Analysis
max time kernel: 218s
max time network: 201s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 08:02
Static task: static1
Behavioral task: behavioral1
  Sample: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
  Resource: win10-en-20211208
General
Target: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
Size: 164KB
MD5: 52a84fdf5f66b1f32c6f5fa43bb49c6a
SHA1: 26d7cacaa60d016c60f506658946e5a0a14d7d63
SHA256: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de
SHA512: 0c844960e44b25d7601f991d63572b8a390d31f003364036a9f4110ab719828ab772f871a5da75856d149164881efa2105ca3eb615fadf3f716c28516024ff4d
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
Ransomware commonly deletes Volume Shadow Copies so that encrypted files cannot be restored from local snapshots (inhibit system recovery). In this run the deletion is issued through cmd.exe and vssadmin.exe; see the process tree below.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe opened the following volume roots read-only:
\??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
That is every drive letter from A: to Z: except C: and D:. The sample does not consult the set of mounted volumes; it blindly probes each possible letter (including ones that are not mapped) to find additional volumes to process.
Drops file in Windows directory (64 IoCs)
Process: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe opened the following files for modification. Every entry is an existing component backup under C:\Windows\WinSxS\Backup (build 15063, i.e. Windows 10 1703 components); the sandbox files this as "drops file", but the recorded IoC type is "opened for modification" of files that were already present. Component names containing ".." are abbreviated by the sandbox.
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_d123dd2c727d3948.manifest
C:\Windows\WinSxS\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_b007ff450adb462f_tcpipcfg.dll.mui_a5479fc1
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.15063.0_none_43849a6a5b3b562b_power.energyestimationengine.cpu.ppkg_d2e30320
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service_31bf3856ad364e35_10.0.15063.0_none_cccd063af7c61d71.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_en-us_dd56529205f2b805.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-csrsrv_31bf3856ad364e35_10.0.15063.0_none_e4efba91128d1d2c.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_1c02e7b415c9e014.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_10.0.15063.0_none_537665e7464aea75_scecli.dll_149e0f7b
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.15063.0_en-us_9504eb788afd0242_wmpdui.dll.mui_92411657
C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_8e4cd2143a97567e_wiarpc.dll.mui_0c913b87
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_f863dd8f33bd56fe_combase.dll.mui_6db10b33
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_c8514fix.fon_9cff44b7
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_afca0662c6342c0f.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_10.0.15063.0_none_4921bb9511ea287a.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.15063.0_none_7d3d04174acaa727_shell32.dll_0d29dca9
C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_de-de_ef8bb772d868d943_firewallapi.dll.mui_43c7a05b
C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_be6a5a9c7dbb19ea_bootmgr.exe.mui_c434701f
C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_uk-ua_fe803688d47d7106_bootmgr.exe.mui_c434701f
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_en-gb_886312f82692f412_bootmgr.efi.mui_be5d0075
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptbase_31bf3856ad364e35_10.0.15063.0_none_7679aeb1e6c8b09d_cryptbase.dll_83e36053
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_es-es_8458e90552d4da02_provsvc.dll.mui_3a2926ae
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmilib_31bf3856ad364e35_10.0.15063.0_none_6a68d3903cfb6ab2_wmilib.sys_0dcce989
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5f76fb5d5934b9cf_winipsec.mof_abfff45a
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_c729b8d286af64eb_msvcp_win.dll_48149df4
C:\Windows\WinSxS\Backup\x86_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.15063.0_none_9e5f1652e5d5551c.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_c5ef67472648fded.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.15063.0_de-de_0cb68f8bd1dc0cd2.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_766b128d9dd121a0.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.15063.0_none_0c6c3963abedbb7f.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_10.0.15063.0_none_ea45c9f15e65cc3a_ntdsapi.dll_23e20303
C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sr-..-rs_8995d4219afc5913_msimsg.dll.mui_72e8994f
C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_de-de_beb9e9f73d4f9ded_iscsicli.exe.mui_64c0a23c
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_cad9b29a2d04df9b_dnsrslvr.dll.mui_1e1a1ed1
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_582a3867b3b3209e_volmgrx.sys.mui_b0c205d7
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_ega40woa.fon_70a9c7e3
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pt-br_59d1ffcc04432003.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sl-si_3f840760de482318.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_de-de_34657c991714ac40_tcpipcfg.dll.mui_a5479fc1
C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_bd1d1a4af7dd55de_wiaservc.dll.mui_54051b53
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_c7457c7a32053978.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_27105f0445a6f064_provsvc.dll.mui_3a2926ae
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.15063.0_es-es_a8cb88a6193e0d16_shsvcs.dll.mui_b69fccab
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sxssrv_31bf3856ad364e35_10.0.15063.0_none_7199b2a6f00baf63.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_f194a3e656e4fb7c_user32.dll.mui_14652dbb
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_3dfe9dfd48e10842_scarddlg.dll.mui_300ae9df
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.15063.0_none_16b25f1fe6942a8d.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_e5db677400777894_wmiapres.dll.mui_c1b8803f
C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sk-sk_41e8b481bab8b6a4_comctl32.dll.mui_0da4e682
C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_fr-fr_062dd68942622861.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.15063.0_none_e2aafdd9e59cf01f.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_10.0.15063.0_none_558a46bee183e781.manifest
C:\Windows\WinSxS\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_en-us_7c26da6bc6b0c02c_rasauto.dll.mui_12fa2c50
C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_bg-bg_7fe70d284c85fc03_comctl32.dll.mui_0da4e682
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_de-de_9e4d8c43f6cb726c.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..wmanager-compositor_31bf3856ad364e35_10.0.15063.0_none_16962c30782ca7e5.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga852.fon_0a8e74dc
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_aa80fca424a5c223.manifest
C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_en-us_d3e83faaaad81999.manifest
C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_es-es_67761cd42c549b57_iscsiexe.dll.mui_7d81b1cc
C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sr-..-rs_fbc5757cdcd2dc71.manifest
C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sk-sk_e4534a2525509eff.manifest
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_78aafb7af9d71d92_bootmgr.efi.mui_be5d0075
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_11ae3d61e1691e19.manifest
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe (PID 2536)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: 128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe (PID 3500), two process-enumeration events.
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: vssvc.exe (PID 3968) enabled SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege.
vssvc.exe is the Volume Shadow Copy service, and enabling these privileges is its normal behaviour when it is started to service a VSS request. The entry is a side effect of the vssadmin.exe call, not the sample adjusting its own token.
Suspicious use of WriteProcessMemory (6 IoCs)
PID 3500 (128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe) wrote to the memory of PID 700 (cmd.exe): 3 events
PID 700 (cmd.exe) wrote to the memory of PID 2536 (vssadmin.exe): 3 events
Both pairs are parent and child in the process tree below, so these writes accompany ordinary child-process creation rather than injection into an unrelated process.
Processes

128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe (PID 3500)
  Path: C:\Users\Admin\AppData\Local\Temp\128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  cmd.exe (PID 700)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    vssadmin.exe (PID 2536)
      Path: C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies

unsecapp.exe
  Path: C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

vssvc.exe (PID 3968)
  Path: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- The sample asked for C:\Windows\System32\cmd.exe, but the process that ran is C:\Windows\SysWOW64\cmd.exe. The sample is a 32-bit process on 64-bit Windows, so WOW64 file-system redirection mapped System32 to SysWOW64; the same happened to vssadmin.exe.
- The cmd.exe line chains three recovery-inhibiting commands (delete all shadow copies, disable Windows Recovery for the default boot entry, ignore boot failures), yet only vssadmin.exe appears as a child and no bcdedit.exe process was recorded. On 64-bit Windows bcdedit.exe ships only in the real System32, not in SysWOW64, so a 32-bit cmd.exe subject to redirection cannot resolve it; that is the likely reason the two bcdedit commands left no trace in this run, while the vssadmin.exe deletion did execute.
- unsecapp.exe -Embedding (the WMI unsecured-apartment callback host) and vssvc.exe (the Volume Shadow Copy service, started by the service manager when vssadmin.exe issues its request) are Windows components. They sit at the top level of the tree because they are not children of the sample.
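The cmd.exe command line in the tree above carries the whole recovery-inhibition step in one string, which makes it a good detection anchor. The Python below is an added example (it is not part of the Triage report and not code from the sample): it runs T1490-style command-line rules over constructed Sysmon EID 1 / Security 4688-style process-creation records that mirror the PIDs and command lines on this page, then walks each hit up through the shell and the living-off-the-land binary to the process that originated it, so that the three techniques can be correlated to a single origin (PID 3500). The record field names (pid, ppid, image, cmdline), the parent PID of the sample, the two benign noise rows, the attribute-through set and the wmic rule are this example's own assumptions, not facts from the report.

```python
import re
from dataclasses import dataclass

# Command-line patterns for ATT&CK T1490 (Inhibit System Recovery). The first
# three are exactly the commands chained in the cmd.exe line of this report;
# the wmic variant is a common equivalent added here as a generalisation.
RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "bcdedit_recoveryenabled_off":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+(?:no|off|false)\b", re.I),
    "bcdedit_ignore_boot_failures":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
}

# Shells and LOLBins we attribute *through*: a hit on one of these is credited
# to its nearest ancestor outside this set. The set is an assumption of this example.
ATTRIBUTE_THROUGH = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "vssadmin.exe", "bcdedit.exe", "wmic.exe", "wbadmin.exe",
}

# Constructed process-creation records. PIDs 3500 -> 700 -> 2536 and their
# command lines mirror this report; the parent PID of 3500 and the two benign
# rows at the end are made up for the example.
SAMPLE = "128a0bfad65790d7db90f82f2ede6969e834549a48f3712130288d2cd455b2de.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 3500, "ppid": 4120, "image": TEMP_DIR + "\\" + SAMPLE,
     "cmdline": '"' + TEMP_DIR + "\\" + SAMPLE + '"'},
    {"pid": 700, "ppid": 3500, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
                r' & bcdedit /set {default} recoveryenabled No'
                r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 2536, "ppid": 700, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4400, "ppid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                    # admin, benign
    {"pid": 4500, "ppid": 900, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy call create Volume=C:\\"},  # backup agent, benign
]


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    rule: str
    origin_pid: int
    origin_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(cmdline: str) -> list:
    """Names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def origin_of(pid: int, by_pid: dict) -> dict:
    """Climb the parent chain past shells/LOLBins to the process that started it.
    Stops when the parent was not logged or on a PID cycle (PID reuse)."""
    ev = by_pid[pid]
    seen = {pid}
    while basename(ev["image"]) in ATTRIBUTE_THROUGH:
        parent = by_pid.get(ev["ppid"])
        if parent is None or parent["pid"] in seen:
            break
        seen.add(parent["pid"])
        ev = parent
    return ev


def detect(events: list) -> list:
    """One Finding per (process, rule) hit, each attributed to its origin process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            origin = origin_of(ev["pid"], by_pid)
            findings.append(Finding(ev["pid"], ev["image"], rule,
                                    origin["pid"], origin["image"]))
    return findings


def summarize(findings: list) -> dict:
    """Group hits by origin. Two or more distinct T1490 techniques from one
    origin is the ransomware pattern in this report and is rated high."""
    out = {}
    for f in findings:
        entry = out.setdefault(f.origin_pid,
                               {"image": f.origin_image, "rules": set(), "pids": set()})
        entry["rules"].add(f.rule)
        entry["pids"].add(f.pid)
    for entry in out.values():
        entry["severity"] = "high" if len(entry["rules"]) >= 2 else "medium"
    return out


if __name__ == "__main__":
    for pid, entry in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{entry['severity'].upper():6} origin pid={pid} {entry['image']}")
        print("       techniques:", ", ".join(sorted(entry["rules"])))
        print("       via pids  :", sorted(entry["pids"]))
```

Two design points follow from the tree itself. The bcdedit hits come only from the cmd.exe command line, because bcdedit.exe never ran in this trace; a rule that keys on the executing image alone would miss them, so the rules are applied to every recorded command line. And the origin walk stops at the sample rather than at cmd.exe or vssadmin.exe, so the "list shadows" and "shadowcopy call create" noise rows, which match no rule, never pollute the 3500 grouping, while the four real hits collapse into one high-severity origin.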