sodinokibi | 3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4

General

Target

NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
Size

161KB
MD5

422f5cdf619404563b0c3e249bd121d4
SHA1

1a364144342602074a8140ec4da5eb4f0be26274
SHA256

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4
SHA512

b63d22bb9556ed2d2aeefb94d9ef2245e76f433d897d5fba402d686682af3b3df14c20b7dc64694436245473a7bab8d6de8aafc6633e7e91f535f8c9ecbd3aa6
SSDEEP

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q/IF+l4xjwKX9H:JvGWwbnWJ/gIF+lmL

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	ioc	process
File opened (read-only)	\??\U:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\E:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\K:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\P:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\S:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\Z:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\H:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\O:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\Q:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\T:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\B:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\I:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\J:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\N:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\R:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\V:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\W:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\X:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\A:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\G:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\L:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\M:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\Y:	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Drops file in Windows directory 64 IoCs

Processes:

NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_a957ea8f6dfc58ba.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-raspptp_31bf3856ad364e35_10.0.19041.1_none_4fe02c5c87346397.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.1202_none_41f8992b2292d6cd.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.19041.1202_none_310330998a8ba7fa.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_02d41c75ec2f1710.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1_none_0b4eeb140948562c.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.19041.1266_none_fc46bc5d51913141_bootmgfw.efi_139dd311	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.964_lt-lt_15f508d8d9b8a291.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..-configuration-data_31bf3856ad364e35_10.0.19041.546_none_eaba62c4b31f4bbe.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_da-dk_8eac972b9796148b_bootmgfw.efi.mui_a6e78cfa	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_de-de_848402175f135dad_appinfo.dll.mui_cfd93456	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-homegroup-provsvc_31bf3856ad364e35_10.0.19041.1_none_47ae7a5e8d1e645f.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_es-es_80b4fbf2a39aea5a.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_40c79c50b42ec552.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.264_none_4298d4188a939fa9.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-raspptp_31bf3856ad364e35_10.0.19041.488_none_77bf24d746c4ccde.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_cs-cz_880ae1a68c30b37b.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_vgafixe.fon_dea8b251	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_zh-cn_eebdbe6a380cfa05_comctl32.dll.mui_0da4e682	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_20871f311cebb1df_mprdim.dll_8e5e0893	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_dab1b6fa435d154d_memtest.exe.mui_77b8cbcc	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-basesrv_31bf3856ad364e35_10.0.19041.1_none_c2bbf8598318544b.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-hardware-policy_31bf3856ad364e35_10.0.19041.1_none_b8115bbc4932577a.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.19041.844_none_7eaa07ee55c22dcc_winmgmt.exe_8f8eb7b1	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsisession.cdxml_9cd8900b	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.mbb.ppkg_d678e4cb	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_it-it_3661a8e887f4017f_certprop.dll.mui_602eaab4	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.19041.1_es-es_ca3ca8d6defbef0d.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7_mofd.dll.mui_793ef98d	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_wmiutils.dll.mui_42583eaf	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_pt-pt_7bd241ac79147d55.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.19041.1202_none_20ddd445a787b81f_ole32.dll_e9dcc2e3	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ce50872d244d15c5.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0_iscsiexe.dll.mui_7d81b1cc	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.19041.450_none_107cae8412302d3e_wiaservc.dll_08fa1e78	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.19041.1_none_78990edc010a0704.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_da-dk_02d56f028cfc5e3f.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c_appidtel.exe_b664fbc5	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.wifi.ppkg_d5ac1d6f	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tunnel_31bf3856ad364e35_10.0.19041.1_none_595b16922411e0f5_tunnel.sys_90392579	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_fr-ca_2a30712948bc8e20.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_en-us_8f48a1e2598394c7_wiarpc.dll.mui_0c913b87	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_s8514oem.fon_304f98b5	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-core_31bf3856ad364e35_10.0.19041.1_none_e7d7871a6376ff0e.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b45ebd382a2ceda1.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_en-us_f67040d980990d3f.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.1288_none_dbd2bd89b002cded.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cf0c9a6c765a64f5.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..wmanager-compositor_31bf3856ad364e35_10.0.19041.1288_none_7a49f980f48daa96_dwmcore.dll_523baf47	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_lv-lv_9c193dc75ecc0b4e_msimsg.dll.mui_72e8994f	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pdc-mw_31bf3856ad364e35_10.0.19041.1052_none_97ace0ce224e6958_pdc.sys_dcf04bf8	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_24b659bf5f7a8d1f_tcpipcfg.dll.mui_a5479fc1	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.19041.1023_none_6db8f44cd8ead692.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_tr-tr_650dd7439c5150ec.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_hvgafix.fon_bf27df1c	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.1288_none_e0f8082a6952ce81_ntoskrnl.exe_0fb0ab79	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_es-es_df71bede6e43d9f6.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_be18ea1916c99427_wiarpc.dll.mui_0c913b87	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_mofcomp.exe.mui_35badf56	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_uk-ua_e877902ae1363f99.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_fc045c385de0a407.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opinstallcomponents_31bf3856ad364e35_10.0.19041.662_none_d0ad3eafc6e540ad.manifest	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_es-es_2511db3abd9629f0_msimsg.dll.mui_72e8994f	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-local_31bf3856ad364e35_10.0.19041.1288_none_28c245a0fa440b78_rpcrt4.dll_5aa847dd	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

pid	process
3204	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
3204	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	pid	process	target process
PID 3204 wrote to memory of 1324	3204	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe	cmd.exe
PID 3204 wrote to memory of 1324	3204	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe	cmd.exe
PID 3204 wrote to memory of 1324	3204	NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads