Overview
overview
10Static
static
10001e9becdd...93.exe
windows10-2004-x64
71a1cf2a2f6...31.exe
windows10-2004-x64
72eac3720bc...61.exe
windows10-2004-x64
1320e3af17b...4c.exe
windows10-2004-x64
333bcab7033...70.exe
windows10-2004-x64
647a52afd63...2e.exe
windows10-2004-x64
104b24d27301...69.exe
windows10-2004-x64
74c481d251f...5a.exe
windows10-2004-x64
14c9ab76300...dd.exe
windows10-2004-x64
650a04b093c...95.dll
windows10-2004-x64
65266183553...2f.dll
windows10-2004-x64
8547798defb...6e.exe
windows10-2004-x64
105fb2242c04...96.exe
windows10-2004-x64
163a0bf6385...12.exe
windows10-2004-x64
106a08b51e02...68.exe
windows10-2004-x64
5803d827a2c...53.exe
windows10-2004-x64
785523c6377...c3.exe
windows10-2004-x64
38ab3db7349...03.exe
windows10-2004-x64
99b87457fe8...f0.exe
windows10-2004-x64
8a3c7b0df18...cc.exe
windows10-2004-x64
1ab4fa067af...38.exe
windows10-2004-x64
10b1c5c3ca41...7d.exe
windows10-2004-x64
3ca561f9403...c5.exe
windows10-2004-x64
7d278eb3d6c...8f.exe
windows10-2004-x64
6d3e04348f4...91.exe
windows10-2004-x64
10d7e876a714...c9.exe
windows10-2004-x64
7dd8bf2763c...38.exe
windows10-2004-x64
dd9ca1355f...9a.exe
windows10-2004-x64
7dd9d07d1f5...27.exe
windows10-2004-x64
10ef3c260fed...49.exe
windows10-2004-x64
10f40df86d68...df.exe
windows10-2004-x64
10fb861230c0...01.exe
windows10-2004-x64
3Analysis
-
max time kernel
152s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
23-10-2023 21:16
Behavioral task
behavioral1
Sample
001e9becdd7d9887c6fbe487073ad3dc068124a5300f4128d9ed32db4f63f793.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
1a1cf2a2f6a49b8d2a84b9b5ec5f783e7d9be30b6a17a28795bc351bb3cdde31.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
2eac3720bcfb4550e3093f053880b373068360bc8583f2aee059905bcad29c61.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
320e3af17bb8787283fe0c4af9d3a778c191d8374f19c0bc6b6ee2f22363094c.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
33bcab70334406fb3331b4b3fffbf8c51df52d93efb5d673d865b7a7496b1570.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
47a52afd63406238b1b5ce59a7cb282685629b14169405015b0cef20fbe4f62e.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
4b24d273019579ba3c1e0ad261954c0941d114aab802fa2d1fcb14dab9f3e869.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
4c481d251f29295af1af599374ea93f9fc24b6139fbb02ec115bec9f4e7bc25a.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
4c9ab763001721e04e9efc44e1e97351557f8a4b1cf5471b141e7358cd1296dd.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
50a04b093c8f05481eb672ebec0537f61e233071798d1f3b939e17e333b51795.dll
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
5266183553addd392a0968ea9e835c00e55a27468829ab65832cda37508c8e2f.dll
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
5fb2242c04ce18830b84de73c4f0fc4e9c8a5e6877a14f414fcbfaa5a3948896.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
6a08b51e02a7b510972907c326041222ff4632ba53b89573fca7e80b59c4e168.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
85523c6377c27e22068a2ef347997a295981b91e103b3cf3387ed80aa0b010c3.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
8ab3db7349f38d6463a3c6a7155ab297f18d92262a098064ea2472cecc7e3103.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
a3c7b0df189bdd47c7e113ff3b664f26b0bcd6f4f878186e882ea199e15c28cc.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
ab4fa067af1c9a107b879341e255eb9f05779608ce31217c1a2d60d28a2c8838.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
b1c5c3ca41c322b47a5feb62ebb0e5daa3c1c682aa1dedb98fd3b7dff3eca57d.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
ca561f9403ab4be76ca66646df1a3da826fa2cc1972dd005ad23861abb317cc5.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
d278eb3d6cc29c6de4b086aaa6214412d62fe2bb850c0ead63a403c3a24b2c8f.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
d3e04348f412615e23ad0aebfee1b4338f5edf99776bdedf08fbb0462868ef91.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
d7e876a714e2632fa42e6636177962516736074c76f486dc34de020ec13af0c9.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
dd8bf2763ce09cbeb21cdbf802b9f7475c7998e459714150fae07ffcd027bb38.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
dd9ca1355ff3ddd883f9d2d0e6df9b7a8ebff650003a616c533b30554cee2a9a.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
dd9d07d1f5bb4facb1b4e412ce9e52a5ca9a689f2f78c34bacf63af19f7ce127.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
ef3c260fed0a71f0e679261aeb242133899f9ff03d68b5f95711a66ef919e549.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
fb861230c088dd68f1a6c782e9ad0b44a1831ccc29c0516635cc4b3de2a91a01.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
General
-
Target
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe
-
Size
161KB
-
MD5
adcf55265a209bad0f166437319396ef
-
SHA1
00e99ecb276e96f54dd99759c72a71aca09b4fa1
-
SHA256
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e
-
SHA512
98876cee418e7ab54f5e120c550c2be1050a4fd79e4102e343a446fd63ef9d4f8b49c7b6a9acccd49c2be1791665e9561c9b7c6e6d76a8168981f8cfde412c39
-
SSDEEP
1536:Lbb832pdNx0q8KStnznExkW+pkK8i7Pbi4eTMluxtXDCntTnICS4AKEqtUJCaoKc:Hp5SexkWi1Lbi4eTMlwDCnu/qWdb0r
Malware Config
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exedescription ioc process File opened (read-only) \??\U: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\V: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\M: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\T: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\P: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\S: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\Y: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\H: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\O: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\E: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\I: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\J: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\K: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\L: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\N: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\A: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\B: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\R: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\W: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\X: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\Z: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\G: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened (read-only) \??\Q: 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe -
Drops file in Windows directory 64 IoCs
Processes:
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exedescription ioc process File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_bddceaf325c3cfd0.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sechost_31bf3856ad364e35_10.0.19041.906_none_65e76b262ba5060e.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ngc-kspsvc_31bf3856ad364e35_10.0.19041.1202_none_dcbae484ef7e168f_ngcsvc.dll_98c6fd3a 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_ega80737.fon_604f84b5 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_en-us_3c98e1d535f8dda2_lsasrv.dll.mui_d47f7e1c 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_it-it_09cd7363afc7ebfa.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_de-de_b853cd677a5689d3.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1081_none_ae0369bc9fe47e6c.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_de-de_ce3e393d6fec5306.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_cga80737.fon_2e43d167 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_es-es_30fd7ead5bbfd3f0_rtm.dll.mui_55e4e990 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b103cf1329c78478_netiougc.exe.mui_ad7a9e4d 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_6c22b0c49894068b.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7e2e7925487a8e96_ngcsvc.dll.mui_96312421 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4aa399f7e53ccf9f.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_app775.fon_dec57409 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_pt-pt_63c2a950d5580313.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.19041.1_none_c5e43dbc8183b99b.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_es-es_1b5efa638ab6e61d.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_en-us_9f803ef667071665_deviceregistration.dll.mui_5b79527a 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0_iscsicli.exe.mui_64c0a23c 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..egrity-driverpolicy_31bf3856ad364e35_10.0.19041.1_none_6a270ae8836eb4ca.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_hr-hr_0e05abbb958aae06_msimsg.dll.mui_72e8994f 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-mpr_31bf3856ad364e35_10.0.19041.546_none_9623bac4eb215e13.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_es-es_1c787e49a3f85cda.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_mprtp.dll_0827df93 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_hr-hr_1d882fc56065eaa5_bootmgr.efi.mui_be5d0075 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-volsnap_31bf3856ad364e35_10.0.19041.488_none_3cf9fb87005e2f89.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_en-us_313221c95b98e24b_rtm.dll.mui_55e4e990 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e73e48b327a51a42.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_82c8254d1d7289f0_wevtsvc.dll.mui_f41bf7b7 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_a349f4a6799ca6da.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_de-de_d7f8c915b495ecf0_winlogon.exe.mui_3280fc46 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptbase_31bf3856ad364e35_10.0.19041.546_none_4db3c6cb412a03a7_cryptbase.dll_83e36053 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_31a464aca9751670_efssvc.dll.mui_03cc4e41 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_85775.fon_f144fe91 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_10.0.19041.1_none_171d07e1a7b66413.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_zh-tw_76910b9d6c39ef61_comctl32.dll.mui_0da4e682 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_it-it_3661a8e887f4017f_scdeviceenum.dll.mui_815e7662 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_057ff0e8d689e0d1.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_hu-hu_fd01b7045f001002_comctl32.dll.mui_0da4e682 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6b692a0bf33edd02.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.19041.1202_none_687eafd94efb2680_winsku.dll_6e6c7799 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-userenv_31bf3856ad364e35_10.0.19041.1_none_463177f6eaa0601d.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_nb-no_862dd322fb07020b.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_fd031af45b0106f2.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_pt-br_26e2b4db2a2335ea_msimsg.dll.mui_72e8994f 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_pt-pt_27c484472992a5c6.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_vgaoem.fon_94a3772a 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_dc08fa18555f7cbb.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.1266_none_cfec8db821d83671_winload.efi_75834aa0 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6acc9b918cd7cb00_clfs.sys.mui_1310ba12 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_it-it_725f5b9788589dd0.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msvcrt_31bf3856ad364e35_10.0.19041.546_none_b9a3277332162a1f.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_21ce86839bea8f66.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bf2ff44896ca733c.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_es-es_8145b05544cb69cd_gpapi.dll.mui_ef0a9748 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shacct_31bf3856ad364e35_10.0.19041.1_none_8647eb7ff5339498.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_j8514fix.fon_cc283848 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon-ext_31bf3856ad364e35_10.0.19041.1_none_3990ef4a132546c8_winlogonext.dll_fa102d5e 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ndis-minwin_31bf3856ad364e35_10.0.19041.1151_none_ce259344dd35ac79.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_493b5718242b0bd3.manifest 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_windows-defender-nis-service_31bf3856ad364e35_10.0.19041.1_none_d3e3ad84b24cfdfe_nissrv.exe_f967cd63 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_fc045c385de0a407_dnsapi.dll.mui_97465f8a 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exepid process 2980 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe 2980 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exedescription pid process target process PID 2980 wrote to memory of 2080 2980 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe cmd.exe PID 2980 wrote to memory of 2080 2980 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe cmd.exe PID 2980 wrote to memory of 2080 2980 547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe"C:\Users\Admin\AppData\Local\Temp\547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