sodinokibi | 139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

General

Target

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Size

157KB
MD5

b488bdeeaeda94a273e4746db0082841
SHA1

5dac89d5ecc2794b3fc084416a78c965c2be0d2a
SHA256

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548
SHA512

2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Score

10^/10

ransomware spyware evasion trojan sodinokibi persistence

Malware Config

Extracted

Path

C:\odt\ft1f70ek6.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got ft1f70ek6 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B27EB9CE81FBDF32 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/B27EB9CE81FBDF32 Page will ask you for the key, here it is: TXk0I4eYGzGSKHXX7ohor7JegrwVMODrCYk8olaqaSdFFBsbe7j5z2UNYzZm6mXH 5Btp/Fnwj4Ula2xkaSUPUgDq8YieXtmlP7WwM42HP7HN2T3Re1oI7qGnLogXsYpn BG3SEbxRIZPE8FbVSjyLaBE/QsgPAfEGaGpefKqeDjH314FKx9TC+OQv6nhGMobw crSJCS2uQtudq8OAtmX5A1JmWZaquAUPtCTfN2ekqyeg4EWbL0l3mZrj3VAtm3XX MHcyQdfee1ETnigu/GHkSwWJbEn36Hqx31K4I6sGZF7db6zNGWvz6+gtrSh6jjWS iWasG401XqQwVxMSMcj4ppnf63QdgnDdqeQvlqtI+6crmopRf7Br20vbvXDzJzmd yiwb3HDk/2ci6W8hj7c/x9kgTjV7N4srfwqC0Dn7pk7AKglad1NWEj4Ld576swCe 61Fy2kI6OGNl/XVPd5RTgBnrOhrLh6Ireg39BPmS1BEPP1bcuKrjbP7Vuz1OP3nd GNu/jrEp9tAsEf5JpL7dVE2n+ho2XTZ65lYuqr5qhyClSeCdeTVnCLRBpxpmqZKa AK0ZVBXD/nKzdF5yvThMGBaUYJ6+Ulr+w6cA80hG3eqpRoVuyy/HAreiQ2b8kLLo 0HLxws9dZ8w2SqSEoQw7qPPtn64+Md3cI5R1IFNraUxmGmrSE5wLdSrujUWQlCpT JLi7HDI/zvIlPCYaywDoIDiTd8hxBKuK87r3gQTKJP5cZWYgVHsJ/CmJiUf5xUyq nsOeAlKEmQiF/HkXWuBAI4mKNsxa4AvYJgXCsXrNJglUJP0th4X1oZ5mA50+wvTW bO/WJND2Clm5A0P9/9q6ua7V4Tq4jxBEC+u9b4r89LE+8u8EC/33ALa1iImX14Cw xaPmv0+pTSNnQ0U1uTvXIj30XdKsv1KR+q6EXFMCaewU9meM6edXQ5hA7wFoNxXn IPsaZiIdubCqcpBf7K745mUdPdN/JdauzuK3m2POlx3h7SI6ZYJ/TcQko0wT/IBx PxFF7N+X1GO+9Ad8SKJLnQUIHgsUkaZRDwqXz+3PdfrdrLAjzAggG5QN59KsE049 WlzMhtBAKGY=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B27EB9CE81FBDF32

http://decryptor.top/B27EB9CE81FBDF32

Signatures

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1648 vssadmin.exe

pid	process
1648	vssadmin.exe

Drops file in Windows directory 2108 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga949.fon_0fa0b40b	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_mpasdesc.dll_24caab92	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c_bootnxt_07e7ea74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_tr-tr_8a407a34161bb921_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-core_31bf3856ad364e35_10.0.15063.0_none_42fa52cffce831fb.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..opactivitymoderator_31bf3856ad364e35_10.0.15063.0_none_25531ff4d974faf9_bamsettingsclient.dll_db7ec840	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.15063.0_none_cd56dce90e2409c7_samlib.dll_caeebf04	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_en-us_798014d122d0d80d_rasdiag.dll.mui_15cb4ec4	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.15063.0_en-us_04218ecbbddd265d_fidocredprov.dll.mui_4ca89266	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_de-de_b0bbc22785bbbd0e_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hu-hu_583a2249f8610baf.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_vgaf874.fon_577765e0	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_en-us_567969ff4355ff0f_wininit.exe.mui_997435f5	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-schannel_31bf3856ad364e35_10.0.15063.0_none_3d7ece99c2725224_schannel.dll_7364eaa8	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_bg-bg_0db76bcd0aaf78a5.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_nb-no_e1663e689467fdb8_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_10.0.15063.0_none_7adeb53576aeb7a4_rpcss.dll_fd3e269b	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_s8514oem.fon_304f98b5	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-irdaircomm_31bf3856ad364e35_10.0.15063.0_none_39a555445d7821f1_irenum.sys_58570547	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ertificates-utility_31bf3856ad364e35_10.0.15063.0_none_9a11856b637894e6_fvecerts.dll_cca35228	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_bcd50e80524ea2f0.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_8e4cd2143a97567e.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_es-es_5801262b97b61409_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_10.0.15063.0_none_f2afecc4f33e49fb_partmgr.sys_fcac898c	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..cs-client-extension_31bf3856ad364e35_10.0.15063.0_none_967718b9eaf79e2a.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.15063.0_none_b658a5fa435968f5.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_10.0.15063.0_none_0e20344e3b858127_ws2_32.dll_89b90cb6	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.15063.0_none_d8c07703ded57c9e.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shell32_31bf3856ad364e35_10.0.15063.0_none_8791ae697f2b6922_shell32.dll_0d29dca9	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.15063.0_none_e819281ea9bc03bf.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_j8514fix.fon_cc283848	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.15063.0_none_18fdca143ee4528f.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-volsnap_31bf3856ad364e35_10.0.15063.0_none_703dcec1da3ef92f_volsnap.sys_d7206f48	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.15063.0_none_e2aafdd9e59cf01f_adtschema.dll_4cae41ac	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga857.fon_0c23d887	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga863.fon_0805d564	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_cs-cz_5e03839ba21b957b_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_48f7bf74aac3a3de_bootmgfw.efi.mui_a6e78cfa	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-microsoftjhenghei_31bf3856ad364e35_10.0.15063.0_none_765491bc18e3ab9b.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fr-ca_093fec4c18d9a2b9_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.15063.0_none_fa7db1d69e32c652.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_he-il_0d3c12cce5f4147b_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userenv_31bf3856ad364e35_10.0.15063.0_none_aba8edfeb8725505_userenv.dll_1a3a70b6	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_app775.fon_dec57409	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pshed_31bf3856ad364e35_10.0.15063.0_none_6d06bc8965e3487c.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.15063.0_en-us_fbaca31b325f23d3.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_bd795ffe59ae326d_vdsutil.dll.mui_0caf9b0e	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_03474fa863a84227.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_de-de_e6faf81d32dd9c12_bootmgr.efi.mui_be5d0075	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.15063.0_en-us_ff9ea33ba51dcc3d.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_cs-cz_e3434cec2591af28.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_01222322b5819118_memtest.exe.mui_77b8cbcc	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d2d_31bf3856ad364e35_10.0.15063.0_none_c3056a4fc9207495.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_app932.fon_e93b0656	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.15063.0_none_2aad78202bd046dc_power.settings.disk.ppkg_2c825c35	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-br_d3ee117064ef8f57.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_de-de_2b863178b7843702.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_da-dk_c82a63ea3053d42d_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_de-de_1f0c5aa0d4fcc3f8_memtest.efi.mui_71e15c22	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..ependencyminifilter_31bf3856ad364e35_10.0.15063.0_none_3b66d324c049b96f_fsdepends.sys_fe2390cb	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_en-us_74c14604b5d544fd_srpapi.dll.mui_2693a558	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_c729b8d286af64eb.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.15063.0_none_d802f55807fa1ec7.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_it-it_1c96973febe6955c_bootmgr.efi.mui_be5d0075	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.execmd.exe

description	pid	process	target process
PID 908 wrote to memory of 1496	908	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 908 wrote to memory of 1496	908	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 908 wrote to memory of 1496	908	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 1496 wrote to memory of 1648	1496	cmd.exe	vssadmin.exe
PID 1496 wrote to memory of 1648	1496	cmd.exe	vssadmin.exe
PID 1496 wrote to memory of 1648	1496	cmd.exe	vssadmin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0400000001000000100000001b31b0714036cc143691adc43efdec18030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b4023453000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f0020004300410029000000090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b060105050703030f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 19000000010000001000000082218ffb91733e64136be5719f57c3a10f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b060105050703030b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb40400000001000000100000001b31b0714036cc143691adc43efdec182000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 5c0000000100000004000000001000000400000001000000100000001b31b0714036cc143691adc43efdec18030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b4023453000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f0020004300410029000000090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b060105050703030f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df119000000010000001000000082218ffb91733e64136be5719f57c3a12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b060105050703030b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb42000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\298ht4.bmp"	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

pid	process
908	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
908	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1888 vssvc.exe
Token: SeRestorePrivilege 1888 vssvc.exe
Token: SeAuditPrivilege 1888 vssvc.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

description	pid	process
Token: SeBackupPrivilege	1888	vssvc.exe
Token: SeRestorePrivilege	1888	vssvc.exe
Token: SeAuditPrivilege	1888	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
"C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Modifies system certificate store
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
PID:908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1496