sodinokibi | 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467

Analysis

max time kernel
152s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
Size

164KB
MD5

ca337c7130eef4f4ff8e8a4a8ec28647
SHA1

28558e35d3f9af01fe438eba7fba1c38201c86de
SHA256

17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467
SHA512

60b9b7841a942a6bcb700872b6ff1353fd282a7b318d6ac8d47e419573978aff43c961436a2fdb6a076e81545ef9759e7848fdc9eaa5a571638ab19d666a1c1c
SSDEEP

3072:LBVn11HzIOLbi4eTMlwDCnun4XbZIt+ypUF:d9jzvbnWJnu14p

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\H:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\I:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\N:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\O:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\S:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\V:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\W:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\B:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\J:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\G:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\K:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\L:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\P:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\R:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\U:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\X:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\A:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\E:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\M:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\Q:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\T:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened (read-only)	\??\Y:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_a65df33be4649fa7_dsreg.dll.mui_5d9efc7e	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_cs-cz_1dee5804823a393a_comctl32.dll.mui_0da4e682	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.19041.1_es-es_65b02ea2b3f8eb14.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_es-es_d6f62e807bc53cd0_webauthn.dll.mui_acc69b8d	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_10.0.19041.1_none_5668fec1a41d6ac1.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ru-ru_6e67960b0e7433f2.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.19041.1_none_13cf631590f9951e.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_it-it_88016773740fb9a7_wininit.exe.mui_997435f5	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_6ca5c1c82a908e75_memtest.efi.mui_71e15c22	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_de-de_848402175f135dad_appinfo.dll.mui_cfd93456	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon-sysntfy_31bf3856ad364e35_10.0.19041.1_none_0b6400a5af10cbc9_sysntfy.dll_6c0b60ae	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_8a83f8a2672d374c_wmiapsrv.exe.mui_b1567840	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.19041.1202_none_2b327e97dbe87a1a_ole32.dll_e9dcc2e3	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_de-de_f5b942cb012d25b0_fidocredprov.dll.mui_4ca89266	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_sl-si_b2af6b1bb9e4108d.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1288_qps-ploc_f6c6cc73660e3177.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_hr-hr_4a03d0c541500b53_comctl32.dll.mui_0da4e682	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.388_en-us_3b9e163a021f3ac3_axinstui.exe.mui_aea34130	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_4f5e30ee8b348f36_ngcsvc.dll.mui_96312421	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_de-de_d942b0e37da37953_tcpipcfg.dll.mui_a5479fc1	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.1202_none_41f8992b2292d6cd.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-gb_c3d871e478025c14.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_de-de_72a2c7869bb1e8b3_hidserv.dll.mui_561adfc8	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_es-es_ade4b30e36254a8c_apphelp.dll.mui_59096153	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.19041.1_none_7d4b234e44bee9a6.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_379018f38e600fa9.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_8e9e696a3f31534b_appidsvc.dll.mui_6717e231	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_el-gr_6c7fbc7e2aa0f999_memtest.efi.mui_71e15c22	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_en-us_14089ec954fee325.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ngc-ksp_31bf3856ad364e35_10.0.19041.1_none_217aa39bb332ab57_ngcksp.dll_a56a189a	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_it-it_1bf36b0c23ae824c.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_10.0.19041.153_none_204dfb4c6c5656d4.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_10.0.19041.450_none_15f655ce37f84049_scecli.dll_149e0f7b	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9776d7f5085fe75b.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.1_none_2075cb51c1c141fe.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.19041.964_none_2c44d0507f4744ae_winipsec.mof_abfff45a	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_94d8a2f49b8df947_mofcomp.exe.mui_35badf56	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2c6bf3e8c0668005_credprov2fahelper.dll.mui_71e4ecb5	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_10.0.19041.1288_none_20903f2898bc8195.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.control.ppkg_64b77e6b	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_ec1c7017ac88fbdd.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_10.0.19041.844_none_659179fc44ecf41c.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_8514oem.fon_c20e1190	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5b5a0fc040a75c4e_winresume.exe.mui_ff8b5358	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_pt-br_90d38a80bd9f1d92.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_da-dk_2544c1cd8276af7a_comctl32.dll.mui_0da4e682	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_lt-lt_9b4bcf435f4dca5e_msimsg.dll.mui_72e8994f	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_tr-tr_ef6defd0a01e9d8b.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.1288_none_4c54bd1d56ecfd46_user32.dll_55f4ed20	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9064b8c1b47576c0_iscsisession.cdxml_9cd8900b	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_de-de_4d7f6ae091bb017a.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-mpr_31bf3856ad364e35_10.0.19041.1_none_6e1b81482baf9a17.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_it-it_b93490b34d8c4a73_winresume.exe.mui_ff8b5358	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nt-core-bootmanager_31bf3856ad364e35_10.0.19041.1_none_a1c3d9420e6939cc_bootdebuggerfiles.ini_96f52a4a	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8bddf71ec7dee325.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.264_none_4a12028313046a9e.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0e76aa312b62e7b1_ws2ifsl.sys.mui_b672c7b4	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_30aa1615db0a20c2_afd.sys.mui_ff192075	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_19b1e21951c366d2_memtest.exe.mui_77b8cbcc	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_420311d95a001e6c_deviceregistration.dll.mui_5b79527a	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_87b4b95ab967b582.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_hr-hr_0e05abbb958aae06.manifest	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3436	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
3436	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 376	3436	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe	85
PID 3436 wrote to memory of 376	3436	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe	85
PID 3436 wrote to memory of 376	3436	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe	85

C:\Users\Admin\AppData\Local\Temp\17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
"C:\Users\Admin\AppData\Local\Temp\17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads