sodinokibi | 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

General

Target

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
Sample

200122-dcjzw4d3w6
SHA256

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Path

C:\Recovery\q5f10-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got q5f10 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D10ECAC096968E16 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/D10ECAC096968E16 Page will ask you for the key, here it is: Nf0eiuvX0OYlxB6+3APvS7NabvRHCjVJ+Dgku9bWeEo8rJia5JMGq9rFbJRahXuL Rf+eEDTvtPItMdtY0Zie5183mD29JQJkxYZSIhbDWb+ByfBor4f2yZqQe1xr5Ofc oQ47nmPUjiYYjHtQyRegzJd0rrder78H0jO0XW9zkbz0LQpxxl5sWuQ7+XvpHVy3 2iVKI1nLbvcb06FKYQ2ugWjd90/5nSbHuuwE8jgvEgvIyjR0CZdS96tRhqKDA/Gg 3m/QHHBOT2s03ghNMnUVVVXeVC6Srb2G6jCVQrOP9zNYEt+pI5+ipXzqz6Cdz3cm N1J1KACF/h/sRdIdZfTrxQXhyvbix9/oiyRCpC+XbWr8nak5wZEunz1QVw+SLFbn +3sGXk4oaenLDGHOHNEMvkrSWtfcpRzvEBqWZvQpekHRU1oCHP12pPzKaOhGbMeN +fAquE0YRS/GBkFpPqq0GCirLOLTtAlQs1t3Ixq7JmYTQVGQP3hhqHHMpFx8aqMh LEAH99QYsFI1xZPEBnUKZRNAGKi3nH9oXqevBCazHPLsvcHd7lR6APAsCKH3KrBf RMJTu3/QRSwlHyAvXQnibGLBjidsC/cd54q1p2QO84ZI1KpBfLbFmqsELkQhj2hS ESUZI+fFn1Zyg4z5SRDXhQ+jB+r3/3U6Ivnjd5VOxzZBqac0PAW/pH/YK13zGAIb 6kDGgnx1ih0UFEsXdA/QFiamFPGBDBIdVV5tYC90LhsRvT5J4ogMp5P1FWWEnctB f/3nZhpYRwFEkkZAWs6GNhDk3EAdTtb2fQopvqZwYPYGGEY7177x27bsjzDNkkjh VqbuHUUBGLPs+mYeSw1LM0VCA3ogjrZBGaD1PYDX7dIVBADpW2oJIDz5bwhk9+Et tCnJdnapOZBMbw1zNfD5J5nFHo1FR0Ze7gBD/LoOU7XRXI1/xB4DSjlDjJ/Thdv/ ZCkPoNALHyMzTAtH24OQbyFs1KoSH0tJsq6YL4caJFPXZKqm+hvLxsjcaAoU1Q4e dnX+l+2mQsTWolmB7CUbkzrs7P+2AHg627e0nnCaf1C5HfrMa0TLRPTh//BJ2Rq8 UgCEmA5UCyJOukbbbJWKKNdhkDup1w==

