Analysis
- max time kernel: 172s
- max time network: 184s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 02:25
Static task: static1
Behavioral task: behavioral1
- Sample: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
- Resource: win10-en-20211208
General
- Target: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
- Size: 160KB
- MD5: c20ceab7c093c47be023c81164b544ce
- SHA1: de182d48bcc37bcbd1a25f22a0fc6619ce96f69b
- SHA256: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c
- SHA512: add2c95045cfc9313d03e5b8cc351e90d0d82f2758208f48800db2ad02a39f8f8c60bcf8dce089d5a25e92e9ae2623cb30fc164de384620ce21276d261b32361
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  description | ioc | process
  File opened (read-only) | \??\J: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\K: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\X: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\G: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\L: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\N: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\O: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\P: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\U: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\W: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\Z: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\E: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\F: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\Q: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\R: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\T: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\Y: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\A: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\H: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\I: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\M: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\S: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\V: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened (read-only) | \??\B: | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
- Drops file in Windows directory (64 IoCs)
  Processes: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.15063.0_none_96ef0532fcd119b5.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_c729b8d286af64eb_ucrtbase.dll_a00b9625 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_es-es_a6b4da38ff64cc74.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_pt-br_9188049a8e6fa576.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_1ef4411ab33dfe81_rasctrnm.h_17610c72 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_el-gr_d1f73285f872ee81.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.15063.0_none_44c5f19873fbfdcb_cryptsp.dll_ae5341e1 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_d4cfe0dc645eff33_memtest.exe.mui_77b8cbcc | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_es-es_8e182ef83abe4823_wiaservc.dll.mui_54051b53 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_lv-lv_e5198e8fc265078f_comctl32.dll.mui_0da4e682 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_b67cdb75da188f3b_winload.exe.mui_3bc5b827 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_cad9b29a2d04df9b_dnsrslvr.dll.mui_1e1a1ed1 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_es-es_8c204a62f53106dd.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_611de588d2557d78.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_6fa7a65a14e4e298_netlogon.dll.mui_ecbeb9bd | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.15063.0_es-es_3218fa3615366fbd.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_es-es_dec072a29cab69ba.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_es-es_5ea3855ebebcbb83.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_en-us_6a6c9bb281748302_srpapi.dll.mui_2693a558 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga775.fon_05cd499c | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.15063.0_none_39373b181fd15f6d_gpsvc.dll_970be02b | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_de-de_db9cb62863cfdc98_provsvc.dll.mui_3a2926ae | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_th-th_863d51a018a47471_msimsg.dll.mui_72e8994f | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_de-de_f868f8fe9a37e614.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sl-si_0de7d66153450c3a_comctl32.dll.mui_0da4e682 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_de-de_edb8c1d83a8ccb6e_rtm.dll.mui_55e4e990 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_et-ee_67d1f793253502c0_comctl32.dll.mui_0da4e682 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.15063.0_none_69f7bd111ce467b4_csrss.exe_06529458 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.15063.0_none_c3023296d9c347cc.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog_31bf3856ad364e35_10.0.15063.0_none_edd835534ba7e8ec_wevtsvc.dll_add42ce6 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.15063.0_none_43a8144aec22156f.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_hid-user.resources_31bf3856ad364e35_10.0.15063.0_de-de_71a6f7b87cc5aa6a_hidserv.dll.mui_561adfc8 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_jvgasys.fon_d163c032 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_nb-no_e1663e689467fdb8.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.15063.0_es-es_5784f6984d299f85_nsisvc.dll.mui_237a741f | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_0bafa5afe5ef93e0.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.15063.0_de-de_53b2a4877a0a9065.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_en-us_d251daebf83b91b8_memtest.exe.mui_77b8cbcc | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_3dfe9dfd48e10842_scdeviceenum.dll.mui_815e7662 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_en-us_8137b70e4d9546cf.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_e9c1351fd8a28638_appidsvc.dll.mui_6717e231 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_es-es_fc67a3294b02806b.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..eelawadeeui_regular_31bf3856ad364e35_10.0.15063.0_none_70a7191ccd7e3047_leelawui.ttf_ce0cc416 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.15063.0_none_a4d1be7a8f1a4216_kernel32.dll_ef9eca7e | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_cvgasys.fon_a23acca1 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.15063.0_es-es_f998415d89a35607_fidocredprov.dll.mui_4ca89266 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_he-il_e2b9a848b899ba23_msimsg.dll.mui_72e8994f | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.15063.0_de-de_53b2a4877a0a9065_wbiosrvc.dll.mui_d5b8b2b8 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7e8f3da72fde33a9_winlogon.exe.mui_3280fc46 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.15063.0_en-us_4b2c08758bffa533_netlogon.dll.mui_ecbeb9bd | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_es-es_effb6eaa34ff2c34_mofcomp.exe.mui_35badf56 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ty-cng-keyisolation_31bf3856ad364e35_10.0.15063.0_none_dfa51ff763495326_keyiso.dll_897976dc | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_es-es_effb6eaa34ff2c34_wmiutils.dll.mui_42583eaf | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_nb-no_5c26751810f1e40b.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_et-ee_51c0f1bb9bbbf098.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sl-si_3f840760de482318.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.15063.0_es-es_3a948a9407b50ce3_ws2ifsl.sys.mui_b672c7b4 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_050d467cbee8ec66.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_bg-bg_a18c0c1f4d396f4e_bootmgfw.efi.mui_a6e78cfa | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_el-gr_5951efba74d1259c.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-br_d3ee117064ef8f57.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_67aabff02c2da9b2.manifest | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga865.fon_08a7fd42 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-driver_31bf3856ad364e35_10.0.15063.0_none_780221c56ec53292_tdi.sys_d1537112 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  368 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  pid | process
  1348 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  1348 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 3620 | vssvc.exe
  Token: SeRestorePrivilege | 3620 | vssvc.exe
  Token: SeAuditPrivilege | 3620 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe, cmd.exe
  description | pid | process | target process
  PID 1348 wrote to memory of 2884 | 1348 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe | cmd.exe
  PID 1348 wrote to memory of 2884 | 1348 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe | cmd.exe
  PID 1348 wrote to memory of 2884 | 1348 | 207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe | cmd.exe
  PID 2884 wrote to memory of 368 | 2884 | cmd.exe | vssadmin.exe
  PID 2884 wrote to memory of 368 | 2884 | cmd.exe | vssadmin.exe
  PID 2884 wrote to memory of 368 | 2884 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken