sodinokibi | 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

General

Target

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
Sample

200122-dcjzw4d3w6
SHA256

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

Score

10^/10

ransomware sodinokibi persistence

Malware Config

Extracted

Path

C:\odt\5c4y31391w-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 5c4y31391w extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B03990EDA5488E8D Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/B03990EDA5488E8D Page will ask you for the key, here it is: KxrzNMNEpc3UFOC9RXd7HkZTpI0SlL2NhuP3/otbitxGNcpREvU7/aiVrsqMjl9G 55QSbWcH/5MIEH9eUJq/oBV06Lt2qs0aOwuKLvVp4lRGVYoNJ+hJT9BaaPyUx+/z a7HjAPo371VcNnmdfLiCtgf9O030HqZKEipJZtDFGSluvcNUZZb5qWBNwQp26/lH vkQsYYdgA7FzPd+yVdMKgfa5GICoO3rcOiY7+pCsq1VvdjlE7ruKQ3G4KUYcAyxm rM0g+fkkTYNl5gosGPy0ApA+rD9wVgOBtPT/FODfCcOCdH3iuuzbqUrd+IMPs2e6 mVaJw1iLHlHVffcs8xbwJ4Cve52Ncm11XrS9vkSTFH5Le2K6IxBu6Uq9RaYR0LRj ATuPuUHpvvKp5q30kwaqaTSwKlyll4HRT+aLjvG/pDaiom/lr9L5dsVeBQAx4MpS YkxbaFTYP+MdbvJHs/HFRQqBlAzHmXqNhMTNyJO0pAFrA+R4pWzSKiDJ7Fqj+c5W MNtVgsYM4BdfFsSL7b8WyKxdnhjqgz+mRc2mDAaQ2wLqY+9mROtHWN458RQB2nqv fWN6Ex/MhjQzvcCLoVW7j44P51t2kWiVMHDnThH+hQTz5da9JZ8b/b9gzFAAAO4Y TRL7o/FdONdJQG5+ncsVNq31klRlsEjrPIHRajRSXZ4RbAvYolJ1ms0ouQY4m520 f8x7KJoxRnjZCgBarJwQYNY2Q4v5oiE/choRZ7uIOfIhTejBXThCxqixhvj1vDsQ 1r57T9wCOqJPCo4SLU1/tLpLxqXLRDBXI4CgFbjtcDap9YCzzuZ/1CbYc1p+3PMK 2XLbFNJ2ofcZQx9hk2wOzErrkV1aUooLdFXSrdDkIZuem2kmLi+g0uq05N3bMGZp pGRK7dv3WDzI9D01waIPgbUORVtqpvyRoqrjBwuBgNs5ujCLVRKqFPXHUIfWQfWb lAxnSmpso22Lq6kyqkXdXw2dvMann8lRYqiSv31iaN+MllqEGBmSSAujT7iZLryz oa98Tw0tqezf55DF++O3KzmworLoOWCvF/jauGRmTP/TQ8CypaJZhjha6Hb86HnG kYW/zZKg

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B03990EDA5488E8D

http://decryptor.top/B03990EDA5488E8D

Signatures

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9365u1v32307.bmp"	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
ransomware sodinokibi

Discovering connected drives 3 TTPs 5 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
File opened (read-only)	\??\F:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\A:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\C:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\B:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened (read-only)	\??\E:	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Deletes shadow copies 2 TTPs 1 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4612 vssadmin.exe

pid	process
4612	vssadmin.exe

Drops file in Windows directory 2108 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_hu-hu_8b4d2222606ec8fc.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.15063.0_none_ba6dcc4f263ef22f_sxsoaps.dll_7db29e61	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.15063.0_none_bc1b3f5b642099f1_winmgmt.exe_8f8eb7b1	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_810921f84ce2cbc4.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.15063.0_none_bd3180952b2019ec.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_10.0.15063.0_none_22f6ec0bb529250e_httpprxm.dll_53511297	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_10.0.15063.0_none_4921bb9511ea287a.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fr-ca_3c52ec2480e76006.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_lv-lv_e5198e8fc265078f.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_848d8c2152ade85d_provsvc.dll.mui_3a2926ae	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5522510b24d3f7d4_ipsecsvc.dll_7136601a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_lv-lv_d07f579115f69bd6.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.15063.0_none_4a395d1c23946704_applockercsp.dll_771a831b	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_10.0.15063.0_none_8fc5f5694d615068.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.15063.0_en-us_04218ecbbddd265d_fidocredprov.dll.mui_4ca89266	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_en-us_7c26da6bc6b0c02c.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_en-us_1b9eda7aacdf6c87_keyiso.dll.mui_4bbf12ff	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_d123dd2c727d3948.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.15063.0_none_20edd7ef9e21d8cb_rasadhlp.dll_7438be63	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.15063.0_none_b1c695092fbfd7f6_winmgmt.exe_8f8eb7b1	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_bg-bg_6b4cd629a017904a_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5f76fb5d5934b9cf_winipsec.mof_abfff45a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_453845783036acd5_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..ependencyminifilter_31bf3856ad364e35_10.0.15063.0_none_3b66d324c049b96f.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.15063.0_none_18fdca143ee4528f_bridge.sys_4e5f368e	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..rservice-extensions_31bf3856ad364e35_10.0.15063.0_none_dda2d70f5ef170e7_umpoext.dll_fd62cdf4	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_da-dk_2c356fb707873159.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_en-us_e949c010d0e53a10.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_48f7bf74aac3a3de_bootmgfw.efi.mui_a6e78cfa	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_bae6f1b1935516b4.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.15063.0_none_8c9a5ae0c87057ba.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sk-sk_0ed5b4a952aaf957_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_04d9ab74573a46e7.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fi-fi_0d2d30b01649185b_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-br_6fe305a38dbc322b_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_et-ee_8976f68a25e8760b_bootmgfw.efi.mui_a6e78cfa	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_ega40850.fon_5e8f5479	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sl-si_3f840760de482318_msimsg.dll.mui_72e8994f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netbt-minwin_31bf3856ad364e35_10.0.15063.0_none_fcc05a7b10ae7f46.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hr-hr_0f58c5ace4a78141.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_lv-lv_4b49c6e247bf15ca_bootmgr.exe.mui_c434701f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.15063.0_none_fa7db1d69e32c652.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_fab89c2a8a882a6b.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_b324b5ac254d7072.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.15063.0_none_8dcaa66b34a35c05_nsi.dll_e72df756	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.15063.0_none_a69f8cf95bf4534e_dnsrslvr.dll_faf65b7a	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-cn_862002b5f3ade598.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_pt-br_a2f6057bf5c9ef78_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-npfs_31bf3856ad364e35_10.0.15063.0_none_b7855e1655b9ec77.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ar-sa_0cba2b77c41367f9.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_sl-si_88a80d10cfcef28d_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_bg-bg_6b4cd629a017904a.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_th-th_e3d2bbfcae0c8c16_comctl32.dll.mui_0da4e682	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.15063.0_none_6dc3296afdb08731_sbservicetrigger.dll_b5ff30d2	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.15063.0_none_2aad78202bd046dc_power.settings.button.ppkg_288dc5fa	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..turalauthentication_31bf3856ad364e35_10.0.15063.0_none_04ced512d82feb94_naturalauth.dll_90858e23	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..services-publicapis_31bf3856ad364e35_10.0.15063.0_none_d844c496ff23f583_wtsapi32.dll_470d4d41	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.15063.0_en-us_5df6e82b85a049fd_efssvc.dll.mui_03cc4e41	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_app775.fon_dec57409	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.15063.0_none_6dc3296afdb08731_keepaliveprovider.dll_fe84ab07	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_pt-br_5b48cea4e14dc672.manifest	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_0f2e55c68b9b08e2_scardsvr.dll.mui_5f6fb64f	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_qps-ploc_8699284b0725bbbc_memtest.efi.mui_71e15c22	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

pid process

5044 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

pid	process
5044	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.execmd.exe

description	pid	process	target process
PID 5044 wrote to memory of 3976	5044	0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe	cmd.exe
PID 3976 wrote to memory of 4612	3976	cmd.exe	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3652 vssvc.exe
Token: SeRestorePrivilege 3652 vssvc.exe
Token: SeAuditPrivilege 3652 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3652	vssvc.exe
Token: SeRestorePrivilege	3652	vssvc.exe
Token: SeAuditPrivilege	3652	vssvc.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
"C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe"
1⤵
- Sets desktop wallpaper using registry
- Discovering connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3976