Analysis
- max time kernel: 142s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 08:02
Static task: static1
Behavioral task: behavioral1
- Sample: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
- Resource: win10-en-20211208
General
- Target: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
- Size: 164KB
- MD5: 52a84fdf5f66b1f32c6f5fa43bb49c6a
- SHA1: 26d7cacaa60d016c60f506658946e5a0a14d7d63
- SHA256: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de
- SHA512: 0c844960e44b25d7601f991d63572b8a390d31f003364036a9f4110ab719828ab772f871a5da75856d149164881efa2105ca3eb615fadf3f716c28516024ff4d
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe (all rows)
  description | ioc
  File opened (read-only) | \??\B:
  File opened (read-only) | \??\E:
  File opened (read-only) | \??\F:
  File opened (read-only) | \??\K:
  File opened (read-only) | \??\U:
  File opened (read-only) | \??\W:
  File opened (read-only) | \??\M:
  File opened (read-only) | \??\N:
  File opened (read-only) | \??\S:
  File opened (read-only) | \??\T:
  File opened (read-only) | \??\O:
  File opened (read-only) | \??\P:
  File opened (read-only) | \??\Q:
  File opened (read-only) | \??\Z:
  File opened (read-only) | \??\A:
  File opened (read-only) | \??\H:
  File opened (read-only) | \??\J:
  File opened (read-only) | \??\L:
  File opened (read-only) | \??\X:
  File opened (read-only) | \??\Y:
  File opened (read-only) | \??\G:
  File opened (read-only) | \??\I:
  File opened (read-only) | \??\R:
  File opened (read-only) | \??\V:
- Drops file in Windows directory (64 IoCs)
  Process: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe (all rows)
  description | ioc
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_6.1.7600.16385_none_ce571486e124e749_winnsi.dll_53ccebf2
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_643c507363ea9836.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_d961938b8cd1e885_dhcpcore.dll_8036fe08
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9051caac08fc9eb2.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-acproxy_31bf3856ad364e35_6.1.7600.16385_none_520444733f7b8add_acproxy.dll_5d65b262
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cf6ea48f3390359c_provsvc.dll.mui_3a2926ae
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_sk-sk_ca73b0dc729ea456.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68d891dc840c463a.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_keypad.xml_b95337c9
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_f19244cb36fb567c.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_1f49ce93103c3e39_comctl32.dll.mui_0da4e682
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1af4bd3e3cd35904_winresume.exe.mui_ff8b5358
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461_cngaudit.dll_86fb1bb1
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4bf9d57947dd35b9_gpapi.dll.mui_ef0a9748
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a8af9daaf6cb0394_scecli.dll.mui_225fa220
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bdb1871a55be00c8.manifest
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_cd970b6106ea9e70_unlodctr.exe.mui_53acc4d0
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..pe-estrangeloedessa_31bf3856ad364e35_6.1.7600.16385_none_58a3b21a93a6012d_estre.ttf_60330f37
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-angsananew_31bf3856ad364e35_6.1.7600.16385_none_bfea396e1dabb335_angsa.ttf_06632f96
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ef3f3b3b9e7e8bff.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_664de2048e0b97ed_wiaservc.dll.mui_54051b53
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_521851f9ea3be82c_dnsapi.dll.mui_97465f8a
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cdfd33b21b9a0a10_crypt32.dll.mui_4268f86a
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-basesrv_31bf3856ad364e35_6.1.7600.16385_none_68bfdc7cfd6bd477_basesrv.dll_8c1ad808
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4bf9d57947dd35b9_gpsvc.dll.mui_0c160ac2
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_372c37e840df1158.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-systemindexer_31bf3856ad364e35_6.1.7600.16385_none_319108f33cd99029.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_f19244cb36fb567c_bootmgr.exe.mui_c434701f
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ional-codepage-1257_31bf3856ad364e35_6.1.7600.16385_none_2429c9016a32af3a.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0a1287b745a0addd_wldap32.dll.mui_065dbd9c
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_116b0e26a675a2ee_mpr.dll.mui_a313505c
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..es-interface-router_31bf3856ad364e35_6.1.7600.16385_none_b3eaf84f983a33ee_activeds.dll_662643d7
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_6.1.7600.16385_none_2ad2380d0ae7577e_w32topl.dll_1a0f388b
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_931b5f1fdcdd6496_setupapi.mof_8d9de59f
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf22f74eb8bda0f6_wship6.dll.mui_1cca9bd8
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_nb-no_03e8d9cb0e69654f.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..resources.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ae8938add7fda7b2.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b2b4319ea764ed4_webclnt.dll.mui_e8f04040
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_7.5.7601.17514_fr-fr_172b5419eddfc893.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_848d9eb0d8a9fb44_dhcpcsvc.dll.mui_186571e1
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c8a8ee4f97b7f12_sqlsoldb.chm_9573a554
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.7601.17514_none_3bd2e487d8e769d3.manifest
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b_rasddm-repl.man_f70b2fe7
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1f28f17a3d5e00b2_activeds.dll.mui_67414db4
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreos_31bf3856ad364e35_6.1.7601.17514_none_83784bb654f0d178.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-leelawadee_31bf3856ad364e35_6.1.7600.16385_none_6485fe8bf7ee4be9.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-vrinda_31bf3856ad364e35_6.1.7600.16385_none_d2195f0f72f474c8_vrindab.ttf_790ee52a
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ad0a17d9536dd7dc.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-browseui_31bf3856ad364e35_6.1.7601.17514_none_32ea4b9e4497e627_browseui.dll_7a6f3790
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_et-ee_e688c09ad25cd01b_comdlg32.dll.mui_ac8e62f4
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_02b53e1d98470ee8.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_en-us_919783112bf8b64b_uicom.dll.mui_4fdc61f8
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptnet-dll_31bf3856ad364e35_6.1.7600.16385_none_730e32c11586bfeb_cryptnet.dll_e44c577b
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f7b09044d73c37a9.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a0071dddf8fc3cd7_sens.dll.mui_64739194
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-wbiosrvc_31bf3856ad364e35_6.1.7600.16385_none_c79503ead5aed6b0_wbiosrvc.dll_a4715dd3
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_aab4f8cb967e96d9.manifest
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_53a5cec4855ca29e.manifest
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_apphelp.dll.mui_59096153
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ar-sa_b47c902ac18ae93d_comdlg32.dll.mui_ac8e62f4
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_a2ffc87595d912be.manifest
  File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_printui.exe_bb673fff
  File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c7e524572c62fe1c_activeds.dll.mui_67414db4
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  2004 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
  pid | process
  1756 | 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1676 | vssvc.exe
  Token: SeRestorePrivilege | 1676 | vssvc.exe
  Token: SeAuditPrivilege | 1676 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe, cmd.exe
  description | pid | process | target process
  PID 1756 wrote to memory of 708 | 1756 | 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe | cmd.exe
  PID 1756 wrote to memory of 708 | 1756 | 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe | cmd.exe
  PID 1756 wrote to memory of 708 | 1756 | 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe | cmd.exe
  PID 1756 wrote to memory of 708 | 1756 | 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe | cmd.exe
  PID 708 wrote to memory of 2004 | 708 | cmd.exe | vssadmin.exe
  PID 708 wrote to memory of 2004 | 708 | cmd.exe | vssadmin.exe
  PID 708 wrote to memory of 2004 | 708 | cmd.exe | vssadmin.exe
  PID 708 wrote to memory of 2004 | 708 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe"
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      Signatures:
      - Interacts with shadow copies
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1756-54-0x0000000076451000-0x0000000076453000-memory.dmp (Filesize: 8KB)