Analysis

- max time kernel: 175s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 07:56

Static task: static1

Behavioral task: behavioral1
  Sample: 22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe
  Resource: win10-en-20211208
General

- Target: 22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe
- Size: 161KB
- MD5: 5d07f1aa1597cf910630e1852d7d0729
- SHA1: 194ac2c2b6949ac37d85f4c8d4f6b8acc7c29b18
- SHA256: 22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3
- SHA512: f443941be3e922c0bbf2c4307a03868c8865194b777600e83f46c2f7a86d9876f8a630e2ef701261cad7b20c197720c81103755556567ab0b797c3c8e3c9e703
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery. The deletion command is recorded on the cmd.exe (PID 860) command line in the process tree below.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe
  All 24 IoCs are "File opened (read-only)" on a drive root by the sample, in the order reported:
    \??\X:  \??\A:  \??\B:  \??\G:  \??\P:  \??\R:  \??\U:  \??\V:
    \??\Z:  \??\E:  \??\F:  \??\H:  \??\I:  \??\J:  \??\Q:  \??\W:
    \??\O:  \??\S:  \??\T:  \??\K:  \??\L:  \??\M:  \??\N:  \??\Y:
  Taken together that is every drive letter from A: to Z: except C: and D:, i.e. a blind sweep of the whole letter space rather than a probe of volumes known to be mounted.
- Drops file in Windows directory (64 IoCs)
  Processes: 22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe
  All 64 IoCs are "File opened for modification" by the sample, every one under C:\Windows\WinSxS\Backup\, in the order reported:
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_915abbd08935e3bf_msimsg.dll.mui_72e8994f
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_de-de_d08f3ed833f2cc48_kmddsp.tsp.mui_80ddeedb
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-uxtheme_31bf3856ad364e35_10.0.15063.0_none_c14d1e5f73bf1675_uxtheme.dll_9f6cda06
    C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_nb-no_b6e3d3e4670da360.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.15063.0_none_f45c2ae3bf507218_advapi32.dll_9512793c
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-truetype-ebrima_31bf3856ad364e35_10.0.15063.0_none_df8fa7e794d7be79.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_c3c95b73e48b1ae8.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.15063.0_en-us_e0b140b70658212e.manifest
    C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus.systemcopy_31bf3856ad364e35_10.0.15063.0_none_9bcfd43a767ecc30_gdiplus.dll_423f7010
    C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_lt-lt_4a7c585e4840d4da.manifest
    C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c_updaterevokesipolicy.p7b_76fe3620
    C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sl-si_88a80d10cfcef28d.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_030818d8b79b4c05_umpnpmgr.dll.mui_d66aed17
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_de-de_5be8d57b685c3b22_scarddlg.dll.mui_300ae9df
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.15063.0_none_85ed41598f9336e6.manifest
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_de-de_4058ea17e2072e4b.manifest
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.15063.0_de-de_0f3fa4a4b52c0aed.manifest
    C:\Windows\WinSxS\Backup\wow64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_en-us_6dffadf883c9e255_winhttp.dll.mui_f661192f
    C:\Windows\WinSxS\Backup\x86_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.15063.0_none_91cc889b9049023b.manifest
    C:\Windows\WinSxS\Backup\x86_microsoft-windows-duser_31bf3856ad364e35_10.0.15063.0_none_0f69ebfe7cebca2b.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_10.0.15063.0_none_22f6ec0bb529250e_httpprxp.dll_53541354
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..cy-profiles-desktop_31bf3856ad364e35_10.0.15063.0_none_b7e4fa73568cfb48.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.15063.0_en-us_324d9d52150f7e18_webauthn.dll.mui_acc69b8d
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.15063.0_none_291118dda2c1a1ca_scdeviceenum.dll_01ce0fa9
    C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_en-gb_66be140125df80c7_comctl32.dll.mui_0da4e682
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_de-de_e3641786062c0973.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7fd92574f8ebc00c_tcpipcfg.dll.mui_a5479fc1
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_es-es_7ef5fcfde83298af_userdeviceregistration.dll.mui_22ab8f29
    C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.15063.0_es-es_532efa7a226aa685.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_de-de_e6faf81d32dd9c12_bootmgfw.efi.mui_a6e78cfa
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-errorreportingkernel_31bf3856ad364e35_10.0.15063.0_none_5fff332cae3dfdb7_werkernel.sys_bd06c194
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog-api_31bf3856ad364e35_10.0.15063.0_none_bd44db559e18ebcf.manifest
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.15063.0_none_b8dd2546aef29fc8.manifest
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5f76fb5d5934b9cf.manifest
    C:\Windows\WinSxS\Backup\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.0_none_8b4e86125c6fbfec.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base_31bf3856ad364e35_10.0.15063.0_none_1f020fb05f5437ab_wincorlib.dll_812daf53
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_cga80850.fon_2e7bdf2f
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_664c2e56d78422ef_iscsicli.exe.mui_64c0a23c
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..pointmanager-minwin_31bf3856ad364e35_10.0.15063.0_none_e16f69f40610d0ff_mountmgr.sys_77371b26
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7a7b32b1837335e4_wudfhost.exe.mui_1fc689ff
    C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_cs-cz_e3434cec2591af28_comctl32.dll.mui_0da4e682
    C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-drv_31bf3856ad364e35_10.0.15063.0_none_b38673e5fb4dea69.manifest
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_f03011c634d83a8f_wmiutils.dll.mui_42583eaf
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ko-kr_6225f301d1726e4d.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_zh-tw_bd2f3fe4592c7f55_comctl32.dll.mui_0da4e682
    C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_tr-tr_b4c2e4b843761379.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_es-es_b2f0129025746217_vds.exe.mui_2268d934
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7e8f3da72fde33a9.manifest
    C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_msmpcom.dll_34ead564
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_a973c37a723558c8.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_de-de_604b4be6e091800f_apphelp.dll.mui_59096153
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_de-de_9e4d8c43f6cb726c_appidsvc.dll.mui_6717e231
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_bae6f1b1935516b4_fontsub.dll_367a1189
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_he-il_3ed843cc70f72b59_msimsg.dll.mui_72e8994f
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..opwindowmanager-api_31bf3856ad364e35_10.0.15063.0_none_fb776818ad2cd657_dwmapi.dll_2f4f8b34
    C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.15063.0_none_cd56dce90e2409c7.manifest
    C:\Windows\WinSxS\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.15063.0_es-es_156eb89290ac6cb1_listsvc.dll.mui_27f0fc85
    C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_23307a7b0e559e1a.manifest
    C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-es_6e122c03212f2631_comctl32.dll.mui_0da4e682
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-endpointmapper_31bf3856ad364e35_10.0.15063.0_none_5ba657bf1b65363e_rpcepmap.dll_f3295d6a
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_c6cf32da3e1c774d.manifest
    C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_de-de_b0bbc22785bbbd0e.manifest
    C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_en-us_987c8d6bc746e508_firewallapi.dll.mui_43c7a05b
    C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog_31bf3856ad364e35_10.0.15063.0_none_edd835534ba7e8ec.manifest
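The two signatures above (the drive-root sweep and the burst of modifications under C:\Windows\WinSxS\Backup\) are both aggregate patterns: no single file event is suspicious, the count per process is. The following is an added example, not part of the sandbox report, showing how a detection would fold per-event file telemetry into those two per-process counts. The input is constructed: the 24 drive roots and 8 of the 64 WinSxS\Backup paths are copied from the report, the explorer.exe and notepad.exe rows are invented benign activity, and the thresholds (5 roots, 20 files) are assumptions to tune, not values from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe"

# Drive root in the NT object-manager form the sandbox logs it, e.g. \??\X:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")


@dataclass(frozen=True)
class FileEvent:
    process: str   # image name of the acting process
    op: str        # "read-only" or "modification", as in the report
    path: str      # path as logged


# Constructed input (see lead-in): report-derived rows for the sample,
# invented benign rows for explorer.exe and notepad.exe.
ROOTS_IN_REPORT_ORDER = "X A B G P R U V Z E F H I J Q W O S T K L M N Y".split()
WINSXS_BACKUP_IN_REPORT = [
    r"C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_915abbd08935e3bf_msimsg.dll.mui_72e8994f",
    r"C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_de-de_d08f3ed833f2cc48_kmddsp.tsp.mui_80ddeedb",
    r"C:\Windows\WinSxS\Backup\wow64_microsoft-windows-uxtheme_31bf3856ad364e35_10.0.15063.0_none_c14d1e5f73bf1675_uxtheme.dll_9f6cda06",
    r"C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_nb-no_b6e3d3e4670da360.manifest",
    r"C:\Windows\WinSxS\Backup\amd64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.15063.0_none_f45c2ae3bf507218_advapi32.dll_9512793c",
    r"C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-truetype-ebrima_31bf3856ad364e35_10.0.15063.0_none_df8fa7e794d7be79.manifest",
    r"C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_c3c95b73e48b1ae8.manifest",
    r"C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.15063.0_en-us_e0b140b70658212e.manifest",
]
EVENTS = (
    [FileEvent(SAMPLE, "read-only", "\\??\\" + d + ":") for d in ROOTS_IN_REPORT_ORDER]
    + [FileEvent(SAMPLE, "modification", p) for p in WINSXS_BACKUP_IN_REPORT]
    + [
        FileEvent("explorer.exe", "read-only", "\\??\\C:"),   # invented, benign
        FileEvent("explorer.exe", "read-only", "\\??\\D:"),   # invented, benign
        FileEvent("notepad.exe", "modification", r"C:\Users\Admin\Desktop\notes.txt"),  # invented
    ]
)


def drive_roots_by_process(events):
    """Distinct drive letters each process opened at the root, as a sorted string."""
    roots = defaultdict(set)
    for ev in events:
        m = DRIVE_ROOT.match(ev.path)
        if m and ev.op == "read-only":
            roots[ev.process].add(m.group(1).upper())
    return {proc: "".join(sorted(letters)) for proc, letters in roots.items()}


def modified_under_by_process(events, prefix="C:\\Windows\\"):
    """Count of distinct files each process opened for modification under prefix."""
    touched = defaultdict(set)
    pfx = prefix.lower()
    for ev in events:
        if ev.op == "modification" and ev.path.lower().startswith(pfx):
            touched[ev.process].add(ev.path.lower())
    return {proc: len(paths) for proc, paths in touched.items()}


def verdict(events, min_roots=5, min_files=20):
    """(process, reason) for every process over either threshold; thresholds are assumptions."""
    findings = []
    for proc, letters in drive_roots_by_process(events).items():
        if len(letters) >= min_roots:
            findings.append((proc, f"drive sweep: {len(letters)} roots ({letters})"))
    for proc, n in modified_under_by_process(events).items():
        if n >= min_files:
            findings.append((proc, f"mass modification: {n} files under C:\\Windows\\"))
    return findings


if __name__ == "__main__":
    for proc, reason in verdict(EVENTS):
        print(f"{proc}: {reason}")
```

With the default thresholds only the drive sweep fires, because just 8 of the report's 64 WinSxS\Backup paths are embedded; the full list would clear the 20-file threshold as well (pass min_files=8 to see both findings on this input). The explorer.exe rows show why a root count of two is not interesting, and the notepad.exe row is excluded by the prefix rather than by the threshold.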
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    pid   process
    4080  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe
    pid   process
    1064  22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe
    1064  22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
    description                pid   process
    Token: SeBackupPrivilege   1616  vssvc.exe
    Token: SeRestorePrivilege  1616  vssvc.exe
    Token: SeAuditPrivilege    1616  vssvc.exe
  vssvc.exe is the Volume Shadow Copy service, started on demand to service the vssadmin request, and enabling these privileges is part of its normal operation. The IoC therefore corroborates the shadow-copy deletion; it is not evidence of privilege escalation by the sample itself.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe, cmd.exe
    description                       pid   process                                                                  target process
    PID 1064 wrote to memory of 860   1064  22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe  cmd.exe
    PID 1064 wrote to memory of 860   1064  22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe  cmd.exe
    PID 1064 wrote to memory of 860   1064  22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe  cmd.exe
    PID 860 wrote to memory of 4080   860   cmd.exe                                                                  vssadmin.exe
    PID 860 wrote to memory of 4080   860   cmd.exe                                                                  vssadmin.exe
    PID 860 wrote to memory of 4080   860   cmd.exe                                                                  vssadmin.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe  (PID 1064)
   Command line: "C:\Users\Admin\AppData\Local\Temp\22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe"
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe  (PID 860, child of 1064)
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\vssadmin.exe  (PID 4080, child of 860)
         Command line: vssadmin.exe Delete Shadows /All /Quiet
         - Interacts with shadow copies

1. C:\Windows\system32\vssvc.exe  (PID 1616)
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

Reading the tree:
- cmd.exe and vssadmin.exe are recorded with SysWOW64 image paths although the command line names System32: the sample is a 32-bit process on the windows10_x64 platform, and WoW64 file-system redirection maps its System32 references to SysWOW64.
- The cmd.exe command line chains three commands (shadow-copy deletion, then two bcdedit changes that disable automatic recovery and boot-failure handling), but only vssadmin.exe appears as a child here. The command line itself is the evidence for the bcdedit changes; this tree does not confirm they ran.
- vssvc.exe sits at the top level rather than under the sample because it is the Volume Shadow Copy service, started by the service control manager to handle the vssadmin request.
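The cmd.exe command line in the tree above is the richest single artefact in the report: one process-creation event carries the shadow-copy deletion and both bcdedit recovery changes, while the tree records only the vssadmin.exe child. A detection that matches only on the vssadmin.exe child would miss the bcdedit part entirely. The following is an added example, not part of the sandbox report, of matching the chained command line and walking the parent chain back to the sample. The events are constructed from the PIDs, images and command lines in the tree; the sample's own parent is not in the report (ppid 0 here), the two benign rows are invented, and the wmic shadowcopy rule is a common equivalent added as a generalisation that this report does not show.

```python
import re
from dataclasses import dataclass

SAMPLE = "22a78f99ac3e0035cc824d8c04678a67e470fa9a42d704fa01c254ec05be2ae3.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events (see lead-in). Rows 1-3 follow the report's
# process tree; ppid 0 for the sample is a placeholder; rows 4-5 are invented benign commands.
EVENTS = [
    ProcEvent(1064, 0, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    ProcEvent(860, 1064, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
              r' & bcdedit /set {default} recoveryenabled No'
              r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(4080, 860, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(5000, 4, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),   # invented, benign
    ProcEvent(5001, 4, r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),            # invented, benign
]

# One rule per recovery-inhibition command, applied to a lower-cased sub-command.
# The first three are exactly what the sample ran; the wmic rule is the generalisation.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "bcdedit_ignore_boot_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
}

# cmd.exe chains commands with &, &&, | and ||; split so each one is matched on its own.
CHAIN_SEP = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def split_chain(cmdline):
    """Sub-commands of a cmd.exe command line, in order, empty segments dropped."""
    return [seg for seg in CHAIN_SEP.split(cmdline) if seg]


def scan_events(events):
    """{pid: [(rule_name, matched_sub_command), ...]} for every event that hits a rule."""
    hits = {}
    for ev in events:
        for seg in split_chain(ev.cmdline):
            low = seg.lower()
            for name, rx in RULES.items():
                if rx.search(low):
                    hits.setdefault(ev.pid, []).append((name, seg))
    return hits


def ancestry(events, pid):
    """PIDs from pid up to the last ancestor present in events (root first is the reverse)."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, findings in scan_events(EVENTS).items():
        print(f"PID {pid}, ancestry {ancestry(EVENTS, pid)}:")
        for rule, seg in findings:
            print(f"  {rule}: {seg}")
```

On this input PID 860 produces three findings from one event and PID 4080 one, and ancestry(EVENTS, 4080) returns [4080, 860, 1064], tying the vssadmin.exe child back to the sample. The benign rows match nothing: "vssadmin list shadows" lacks the delete verb, and "bcdedit /enum" changes no boot setting, which is why the rules key on the verb and the setting rather than on the tool name alone.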