sodinokibi | 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

General

Target

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
Sample

191209-xr9d11evle
SHA256

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

Score

10^/10

evasion trojan ransomware sodinokibi

Malware Config

Extracted

Path

C:\odt\7hdd05b442-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 7hdd05b442 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56A62750F38ACD5F Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/56A62750F38ACD5F Page will ask you for the key, here it is: td1n57pF9/ZYiATjj9YIRWzEOk8xUQgXy8ZPXaG5Rqu4WsKr3t1LNO7ZaKMzWUB6 s8mZdWS/QAqXSSN9yWg1V8HE8zFXiMxB83qsZ/W/sm+BC+vBrS5ZYwN9GjsokY5B j2PP/Jfm0HD/stPsmiuVWcpedKwG6GeZH5aKg6qrNKdIoY0RyYWQNoq6Kk1+4ifL L5NERXXUl6cpzHa/pYzcK3YPVFabIwi0IWHr5gRbe7DFByaMNGYkfHpDxrWz/X6b SKjhAZvmr0VwYnYM53Bd1QM60qsRzeYUbK9SKWZV7cxAphwV62jgcE71zdy5aGtF Zb19L9JwA5B7xA5EQFPj20fcZJJcDnwq5RT5JmP9J+e9yJELV5lJ9ZgBn3ILWMKU jf8FAGGVorw61ncrZYuclx8XzOOJvBDg/4FKuEEuNbgCP87ZSXGIgSel/G5OwCqA ngrg9T6DkKo3/Ylx/GqlNgghmaYV1A7N1OXtpj2nfJNhgxEAVUhDZ5TMuy3a8A9r 8JFrNldf/JiQl6c76a4fuKtXluDZ4AXqC2QkRQo6dpANq0GISYKhyIdpDWHI09sS 1IRBgVEhAgvRHqwC97R85pAU1DuI1wx7XNStJeLmDRi5mla7cMdTrPCAXIHpk0m7 Qt7O0Fs6l5g5leMwuix80dNGF4VtI0m8xrKENDbURiiu/CMFIWsS4uruIHQWUFqX OKSMW3iyWwIjRjt7GBt3zeRB+42ykg+SlIp5ssqxqVAx5lVDtUvEX2JJJSW91/ZK pzDreeZLhbhvNgitGA8IqtA4+xLSBdxTJiT6I3wrLSNquONNhQBvjLfGxO4/nqeK 7RHxtLG2TQsb7T7umL9OQv52cxYRCrHoALRB3u5D+81V7c1cUz1nVmgbWikTREEx 374w/bQquMnNVvLDAT65OOgke61zSJZn72yyGwjb1xmhLLCB6qSYB9ng7NwF19kI h/OgypMxlJRN9/KiYu5Ys5x9fI3JNG9ACyO/uVFijTOFFIT8pjSWl3g8Li6SWi0+ ubPLHw7FdiF1Ot3JmwCNyalNTezTWXmK8FuIZMnrGyLgJd19VmwkyjvifsZfZsn4 OadcIW2m

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/56A62750F38ACD5F

http://decryptor.top/56A62750F38ACD5F

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

pid process

4904 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2900 vssvc.exe
Token: SeRestorePrivilege 2900 vssvc.exe
Token: SeAuditPrivilege 2900 vssvc.exe
Deletes shadow copies 2 TTPs 1 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1000 vssadmin.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

pid	process
4904	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	pid	process
Token: SeBackupPrivilege	2900	vssvc.exe
Token: SeRestorePrivilege	2900	vssvc.exe
Token: SeAuditPrivilege	2900	vssvc.exe

pid	process
1000	vssadmin.exe

Drops file in Windows directory 2109 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_b8c0e267f83754d0.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_el-gr_fbbc855ddf690df7.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-pt_70c4d50f8d2ba207_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_4c9582ba3ac14b79.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip-driver_31bf3856ad364e35_10.0.15063.0_none_e90c5eeaeffd537f_fwpkclnt.sys_cbbab82c	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hr-hr_0f58c5ace4a78141_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_9269d4068ddf1552_bootmgr.efi.mui_be5d0075	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_1ef4411ab33dfe81_cis.scp_0303a193	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.15063.0_none_743f61cd695d2779_ntdll.dll_ae4ef39c	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_en-us_8febce1621bba7d7_bootmgfw.efi.mui_a6e78cfa	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_en-us_1390cc3203d04dcf_sdbinst.exe.mui_258ad624	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_de-de_1f0c5aa0d4fcc3f8_memtest.efi.mui_71e15c22	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_mpcommu.dll_cc275570	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gpuenergydriver_31bf3856ad364e35_10.0.15063.0_none_5f8d670fc6da540a.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_th-th_e25bed23d101e5a7.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.15063.0_none_b1c695092fbfd7f6_wmiaprpl.dll_5d18a476	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sv-se_3ec89a49bcc7ced5.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pt-br_fdb364484be5aecd_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_sv-se_7507d03f69e9add9_bootmgr.efi.mui_be5d0075	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-duser_31bf3856ad364e35_10.0.15063.0_none_6b88878235493b61.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_el-gr_57db20e197c67f2d.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_10.0.15063.0_none_de4c457aa62b389a_user32.dll_55f4ed20	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.15063.0_none_44c5f19873fbfdcb.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.15063.0_none_2b428241d2829ac6_rasadhlp.dll_7438be63	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-system-user-service_31bf3856ad364e35_10.0.15063.0_none_9c6c22cbabcb6847.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_10.0.15063.0_none_8f9673e6605abf5d_clfs.sys_04dfdff9	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..y-biometrics-client_31bf3856ad364e35_10.0.15063.0_none_c32c99d8bd9714e6_winbio.dll_7228629e	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.15063.0_none_b658a5fa435968f5.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip-driver_31bf3856ad364e35_10.0.15063.0_none_e90c5eeaeffd537f_tcpip.sys_3339bd51	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.15063.0_none_b1c695092fbfd7f6_wmisvc.dll_e91705b5	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_th-th_b0bfbc2445fecec9_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base_31bf3856ad364e35_10.0.15063.0_none_2956ba0293b4f9a6_wintypes.dll_96e015b1	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_h8514fix.fon_9a1c84fa	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_eb8784774de6a9ad_iscsiwmi.dll_272dd9e6	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-us_fc172dc3df31b12e.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_el-gr_5951efba74d1259c.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-lsa_31bf3856ad364e35_10.0.15063.0_none_c1b30e4dc9fab399_offlinelsa.dll_26ff60c5	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_en-us_8137b70e4d9546cf_tcpipcfg.dll.mui_a5479fc1	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.15063.0_none_d86def03de301c93.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_e5db677400777894.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-e..storage-classdriver_31bf3856ad364e35_10.0.15063.0_none_6f036e8ca54f9cc4.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_lv-lv_cf0888b838ebf567.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_ea6b6d97f2f4c7b4.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_bg-bg_6b4cd629a017904a_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hr-hr_0f58c5ace4a78141.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_en-gb_ccee4c53ab398f02.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.15063.0_none_e819281ea9bc03bf_axinstui.exe_eba3b15b	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui_31bf3856ad364e35_10.0.15063.0_none_c809cce62764b8db.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.15063.0_none_dcc6defb6a563ec2_wshtcpip.dll_7ee2ca52	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.15063.0_none_4a395d1c23946704_applockercsp.dll_771a831b	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_4c9582ba3ac14b79_bootmgr.efi.mui_be5d0075	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-phone_31bf3856ad364e35_10.0.15063.0_none_e1ba3e11e8d4dde4.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ro-ro_e8129b1fdba02ab0_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_tr-tr_2f831b67bffff9cc_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.15063.0_none_685fe984eaf6056e_appidsvc.dll_b571c01a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_cga80woa.fon_40965299	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c_pad.inf_dbf42768	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ar-sa_67778a441a2f274e_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-coresystemminpnp_31bf3856ad364e35_10.0.15063.0_none_1b70ea73251f149e.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-gb_50ad0e299c666e9f.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_et-ee_9ae4f76b8d42c00d.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_42291c726ee7f987.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ngc-kspsvc_31bf3856ad364e35_10.0.15063.0_none_790e90d47316785c_ngcsvc.dll_98c6fd3a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_c53b9c03c7b5d8af.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SppExtComObj.exe0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.execmd.exe

description	pid	process	target process
PID 4996 wrote to memory of 5028	4996	SppExtComObj.exe	SLUI.exe
PID 4904 wrote to memory of 1544	4904	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe	cmd.exe
PID 1544 wrote to memory of 1000	1544	cmd.exe	vssadmin.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
ransomware sodinokibi

Discovering connected drives 3 TTPs 6 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
File opened (read-only)	\??\C:	svchost.exe
File opened (read-only)	\??\A:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\B:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\E:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\F:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\C:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p9b9.bmp"

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

description	ioc
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"

C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
"C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Discovering connected drives
PID:4904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Deletes shadow copies
PID:1000

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
2⤵
PID:5028