General
Target: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
Filesize: 238KB
Completed: 24-01-2022 03:02
Task: behavioral2
Score: 10/10
MD5: f3b3bb093d9f95fa405947c9be02594d
SHA1: 102ea13148647c13ecc20c75cd62f3c17a7bebf2
SHA256: 26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a
SHA512: 8f749837fe4300378d87b398486f15a7cf0bb9753832161c82cf31919b781a496cf29077acd11b4c302e53c49674ca259105a0ec7af93a9b5dd8aab12437286b

Malware Config
Signatures 9

  • Sodin, Sodinokibi, REvil

    Description

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Enumerates connected drives
    26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description              ioc     process
    File opened (read-only)  \??\W:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\E:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\N:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\M:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\S:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\X:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\Z:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\A:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\J:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\K:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\L:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\O:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\P:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\Q:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\Y:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\B:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\F:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\I:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\R:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\T:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\U:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\V:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\G:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    File opened (read-only)  \??\H:  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  • Drops file in Windows directory
    26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid   process
    2536  vssadmin.exe
  • Suspicious behavior: EnumeratesProcesses
    26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe

    Reported IOCs

    pid   process
    1304  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    1304  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    description                 pid   process
    Token: SeBackupPrivilege    1796  vssvc.exe
    Token: SeRestorePrivilege   1796  vssvc.exe
    Token: SeAuditPrivilege     1796  vssvc.exe
  • Suspicious use of WriteProcessMemory
    26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe, cmd.exe

    Reported IOCs

    description                        pid   process                                                                    target process
    PID 1304 wrote to memory of 1016   1304  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe      cmd.exe
    PID 1304 wrote to memory of 1016   1304  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe      cmd.exe
    PID 1304 wrote to memory of 1016   1304  26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe      cmd.exe
    PID 1016 wrote to memory of 2536   1016  cmd.exe                                                                    vssadmin.exe
    PID 1016 wrote to memory of 2536   1016  cmd.exe                                                                    vssadmin.exe
    PID 1016 wrote to memory of 2536   1016  cmd.exe                                                                    vssadmin.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe
    "C:\Users\Admin\AppData\Local\Temp\26e114462b40c5a6ff4c28309e53f8bedeee43753fea6b5d4715b3910b07696a.exe"
    Enumerates connected drives
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        Interacts with shadow copies
        PID:2536
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1796
Network
MITRE ATT&CK Matrix