sodinokibi | 3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4

General

Target

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
Size

161KB
MD5

422f5cdf619404563b0c3e249bd121d4
SHA1

1a364144342602074a8140ec4da5eb4f0be26274
SHA256

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4
SHA512

b63d22bb9556ed2d2aeefb94d9ef2245e76f433d897d5fba402d686682af3b3df14c20b7dc64694436245473a7bab8d6de8aafc6633e7e91f535f8c9ecbd3aa6
SSDEEP

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q/IF+l4xjwKX9H:JvGWwbnWJ/gIF+lmL

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	ioc	process
File opened (read-only)	\??\T:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\W:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\X:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\Y:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\B:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\K:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\M:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\P:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\R:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\U:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\Z:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\H:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\I:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\L:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\O:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\S:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\V:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\A:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\E:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\G:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\J:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\N:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\Q:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Drops file in Windows directory 64 IoCs

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_f827f008f8832bd5_rasautou.exe_477abe34	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_de-de_d3e4be20082aef2b_wudfhost.exe.mui_1fc689ff	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_nl-nl_cc1a553810af34e6.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_he-il_5d63a4c17806f149_comctl32.dll.mui_0da4e682	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ui-resourceswin8rtm_31bf3856ad364e35_10.0.19041.1_none_40a3e631822403fd_windows.ui.xaml.resources.win8rtm.dll_9480ac21	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_10.0.19041.546_none_226fb48607847890.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_sr-..-rs_b2c524b47939e030_msimsg.dll.mui_72e8994f	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0b2962a13e12f002_iscsicli.exe.mui_64c0a23c	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_fb03b1546153a4c3.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2d3b6ea159ff4dae.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_7fa90776a8cf7d8b_mountmgr.sys.mui_71b54a25	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_afb9e74560b9f815_winlogon.exe.mui_3280fc46	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a5ff576d1c105e2b.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.19041.1266_none_14a631980cb7b20a_dnsapi.dll_c81f5791	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_077d882c43db17cd_bootmgr.exe.mui_c434701f	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c_appidtel.exe_b664fbc5	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pshed_31bf3856ad364e35_10.0.19041.1_none_11e3f0d3cc72158f.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_a35d6ad33b0c3e19.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fr-fr_b59136bc7aa040e6.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.19041.207_none_36fc5f8a5adba8ab.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_es-es_e57fef51be54a1f0.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_f62e5d000d9f4bd9_rasdiag.dll_341d4299	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_fb03b1546153a4c3_memtest.efi.mui_71e15c22	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr_31bf3856ad364e35_10.0.19041.1_none_d2e1ddf9ec9ef42c.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_de-de_88414bd06cbad686_mprdim.dll.mui_11b5ef08	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-netapi32_31bf3856ad364e35_10.0.19041.546_none_75820c6594bfeaa4.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9baaad1ae7af9c30_memtest.efi.mui_71e15c22	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_es-mx_36cb4cea87054a3a_bootmgfw.efi.mui_a6e78cfa	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.1_none_878832244c2bbd32.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.19041.546_none_462c46e484cc1b15_ncrypt.dll_0f36c580	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1266_none_b2317523477fbd48_sspisrv.dll_90c23c68	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_a556313cd729d07d_msobjs.dll_052c8a60	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_fa0339ba7ea8bcab.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_493b5718242b0bd3_umpo.dll.mui_cac12e54	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_236c71f1966d00bc.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_10.0.19041.546_none_db05a21561861236.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3e1a1833a5494f75_applockercsp.dll.mui_d2a0df70	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.19041.1202_none_2b327e97dbe87a1a.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_es-es_ade4b30e36254a8c_sdbinst.exe.mui_258ad624	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a_scdeviceenum.dll.mui_815e7662	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3285a4fbe26a9651.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_sv-se_5c4b115fa6f864cd.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_d3af63f17d8b58b9_bootmgr.efi.mui_be5d0075	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pt-pt_6f586ad4968d0a4b_memtest.efi.mui_71e15c22	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_de-de_bfb5b9c55c3bdc36_iscsiexe.dll.mui_7d81b1cc	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft.windows.gdiplus.systemcopy_31bf3856ad364e35_10.0.19041.264_none_cf10e1b9894f9e2f.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sl-si_90401850c469bf52_comctl32.dll.mui_0da4e682	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_de-de_c3e98eeb3b8b910b.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_169f2b7caf71b955_listsvc.dll.mui_27f0fc85	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..y-biometrics-client_31bf3856ad364e35_10.0.19041.1_none_725e78755886a3f4.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shcore_31bf3856ad364e35_10.0.19041.264_none_aeaa2838b477ba57.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_lt-lt_8913b4c62985caf2.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_63994a974590744a.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msfs_31bf3856ad364e35_10.0.19041.1_none_5c614dbebc49ed16.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_4f5e30ee8b348f36_ngcsvc.dll.mui_96312421	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_ba1334d77db7a118.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_en-gb_59bbe8426e0be1d3_comctl32.dll.mui_0da4e682	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.19041.1_de-de_bcf3fbc5c4f3edaa.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rpc-local_31bf3856ad364e35_10.0.19041.1_none_744056ed18d297d5.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_de-de_93a80bdc471ad1dd.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc-config_31bf3856ad364e35_10.0.19041.1_none_31ab6511787e9317.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cf0c9a6c765a64f5_winresume.exe.mui_ff8b5358	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_6ca5c1c82a908e75.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

pid	process
1668	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
1668	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	pid	process	target process
PID 1668 wrote to memory of 2740	1668	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe	cmd.exe
PID 1668 wrote to memory of 2740	1668	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe	cmd.exe
PID 1668 wrote to memory of 2740	1668	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
"C:\Users\Admin\AppData\Local\Temp\3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads