Analysis
max time kernel: 178s
max time network: 128s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 02:23
Static task: static1
Behavioral task: behavioral1
  Sample: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  Resource: win10-en-20211208
General
Target: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
Size: 164KB
MD5: 18a934aaebba9a586d21896ce6112c80
SHA1: d375aa57eaf54b9ab78a0b91b4bb0ffc2b4aa606
SHA256: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492
SHA512: 276dfd9f1e2c6e5541794c0a7415d6082bbc6c642d21a24537f159989706f826ab0b525dae37822b2bc59b299d50381fa0b3d80c57e6de7e04cfc828fa1b5035
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  File opened (read-only), in the order observed: \??\B:, \??\I:, \??\K:, \??\W:, \??\Z:, \??\A:, \??\F:, \??\G:, \??\H:, \??\J:, \??\L:, \??\P:, \??\Y:, \??\E:, \??\O:, \??\Q:, \??\X:, \??\M:, \??\N:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:
  Every drive letter except C: and D: is probed, which is the pattern of a sweep for additional volumes to encrypt rather than of a program opening a drive it actually uses.
Drops file in Windows directory (64 IoCs)
Process: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
  File opened for modification (64 files, all of them existing component-store backup files under C:\Windows\WinSxS\Backup; the signature name says "drops", but the IoCs record existing files being opened for write, consistent with encryption of whatever the process can write to):
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.15063.0_none_2aad78202bd046dc_power.settings.disk.ppkg_2c825c35
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_th-th_2b7ff2d3c288b51c_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_79df2140f9147efa.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_ef72388408dd81e9_bootmgfw.efi.mui_a6e78cfa
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2b6c8e7c08218e26.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_bc452e16cf9468db.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_5eb90a3169ecf1b0.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_en-us_60ce145177b6c10a_wininit.exe.mui_997435f5
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-qos-pacer_31bf3856ad364e35_10.0.15063.0_none_fe1c808cb068e532_wshqos.dll_f1749d15
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_04d9ab74573a46e7.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_es-es_04a508585761388c_certprop.dll.mui_602eaab4
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.15063.0_en-us_a9002bc219171b71_shsvcs.dll.mui_b69fccab
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_cs-cz_2af083c33a0dd82e_comctl32.dll.mui_0da4e682
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_1164be3dcef90997.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.15063.0_none_67af460eee1c40c7_netio.sys_a06e75d0
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.15063.0_de-de_cedf17224e64925d_profsvc.dll.mui_32482e9e
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ertificates-utility_31bf3856ad364e35_10.0.15063.0_none_9a11856b637894e6.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.15063.0_en-us_7b1120505ec3e729_services.exe.mui_86ea5e71
  C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_f5e67079153cbce7_clipsvc.dll.mui_18823613
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_en-us_3095a2f55ebfb3fd.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_sk-sk_7827ea7767da95a8_bootmgr.efi.mui_be5d0075
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.15063.0_none_bd3180952b2019ec.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..uetype-malgungothic_31bf3856ad364e35_10.0.15063.0_none_1663b7b0fef8745d.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.15063.0_none_bcbd1290a09b9a77_iprtrmgr.dll_50f5fe79
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_en-us_96a997d1296ad733.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_473f3bcd45fa2eca_mofd.dll.mui_793ef98d
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_de-de_e5f1607a98309e93.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_a8505d07e016d76d_rasdiag.dll.mui_15cb4ec4
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-acpiex_31bf3856ad364e35_10.0.15063.0_none_45de7edd11c7c1ce.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_vgasyst.fon_aefdfa30
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_es-es_5801262b97b61409.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.15063.0_none_2aad78202bd046dc_power.settings.button.ppkg_288dc5fa
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_de-de_a8a236962b2c3467.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.15063.0_none_f39dd1f571ccd621_memtest.exe_01d80391
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-shacct-profile_31bf3856ad364e35_10.0.15063.0_none_5f3934b34f0c64f8.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_uk-ua_cb62fe0eb7312018.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.15063.0_none_6aa64f572618dbd7.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_hu-hu_8b4d2222606ec8fc.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_de-de_e6faf81d32dd9c12.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_h8514oem.fon_9d0f3e88
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_f71c2ad88cd00633_msimsg.dll.mui_72e8994f
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.15063.0_none_d8565387b13c2e24_msobjs.dll_052c8a60
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_0c269ac8c338b765_tcpipcfg.dll.mui_a5479fc1
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_en-gb_1f10dd2a116357c1.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_es-es_09077ec3cf967d79.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntosext_31bf3856ad364e35_10.0.15063.0_none_e5070f42682b7231_ntosext.sys_e9e096c6
  C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_msmplics.dll_50e185fa
  C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_it-it_2e0498215340df5e.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_sv-se_7507d03f69e9add9_bootmgfw.efi.mui_a6e78cfa
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_cga80737.fon_2e43d167
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c_updaterevokesipolicy.p7b_76fe3620
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_582a3867b3b3209e_volmgrx.sys.mui_b0c205d7
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-kernel_31bf3856ad364e35_10.0.15063.0_none_d0205d0ebab54d57.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.15063.0_none_f30c8be8f4be0687_kerbclientshared.dll_1fa7b356
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base_31bf3856ad364e35_10.0.15063.0_none_2956ba0293b4f9a6_wincorlib.dll_812daf53
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_de-de_d08f3ed833f2cc48_kmddsp.tsp.mui_80ddeedb
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_es-es_7ef5fcfde83298af_userdeviceregistration.dll.mui_22ab8f29
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_eb8784774de6a9ad_iscsisession.cdxml_9cd8900b
  C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_de-de_7da8c24f1dadffc1.manifest
  C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.15063.0_none_e9be2557d1df757f.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2ae775fa9c77b08e.manifest
  C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_23307a7b0e559e1a.manifest
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.15063.0_de-de_c5f11561ed21f5cb_axinstui.exe.mui_aea34130
  C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7a7b32b1837335e4_wudfplatform.dll.mui_d815d31a
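The two file-activity signatures above (read-only opens of 24 drive roots, and 64 files under C:\Windows\WinSxS\Backup opened for modification) can be turned into a per-process behavioural check rather than a list of static IoCs. The Python below is an added example written for this page; it is not code from the sandbox vendor or from the report. The event list is constructed from the report's own IoCs (all 24 drive letters, 12 of the 64 WinSxS paths); the explorer.exe and TrustedInstaller.exe rows are made-up benign controls; the thresholds of 5 drive roots and 10 writes are assumed starting values that a deployment would tune.

```python
import re
from collections import defaultdict

SAMPLE = "2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe"
WINSXS = r"C:\Windows\WinSxS\Backup"

# Constructed file events in the (process, action, path) shape used by the report.
# SAMPLE rows reproduce the report's IoCs; explorer.exe opening one drive root and
# TrustedInstaller.exe touching one WinSxS file are made-up benign controls.
FILE_EVENTS = (
    [(SAMPLE, "File opened (read-only)", "\\??\\%s:" % d) for d in "BIKWZAFGHJLPYEOQXMNRSTUV"]
    + [(SAMPLE, "File opened for modification", WINSXS + "\\" + name) for name in (
        "amd64_microsoft-windows-acpiex_31bf3856ad364e35_10.0.15063.0_none_45de7edd11c7c1ce.manifest",
        "amd64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.15063.0_none_67af460eee1c40c7_netio.sys_a06e75d0",
        "amd64_microsoft-windows-ntosext_31bf3856ad364e35_10.0.15063.0_none_e5070f42682b7231_ntosext.sys_e9e096c6",
        "amd64_microsoft-windows-rpc-kernel_31bf3856ad364e35_10.0.15063.0_none_d0205d0ebab54d57.manifest",
        "amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_msmplics.dll_50e185fa",
        "wow64_microsoft-windows-com-base_31bf3856ad364e35_10.0.15063.0_none_2956ba0293b4f9a6_wincorlib.dll_812daf53",
        "x86_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.15063.0_none_6aa64f572618dbd7.manifest",
        "x86_microsoft-windows-shacct-profile_31bf3856ad364e35_10.0.15063.0_none_5f3934b34f0c64f8.manifest",
        "amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_vgasyst.fon_aefdfa30",
        "amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.15063.0_none_d8565387b13c2e24_msobjs.dll_052c8a60",
        "wow64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.15063.0_none_e9be2557d1df757f.manifest",
        "amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.15063.0_none_bd3180952b2019ec.manifest",
    )]
    + [("explorer.exe", "File opened (read-only)", "\\??\\D:"),
       ("TrustedInstaller.exe", "File opened for modification",
        WINSXS + "\\x86_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.15063.0_none_6aa64f572618dbd7.manifest")]
)

# NT-style drive root exactly as the sandbox records it, e.g. \??\B:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")


def analyze(events, root_threshold=5, windows_write_threshold=10):
    """Return {process: {rule: count}} for processes crossing either threshold.

    Thresholds are assumed starting values, not figures from the report.
    """
    roots = defaultdict(set)       # process -> distinct non-C: drive roots it opened
    win_writes = defaultdict(int)  # process -> files opened for write under C:\Windows
    for proc, action, path in events:
        m = DRIVE_ROOT.match(path)
        if m and action == "File opened (read-only)" and m.group(1) != "C":
            roots[proc].add(m.group(1))
        elif action == "File opened for modification" and path.lower().startswith("c:\\windows\\"):
            win_writes[proc] += 1

    findings = defaultdict(dict)
    for proc, letters in roots.items():
        if len(letters) >= root_threshold:
            findings[proc]["drive_sweep"] = len(letters)
    for proc, n in win_writes.items():
        if n >= windows_write_threshold:
            findings[proc]["windows_dir_mass_write"] = n
    return dict(findings)


def ransomware_like(findings):
    """Processes showing both behaviours; this pairing is what the report shows for the sample."""
    return sorted(p for p, rules in findings.items()
                  if {"drive_sweep", "windows_dir_mass_write"} <= set(rules))


if __name__ == "__main__":
    found = analyze(FILE_EVENTS)
    for proc, rules in found.items():
        print(proc, rules)
    print("ransomware-like:", ransomware_like(found))
```

The write counter on its own is noisy: servicing (TrustedInstaller.exe during updates) legitimately rewrites files under WinSxS, so a production rule either requires the drive sweep as well, as ransomware_like does, or allowlists the signed servicing images. The sweep is the stronger signal here: 24 of 26 letters probed with only C: and D: absent is not something ordinary software does.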
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe (PID 3880)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: 2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe (PID 3484), two occurrences
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: vssvc.exe (PID 4480)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
  vssvc.exe is the Volume Shadow Copy service host, started by the Service Control Manager when vssadmin.exe asks for shadow-copy operations. Enabling these privileges is its normal behaviour; it is attributable to the sample only indirectly, through the vssadmin.exe process the sample caused to run.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3484 (2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe) wrote to memory of PID 4280 (cmd.exe), 3 entries
  PID 4280 (cmd.exe) wrote to memory of PID 3880 (vssadmin.exe), 3 entries
  Each target is the child that the writing process spawns in the process tree below, so these entries record process creation, not injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe"
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\vssadmin.exe
         Command line: vssadmin.exe Delete Shadows /All /Quiet
         - Interacts with shadow copies
1. C:\Windows\system32\wbem\unsecapp.exe
   Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

Notes on the tree: the sample asks for C:\Windows\System32\cmd.exe, but the process that runs is C:\Windows\SysWOW64\cmd.exe, so the sample is a 32-bit executable subject to WOW64 file-system redirection (the same applies to vssadmin.exe). Only vssadmin.exe appears as a child of cmd.exe; the two bcdedit invocations carried in the same command line have no corresponding process in the captured tree, so a detection that keys only on bcdedit process creation would have missed this run, while one that inspects the cmd.exe command line would not. unsecapp.exe (the WMI asynchronous-callback sink) and vssvc.exe (the Volume Shadow Copy service) sit at the top level because the system starts them, not the sample.
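The process tree above is the chain a detection should key on: a binary running from a user-profile Temp path spawns cmd.exe, whose single command line carries the shadow-copy deletion and both bcdedit recovery changes, and cmd.exe in turn spawns vssadmin.exe. The Python below is an added example written for this page, not code from the sandbox vendor or from the report. Its process records are constructed from the tree (PIDs 3484, 4280 and 3880 and the command lines are as reported; the sample's parent PID 1200 and the benign "vssadmin list shadows" row with PID 5120 are assumptions), and the wmic shadowcopy delete pattern is a generalisation beyond what this particular sample runs.

```python
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2795841a21b15f156f30cb2196b403dcb802e6971cc28dc83b037a13d8963492.exe"

# Constructed process-creation records (pid, ppid, image, command line) modelled on the
# tree above. PPID 1200 for the sample and the "vssadmin list shadows" row (a benign
# control that must not fire) are assumptions, not values from the report.
PROCESS_EVENTS = [
    {"pid": 3484, "ppid": 1200, "image": SAMPLE_EXE, "cmdline": '"%s"' % SAMPLE_EXE},
    {"pid": 4280, "ppid": 3484, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
                r'& bcdedit /set {default} recoveryenabled No '
                r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 3880, "ppid": 4280, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 5120, "ppid": 700, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# Command-line patterns for inhibiting recovery. Matching the command line rather than
# the image name also catches the bcdedit calls that never showed up as processes above.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{(?:default|current)\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{(?:default|current)\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Locations an unprivileged user can write to; a recovery-inhibiting chain rooted here is
# far more suspicious than one rooted in an installer or management agent.
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.I)


def ancestry(pid, by_pid):
    """Image paths from pid up to the highest ancestor present in the records."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return one finding per process whose command line matches a rule, lowest PID first."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        hits = sorted(name for name, rx in RULES.items() if rx.search(e["cmdline"]))
        if not hits:
            continue
        chain = ancestry(e["pid"], by_pid)
        findings.append({
            "pid": e["pid"],
            "image": e["image"],
            "rules": hits,
            "chain": chain,
            "user_writable_ancestor": any(USER_WRITABLE.search(p) for p in chain),
        })
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in detect(PROCESS_EVENTS):
        print(f["pid"], f["rules"], "<-".join(f["chain"]), f["user_writable_ancestor"])
```

Against the constructed records this yields two findings: cmd.exe (PID 4280) matches all three of the sample's commands from its command line alone, and vssadmin.exe (PID 3880) matches the deletion, with both chains resolving back to the Temp-path executable. The benign "vssadmin list shadows" row produces nothing. On a real host the same logic runs over Sysmon Event ID 1 or Windows Security 4688 records, which supply the pid, ppid, image and command line fields used here.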