sodinokibi | 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467

General

Target

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
Size

164KB
MD5

ca337c7130eef4f4ff8e8a4a8ec28647
SHA1

28558e35d3f9af01fe438eba7fba1c38201c86de
SHA256

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467
SHA512

60b9b7841a942a6bcb700872b6ff1353fd282a7b318d6ac8d47e419573978aff43c961436a2fdb6a076e81545ef9759e7848fdc9eaa5a571638ab19d666a1c1c
SSDEEP

3072:LBVn11HzIOLbi4eTMlwDCnun4XbZIt+ypUF:d9jzvbnWJnu14p

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

description	ioc	process
File opened (read-only)	\??\S:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\W:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\X:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\Z:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\A:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\K:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\J:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\R:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\Y:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\B:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\H:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\O:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\Q:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\U:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\L:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\M:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\I:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\N:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\P:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\T:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\V:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\E:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\G:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Drops file in Windows directory 64 IoCs

Processes:

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.964_lt-lt_ce47d201c53c798b.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_ega40852.fon_5e9154f7	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_en-us_a089d76598edf0e6_rpcepmap.dll.mui_349798e1	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-raspptp_31bf3856ad364e35_10.0.19041.488_none_77bf24d746c4ccde.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9064b8c1b47576c0_iscsitarget.cdxml_1fec77bc	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..update-genuineintel_31bf3856ad364e35_10.0.19041.1_none_72b119e551aad4bf.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atlthunk_31bf3856ad364e35_10.0.19041.546_none_76347da1644ddd4f.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_a35d6ad33b0c3e19_bootmgr.exe.mui_c434701f	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_uk-ua_e877902ae1363f99_comctl32.dll.mui_0da4e682	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_10f39c85cfff2cb8_wintypes.dll.mui_36d5f25a	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_en-us_9f803ef667071665.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_zh-cn_84cce8c4a491125d.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_dfdc949920ceba22.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_nl-nl_cc1a553810af34e6.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-lsa-extension_31bf3856ad364e35_10.0.19041.1_none_7f2b71ce5454a4a2.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_93b4a0a1641d085c.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.19041.1_none_6e446489cca94509.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b68b71ac47f7eb2c_rasdiag.dll.mui_15cb4ec4	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tm_31bf3856ad364e35_10.0.19041.1_none_030656e323303a3e.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-deviceguard-gpext_31bf3856ad364e35_10.0.19041.546_none_48d6c53e575a9a81_deviceguard.admx_24b886b7	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.19041.1266_none_41ea436edfbc2e32_wfplwfs.sys_df3e0120	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc_31bf3856ad364e35_10.0.19041.84_none_63432f7bea1b39bb.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_nb-no_63be8058058cb0d0_comctl32.dll.mui_0da4e682	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..y-biometrics-client_31bf3856ad364e35_10.0.19041.1_none_6809ce232425e1f9.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.19041.1202_none_a5b2e5b8b986fe3d_wininit.exe_7a527f28	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_10.0.19041.1288_none_f34a4136dcbbc20e.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_de-de_4a0d6853efc68441_mountmgr.sys.mui_71b54a25	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..wmanager-compositor_31bf3856ad364e35_10.0.19041.1_none_bb73607adebb74f8.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cf5a1f9c5633f046_rpcepmap.dll.mui_349798e1	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_cs-cz_880ae1a68c30b37b_comctl32.dll.mui_0da4e682	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_it-it_fb1b92cca7311236.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0b2962a13e12f002_iscsidsc.dll.mui_6acb64a6	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_sk-sk_b39d4963b949fdaa.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.19041.1_none_635f5636d096a7e7.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c3dd8e4758ad0702_wmiutils.dll.mui_42583eaf	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_24433e08b1bc98e2_dnsrslvr.dll.mui_1e1a1ed1	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5b4926dbe2db04b_netlogon.dll.mui_ecbeb9bd	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_28f87d0444103fde_fontsub.dll_367a1189	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a82483f2ca370f3a.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_es-es_a05534499914e28b_rpcepmap.dll.mui_349798e1	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-version_31bf3856ad364e35_10.0.19041.546_none_f2f7962fafb5066b.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_mofcomp.exe.mui_35badf56	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shacct_31bf3856ad364e35_10.0.19041.1_none_8647eb7ff5339498.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_hr-hr_1d882fc56065eaa5_bootmgr.efi.mui_be5d0075	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.19041.1_none_9f5ae62104c19365.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_de-de_88414bd06cbad686_mprdim.dll.mui_11b5ef08	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-nis-drivers_31bf3856ad364e35_10.0.19041.1_none_ff0a99f650b99a3e_wdnisdrv.sys_d6e2118a	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.19041.1266_none_9b77d25cc7b8e67d_vpntoasticon.png_e607ca23	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_85s1256.fon_3e26940d	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_ebd9b2add93e89de_pad.inf_dbf42768	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_b281bba039a7e747_storagesense.adml_0fc60f43	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_e2d6f3ca6473453d_dsregtask.dll.mui_5e1b9353	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_s8514fix.fon_2d5cdf27	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_20871f311cebb1df_rasmigplugin.dll_7ee2aa40	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_es-es_fe0f0c83ff027428.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_21b80f3a6591f527.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_en-us_83d24a0903134528.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_qps..ocm_d24d6122b61a7522_bootmgr.exe.mui_c434701f	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-acpiex_31bf3856ad364e35_10.0.19041.1_none_eabbb32778568ee1_acpiex.sys_6a8b9aed	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_en-us_b41cd326ea03d7cd.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_es-es_1fb9b17ec579a5e1.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_en-us_2d74d8104df16972_appinfo.dll.mui_cfd93456	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_de-de_8398f19094835129.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_it-it_03d07248da6ea3b2.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

pid	process
2180	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
2180	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

description	pid	process	target process
PID 2180 wrote to memory of 2440	2180	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe	cmd.exe
PID 2180 wrote to memory of 2440	2180	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe	cmd.exe
PID 2180 wrote to memory of 2440	2180	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
"C:\Users\Admin\AppData\Local\Temp\17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads