Analysis
- max time kernel: 129s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 02:23
- Static task: static1
- Behavioral task: behavioral1
  Sample: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  Resource: win10-en-20211208
General
- Target: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
- Size: 164KB
- MD5: 18a934aaebba9a586d21896ce6112c80
- SHA1: d375aa57eaf54b9ab78a0b91b4bb0ffc2b4aa606
- SHA256: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492
- SHA512: 276dfd9f1e2c6e5541794c0a7415d6082bbc6c642d21a24537f159989706f826ab0b525dae37822b2bc59b299d50381fa0b3d80c57e6de7e04cfc828fa1b5035
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  Process (all rows): 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  description | ioc
  File opened (read-only) | \??\H:
  File opened (read-only) | \??\J:
  File opened (read-only) | \??\L:
  File opened (read-only) | \??\V:
  File opened (read-only) | \??\X:
  File opened (read-only) | \??\A:
  File opened (read-only) | \??\F:
  File opened (read-only) | \??\O:
  File opened (read-only) | \??\R:
  File opened (read-only) | \??\E:
  File opened (read-only) | \??\I:
  File opened (read-only) | \??\M:
  File opened (read-only) | \??\S:
  File opened (read-only) | \??\T:
  File opened (read-only) | \??\W:
  File opened (read-only) | \??\G:
  File opened (read-only) | \??\K:
  File opened (read-only) | \??\N:
  File opened (read-only) | \??\P:
  File opened (read-only) | \??\Q:
  File opened (read-only) | \??\U:
  File opened (read-only) | \??\Y:
  File opened (read-only) | \??\Z:
  File opened (read-only) | \??\B:
- Drops file in Windows directory (64 IoCs)
  Processes: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  Process (all rows): 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  description | ioc
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_6.1.7601.17514_none_90ba4080c9f2e648_sti.dll_d93e8a42
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c7424fcfaec8d6b_appidapi.dll.mui_b6af37bb
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_6.1.7600.16385_none_946e6d209fe56342_bootvid.dll_c188118d
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-870_31bf3856ad364e35_6.1.7600.16385_none_2adf2efab4e0d9c8.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_950a665bfbe586d5_slc.dll.mui_dc24f809
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-standardvga_31bf3856ad364e35_6.1.7600.16385_none_f881232cf3b0c322.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_80e558338e88b98f_mswsock.dll.mui_d7c2a730
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b2b4319ea764ed4.manifest
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9220543b26dc7c09_mofcomp.exe.mui_35badf56
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_573fbf08fcf78292_iscsidsc.dll.mui_6acb64a6
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_ac18c667d7c3743b_iprtrmgr.dll.mui_eb023b92
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-tai_le_31bf3856ad364e35_6.1.7600.16385_none_8b27023f8ebb68a4_taileb.ttf_6f7f5685
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_6.1.7601.17514_none_57ffb773bb4e758b_shlwapi.dll_1eec0a2e
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_6.1.7600.16385_none_782caecbca6c3448.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ional-codepage-1258_31bf3856ad364e35_6.1.7600.16385_none_249b502f69e9b3c1.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_974b2289d47ddf29.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_28cc097097c60a1c_wevtsvc.dll.mui_f41bf7b7
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_22b18c66b73f6810.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_bfab9b4ba5f934f9_tcpipcfg.dll_e3a99e8a
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_6.1.7601.17514_none_c910d80f114e267a_vds_ps.dll_fed45dfd
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.1.7600.16385_none_54d62f663d777131.manifest
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_6.1.7600.16385_none_d8abbed91585a944_nsi.dll_e72df756
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_uk-ua_cf512494a37b217c.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5f8cc8189e9fc533_wmiutils.dll.mui_42583eaf
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b4e9412e316844af_mlang.dll.mui_2904864a
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..cardsubsystemclient_31bf3856ad364e35_6.1.7601.17514_none_1aebe42ed7db518a.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_en-us_3d419a3aa700badf_winhttp.dll.mui_f661192f
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cebde4f86d35b311_psbase.dll.mui_c28690ab
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_357580b015bbeb72_kernelbase.dll.mui_16288a65
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_es-es_0534f505fcc253aa_cryptui.dll.mui_9728c1dd
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f39c285e7fbf22f0_certprop.dll.mui_602eaab4
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..e-sakkalmajallabold_31bf3856ad364e35_6.1.7600.16385_none_48cbf868d7b65eee_majallab.ttf_89ca3422
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_71891b41ac925104.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pt-br_4ac5907e29b67fa6_msimsg.dll.mui_72e8994f
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0afdad360a30e7d0.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d28dabacfdb4dd1a.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3153a0d9a132d2c6.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_291c6c0621fdacf4.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_ecfd9826ce3001e7_comdlg32.dll.mui_ac8e62f4
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c08b90a4bb1ab825.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_47acf6dc044a06fd_umpo.dll.mui_cac12e54
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_en-us_23acf6d6b8d7010f.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-949_31bf3856ad364e35_6.1.7600.16385_none_ceb1f5a4fc8f1f27.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_41ae913e62031c5c.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_38fe497fea9b41b8.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_11659fed3eedfa29.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0c9d0a808b71e7c0_infdefaultinstall.exe.mui_ea4c5b8c
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4698604aa3f75b73_pshed.dll.mui_d7f9a40f
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c1139883afcbe99f_ws2_32.dll.mui_f13ef3a5
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_en-us_919783112bf8b64b_modemui.dll.mui_a710bc71
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70_31bf3856ad364e35_6.1.7600.16385_none_b3a9a17817cbcd9e_dui70.dll_5f097b0b
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..etype-lucidaconsole_31bf3856ad364e35_6.1.7600.16385_none_5b3be3e0926bd543_lucon.ttf_76ed00f1
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018_prflbmsg.dll_2e46e937
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-sf-capi2_31bf3856ad364e35_6.1.7600.16385_none_0a5c77de98c9331c.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c8666cba19c26e1_modemui.dll.mui_a710bc71
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-shell32_31bf3856ad364e35_6.1.7601.17514_none_d4a3da9f5cfc39fb.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.1.7600.16385_none_39f81956d5a8018f.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_6.1.7601.17514_none_e5a6ee46b2ff6559_bootmgr.efi_da0f14a8
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17932_none_f1cc51dc6cfd0cbf_kernel32.dll_ef9eca7e
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_851f98dba34565d5.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ec70662fc15a0fe8.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pl-pl_4871a5da2b2cebc2_msimsg.dll.mui_72e8994f
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2945884bb037beb_puiobj.dll.mui_b9c0c4d6
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-861_31bf3856ad364e35_6.1.7600.16385_none_cebf7c64fc8468dc.manifest
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1052 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  pid | process
  1564 | 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1100 | vssvc.exe
  Token: SeRestorePrivilege | 1100 | vssvc.exe
  Token: SeAuditPrivilege | 1100 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe, cmd.exe
  description | pid | process | target process
  PID 1564 wrote to memory of 284 | 1564 | 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe | cmd.exe
  PID 1564 wrote to memory of 284 | 1564 | 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe | cmd.exe
  PID 1564 wrote to memory of 284 | 1564 | 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe | cmd.exe
  PID 1564 wrote to memory of 284 | 1564 | 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe | cmd.exe
  PID 284 wrote to memory of 1052 | 284 | cmd.exe | vssadmin.exe
  PID 284 wrote to memory of 1052 | 284 | cmd.exe | vssadmin.exe
  PID 284 wrote to memory of 1052 | 284 | cmd.exe | vssadmin.exe
  PID 284 wrote to memory of 1052 | 284 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1564-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB