Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 08:03
- Static task: static1
- Behavioral task: behavioral1
  Sample: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
  Resource: win10-en-20211208
General
- Target: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
- Size: 160KB
- MD5: 0c2f9a02415c38d1cb1d5c558af971b8
- SHA1: 6b53b24a4dd24db73e6ccf46e58f6d61a482047a
- SHA256: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14
- SHA512: a96790155281cf60b06de68ef2dd873bee1293d17df42b186318e29a274a78762b7184179fc41924c67b6f53aa8d7b6872f9f5ce086040e9dcbf6f064f79e6b2
Malware Config
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe, description: File opened (read-only), ioc (24 drive roots):
  \??\X: \??\I: \??\K: \??\N: \??\P: \??\T: \??\W: \??\B: \??\G: \??\M: \??\S: \??\V: \??\Y: \??\A: \??\F: \??\H: \??\J: \??\L: \??\U: \??\E: \??\O: \??\Q: \??\R: \??\Z:
- Drops file in Windows directory (64 IoCs)
  Processes: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe, description: File opened for modification, ioc: 64 files under C:\Windows\winsxs\Backup\
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (pid 668)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe (pid 1700)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (pid 1476), description: Token, ioc: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 1700 (103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe) wrote to memory of PID 1464 (cmd.exe), 4 times
  PID 1464 (cmd.exe) wrote to memory of PID 668 (vssadmin.exe), 4 times
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1700-55-0x0000000075F91000-0x0000000075F93000-memory.dmp (filesize 8KB)