sodinokibi | 0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee

General

Target

0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
Size

139KB
MD5

f89c4e63b3ad5dcc550ca20afb4e8be3
SHA1

63379dd5a69d289df9f52affcf9c0dfe100800fa
SHA256

0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee
SHA512

438c307f53e14c75c43b998f066367ec7ccec3511422bb11c2695941c1aee89cc0fc5a46a975fd96b62d082e8547f04df0e6222c450b7cedea9633cabce8523f

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe

description	ioc	process
File opened (read-only)	\??\Q:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\U:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\X:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\A:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\E:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\J:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\L:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\N:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\Y:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\Z:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\F:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\G:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\R:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\T:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\B:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\M:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\O:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\V:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\W:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\H:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\I:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\K:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\P:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened (read-only)	\??\S:	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe

Drops file in Windows directory 64 IoCs

Processes:

0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_6.1.7601.17514_none_09ee9e0dfa2c4fbd_dxgkrnl.sys_8aad3dfb	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_041941e0648fcc17_hdwwiz.cpl.mui_cdafedff	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3a394bdd55075554.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_lv-lv_d972d95f98936d9a.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_030746ff6460d052_listsvc.dll.mui_27f0fc85	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_47c3a7a7b5db2631_dnsapi.dll.mui_97465f8a	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_8f3b48a84cb8ca60.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-866_31bf3856ad364e35_6.1.7600.16385_none_2adda600b4e25a37.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_35ed6da2cd70fe09_pshed.dll.mui_d7f9a40f	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e531c8a834aefdb9_vsstrace.dll.mui_3a1fe238	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_lv-lv_bfeef31b27ea4620.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ro-ro_8fd4ffd2d917abf4_comdlg32.dll.mui_ac8e62f4	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_de-de_305b8c9d36da5a85.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8c5bb00ce4f9092e_sti.dll.mui_00a4f15b	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b97e2a0cf19a74b.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9c303c8bce24ecf.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit_31bf3856ad364e35_6.1.7600.16385_none_c3d671ef7642fced.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4344f5fd149fa43d.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0d64ea2d260b6c8_gpsvc.dll.mui_0c160ac2	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_019943d7782289a6_puiapi.dll.mui_e94aeb19	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_bb31595d11a5d311_credui.dll.mui_34721171	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-msvcrt_31bf3856ad364e35_6.1.7600.16385_none_d12b8c440039b31e.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6d057f90b91b6b1f.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80_gdiplus.dll_423f7010	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aff6dbf6c87c7754_iscsiprf.mfl_24c6459c	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_wanarp.sys_19b9c668	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155_rasser.dll_4231e658	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a74232920720505d_winresume.exe.mui_ff8b5358	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b_cngaudit.dll_86fb1bb1	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..rics-storageadapter_31bf3856ad364e35_6.1.7600.16385_none_329b3f476f0cd674_winbiostorageadapter.dll_5fb8b23e	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-win32k.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b3ae596aac502e91.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_31ba297055661ca3_erofflps.txt_649e76ed	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-htmlhelp-infotech_31bf3856ad364e35_6.1.7601.17514_none_f8ab56ff71fc562a_itircl.dll_dafa7917	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1e196194a0e8e07b.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16f7dbd4736deb32_pautoenr.dll.mui_9667d15f	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2dba46ae3c357fb2_msdasc.chm_e6d620a3	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_be8acdd10de3b1a6_netbt.sys_9226f314	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2601b21b7e30b5a7_psbase.dll.mui_c28690ab	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c5f238be3fa63468.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c00c27bdb90841b1.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-simsun_31bf3856ad364e35_6.1.7600.16385_none_56fe10b1895fd80b_simsun.ttc_eba56c14	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d40b16d89404e928.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-874_31bf3856ad364e35_6.1.7600.16385_none_2aded3dab4e1404c_c_874.nls_b55e757c	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7601.17514_none_a2347d4102a4c8ad.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.17514_none_16795c7543eb48cf_mswsock.dll_e2ad0f2d	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8f54bc532eadc7ab_listsvc.dll.mui_27f0fc85	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a34eb21187cbf59e.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6e3ba8f78468edc8_pautoenr.dll.mui_9667d15f	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smallft.fon_f426f380	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277_lsass.exe_682060de	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_940adae60f7352f1.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-unimodem-voice_31bf3856ad364e35_6.1.7600.16385_none_a07f9fa9687232e6_serwvdrv.dll_874b1f23	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_10d07fb5072b4b2c.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-filtermanager-core_31bf3856ad364e35_6.1.7601.17514_none_6f2f7861416b9bc6.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0eaa73e1c56d6827_iscsidsc.dll.mui_6acb64a6	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f09dccd4f32812c2_umpo.dll.mui_cac12e54	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d6dabc6182566680_wevtapi.dll.mui_27c9f5dd	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1820774de6bd4d16_lodctr.exe.mui_4ac7d1a1	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cb31547d0a230c7b.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_00e51c7022323f45.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f3bc9163ae8cff9_expand.exe.mui_3f54e013	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_en-us_22d9783c715c7b1c_wudfplatform.dll.mui_d815d31a	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9b91f4c11edec673.manifest	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1496 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe

pid process

1876 0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 816 vssvc.exe
Token: SeRestorePrivilege 816 vssvc.exe
Token: SeAuditPrivilege 816 vssvc.exe

pid	process
1496	vssadmin.exe

pid	process
1876	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe

description	pid	process
Token: SeBackupPrivilege	816	vssvc.exe
Token: SeRestorePrivilege	816	vssvc.exe
Token: SeAuditPrivilege	816	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.execmd.exe

description	pid	process	target process
PID 1876 wrote to memory of 652	1876	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe	cmd.exe
PID 1876 wrote to memory of 652	1876	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe	cmd.exe
PID 1876 wrote to memory of 652	1876	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe	cmd.exe
PID 1876 wrote to memory of 652	1876	0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe	cmd.exe
PID 652 wrote to memory of 1496	652	cmd.exe	vssadmin.exe
PID 652 wrote to memory of 1496	652	cmd.exe	vssadmin.exe
PID 652 wrote to memory of 1496	652	cmd.exe	vssadmin.exe
PID 652 wrote to memory of 1496	652	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe
"C:\Users\Admin\AppData\Local\Temp\0f58625addd69f66282924298d843f12f7c2dc2e4d6571952830b880c08cdfee.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:652