Analysis
- max time kernel: 130s
- max time network: 29s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 07:59
Static task: static1
Behavioral task: behavioral1
- Sample: 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
- Resource: win10-en-20211208
General
- Target: 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
- Size: 164KB
- MD5: ca337c7130eef4f4ff8e8a4a8ec28647
- SHA1: 28558e35d3f9af01fe438eba7fba1c38201c86de
- SHA256: 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467
- SHA512: 60b9b7841a942a6bcb700872b6ff1353fd282a7b318d6ac8d47e419573978aff43c961436a2fdb6a076e81545ef9759e7848fdc9eaa5a571638ab19d666a1c1c
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - vssadmin.exe (PID 268)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  - 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe (PID 928)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (PID 864)
  - Token: SeBackupPrivilege, PID 864, vssvc.exe
  - Token: SeRestorePrivilege, PID 864, vssvc.exe
  - Token: SeAuditPrivilege, PID 864, vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe, cmd.exe
  (description, pid, process, target process)
  - PID 928 wrote to memory of 1556, 928, 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe, cmd.exe
  - PID 928 wrote to memory of 1556, 928, 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe, cmd.exe
  - PID 928 wrote to memory of 1556, 928, 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe, cmd.exe
  - PID 928 wrote to memory of 1556, 928, 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe, cmd.exe
  - PID 1556 wrote to memory of 268, 1556, cmd.exe, vssadmin.exe
  - PID 1556 wrote to memory of 268, 1556, cmd.exe, vssadmin.exe
  - PID 1556 wrote to memory of 268, 1556, cmd.exe, vssadmin.exe
  - PID 1556 wrote to memory of 268, 1556, cmd.exe, vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/928-54-0x0000000075531000-0x0000000075533000-memory.dmp (Filesize: 8KB)