ea6b6d97f2f4c7b4_sti.dll.mui_00a4f15b
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_es-es_dc687c0ade3c9cba.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_6ee1eb5adc000190.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.15063.0_en-us_4f11d10363ebf375.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_766b128d9dd121a0.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.15063.0_de-de_ec14157f9c1ef67d_wmpdui.dll.mui_92411657
C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_d1a17ff4b8eda663.manifest
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid | process
1532 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
pid | process
3964 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
3964 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 3064 | vssvc.exe
Token: SeRestorePrivilege | 3064 | vssvc.exe
Token: SeAuditPrivilege | 3064 | vssvc.exe
Note: vssvc.exe is the Volume Shadow Copy service, started on demand to service the vssadmin request; enabling these privileges is its normal behaviour. On its own this IoC is not evidence of the sample; it is attributable to the sample only through the vssadmin.exe Delete Shadows call in the process tree.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe, cmd.exe
description | pid | process | target process
PID 3964 wrote to memory of 656 | 3964 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe | cmd.exe
PID 3964 wrote to memory of 656 | 3964 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe | cmd.exe
PID 3964 wrote to memory of 656 | 3964 | 30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe | cmd.exe
PID 656 wrote to memory of 1532 | 656 | cmd.exe | vssadmin.exe
PID 656 wrote to memory of 1532 | 656 | cmd.exe | vssadmin.exe
PID 656 wrote to memory of 1532 | 656 | cmd.exe | vssadmin.exe
Note: every target here is the writer's own immediate child in the process tree below, which is consistent with ordinary process creation (the parent writing startup parameters into the new child) rather than injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Note: the sample asked for C:\Windows\System32\cmd.exe but the recorded image is C:\Windows\SysWOW64\cmd.exe, so WOW64 file-system redirection applied: the sample runs as a 32-bit process on this x64 guest, and the child chain is the 32-bit cmd.exe and vssadmin.exe. The cmd.exe command line chains two bcdedit calls (disabling automatic recovery and ignoring boot failures) after the shadow-copy deletion, but only vssadmin.exe appears as a recorded child in this tree.
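The tree above is the canonical inhibit-recovery chain: the sample spawns cmd.exe, which runs vssadmin to delete shadow copies and bcdedit to disable boot recovery. The following is an added example, not part of the sandbox report, of detecting that chain from process-creation telemetry and attributing it to the right binary: it matches the command lines against a small rule set and then walks ppid links back to the root ancestor, so the verdict lands on the sample (pid 3964) rather than on cmd.exe. The ProcEvent shape and the missing parents of the two tree roots are assumptions; the pids, images and command lines are the report's. The wmic and wbadmin rules are generalizations to other common shadow-copy and backup-catalog deletion commands that this report does not show.

```python
"""Detection for the recovery-inhibiting command chain in the process tree above.

Added example, not part of the sandbox report: given process-creation events
(pid, ppid, image, command line), flag the vssadmin/bcdedit commands the tree
shows and walk the parent links back to the root ancestor, so the responder knows
which binary to pull rather than just 'cmd.exe'.  The ProcEvent shape and the two
roots' missing ppids are assumptions; the wmic and wbadmin patterns are
generalisations to other well-known T1490 commands that this report does not show.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None: parent not recorded (a root of the tree)
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\30a91bd706362993f4af6cf951f856c120474693370163e36909625b8f4ea9e4.exe")

# Constructed from the report's tree and pids; the sample's and vssvc.exe's parents
# are not in the report, so they are modelled as roots.
EVENTS = [
    ProcEvent(3964, None, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(656, 3964, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
              r' & bcdedit /set {default} recoveryenabled No'
              r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(1532, 656, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(3064, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# Case-insensitive; applied to a whitespace-normalised command line so that extra
# spaces or tabs between tokens do not evade the match.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{(?:default|current)\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignoreallfailures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{(?:default|current)\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    # Generalisations beyond this report (assumed, common T1490 variants):
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}


def root_ancestor(pid, by_pid):
    """Follow ppid links until a process whose parent is unrecorded or unknown.
    A `seen` set guards against pid reuse producing a cycle in replayed telemetry."""
    seen = set()
    ev = by_pid[pid]
    while ev.ppid is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.pid)
        ev = by_pid[ev.ppid]
    return ev


def detect_inhibit_recovery(events):
    """Return one hit per (process, rule): which command fired, in which pid/image,
    and the root ancestor it is attributed to.  cmd.exe matches all three rules
    because its /c string carries the whole chain; vssadmin.exe matches one."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        cmd = " ".join(e.cmdline.split())
        for name, rx in RULES.items():
            if rx.search(cmd):
                root = root_ancestor(e.pid, by_pid)
                hits.append({"rule": name, "pid": e.pid, "image": e.image,
                             "root_pid": root.pid, "root_image": root.image})
    return hits


def rules_by_root(events):
    """Collapse hits to {root pid: set of rule names} for a per-binary verdict."""
    out = {}
    for h in detect_inhibit_recovery(events):
        out.setdefault(h["root_pid"], set()).add(h["rule"])
    return out


if __name__ == "__main__":
    for root_pid, rules in rules_by_root(EVENTS).items():
        print(f"root pid {root_pid}: {sorted(rules)}")
```

Matching on the cmd.exe command line matters because the two bcdedit calls never appear as separate processes in this tree; a detection keyed only on a bcdedit.exe image would miss them here. Attributing to the root ancestor also keeps the vssvc.exe AdjustPrivilegeToken noise separate: it is its own root, matches no rule, and never gets folded into the sample's verdict.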