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D10ECAC096968E16

http://decryptor.top/D10ECAC096968E16

Signatures

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1344	2016	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe	cmd.exe
PID 1344 wrote to memory of 1476	1344	cmd.exe	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1564 vssvc.exe
Token: SeRestorePrivilege 1564 vssvc.exe
Token: SeAuditPrivilege 1564 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1564	vssvc.exe
Token: SeRestorePrivilege	1564	vssvc.exe
Token: SeAuditPrivilege	1564	vssvc.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Windows directory 3276 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-imm32_31bf3856ad364e35_6.1.7601.17514_none_c4d0cdd7c56b493e.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_ebac2cdcaffb8a0e_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_921f7aaac68bcb70_appidapi.dll.mui_b6af37bb	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_6.1.7601.17514_none_352b5454878cd498_axinstui.exe_eba3b15b	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-hk_a74d96a66e8abfbf_comdlg32.dll.mui_ac8e62f4	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_18f35f70f89526d1_dnsapi.dll.mui_97465f8a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_07f91de77125e78d_lpk.dll_ebdc1de9	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-720_31bf3856ad364e35_6.1.7600.16385_none_2ae4fd74b4dd3f24_c_720.nls_c0c94414	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sl-si_3077981303bb82bb.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aac12e1c9878d430_certcredprovider.dll.mui_b5ad161e	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6bafe41ed67f87e5_esent.dll.mui_e30e3b90	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_07f44fb7712a68da_cmiv2.dll_be06aa9f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-kartika_31bf3856ad364e35_6.1.7600.16385_none_66211148328492ad.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..cardsubsystemclient_31bf3856ad364e35_6.1.7601.17514_none_770a7fb29038c2c0.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-hbaapi_31bf3856ad364e35_6.1.7601.17514_none_b18e5ca4be201fbf_hbaapi.mof_4e35fdd7	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-pcw_31bf3856ad364e35_6.1.7600.16385_none_165b3257a4922fbe.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b_rasbase-repl.man_aeefd659	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80_gdiplus.dll_423f7010	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-object-picker_31bf3856ad364e35_6.1.7600.16385_none_0f6c30b96de81257_objsel.dll_9d6ddd89	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_365b53d91b3ce4ff_memtest.efi_01d7fdbb	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-shruti_31bf3856ad364e35_6.1.7600.16385_none_295c980d6b8c1975_shrutib.ttf_cc31ccfb	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernelbase_31bf3856ad364e35_6.1.7601.17932_none_8510e4eecb4594ab.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_e4b59a6b98a32400_mlang.dll.mui_2904864a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_924a71ae0e077dae_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_a8afc467a4245c19.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app775.fon_dec57409	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_d6f0eb51a588d90a_comdlg32.dll.mui_ac8e62f4	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_a8afc467a4245c19_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-875_31bf3856ad364e35_6.1.7600.16385_none_cec0218efc83e8b7_c_875.nls_b284c215	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_e99ba0bb58b4fbd1.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e5eadf52d4094a8_efscore.dll.mui_5a74c206	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ype-microsoftuighur_31bf3856ad364e35_6.1.7600.16385_none_1312b5e22558207e.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ntfs_31bf3856ad364e35_6.1.7601.17514_none_04972f2c338b23d4_ntfs.sys_e80dca04	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sens-client_31bf3856ad364e35_6.1.7600.16385_none_5d37a06dd6d242cc_sensapi.dll_9e623aad	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17514_none_114417c17d05cb37.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_38b2b0e8fba01a4b_certenrollui.dll.mui_e86ca64f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce_microsoft-windows-networkbridge-ppdlic.xrm-ms_1a466ea5	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-vssapi_31bf3856ad364e35_6.1.7601.17514_none_330ce3bf9861358f_eventcls.dll_09ce86ba	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_7.2.7601.23317_en-us_ed19479b211572f9.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0522ecd1ea2fa29e_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga860.fon_07129997	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-utsaah_31bf3856ad364e35_6.1.7601.17514_none_8a6cbec4ba3b0202.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_da3cb85562df73c9_memtest.exe_01d80391	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_bg-bg_97b937009fa00cc6_mlang.dll.mui_2904864a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..uetype-malgungothic_31bf3856ad364e35_6.1.7600.16385_none_6144d01edfdac19c_malgun.ttf_166813d8	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7601.17514_en-us_7113e0d248e375bc_htui.dll.mui_038c60dd	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.17514_none_16795c7543eb48cf.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_en-us_5d9f9e554f49baba_webio.dll.mui_e805c4b7	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_6.1.7601.17514_none_257ada4f467a7f64_oleaut32.dll_730e3d41	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b28bd85e0d0ff6f1.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346_umpnpmgr.mof_112f9e6c	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_618833a5b4f8d33b.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7b176a691d8ef141_rtm.dll.mui_55e4e990	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smae1256.fon_bf9978ab	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-arial_31bf3856ad364e35_6.1.7601.17514_none_d0a9759ec3fa9e2d_arial.ttf_e828c109	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_3899b0ad2bb77a86_iscsicli.exe_20e14d4f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d_printui.exe_bb673fff	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7601.17932_en-us_e07fd19d019a74a1_kernelbase.dll.mui_16288a65	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-userenv_31bf3856ad364e35_6.1.7601.17514_none_9247d45ea984f2ad.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..rics-storageadapter_31bf3856ad364e35_6.1.7600.16385_none_329b3f476f0cd674_winbiostorageadapter.dll_5fb8b23e	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shfolder_31bf3856ad364e35_6.1.7600.16385_none_4b125fb438c5a314.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft.windows.s..rt_driver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_acf42a5e0a4e888e_scsiport.sys.mui_ef25385f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_lv-lv_d972d95f98936d9a.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imageres_31bf3856ad364e35_6.1.7600.16385_none_dc93f95659399ba8_imageres.dll_44f44625	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8e07.bmp"	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

pid process

2016 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
ransomware sodinokibi

pid	process
2016	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Discovering connected drives 3 TTPs 5 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
File opened (read-only)	\??\A:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\B:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\E:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\F:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\C:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Deletes shadow copies 2 TTPs 1 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1476 vssadmin.exe

pid	process
1476	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
"C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Discovering connected drives
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1344