sodinokibi | aa55623b2b9beb2db0e5a36a8d6d6b802a143b28d98a78289cfc6c6c7bf4375f

General

Target

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
Size

161KB
MD5

422f5cdf619404563b0c3e249bd121d4
SHA1

1a364144342602074a8140ec4da5eb4f0be26274
SHA256

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4
SHA512

b63d22bb9556ed2d2aeefb94d9ef2245e76f433d897d5fba402d686682af3b3df14c20b7dc64694436245473a7bab8d6de8aafc6633e7e91f535f8c9ecbd3aa6
SSDEEP

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q/IF+l4xjwKX9H:JvGWwbnWJ/gIF+lmL

Score

10^/10

sodinokibi ransomware

Malware Config

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	ioc	process
File opened (read-only)	\??\E:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\H:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\M:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\W:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\X:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\Y:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\B:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\R:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\S:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\T:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\A:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\I:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\J:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\K:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\L:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\N:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\O:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\U:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\G:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\P:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\Q:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\V:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened (read-only)	\??\Z:	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Drops file in Windows directory 64 IoCs

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_en-us_d572d73fc54e8110.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.19041.1266_none_41ea436edfbc2e32_fwpuclnt.dll_d0a74ee5	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_ru-ru_5c2f7b8dd8ac3486.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_pt-br_366538e4f4fe7289_bootmgr.efi.mui_be5d0075	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1081_en-us_c0c6a63533856bb7.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.19041.844_none_7eaa07ee55c22dcc_winmgmt.exe_8f8eb7b1	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_mprtp.dll_0827df93	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a0c68282f1d48a8a_user32.dll.mui_14652dbb	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4aa399f7e53ccf9f.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_es-es_7ca0f0fcf72fec95_wudfpf.sys.mui_f61e9e86	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_de-de_ce34d3262165aa68_gpsvc.dll.mui_0c160ac2	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cd7a60faad5130d5_fidocredprov.dll.mui_4ca89266	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a_setupapi.dll_8d9de2e7	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_59dedd2b6ac5922c_dnsapi.dll.mui_97465f8a	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvcext_31bf3856ad364e35_10.0.19041.1081_none_99079f18291a3688_profsvcext.dll_5740fcb8	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-homegroup-listsvc_31bf3856ad364e35_10.0.19041.1_none_2eed0e5c4e448d11.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon-sysntfy_31bf3856ad364e35_10.0.19041.1_none_0b6400a5af10cbc9.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_nl-nl_cc1a553810af34e6.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_31cb74c54c7c9cce_sti.dll.mui_00a4f15b	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_8a83f8a2672d374c_wmiapsrv.exe.mui_b1567840	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_pt-br_c00a97981fcf0ef9.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_aba5dc4fb44efa50_wudfpf.sys.mui_f61e9e86	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-deviceguard-gpext_31bf3856ad364e35_10.0.19041.546_none_48d6c53e575a9a81.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_8514oeme.fon_dbdae0a9	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.985_none_9acd392c5a6ac8a8.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.1202_none_41f8992b2292d6cd_user32.dll_55f4ed20	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-lsa-extension_31bf3856ad364e35_10.0.19041.1165_none_3e0b1e846a203ebe_efslsaext.dll_fdd731ab	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_afaadb8f0b8a9278_msaudite.dll_9eacd00a	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.1288_none_dbd2bd89b002cded.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_85f1256.fon_77c3aa02	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_ebd9b2add93e89de.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_lt-lt_ef598ca8aecfa1ed.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_lv-lv_f026fb2cae4de2dd_bootmgr.exe.mui_c434701f	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_el-gr_346e59fa8881d1b3.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_edd345b6c42269da_rasadhlp.dll_7438be63	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_es-es_20bf32b2e3f96cf5_listsvc.dll.mui_27f0fc85	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_f827f008f8832bd5.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_10.0.19041.1_none_83216aadbc4b1d5d_shsvcs.dll.mun_b69fce40	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_wmiutils.dll.mui_42583eaf	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_afaadb8f0b8a9278.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore_31bf3856ad364e35_10.0.19041.1266_none_7c78c66cb767e03b_appinfo.dll_6162d887	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_en-us_52b90495d63821ca.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_97ded4f562f4e50a.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_lt-lt_d749f44d0b1327ab.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.1_none_19299badb7d3f6c2.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1202_none_574a25a5ee347454_memtest.exe_01d80391	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.19041.610_none_5aca84205a90fe5e_nsi.dll_e72df756	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_bg-bg_dd016b0b9ea8d750.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.1_none_6b65f79c2d70b55d.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4aa399f7e53ccf9f_umpnpmgr.dll.mui_d66aed17	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ru-ru_b5fb7c987b6e9877.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_029f7959ec5608b5.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_fi-fi_002b04f15e757967_comctl32.dll.mui_0da4e682	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sk-sk_4980bfc1af538369.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_en-us_823386dc6c818518_tcpipcfg.dll.mui_a5479fc1	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.19041.1_es-es_f20d80907f57aa9d_nsisvc.dll.mui_237a741f	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_115701fa8eb2a3ae.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ru-ru_c05026eaafcf5a72.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_en-us_ec1b96874c384b44.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_jvgasys.fon_d163c032	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0b2962a13e12f002_iscsiexe.dll.mui_7d81b1cc	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_it-it_a0b367f31f29d0aa.manifest	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cff7aaf340ea7179_appinfo.dll.mui_cfd93456	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.19041.1202_none_687eafd94efb2680_winsku.dll_6e6c7799	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

pid	process
4236	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
4236	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe

description	pid	process	target process
PID 4236 wrote to memory of 1700	4236	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe	cmd.exe
PID 4236 wrote to memory of 1700	4236	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe	cmd.exe
PID 4236 wrote to memory of 1700	4236	3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe
"C:\Users\Admin\AppData\Local\Temp\3fdad99a17a6766fe396081f82394f5e2da0142651427da64a5b6e28c9df2fd4.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads