sodinokibi | 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac

General

Target

74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
Sample

191209-5gbby7dm12
SHA256

74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac

Score

10^/10

ransomware sodinokibi evasion trojan

Malware Config

Extracted

Path

C:\odt\ufb125ez-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got ufb125ez extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/63D19F775FDBEFBB Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/63D19F775FDBEFBB Page will ask you for the key, here it is: RB4CDaV1up1wXlrfbEdj+BOPzVBTdqVAoPEkzqol6RUe57e/4Pwn0RkcSlBrOSWI kmobrR4n43tWdfvEtF2ysUz3roaYhyrQkIYU61SIChtKzS/4pbY/wQjoNfrtPErl zf5SZFkRCM6mG4YkG2KI3Bgew0HsMh2cTwe5bsKeZra+tjW0vQWuHYGp1/9x6ecd 2fJERfmwllXlCRJDYpfW5v3dQxv5sAlJWaRCvIbnMsydA2jTCVHI8YB6XxluH4BY Gw6aoYLqULyeQWW+BBbDYrNIHOay9TydHhZbJ2+vBPjSmHHZ7/0BVIZC4aUVe4wu J+XcGb+1FMjoYLvj181tblEyr0RpoHsVe3HGNo5TA9D/nJI3kCXpDu1L9uGseh/L 1XXBsgExTPFHfi3SA1fmIHjBXoWYrEhoTV80tlXKurgPp7ztaiczLbKSvTm4gNoR 9p5uizpNTwMX9Ru1TQCd2Gul+dHIJnlezRnhZND+HQ/xi/mP/yELXOHZVb8xeSUJ B2QS6ADj1y8klt/TRdopAYacaQwr4ZOLNwTRcy3OH7WwmRFG9+sz8pGNi3xnnpEz tlh/7g3hWXSKpLEgpJxe9O6J3+qY57gSzZGLp0XsHiF5+VbkOjBafdSnrcg8dsH7 ahR/Kl5CdhumyL35xKyyzjheTrCwsXDnb+yZOhTFZOCsIKg+wCzcivm2AZ9RJruu HIlGCbrvYRbmK/yKPbM83D362NlAsl6BdEBqv1xSezxD+qyaDQfL1Q367O/aE9X5 n8cKK455B0FRH89KJIn2ei56Roae1VuQRMrohMOKzyqqsKHf7YV1SXNzPMOwuuqx j5lJpWiX0FERtRMBu7Caouu3aAbUKTj0cjqT26RGy2TKyM+1x7lWppS9gbxMTG3B v5tTupR8laagk3KjvF7eFD5ngo7N42cEfBuG0ErBUtEkvJsU4/A3H/UZ4UVtC7IV 4NEHDJsU1AJaVO4UjQrB8IDuaAn/ZbfiyjhGScMfgKWcpSEfEqHLzT42AlcLYM5y 14XSwVFabNT+XPJrhgnH2X8Jyf+IlhMMAb79uF3JATPJPZmwcx0iA0zOYZ2AVrdw pS6EXwjv

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/63D19F775FDBEFBB

http://decryptor.top/63D19F775FDBEFBB

Signatures

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

description	ioc
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe

pid process

4988 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe

pid	process
4988	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe

Discovering connected drives 3 TTPs 6 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exesvchost.exe

description	ioc	process
File opened (read-only)	\??\F:	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened (read-only)	\??\C:	svchost.exe
File opened (read-only)	\??\C:	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened (read-only)	\??\A:	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened (read-only)	\??\B:	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened (read-only)	\??\E:	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Deletes shadow copies 2 TTPs 1 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3980 vssadmin.exe

pid	process
3980	vssadmin.exe

Drops file in Windows directory 2109 IoCs

Processes:

74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_he-il_3ed843cc70f72b59.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_04d9ab74573a46e7_scardsvr.dll.mui_5f6fb64f	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_da-dk_2e5a9c3cb5ade268_bootmgr.exe.mui_c434701f	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-gb_f48e72a5e408fd69.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-truetype-ebrima_31bf3856ad364e35_10.0.15063.0_none_df8fa7e794d7be79_ebrima.ttf_8897b9ba	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_es-es_5801262b97b61409.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.15063.0_none_7d3d04174acaa727_oemdefaultassociations.xml_e03ae813	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_10.0.15063.0_none_fb51a18514e4621f_tdx.sys_d0cc4fd9	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_th-th_e3d2bbfcae0c8c16.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pl-pl_25e1e4287ab67541.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.15063.0_none_64798615ecbbbc0e_xblgamesave.dll_7b3589a7	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fr-ca_093fec4c18d9a2b9.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_de-de_e6faf81d32dd9c12_bootmgfw.efi.mui_a6e78cfa	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_es-mx_91ee18a020767d27_bootmgfw.efi.mui_a6e78cfa	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_hvgasys.fon_9f580ce4	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_en-us_e949c010d0e53a10_mswsock.dll.mui_d7c2a730	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_15a35bae90857b0c_listsvc.dll.mui_27f0fc85	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_cs-cz_2af083c33a0dd82e_comctl32.dll.mui_0da4e682	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_en-us_c99395587677579e_wintypes.dll.mui_36d5f25a	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.15063.0_none_ca38bcecc16963b9.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sr-..-rs_e72b3e7e306470b8_comctl32.dll.mui_0da4e682	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_f5dc2ec982476ba8_iscsi.psd1_8e91985d	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.15063.0_none_99c959ce55fae8c2.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.15063.0_none_bcbd1290a09b9a77.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_es-es_8fb72afa21e2997c_bootmgr.efi.mui_be5d0075	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_40f4f6ac6faa981f_msimsg.dll.mui_72e8994f	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_en-us_59ac98207499c8d3.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-eventlog-api_31bf3856ad364e35_10.0.15063.0_none_61263fd1e5bb7a99_wevtapi.dll_df064540	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_he-il_e2b9a848b899ba23.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sv-se_5362d14869363a8e_comctl32.dll.mui_0da4e682	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.15063.0_none_20edd7ef9e21d8cb_rasadhlp.dll_7438be63	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_el-gr_263eefe20cc3684f.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.15063.0_none_a69f8cf95bf4534e_dnsrslvr.dll_faf65b7a	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..type-yugothicmedium_31bf3856ad364e35_10.0.15063.0_none_7577d1da9d88566e_yugothm.ttc_98e07dba	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_en-us_d84575ef7f0e3162_rasauto.dll.mui_12fa2c50	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.15063.0_none_ce6bccb1aa74baa3.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_en-us_def515be9c847815_mswsock.dll.mui_d7c2a730	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_it-it_2e0498215340df5e_comctl32.dll.mui_0da4e682	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_el-gr_263eefe20cc3684f_comctl32.dll.mui_0da4e682	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_tr-tr_1e151a8658a5afca_bootmgr.efi.mui_be5d0075	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_e5db677400777894_wmiutils.dll.mui_42583eaf	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-local_31bf3856ad364e35_10.0.15063.0_none_c50e78507de308c7.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.15063.0_none_182a92469c7cc7a0.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_en-us_798014d122d0d80d_kmddsp.tsp.mui_80ddeedb	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.15063.0_en-us_3ca247a449704013.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_be6a5a9c7dbb19ea.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-errorreportingkernel_31bf3856ad364e35_10.0.15063.0_none_5fff332cae3dfdb7_werkernel.sys_bd06c194	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_10.0.15063.0_none_bcdc71d81c5b7ee4.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_nl-nl_dfa589a69594078d_comctl32.dll.mui_0da4e682	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_48f7bf74aac3a3de.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-offlinefiles-core_31bf3856ad364e35_10.0.15063.0_none_af5c222094b6037e_cscmig.dll_0a75eb56	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_8ee23673870eaa58_provsvc.dll.mui_3a2926ae	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c_bootspaces.dll_5d79a0db	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus.systemcopy_31bf3856ad364e35_10.0.15063.0_none_9bcfd43a767ecc30.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_10.0.15063.0_none_67eb29450cc6d505_ktmw32.dll_835a43ee	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.15063.0_none_e8a0efccda8bfa95_user32.dll_55f4ed20	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_030818d8b79b4c05_umpnpmgr.dll.mui_d66aed17	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_c3c95b73e48b1ae8_iscsiexe.dll.mui_7d81b1cc	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wintrust-dll_31bf3856ad364e35_10.0.15063.0_none_00c212fed2df9e6b.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_nl-nl_12b8897efda1c4da.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_en-us_63ab03a64f69205a_winhttp.dll.mui_f661192f	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-etw-ese_31bf3856ad364e35_10.0.15063.0_none_eac35629f38bb48f.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-tw_d1c976e3059aeb0e.manifest	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\575luz36.bmp"

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SppExtComObj.exe74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.execmd.exe

description	pid	process	target process
PID 5072 wrote to memory of 5100	5072	SppExtComObj.exe	SLUI.exe
PID 4988 wrote to memory of 4268	4988	74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe	cmd.exe
PID 4268 wrote to memory of 3980	4268	cmd.exe	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4252 vssvc.exe
Token: SeRestorePrivilege 4252 vssvc.exe
Token: SeAuditPrivilege 4252 vssvc.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
ransomware sodinokibi

description	pid	process
Token: SeBackupPrivilege	4252	vssvc.exe
Token: SeRestorePrivilege	4252	vssvc.exe
Token: SeAuditPrivilege	4252	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe
"C:\Users\Admin\AppData\Local\Temp\74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Discovering connected drives
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Deletes shadow copies
PID:3980

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
2⤵
PID:5100