sodinokibi | 139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

General

Target

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Size

157KB
MD5

b488bdeeaeda94a273e4746db0082841
SHA1

5dac89d5ecc2794b3fc084416a78c965c2be0d2a
SHA256

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548
SHA512

2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Score

10^/10

evasion spyware trojan ransomware sodinokibi persistence

Malware Config

Extracted

Path

C:\odt\gfi5j.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got gfi5j extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6AFCB047A8F2D039 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/6AFCB047A8F2D039 Page will ask you for the key, here it is: 8U56g0g8IYmS+SGHJfX0yn7BD+Sh/bHVX13KUljmpzoFkyPqZW3sk4TisZ7ZIP7M y4VL6geQihdrttX4Zhn+m9rO9iPZwT6j58RmPxjW87D+MJ7y4jGqJzWcm1MaQFoy kbRWqbT+8IXXiUR0lR6jU2zUFHhH4Lbx/BRXtDA7khioR38LZ8lmDkJt9QihPUPt 8beUodTzc/FBh0bYYRS15CRKaPvF7m1Y8OlYpVpzB9leN/YxF3wP75j9DlEuq+ZE H4sYP/hFt0QOsHrdB6yWnfSBiBDDDnOS9yZ40tYVJwiJjIs+kt6hwdrG0YDPa82g vBKCDhQfloplzKJzwivdF3AhrtUnNprw0zIZya4sMBTk28UJ5gdZrv0F5nO+xmt5 nI2ZW0Ri0VfNRl4nKBhhHO8CI9QTvu5BB3sNrtnSGLVXhCmndrdrtzCB3WA2qb1Y oBlTbGy30dWE+09VYHqDECDpMyp/AwmsJhfocFzEEdJ9xq5HFaqTGjCN6uN5hHqS thr7myFsZApzQmkSmjN0ja2FyxItFX0foTRDv43KSZwnRzrrQYuVesjvV3KAuZCQ lsKl3eYlG3LU90r02GS/Ms1AEoCqa0Y72gN4l17vF2H6CiQBq1Xpmte4iLpRtzg0 dU+UN/4KjTlc7EJFo+JGRXstHugbn6m+Vvny9vOoouEelX+tqqUevioNyChjSq82 XXTCkgsdnwp+4SJBXBbJTHlssHM7oMxlYvbrw80CLv/Lcnhkk+nja3x+MX9bwjdp klsFLtJx5HYy36ZTWIrmJT3Ik3XQPip764qx9Gsug8RKcKLHB/YY0V8muJrSSH+v rUDcK2XB08n3ZIrj4ipP+r7oVI8JKxZOV0YXMth73T+Q1u3fIAgjVQwmpl7IbqxK SqgxxxvH0dEwZDvfclwKJ8t7BY0m3eg6HeBvJj++GstVZmko6uk19/tPczckDPrL g7CPKMUozrAXB019yfOONjmDwsLcUMZ+/86Q3/1b/8iRyckAG9OT3Nv3X5LlGkdf HD8QdAeGriVR2HbcCA/BWP3uiaiLbCIf+TAma8rCrXZmMhdHMLed9CHd9tZa2760 G47hbiS/HzA=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6AFCB047A8F2D039

http://decryptor.top/6AFCB047A8F2D039

Signatures

Drops file in Windows directory 2108 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.15063.0_none_67af460eee1c40c7_netio.sys_a06e75d0	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.15063.0_none_18fdca143ee4528f_bridgeunattend.exe_60b7e340	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ko-kr_f8d3bd33bc42d1fc.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_2856dfb73a0bd794_dnsapi.dll.mui_97465f8a	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_f71c2ad88cd00633_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.15063.0_en-us_04218ecbbddd265d_fidocredprov.dll.mui_4ca89266	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_it-it_6121d09b708d304c.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ko-kr_7393f3e338ccb84f.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_en-us_87ac933f1cd28fdb.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_f03011c634d83a8f_mofcomp.exe.mui_35badf56	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.15063.0_none_a861864702eca1e1_windows.ui.xaml.maps.dll_b092594a	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.15063.0_none_b1c695092fbfd7f6_wmiaprpl.dll_5d18a476	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.15063.0_none_3a7147463f9b3bd0_cryptsp.dll_ae5341e1	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.15063.0_none_b8dd2546aef29fc8_dcomp.dll_a2e93a7d	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_lt-lt_cfb1e90d16785ae6_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_10.0.15063.0_none_558a46bee183e781.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.15063.0_none_c3023296d9c347cc_samlib.dll_caeebf04	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_8514oem.fon_c20e1190	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.15063.0_none_0ecb907c70c8a1bf_netlogon.dll_90e0458e	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_c6cf32da3e1c774d.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.15063.0_none_e8a0efccda8bfa95.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_da-dk_c82a63ea3053d42d_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_zh-tw_2b7fd85da86d863f_memtest.efi.mui_71e15c22	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sr-..-rs_fbc5757cdcd2dc71.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_bd795ffe59ae326d_vds.exe.mui_2268d934	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_b324b5ac254d7072.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.15063.0_none_9055be80f37df5c1.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pt-br_fdb364484be5aecd_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.0_none_583b8639f462029f.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_84a6e53ddce0735f.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.15063.0_none_de38492263599171_ikeext.dll_3ac4406c	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvcext_31bf3856ad364e35_10.0.15063.0_none_353d9277acca1f20.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_1ef4411ab33dfe81_rasdiag.dll_341d4299	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hu-hu_108ceb72e3e4e2a9_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-eventlog-api_31bf3856ad364e35_10.0.15063.0_none_61263fd1e5bb7a99_wevtapi.dll_df064540	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_it-it_faf19848eb332211_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ar-sa_c39625c7d28c9884.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gpuenergydriver_31bf3856ad364e35_10.0.15063.0_none_5f8d670fc6da540a.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tm_31bf3856ad364e35_10.0.15063.0_none_5e292298bca16d2b.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-nis-drivers_31bf3856ad364e35_10.0.15063.0_none_5a2d65abea2acd2b_wdnisdrv.sys_d6e2118a	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_c53b9c03c7b5d8af_fontsub.dll_367a1189	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.15063.0_none_b2b63099374d63dc_windows.ui.xaml.maps.dll_b092594a	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-nirmalaui_regular_31bf3856ad364e35_10.0.15063.0_none_7ed69818195848c4.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-rasl2tp_31bf3856ad364e35_10.0.15063.0_none_aaf025d620bd03ae.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.15063.0_none_3fe4b2c9ef33a509_applockerfltr.sys_6a9d2cba	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.15063.0_none_dcc6defb6a563ec2_wshtcpip.dll_7ee2ca52	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..migration.resources_31bf3856ad364e35_10.0.15063.0_en-us_618d7a7bf8cefa67.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_en-us_63ab03a64f69205a_winhttp.dll.mui_f661192f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_10.0.15063.0_none_b18bca773d8e9dae_driver.stl_8a4e6441	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_cga40woa.fon_3e9e1495	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_nb-no_13026f681f6b1496_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_10.0.15063.0_none_e8fc1bcb973bd8b8.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.15063.0_none_64798615ecbbbc0e_xblgamesavetask.exe_e6e69c44	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_f5dc2ec982476ba8_iscsiwmiv2.dll_daf801c2	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.15063.0_none_2b428241d2829ac6_rasautou.exe_477abe34	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_d6f50d621285b042.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_10.0.15063.0_none_498d54b2bf031603.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.15063.0_none_39373b181fd15f6d.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_727c27262b7ec707_themeservice.dll.mui_9e71f1ab	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.15063.0_none_43a8144aec22156f_sti.dll_d93e8a42	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-br_d3ee117064ef8f57_memtest.exe.mui_77b8cbcc	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_bg-bg_a18c0c1f4d396f4e_bootmgr.efi.mui_be5d0075	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_da-dk_2c356fb707873159_memtest.exe.mui_77b8cbcc	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msvcrt_31bf3856ad364e35_10.0.15063.0_none_ecbdb9ac0c159910_msvcrt.dll_ee71f3d5	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3296 vssvc.exe
Token: SeRestorePrivilege 3296 vssvc.exe
Token: SeAuditPrivilege 3296 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3296	vssvc.exe
Token: SeRestorePrivilege	3296	vssvc.exe
Token: SeAuditPrivilege	3296	vssvc.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 19000000010000001000000082218ffb91733e64136be5719f57c3a10f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb40400000001000000100000001b31b0714036cc143691adc43efdec182000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 5c0000000100000004000000001000000400000001000000100000001b31b0714036cc143691adc43efdec18030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b4023453000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f0020004300410029000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df119000000010000001000000082218ffb91733e64136be5719f57c3a12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb42000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0400000001000000100000001b31b0714036cc143691adc43efdec18030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b4023453000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f0020004300410029000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Discovering connected drives 3 TTPs 5 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
File opened (read-only)	\??\F:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\C:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\A:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\B:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\E:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3920 vssadmin.exe

pid	process
3920	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\605f607.bmp"	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

pid	process
4052	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
4052	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.execmd.exe

description	pid	process	target process
PID 4052 wrote to memory of 3676	4052	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 4052 wrote to memory of 3676	4052	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 4052 wrote to memory of 3676	4052	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 3676 wrote to memory of 3920	3676	cmd.exe	vssadmin.exe
PID 3676 wrote to memory of 3920	3676	cmd.exe	vssadmin.exe
PID 3676 wrote to memory of 3920	3676	cmd.exe	vssadmin.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
"C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
1⤵
- Drops file in Windows directory
- Modifies system certificate store
- Discovering connected drives
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3676