sodinokibi | 34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160

General

Target

34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
Size

292KB
MD5

ccfde149220e87e97198c23fb8115d5a
SHA1

d514d08571ecd8cece8d704adc8d0c4fa87665ca
SHA256

34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160
SHA512

392a14c9a0c3a98c46e15b873919bdae13f5306a937fd8c869b2a2b435d236433a1eb78d6a953a1722d5b43cb69b4028459d6ea2387a904b4c0f2ec5bc36992e

Score

10^/10

sodinokibi 7 3 ransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

7

Campaign

3

C2

sochi-okna23.ru

www.blavait.fr

kamin-somnium.de

geoweb.software

www.drbrianhweeks.com

kombi-dress.com

johnkoen.com

prodentalblue.com

transifer.fr

matteoruzzaofficial.com

jax-interim-and-projectmanagement.com

hawaiisteelbuilding.com

www.kausette.com

www.galaniuklaw.com

www.atma.nl

www.piestar.com

www.kerstliedjeszingen.nl

biodentify.ai

endlessrealms.net

condormobile.fr

Attributes

net
false
pid
7
prc
mysql.exe
ransom_oneliner
Image text
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub
3

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe

description	ioc	process
File opened (read-only)	\??\F:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\J:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\K:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\P:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\R:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\S:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\Y:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\Z:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\L:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\T:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\V:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\X:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\A:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\E:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\H:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\M:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\U:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\W:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\B:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\G:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\I:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\N:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\O:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened (read-only)	\??\Q:	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe

Drops file in Windows directory 64 IoCs

Processes:

34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_el-gr_cb06849c73626ca2.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_115701fa8eb2a3ae_wuaueng.dll.mui_297f975d	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_ru-ru_d8586bb0a1f01b9a_comctl32.dll.mui_0da4e682	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1202_en-us_2d3fe908f2def5d1_combase.dll.mui_6db10b33	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b68b71ac47f7eb2c_kmddsp.tsp.mui_80ddeedb	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_b61589958367a2f5.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ko-kr_f780a3426d25fec1.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_it-it_8206cb3c3a26ca88_webclnt.dll.mui_e8f04040	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atlthunk_31bf3856ad364e35_10.0.19041.546_none_6bdfd34f2fed1b54.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.19041.546_none_e397cce70c94bb9c.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2a26e680672acb82.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..type-yugothicmedium_31bf3856ad364e35_10.0.19041.1_none_1a55062504172381.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pdc-mw_31bf3856ad364e35_10.0.19041.1052_none_97ace0ce224e6958.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_th-th_eb6ac73ca2a758db_comctl32.dll.mui_0da4e682	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-kernel_31bf3856ad364e35_10.0.19041.1288_none_33d42a5f37165008_msrpc.sys_2e252236	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_it-it_8099ce7794a5ae0d.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_hr-hr_0e05abbb958aae06.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.1288_none_e0f8082a6952ce81_ntoskrnl.exe_0fb0ab79	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9ac3a4c37bcb89fa.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_en-us_89e92105cd6d77fe_credprov2fahelper.dll.mui_71e4ecb5	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2d3b6ea159ff4dae_wmiapsrv.exe.mui_b1567840	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4fc41e05a1187ab0_listsvc.dll.mui_27f0fc85	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_hr-hr_1d882fc56065eaa5_bootmgr.efi.mui_be5d0075	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.19041.1023_none_432d585a19d46624_windows.ui.xaml.inkcontrols.dll_523c865d	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1023_en-us_fc406ac0439c97a8_firewallapi.dll.mui_43c7a05b	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0b2962a13e12f002_iscsiexe.dll.mui_7d81b1cc	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_60026a0018dee1ab_rtm.dll.mui_55e4e990	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.19041.964_none_2c44d0507f4744ae_polstore.mof_6cd3e826	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_sv-se_f82a6602cfd53ee1.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_sv-se_f82a6602cfd53ee1_comctl32.dll.mui_0da4e682	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atlthunk_31bf3856ad364e35_10.0.19041.1_none_43d799d2707b5758.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_6c22b0c49894068b.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_bg-bg_46694069b3c83c61_bootmgr.efi.mui_be5d0075	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.906_none_c5508380a2e74b53.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.1_none_836f6a5986eecb80.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..opactivitymoderator_31bf3856ad364e35_10.0.19041.1_none_ca30543f4003c80c.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_lv-lv_ab9bc1d129a747ed_bootmgfw.efi.mui_a6e78cfa	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pt-br_78cb45bacb7e5c6a_memtest.exe.mui_77b8cbcc	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_afaadb8f0b8a9278.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.19041.1_none_049f5dd81797f4f9.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ro-ro_6bff4a7f0ff97122_msimsg.dll.mui_72e8994f	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-rasl2tp_31bf3856ad364e35_10.0.19041.488_none_77ac529b46dc3a08_rasl2tp.sys_d69e0fa7	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.19041.1023_none_432d585a19d46624.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_8079ea72ca5ea9ab.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.19041.1_en-us_c07c0ec5136e399a_keyiso.dll.mui_4bbf12ff	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9dd9712c9cddd429.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.19041.546_none_63d472fa22d1aac4_ntmarta.dll_cd048e61	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sl-si_1c174079cf03759e.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.1266_none_eb43a8b5fb8e05e3.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_7ce61c7d809eedfd.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.19041.1202_none_a5b2e5b8b986fe3d_wininit.exe_7a527f28	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_zh-tw_c4c74b244dc74c1a.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_es-es_a05534499914e28b_rpcepmap.dll.mui_349798e1	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_35fdf06025f6b37c.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_th-th_558750deac9dd31c.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.19041.906_none_93d59fea045662f4_comdlg32.dll_b1ffde97	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.19041.1202_none_9bc2a53d69ca6835.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_ja-jp_41deac1044ed383f.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_en-us_858e75016ce6ee41.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bc35fcf50d32ba29_userdeviceregistration.dll.mui_22ab8f29	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_it-it_3661a8e887f4017f_certprop.dll.mui_602eaab4	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_es-es_8f13fec659aa866c_sti.dll.mui_00a4f15b	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_bg-bg_24aea1e2b3250056.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pt-pt_6f586ad4968d0a4b.manifest	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe

pid	process
900	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
900	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe

description	pid	process	target process
PID 900 wrote to memory of 744	900	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe	cmd.exe
PID 900 wrote to memory of 744	900	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe	cmd.exe
PID 900 wrote to memory of 744	900	34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe
"C:\Users\Admin\AppData\Local\Temp\34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-134-0x0000000000000000-mapping.dmp

Download
memory/900-130-0x000000000071B000-0x0000000000731000-memory.dmp

Filesize
88KB

Download
memory/900-131-0x000000000071B000-0x0000000000731000-memory.dmp

Filesize
88KB

Download
memory/900-132-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/900-133-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads