vssadmin.exe
Author: Microsoft
Source: Wild
Summary
Volume Shadow Copy Service (VSS) is a Windows service that allows taking manual or automatic backup copies (snapshots) of files or volumes, even while they are in use. It runs as a Windows service named the Volume Shadow Copy service, and vssadmin.exe is the command-line tool used to administer it.
EchoTrail Prevalence Score (EPS)
30.81
Rank Analysis
Host Prevalence
1.5%
Execution Rank
373rd
Behavioral Analysis
Top Paths
C:\Windows\System32
99.96 %
Top Network Ports
443
100.00 %
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
The vssadmin.exe command-line tool is often used to delete volume shadow copies of files as part of a ransomware attack. A ransomware attack involves a malicious executable that encrypts all the files on a victim computer so that the user can no longer access them. The user is then instructed to pay a ransom in order to get their files back. These attacks are very common and often very effective at getting their victims to pay. Vssadmin.exe is used by the ransomware to delete any shadow-copy backups of the files so that the user cannot restore the files themselves and is forced to pay the ransom to get them back. To detect potential ransomware activity, look for vssadmin.exe executing with certain keywords in the command line, such as delete, shadows or shadowcopy. Outside of a ransomware attack, this is highly unusual activity worth investigating.
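The detection heuristic above, as an added example (not EchoTrail's own code): a Python check that flags process-creation events where the image is vssadmin.exe and the command line carries delete together with shadows or shadowcopy, run over constructed sample events. The field names Image, CommandLine and ParentImage are assumed Sysmon-style, and the sample records are constructed, not real telemetry.

```python
import json
import ntpath

# Keywords from the page's guidance: vssadmin.exe executing with "delete"
# together with "shadows" or "shadowcopy" on its command line.
ACTION_KEYWORDS = {"delete"}
TARGET_KEYWORDS = {"shadows", "shadowcopy"}


def is_shadow_copy_deletion(image: str, command_line: str) -> bool:
    """Return True when a process-creation record shows vssadmin.exe
    being used to delete volume shadow copies."""
    if ntpath.basename(image).lower() != "vssadmin.exe":
        return False
    # vssadmin arguments are plain whitespace-separated tokens
    # (e.g. "delete shadows /all /quiet"), so a simple split is enough.
    tokens = {t.strip('"').lower() for t in command_line.split()}
    return bool(tokens & ACTION_KEYWORDS) and bool(tokens & TARGET_KEYWORDS)


def scan_events(jsonl: str) -> list:
    """Scan newline-delimited JSON process-creation events (assumed
    Sysmon Event ID 1 style fields: Image, CommandLine, ParentImage)
    and return the records that match the heuristic."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_shadow_copy_deletion(ev.get("Image", ""), ev.get("CommandLine", "")):
            hits.append(ev)
    return hits


# Constructed sample events (not real telemetry). "list shadows" is a
# benign administrative query and must not be flagged; only the delete is.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": "vssadmin list shadows",
                "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
                "ParentImage": r"C:\Users\Public\update.exe"}),
    json.dumps({"Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "cmd.exe /c dir",
                "ParentImage": r"C:\Windows\explorer.exe"}),
])

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT shadow copy deletion:", hit["CommandLine"], "parent:", hit["ParentImage"])
```

The parent image of a hit is worth surfacing in the alert, since a non-standard parent (as in the constructed second record) is the context an analyst will want first.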