sodinokibi | 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

General

Target

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
Sample

191209-xr9d11evle
SHA256

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

Score

10^/10

ransomware sodinokibi

Malware Config

Extracted

Path

C:\Recovery\46u34-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 46u34 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E27DC6532B1C89E1 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/E27DC6532B1C89E1 Page will ask you for the key, here it is: QtdiV+EJ0Q8pCjtoc8GisPTVHE6RYjTvjaTy5HL5y5WseywTauMcra7C6ziHrdJ5 9gR+x6eoLSEaqpJ2zANRV9HctCknlabw4hQs+xi6YkMLvbL1+7PtO/MPEOIynRJD WX1xJ57KbB02Algy+KoTV1UnAL5nKJ9aTMIwHoSW9BMLWn1YsNty8ntbkBXOpIZd DZS60IoGBSK30/QM7uNydRgCINqEbdoJwItwNpaeAmq69RERUX5juiARrMGuaiur F+SqPb83p1HqGR7/5DP5j3Moj0xTLbV+CP7wIGPEl3v88H+clKuInW4ZGhO1iTF+ PPXIvrNnGwTMfWViIn1fKrHOfquLUUso17sGS9q0S4FhmqdB4oNb1pHr4YZFJpoy A8YicfKiFST0u1QBn0lh7htwG9FJSIkDDJM9/cRRDoyI3GpbTbcvdozW+r2qeGma 25zVhjpXe6/+HG0MXH/UMs2CmkIdvoTwRCUfalLgeUE2GMBJm6voRiUZGmalNrta fJpJGiEnvwmch0XwwjnI49+ZBedH8AsUD+5k+nuTaONhqFGFidkuP1XbBif/KHYQ caYHsmXZOMBhP14QIb7xCx6GuBiJWYxBssRYE3kxke5wnip5QmbZxun4sAh2ozte n1r/gbK4dUBuXQgiEhixM1NyEXefJ+nFkWBjZEc+lCvL6leT4zz0OBFDscAEPQ3A 7QjFyYB+xdg19AOx8IWC41vcWaaGvNbsNPqlt/YVXj5R72UUOIEDq+RwhqopUiaJ eKeVVMLWieS0amqpcdltJJqxNFUxKqZpnEuWmLtMy3yJwZ6En89pMdb87NGH/JJp b0Wk8lsE4ymXI2GIDInmu8ofiJlEP0x69ywAf8VdUtgJePWhDDlVOSfuANWPZNCY oQdf4mgRD/pjorFv34HhSKRk3/A2Oxlot0t+8xTS3lqCZfrPlZdrBM51b6TxVJM5 /pCQn+aBS+xouYyod1xYWvBvl9Dn/n8GpWmEfc3WfQQr7oUAIoC7OUw0rCHK+kJt s+GOQ6iH8Jo7yeTs/FhoU5ypikW28C4r/fmD0E8EVoQyB5t9ywCgGiBi50s2QNrc shKKJeXNiT8N0neO+WslCSLSnr0+ZQ==

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E27DC6532B1C89E1

http://decryptor.top/E27DC6532B1C89E1

Signatures

Discovering connected drives 3 TTPs 5 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
File opened (read-only)	\??\A:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\B:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\E:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\F:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\C:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Deletes shadow copies 2 TTPs 1 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

748 vssadmin.exe

pid	process
748	vssadmin.exe

Drops file in Windows directory 3276 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a97b93f9db5cdfdd_certenroll.dll.mui_a77d5a29	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad_loadperf.dll_3a569bab	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_35802f0f452f59bb_dhcpcmonitor.dll_aa545cc8	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..type-mongolianbaiti_31bf3856ad364e35_6.1.7600.16385_none_5f92b85e203b255f.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-laoui_31bf3856ad364e35_6.1.7600.16385_none_d02cc17733960c0e.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_811df60c21c09a54_mlang.dll.mui_2904864a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rmcast_31bf3856ad364e35_6.1.7601.17514_none_b2a3d1a09e8a89b1_wshrm.dll_0c3acbc3	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.17514_none_a505d556c9de886a_srclient.dll_f0619fc4	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_41a82a52123f4af2_aclui.dll.mui_adadbfb7	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_643c507363ea9836_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_nl-nl_02354b58460a7e0e.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-437_31bf3856ad364e35_6.1.7600.16385_none_cee73286fc6746d9.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b97e2a0cf19a74b.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-qos_31bf3856ad364e35_6.1.7600.16385_none_14950489a5b66a85.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_6.1.7600.16385_none_6193778dc77677cc_cryptdll.dll_e0da7eac	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_e5c0334cfcbb6f1f.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e5eadf52d4094a8.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-437_31bf3856ad364e35_6.1.7600.16385_none_2b05ce0ab4c4b80f.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_7.2.7601.23317_none_b9047530505dd25b_wmisvc.dll_e91705b5	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_51bcbc61a5466a58_certenroll.dll_d6e4c532	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06eae3639ce15ec1_basecsp.dll.mui_04bea7ac	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c08b90a4bb1ab825_spp.dll.mui_42138158	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ependencyminifilter_31bf3856ad364e35_6.1.7601.17514_none_8878ff5a9e1a8a48.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_cga80869.fon_2e7bdf2f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_abd5b433b8ccf7a4_cmiv2.dll_be06aa9f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..cardsubsystemclient_31bf3856ad364e35_6.1.7601.17514_none_1aebe42ed7db518a_winscard.dll_cfd3258d	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-version_31bf3856ad364e35_6.1.7600.16385_none_14d4a552b2395165_version.dll_406ddf44	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_6.1.7600.16385_none_b2cc41b2eda92244_ktmw32.dll_835a43ee	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_a30ceec4cc4e21a8_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_68f632f43987fd09.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.1.7601.17514_none_ef6d8ddb4eff2674.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_tr-tr_337141edac49fb30.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3760db0440b81fb3_wldap32.dll.mui_065dbd9c	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_3c1b29463bcb5626_mlang.dll.mui_2904864a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_zh-dayi.xml_680fca8d	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_66a957f5f121da3c.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1240127174e32372_efscore.dll.mui_5a74c206	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_hr-hr_31e8875e951df7c2_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_el-gr_48c18b4486c4cfe6.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..etype-timesnewroman_31bf3856ad364e35_6.1.7601.17514_none_3b958c66aff6cdb7.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a547f57d755ff33d_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_953f0977fbbe9530_slc.dll.mui_dc24f809	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc_31bf3856ad364e35_6.1.7601.17514_none_f83a40e7de7c47da_firewallapi.mof_b78002ca	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_eb5ec32f73606acf_drvinst.exe.mui_e88f4c73	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-949_31bf3856ad364e35_6.1.7600.16385_none_ceb1f5a4fc8f1f27.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4d5cf87622ff6ea7_certenrollctrl.exe.mui_3b48c5a6	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_en-us_148363a5142c89cd.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_hr-hr_31db610f5ea8e8d8_comdlg32.dll.mui_ac8e62f4	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pt-br_a6e42c01e213f0dc_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277_lsass.exe_682060de	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17514_none_114417c17d05cb37.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices_31bf3856ad364e35_6.1.7601.17514_none_6ca25da84551ca13_webservices.dll_58f50a80	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rpc-local_31bf3856ad364e35_6.1.7601.17514_none_1c754ed890149b9b_rpcrt4.dll_5aa847dd	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_9ee1491f45855a27.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd_winload.efi.mui_35ee487d	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_6.1.7600.16385_none_946e6d209fe56342.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_pl-pl_48647f8af4b7dcd8.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ruetype-iskoolapota_31bf3856ad364e35_6.1.7600.16385_none_2a668cf479ef0388_iskpota.ttf_b97d7073	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-marlett_31bf3856ad364e35_6.1.7600.16385_none_aa49e9141901cae9.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1252_31bf3856ad364e35_6.1.7600.16385_none_7e10c09f23fd09cd_c_1252.nls_71b281ed	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7601.17514_none_4dd43f34b0b06f44_wintrust.dll_abec426a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-s..ty-protectedstorage_31bf3856ad364e35_6.1.7600.16385_none_ae92b0937e708d46.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-util-library_31bf3856ad364e35_6.1.7600.16385_none_a30e530ebc7f9b22.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_jsmalle.fon_4f77c739	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7m109yf6.bmp"

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
ransomware sodinokibi
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

pid process

1908 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

pid	process
1908	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.execmd.exe

description	pid	process	target process
PID 1908 wrote to memory of 532	1908	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe	cmd.exe
PID 532 wrote to memory of 748	532	cmd.exe	vssadmin.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

conhost.exe

pid process

476 conhost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1980 vssvc.exe
Token: SeRestorePrivilege 1980 vssvc.exe
Token: SeAuditPrivilege 1980 vssvc.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

pid	process
476	conhost.exe

description	pid	process
Token: SeBackupPrivilege	1980	vssvc.exe
Token: SeRestorePrivilege	1980	vssvc.exe
Token: SeAuditPrivilege	1980	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
"C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe"
1⤵
- Discovering connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Deletes shadow copies
PID:748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-753189588-1433744804-486626420-1397814957-218450254-446217199561556025-1941111257"
1⤵
- Suspicious use of SetWindowsHookEx
PID:476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-0-0x00000000002CD000-0x00000000002EB000-memory.dmp

Filesize
120KB

Download
memory/1908-1-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads