Analysis
- max time kernel: 168s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 07:57
Static task: static1
Behavioral task: behavioral1
  Sample: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  Resource: win10-en-20211208
General
- Target: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
- Size: 157KB
- MD5: d8c7d853d3af593805d5be7a06aa44eb
- SHA1: 2fb9eb11bb466142a0d3a0985495dfe1194339cc
- SHA256: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5
- SHA512: 2e8dfec998de140b670e6342df6d630c9208a529664674323fd538545b1649fbb4aacabe654e3f007e6974b1e1b7dcfe90fd1c8bfa2e7f7473c19ef60d8cc321
Malware Config
Extracted
C:\odt\ta3u64-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FFF21A5B1AC5778E
http://decryptor.top/FFF21A5B1AC5778E
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\CopyUndo.tiff | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File renamed | C:\Users\Admin\Pictures\CheckpointPublish.tif => C:\Users\Admin\Pictures\CheckpointPublish.tif.ta3u64 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File renamed | C:\Users\Admin\Pictures\ConfirmSwitch.raw => C:\Users\Admin\Pictures\ConfirmSwitch.raw.ta3u64 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File renamed | C:\Users\Admin\Pictures\ConfirmDebug.raw => C:\Users\Admin\Pictures\ConfirmDebug.raw.ta3u64 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File renamed | C:\Users\Admin\Pictures\UnregisterRestore.tiff => C:\Users\Admin\Pictures\UnregisterRestore.tiff.ta3u64 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File renamed | C:\Users\Admin\Pictures\DebugTrace.tiff => C:\Users\Admin\Pictures\DebugTrace.tiff.ta3u64 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Pictures\DebugTrace.tiff | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Pictures\UnregisterRestore.tiff | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File renamed | C:\Users\Admin\Pictures\CopyUndo.tiff => C:\Users\Admin\Pictures\CopyUndo.tiff.ta3u64 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File renamed | C:\Users\Admin\Pictures\PingDismount.raw => C:\Users\Admin\Pictures\PingDismount.raw.ta3u64 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File renamed | C:\Users\Admin\Pictures\ResumeSet.crw => C:\Users\Admin\Pictures\ResumeSet.crw.ta3u64 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
- Drops desktop.ini file(s) (24 IoCs)
  Processes: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Music\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Public\Downloads\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Public\Music\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Public\Pictures\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files (x86)\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Public\Documents\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Public\Libraries\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Links\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Public\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  description | ioc | process
  File opened (read-only) | \??\U: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\V: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\X: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\A: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\B: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\G: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\K: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\W: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\Y: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\M: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\O: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\Q: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\T: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\Z: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\E: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\F: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\N: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\S: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\P: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\R: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\H: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\I: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\J: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened (read-only) | \??\L: | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.454.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\en-us\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\packager.jar | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\nb\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\AppxSignature.p7x | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\microsoft.system.package.metadata\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.tree.dat | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\STARTUP\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files (x86)\Common Files\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\oc\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\db\lib\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\AppxMetadata\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\manifests\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\AppxMetadata\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\updater.ini | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\Windows Defender\Offline\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Helper.winmd | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\Microsoft Office\root\fre\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ta3u64-readme.txt | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\resources.pri | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  3608 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  pid | process
  3104 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  3104 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 8 | vssvc.exe
  Token: SeRestorePrivilege | 8 | vssvc.exe
  Token: SeAuditPrivilege | 8 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe, cmd.exe
  description | pid | process | target process
  PID 3104 wrote to memory of 2956 | 3104 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe | cmd.exe
  PID 3104 wrote to memory of 2956 | 3104 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe | cmd.exe
  PID 3104 wrote to memory of 2956 | 3104 | 2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe | cmd.exe
  PID 2956 wrote to memory of 3608 | 2956 | cmd.exe | vssadmin.exe
  PID 2956 wrote to memory of 3608 | 2956 | cmd.exe | vssadmin.exe
  PID 2956 wrote to memory of 3608 | 2956 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe"
  PID: 3104
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID: 2956
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 3608
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 8
  - Suspicious use of AdjustPrivilegeToken