sodinokibi | afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02

General

Target

afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
Size

157KB
MD5

3c343d72b1400d84d203063f8c4597e3
SHA1

8ce10c6ca73a4e2279f9aecc19892df2c215bc6c
SHA256

afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02
SHA512

16a9eb417f17c362a8440450cceac5d34cc7d19704c4988ea19f3cb51f601f7486e94fee4efd3d0edfe00a5d32ef0b68536a2b771dbce52621c26d80b16a6ad1

Score

10^/10

ransomware sodinokibi persistence spyware

Malware Config

Extracted

Path

C:\Recovery\ssq83-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ssq83. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/370FDE11F2739669 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/370FDE11F2739669 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: rcBs6NR4KZWwMUL5f1b9mydghNVpWMPwIVcqzlM4A7mSYxWB1QYIqGXaf6sjFIcm 01EGEM+Q2BrjLVR+I4ZVrTdPwnEX7OqFV5MMVnBRv//8x7DGa4h7KLJSWfCrQG7u B8cmHelhYhQS0gHAOGBNiNqOxGcplP9MOpNKjJLJ0ycvN881lvfRWKx2R7dnpALn s+rihm6BHmJNvffnUi6qt8n3ULHIhgz3xfCLnSFwLJvTJuL+zBpMnQia5vPEBU/e 8krD9T80gmJQr3GEHmWAemeu+YH2GpAbIeIpgpplipBy/7fE2x0Ttcb9ZSRPn41Z rFB8m/qE1kEMa2MUYGzFqAlUvWkbr9Q3TKl01plmhWjfZrOWF68OpGDKLotFD7ro 6C8RMAEKdTQ+7hRTdBOlFKPHPJs7RNJWnDtezkCEnSHg4ciA0zsJfxf+q40UJXBZ St9Ib7ndOhEosUCvP4jr6lpNMF8UMIGVTuKsT2Ki3LtmrVwZbGUfCV1VufZvmdDR +Zz2MEaCRKf6N4ERRoyBRmvYdZsruixvFSupKDvUg6FdZkhbPMIy0Q59UY22m/0N 7sfCHnV9FduDdVHSLkAkbHQ7g+uiGUEHT2nz9u9rLEc3TMT/NEswzJXRdqCMN5rr GD+dfup5WavYkhsTe4qlFls9cWODttKobxsvDWvJSY/rZGYjYgYLsuVJvHTMbZ4c cIB2gt+SIPEWWE4aT0D2CRrz7+TlTlfYpch+SaEBcsmhE187cGALROGxXS1C6I26 IQ0BWj0H6F4FwlWDoBEQBapjejAnujIFcARHFaGtUQOfGUB9Tki88iuCM4JyfjTY hmRW3Oe7O8s6NbD1k17a+kDf3vFZ/efWpLxsMJrKNn53/Y/F5ZHR7drvJlK25iQV lBzplLBCePWPtSG1OoQUkCnPpOUOySAGLkt2uTou3Urh0QTOoe7vCzMx41WsTd5e NIKbQ5ignfUXScu8ZVbhnXd86J9BrE0qAWQH9Z//oWYwXbDbuypmhwpLQnpdef7y ogwI7Gp2kOJndgeK0xu1scHq1wsqXbr+z98WYzqeWHTD6YzoE7ne5Rc3SUjizjpd MtJues0Jo+MOasPAuTzMJy7zhVTv2edtD3E= Extension name: ssq83 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/370FDE11F2739669

http://decryptor.top/370FDE11F2739669

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbp.bmp"	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe

pid process

800 afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe

pid	process
800	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.execmd.exe

description	pid	process	target process
PID 800 wrote to memory of 1060	800	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe	cmd.exe
PID 800 wrote to memory of 1060	800	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe	cmd.exe
PID 800 wrote to memory of 1060	800	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe	cmd.exe
PID 800 wrote to memory of 1060	800	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe	cmd.exe
PID 1060 wrote to memory of 1508	1060	cmd.exe	vssadmin.exe
PID 1060 wrote to memory of 1508	1060	cmd.exe	vssadmin.exe
PID 1060 wrote to memory of 1508	1060	cmd.exe	vssadmin.exe
PID 1060 wrote to memory of 1508	1060	cmd.exe	vssadmin.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1508 vssadmin.exe

pid	process
1508	vssadmin.exe

Drops file in Windows directory 3276 IoCs

Processes:

afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-lsa-extension_31bf3856ad364e35_6.1.7600.16385_none_252f55f1cea824ce.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_6.1.7601.17514_none_2b4a7558412a624a_wfp.mof_c9297d9b	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7601.17514_none_4dd43f34b0b06f44_wintrust.dll_abec426a	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_72e204af7ddd5d15.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.17514_none_ba5ac0f18b8dd799_mswsock.dll_e2ad0f2d	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-basesrv_31bf3856ad364e35_6.1.7600.16385_none_68bfdc7cfd6bd477_basesrv.dll_8c1ad808	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_8514oemg.fon_dbdce127	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-segoeui_31bf3856ad364e35_6.1.7600.16385_none_2cb0f5602bedb50f_segoeuiz.ttf_ea46f861	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_047062a1736af5b9_consent.exe_9075a1c2	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smbminirdr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9b2d5db50d653001.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_web.xml_c9566883	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_c226845cde5874a9_comctl32.dll.mui_0da4e682	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-unimodem-voice_31bf3856ad364e35_6.1.7600.16385_none_44610425b014c1b0.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_330f86d55de64a40.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-864_31bf3856ad364e35_6.1.7600.16385_none_2addd390b4e226f5.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_hr-hr_caf6c1e0049b2c40.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-videoport_31bf3856ad364e35_6.1.7600.16385_none_180f3dba1e158073_videoprt.sys_3ed5b0a0	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsidsc.dll_20ed5065	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0a615764d5644890_keyiso.dll.mui_4bbf12ff	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sechost_31bf3856ad364e35_6.1.7600.16385_none_879933012e49cc30.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_et-ee_dbc2bcef30ac84b9.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b7cfcc08ef7b2e35.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155_rasctrnm.h_17610c72	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smae1257.fon_bf9a78ea	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-laoui_31bf3856ad364e35_6.1.7600.16385_none_d02cc17733960c0e_laouib.ttf_9bbcb09e	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1257_31bf3856ad364e35_6.1.7600.16385_none_8048648522902070.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_de-de_766749e698668441.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_bc83aeba06823a38.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appidcertstorecheck.exe_03352f5f	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..itmap-ms_sans_serif_31bf3856ad364e35_6.1.7600.16385_none_ac9f9e10add68c8b_ssee1257.fon_9d31b9ac	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smallfg.fon_f49c104b	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7601.17514_en-us_7113e0d248e375bc.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_23376bf5921e7b63_msobjs.dll_052c8a60	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-nbsmb_31bf3856ad364e35_6.1.7600.16385_none_bb5f82db11a747df.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ck-legacy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a7b0ad52b3bcfdb6_wsock32.dll.mui_18b23987	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..geadapter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e16e6ac995e69f7b.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_05699821fc9b6205_cryptui.dll.mui_9728c1dd	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2507f83c52d906be_iscsiprf.mfl_24c6459c	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mprmsg_31bf3856ad364e35_6.1.7600.16385_none_13644a6db4b698b9_mprmsg.dll_6fff912a	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreos_31bf3856ad364e35_6.1.7601.17514_none_83784bb654f0d178.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-international-core_31bf3856ad364e35_6.1.7600.16385_none_459f562ff37206dd.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sf-capi2_31bf3856ad364e35_6.1.7600.16385_none_0a5c77de98c9331c.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsied.dll_e933fb0e	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..-truetype-gishabold_31bf3856ad364e35_6.1.7600.16385_none_f50009547b049b77.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-homegroup-provsvc_31bf3856ad364e35_6.1.7601.17514_none_efe3724a04606825_provsvc.dll_a438d02f	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-861_31bf3856ad364e35_6.1.7600.16385_none_2ade17e8b4e1da12.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cbdad699e9d079ee_storsvc.dll.mui_2fc7b1d3	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-udfs_31bf3856ad364e35_6.1.7601.17514_none_049f9db233833b25_udfs.sys_cf08a343	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_6.1.7600.16385_none_ce571486e124e749_nsiproxy.sys_ebb6a83d	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_uk-ua_8ca949062551c8d6_comctl32.dll.mui_0da4e682	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7b176a691d8ef141_iprtrmgr.dll.mui_eb023b92	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_be0701531dbe7588_comctl32.dll.mui_0da4e682	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog-api_31bf3856ad364e35_6.1.7600.16385_none_0825f3c37efb390e_wevtapi.dll_df064540	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_b6e83386a0ddbab4_msimsg.dll.mui_72e8994f	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-qos_31bf3856ad364e35_6.1.7601.17514_none_0c716dff6e442c24_pacer.sys_c93de3d8	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..-msctfime.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a4a29137774b81b0.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_cs-cz_a9a74ccae735a589_comdlg32.dll.mui_ac8e62f4	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_en-us_619e13eec4db6369.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..configurationengine_31bf3856ad364e35_6.1.7601.17514_none_bb2c4d9ee6dcc35c_scesrv.dll_07b1e224	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shacct_31bf3856ad364e35_6.1.7601.17514_none_c8099d957fb7652d.manifest	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-segoeui_31bf3856ad364e35_6.1.7600.16385_none_2cb0f5602bedb50f_segoeuii.ttf_ea35f432	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sendmail_31bf3856ad364e35_6.1.7600.16385_none_b6de6c0835b43484_sendmail.dll_a8a54aff	afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1352 vssvc.exe
Token: SeRestorePrivilege 1352 vssvc.exe
Token: SeAuditPrivilege 1352 vssvc.exe
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

description	pid	process
Token: SeBackupPrivilege	1352	vssvc.exe
Token: SeRestorePrivilege	1352	vssvc.exe
Token: SeAuditPrivilege	1352	vssvc.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe
"C:\Users\Admin\AppData\Local\Temp\afbb37a3ff2187905a09403d8d42f11b64b06f2a8918ad520b202abfb5559d02.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
PID:800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1060