sodinokibi | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986

General

Target

145ba213336bbb05c09d2bcf198aa3bd.exe
Size

416KB
MD5

145ba213336bbb05c09d2bcf198aa3bd
SHA1

517dc0d3d853c09fd7cb69aa85fc8f37b9bf3a87
SHA256

6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986
SHA512

1868d5e625f2fb48f1ca59a34d6b0ebee612d5c657adc349ddc9b5984409e0e9844f5a31f81a1f1e1234e44064f695de07843f1fad3aad54e051e6620127a4b1

Score

10^/10

ransomware persistence spyware sodinokibi

Malware Config

Extracted

Path

C:\odt\d31985o9-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got d31985o9 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/79BD66702E965ACE Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/79BD66702E965ACE Page will ask you for the key, here it is: JRDayGbe4RBJmccs8epn4K8BzP6EUBtRiYrfiJ04hmreG756doEHVZ1pwrVbJ+2V yIP2FN/RA3m8okChclenjwk0NFfdyI+Lqf3YiaeiT/IeT5fZlHnszCBaQU7FGOlP /1b0I4ll5Y99qJP5TbQaWZ9W5K9KhNFyzbFzR6M4i77EKvo6kQoEpV170qbVDmVv TxB0MHED5dsJCT/Ub69nrQVwowalkP1xiDCArLiyvqdrsc3MVHDuNkOx9xDDRPj1 mD5fIgdS6vwhxSWdulvmv7qBCkMmOWyH3IWYjmVknRsZEr2/xSbYNXbHsQrvGGRB 8c0IqyIWJZhvXKPyI9UpGRO9lSkdhPgNTWcgm9JZ0OCyH8B/kBChRZsb7RYQ0bZt lBlu8d7T3yDAZroTje19qDn/F9fnUy2tiLKkUwsvRhJbwPm3eG/U3qgnURySHv01 bNYV3Wsa2hHY9cLyMX4jxSwhmr8wB3h6R+eqfbmUM02J84z1PvzrFv6z+YthN0jR s0uAramER2tyAvMEtxrmyuzOILpmmbsMMNNtMuRHNTiB6HARm3Sl6jWjFIvdn47R EZFt/oe4KRxS/U33cy+dxTtOh4wnlDDQ7BMjDcFj1rTWHHCB7mALd/yHOSyXDnFD pewfYyYLb+Wd5HTUB6unCCrFdPyEedlOWQTLnO/sig7MNLRIg1MsQkXtOemQIxLJ zsSjYFP93GnSHgdeRcsf++fL9RzbUglSM3c3xUTE2nx0Iy4EDfbnEefF+ow42JyO Za1ePDAxdGDIq7wgh8BKQX2Y/JZw1O5+t14IA1wTPwSe3KbkNhtbcUQNHYywXDXH zXEk83XaIscaf9xPqDkHbZ9JqmfI0F4VrVuHnz8qf8N9/wMK1G+Hwykq9wuBhHb5 Voi025RK5m8MLCY7bxYSmsevkGxx4qrROjW1CXBSIqYaF7f4KhqtLNr4gRqJdqS0 hux3NjWQrJwbYpQIqWxt1hlBMwmO+iTrMxr2UTOSmK+POXdmou7BEEeTW9INVM3v ZB+AebK5HILzzvc7QLY5quz04+QHvPSUz2gjkNBwLiICfK08DB/ioOD2Z6aPmnFX pcoyPXuDYuWTqg==

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/79BD66702E965ACE

http://decryptor.top/79BD66702E965ACE

Signatures

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

145ba213336bbb05c09d2bcf198aa3bd.exe

pid	process
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe
2896	145ba213336bbb05c09d2bcf198aa3bd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

145ba213336bbb05c09d2bcf198aa3bd.execmd.exe

description	pid	process	target process
PID 2896 wrote to memory of 3836	2896	145ba213336bbb05c09d2bcf198aa3bd.exe	cmd.exe
PID 2896 wrote to memory of 3836	2896	145ba213336bbb05c09d2bcf198aa3bd.exe	cmd.exe
PID 2896 wrote to memory of 3836	2896	145ba213336bbb05c09d2bcf198aa3bd.exe	cmd.exe
PID 3836 wrote to memory of 996	3836	cmd.exe	vssadmin.exe
PID 3836 wrote to memory of 996	3836	cmd.exe	vssadmin.exe
PID 3836 wrote to memory of 996	3836	cmd.exe	vssadmin.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

996 vssadmin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

145ba213336bbb05c09d2bcf198aa3bd.exe

pid process

2896 145ba213336bbb05c09d2bcf198aa3bd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3832 vssvc.exe
Token: SeRestorePrivilege 3832 vssvc.exe
Token: SeAuditPrivilege 3832 vssvc.exe

pid	process
996	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	3832	vssvc.exe
Token: SeRestorePrivilege	3832	vssvc.exe
Token: SeAuditPrivilege	3832	vssvc.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Drops file in Windows directory 2108 IoCs

Processes:

145ba213336bbb05c09d2bcf198aa3bd.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_71383c7ced7c7587_memtest.exe.mui_77b8cbcc	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directmanipulation_31bf3856ad364e35_10.0.15063.0_none_68849b6d0ebd999f.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_it-it_2e0498215340df5e_comctl32.dll.mui_0da4e682	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.15063.0_none_fa7db1d69e32c652_winsku.dll_6e6c7799	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_10.0.15063.0_none_dff11f9f2a050a3f_w32topl.dll_1a0f388b	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-nirmalaui_regular_31bf3856ad364e35_10.0.15063.0_none_7ed69818195848c4.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.15063.0_none_6dc3296afdb08731.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_01db4feacaa336b9.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.15063.0_none_314522d34b560919.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_fe9533b44b551ea9.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_810921f84ce2cbc4.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profapi_31bf3856ad364e35_10.0.15063.0_none_0f5cdf3669d57e57_profapi.dll_d55ae499	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_10.0.15063.0_none_4921bb9511ea287a_sceregvl.inf_9fe633c0	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_cvgafix.fon_c20a9ed9	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..cs-client-extension_31bf3856ad364e35_10.0.15063.0_none_967718b9eaf79e2a_winbioext.dll_b698c00f	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smbminirdr_31bf3856ad364e35_10.0.15063.0_none_90a5466e89ec288b_mrxsmb.sys_cf1a02fc	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.15063.0_none_8dcaa66b34a35c05_winnsi.dll_53ccebf2	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_zh-tw_37f9af358af4f949.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.15063.0_none_cd56dce90e2409c7_samlib.dll_caeebf04	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5f76fb5d5934b9cf_fwremotesvr.dll_afaa5ea8	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.15063.0_none_7946d91d5ecb8a06_ncrypt.dll_0f36c580	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_bg-bg_b2fa0d00b493b950.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_tr-tr_fc701b8f57f23c7f.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-nirmalaui_regular_31bf3856ad364e35_10.0.15063.0_none_7ed69818195848c4_nirmala.ttf_2e14013a	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_es-es_d21d37cff862835d_memtest.exe.mui_77b8cbcc	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_nb-no_8d1e810c801783ea.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_lv-lv_182c8e682a72c4dc_comctl32.dll.mui_0da4e682	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-pshed_31bf3856ad364e35_10.0.15063.0_none_775b66db9a440a77.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_en-us_473e623ce5a97e31_appidsvc.dll.mui_6717e231	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_el-gr_8f9125b021f304a0_bootmgfw.efi.mui_a6e78cfa	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_lt-lt_ce3b1a34396db477.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_b324b5ac254d7072_vds.exe.mui_2268d934	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.15063.0_none_74e72d87b68106ce_gdi32.dll_1f014d57	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_156aa3a91701e260_wuaueng.dll.mui_297f975d	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-es_5977f50474c0ba78.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-xmllite_31bf3856ad364e35_10.0.15063.0_none_a4a4021e107e099a_xmllite.dll_ce078c31	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_tr-tr_62a053e1dd4c4aba.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_en-us_6a6c9bb281748302.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_fr-ca_2ae4eb43198d1604_bootmgfw.efi.mui_a6e78cfa	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-schannel_31bf3856ad364e35_10.0.15063.0_none_332a24478e119029_schannel.dll_7364eaa8	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_fb5f79a44d5c1ae9_msimsg.dll.mui_72e8994f	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ro-ro_9eee956fea195b3b_msimsg.dll.mui_72e8994f	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.15063.0_none_7bfeabd9337d55a1_vdsutil.dll_f2ef43cf	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fr-ca_f4a5b54d6c6b3700_comctl32.dll.mui_0da4e682	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-br_2835cecc79400925.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_67aabff02c2da9b2_iscsiexe.dll.mui_7d81b1cc	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gpuenergydriver_31bf3856ad364e35_10.0.15063.0_none_5f8d670fc6da540a_gpuenergydrv.sys_9567f543	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_40f4f6ac6faa981f.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_c53b9c03c7b5d8af_dciman32.dll_a41dd515	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base_31bf3856ad364e35_10.0.15063.0_none_1f020fb05f5437ab_combase.dll_a2567a6a	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fi-fi_c57ff9d901ccef55.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_en-us_987c8d6bc746e508.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.15063.0_none_505ddd3c336d55b8_setupapi.dll_8d9de2e7	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui_31bf3856ad364e35_10.0.15063.0_none_c809cce62764b8db_windows.ui.xaml.dll_9c9d9ec9	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_cvgasys.fon_a23acca1	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5522510b24d3f7d4_ipsecsvc.mof_713662d2	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_10.0.15063.0_none_de4c457aa62b389a.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.15063.0_none_6aa64f572618dbd7.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_10.0.15063.0_none_de44366355bc504a.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.15063.0_none_e8a0efccda8bfa95.manifest	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_vgafixt.fon_de219118	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_en-us_6f2b6a7eee701612_rasdiag.dll.mui_15cb4ec4	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.15063.0_none_43a8144aec22156f_wiarpc.dll_5aecac54	145ba213336bbb05c09d2bcf198aa3bd.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_d90ce5ca72c0a37e_bootmgr.efi.mui_be5d0075	145ba213336bbb05c09d2bcf198aa3bd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

145ba213336bbb05c09d2bcf198aa3bd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oi8.bmp"	145ba213336bbb05c09d2bcf198aa3bd.exe

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd.exe
"C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Drops file in Windows directory
- Sets desktop wallpaper using registry
PID:2896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3836