sodinokibi | 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

General

Target

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
Sample

191216-8bfljdyw2s
SHA256

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

Score

10^/10

evasion trojan ransomware sodinokibi

Malware Config

Extracted

Path

C:\odt\05z6g30p91-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 05z6g30p91 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCFA73F317FB2A2B Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/BCFA73F317FB2A2B Page will ask you for the key, here it is: 1luXfGTkEwWQEz6sd/8wsYyITv08IJCgV4n63zFszJ1M+vuZ8En6VnJ6fDSbgmzJ j2GneOwL6/kLRl5YuSjIVygCJEGNy4dE7xKLrf8BCoEb/7X3ODd98JqPAsF5+cRm 7TeQKgDXOBbd+gTjjgG9MWNMfylZJqriAHwKuyEILoY8cnWDWzUBEVRoVEJyzQVf +rJP3+qnZwje6c1P5YaTiw3jBcC1ATJ01rjTPrI1QUXtzfou62qFvtsKTcA4wcDO P0wz7n8VtkG92y8UABFWwqNwtOx0jTyQj3nZ0+aW0HgNVAPXU94FNIOT2JViqXyz QZxvKf+ZAnwhWvGL8823XzFwmm2/LkiHo2pMHFQT0kU8sSjD3Wrk7yds++0nVtsw u3baAlrLOqFrekauX5KKYiF2o6twrIkpRM+PooFSW77Ni8bJrYFf92x4PC4y+3A/ wXbqvXSJitZoKteh3zxDtPE0J0OFevbyhjRypK45VLV+XOTCUiwgSUx4pP6lNGD6 oHJCbDZl8EW2a0jCw4+Y6s51De781/9zIngLMIOGiTa27CoT4KGYBbOFJJI4cJ3h QN9eLPYzdikCflruD6PwA7YMskCsjkVpQBm/pTSxN1aWAMzD3z7G8BE+TvEz+ks6 WCtMU5ELznvexxOwN6H7awZXBw/UlF0Q35Dp4fX0D+coLOKK7f2cWuWzG8KUIwOI +58tnJaY4XTyxfE7Ib7X2CbfzMHCZrH0EYzucoqSf1noVduoqX1iUfKEJlUFwJ36 0MJCTqeiv6lUOJirwh1w/rrgRgVmVkBebUSRO+J0BRepQbGUP7V2Y8iOvy/Jnq2q Wej65g2UgggOQGOwlSF1iQY90JoUiwJq808yA33juiEHoMqPmSwC20doAbmlsUsG 972Y/Qu0Uybn1NmwFdPshJEEeosNLVkyANxhwJCn019kBDgZdDbqt/fY2hdAuL/M jL8XN4lrJLkWC73VhVsPVuUDDfcNhkv7RuZC4gMZ7nsqI0HB1VUCXUn+Z+0+Hk4j ORZ/cSBwg+zw+GJh9DqBIOpucHL1bMuaxzUocZe0+H2sGEzjQur3MewsIJH6gZy2 UPj94fsn

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCFA73F317FB2A2B

http://decryptor.top/BCFA73F317FB2A2B

Signatures

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

description	ioc
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"

Deletes shadow copies 2 TTPs 1 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

68 vssadmin.exe

pid	process
68	vssadmin.exe

Drops file in Windows directory 2109 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.15063.0_none_0ea4cb22c39b2f3e.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..etype-lucidaconsole_31bf3856ad364e35_10.0.15063.0_none_105acb72b1898804_lucon.ttf_76ed00f1	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_85s874.fon_2b1f10ca	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-gb_50ad0e299c666e9f.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-br_2835cecc79400925_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_thirdpartynotices.txt_086f3c50	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.15063.0_none_af2668ccc37b0411_kernel32.dll_ef9eca7e	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_5b9d9831c6538b40_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ja-jp_d02a172e465bf139_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_en-us_093c21dfcf6f8bd4.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.15063.0_none_e819281ea9bc03bf_axinstsv.dll_ebc2b91e	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_c7457c7a32053978_memtest.efi.mui_71e15c22	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sk-sk_4071e5a8ddae1035.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fi-fi_f892f9b169daaca2.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sk-sk_5682eb806727225d_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_6ee1eb5adc000190.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_et-ee_8976f68a25e8760b_bootmgfw.efi.mui_a6e78cfa	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_326ea0f914b4afde_bootmgfw.efi.mui_a6e78cfa	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.15063.0_none_e8a0efccda8bfa95_user32.dll_55f4ed20	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_03474fa863a84227.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_el-gr_c7a28833c4122c86_memtest.efi.mui_71e15c22	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui_31bf3856ad364e35_10.0.15063.0_none_c809cce62764b8db_windows.ui.xaml.resources.dll_3a1e5f1c	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_10.0.15063.0_none_044c69fa901981b6.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.15063.0_none_74e72d87b68106ce.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_8e4cd2143a97567e.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_en-us_8c54ed7ef50a1538_iprtrmgr.dll.mui_eb023b92	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_bcd50e80524ea2f0_ucrtbase.dll_a00b9625	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.15063.0_none_80d6da500dc0355d.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-deviceguard-gpext_31bf3856ad364e35_10.0.15063.0_none_7bf15777315a0972_dggpext.dll_0c91d307	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.15063.0_none_20edd7ef9e21d8cb_rasadhlp.dll_7438be63	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userenv_31bf3856ad364e35_10.0.15063.0_none_aba8edfeb8725505_userenv.dll_1a3a70b6	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_9afd8f54d47294fd_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_pl-pl_a0a21ad7f7405b94.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_lv-lv_e5198e8fc265078f.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.15063.0_none_d802f55807fa1ec7.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_en-gb_886312f82692f412_bootmgr.efi.mui_be5d0075	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_en-us_87ac933f1cd28fdb_winresume.exe.mui_ff8b5358	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.15063.0_none_045020d08f3a6d43_wldap32.dll_09c99dc1	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-basesrv_31bf3856ad364e35_10.0.15063.0_none_28336e6150ea4933.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_tr-tr_8a407a34161bb921.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_727c27262b7ec707.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_uk-ua_26205cdb0d4cdf6d.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_uk-ua_cb62fe0eb7312018.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_it-it_5efca415c2667f3d.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.15063.0_none_314522d34b560919.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_he-il_87fc497c627dface.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.15063.0_none_e5fbbfb47ce3ad1f_clipsvc.dll_0a2c978a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_030818d8b79b4c05_umpnpmgr.dll.mui_d66aed17	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_eb8784774de6a9ad_iscsidsc.dll_20ed5065	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_en-us_d84575ef7f0e3162_rasauto.dll.mui_12fa2c50	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ru-ru_6fbaaffc5d91072d.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ro-ro_d6a49a3e7445e0ae_bootmgfw.efi.mui_a6e78cfa	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_s8514fix.fon_2d5cdf27	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.15063.0_none_ba6dcc4f263ef22f_sxsoaps.tlb_7db2712b	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_9e9a00a6d22ab935_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_th-th_2b7ff2d3c288b51c_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_78aafb7af9d71d92_bootmgfw.efi.mui_a6e78cfa	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_de-de_7da8c24f1dadffc1_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_th-th_b0bfbc2445fecec9.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-es_6e122c03212f2631_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.15063.0_none_02178f11778cf984.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sxssrv_31bf3856ad364e35_10.0.15063.0_none_7199b2a6f00baf63.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.15063.0_none_b42d779a35a718d9.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_nb-no_14793e40fc75bb05.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3x33q2615.bmp"

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

pid process

4992 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

pid	process
4992	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.execmd.exeSppExtComObj.exe

description	pid	process	target process
PID 4992 wrote to memory of 324	4992	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe	cmd.exe
PID 324 wrote to memory of 68	324	cmd.exe	vssadmin.exe
PID 2636 wrote to memory of 4424	2636	SppExtComObj.exe	SLUI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4328 vssvc.exe
Token: SeRestorePrivilege 4328 vssvc.exe
Token: SeAuditPrivilege 4328 vssvc.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
ransomware sodinokibi

description	pid	process
Token: SeBackupPrivilege	4328	vssvc.exe
Token: SeRestorePrivilege	4328	vssvc.exe
Token: SeAuditPrivilege	4328	vssvc.exe

Discovering connected drives 3 TTPs 6 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exesvchost.exe

description	ioc	process
File opened (read-only)	\??\C:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\C:	svchost.exe
File opened (read-only)	\??\F:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\A:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\B:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\E:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
"C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Discovering connected drives
PID:4992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Deletes shadow copies
PID:68

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
2⤵
PID:4424