Analysis
- max time kernel: 170s
- max time network: 163s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 08:03
Static task: static1
Behavioral task: behavioral1
- Sample: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
- Resource: win10-en-20211208
General
- Target: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
- Size: 160KB
- MD5: 0c2f9a02415c38d1cb1d5c558af971b8
- SHA1: 6b53b24a4dd24db73e6ccf46e58f6d61a482047a
- SHA256: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14
- SHA512: a96790155281cf60b06de68ef2dd873bee1293d17df42b186318e29a274a78762b7184179fc41924c67b6f53aa8d7b6872f9f5ce086040e9dcbf6f064f79e6b2
Malware Config
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
  description: File opened (read-only); process: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
  ioc: \??\V:, \??\A:, \??\E:, \??\H:, \??\I:, \??\L:, \??\M:, \??\U:, \??\Y:, \??\B:, \??\F:, \??\J:, \??\R:, \??\W:, \??\Z:, \??\G:, \??\O:, \??\X:, \??\K:, \??\N:, \??\P:, \??\Q:, \??\S:, \??\T:
- Drops file in Windows directory (64 IoCs)
  Processes: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  2316 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
  pid | process
  2660 | 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
  2660 | 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 496 | vssvc.exe
  Token: SeRestorePrivilege | 496 | vssvc.exe
  Token: SeAuditPrivilege | 496 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe, cmd.exe
  description | pid | process | target process
  PID 2660 wrote to memory of 368 | 2660 | 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe | cmd.exe
  PID 2660 wrote to memory of 368 | 2660 | 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe | cmd.exe
  PID 2660 wrote to memory of 368 | 2660 | 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe | cmd.exe
  PID 368 wrote to memory of 2316 | 368 | cmd.exe | vssadmin.exe
  PID 368 wrote to memory of 2316 | 368 | cmd.exe | vssadmin.exe
  PID 368 wrote to memory of 2316 | 368 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken