sodinokibi | 80bbe933cc68fd5837b0ba84f17b9f796918125c52321d3d504468e837239765

General

Target

evil.exe
Size

157KB
MD5

cbf729eace9735977cf545be8f37a28f
SHA1

a247e58c2671283b0889db953af284517d75668b
SHA256

80bbe933cc68fd5837b0ba84f17b9f796918125c52321d3d504468e837239765
SHA512

115f1f3ae9900eda0d1c19fdb7b7a35d0cf4392831a54190c9c51ffe67463f888a58a4ce4edfd8cea72bd4359be755e82f5b1a6d1ccc2a324b8db37e95b32bb9

Score

10^/10

ransomware sodinokibi persistence spyware

Malware Config

Extracted

Path

C:\odt\mof2o3o9.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion mof2o3o9. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/703CE496AE2B5312 c) Open our secondary website: http://decryptor.top/703CE496AE2B5312 When you open our website, put the following data in the input form: Key: 4Tp+nyyx4itIIconZFLf3FRpSG05PprHLeYIQAjLoyw0B9t5h87Dl/tz2SNnF1hg 71lUOSTchBqQDqIyUHSZ+qisyLBk9nyZfj3FhFSl/QS1DmaDpZzFLZMxHHGVLDMK NoMDFJUYncQlaSs++/zH0odDRrNqKqmiDhX6GlIYtg7iSmJPM8x04pckoa2yvmi3 1MUyCi3SLoSDbHF0/NRULNh6xEhLJgqFceFfPOT/i7myQrhFpKlRZX61EQ3XbNCs BwBsUfjGyEWqBica0JIn6c4vbFMaFlwUxqN4y9l0d70Ae4Ub05mCBqxE77uLLljH mdeoG7fnYqXMpMXW0hJPuWi2aHiUYshup2P/CGwXc7evZtsbisxg/ksuq2nh+mRT prHhRAyP4xu9NI8Bcx6Wb0BLg9TclUTPvJwVLKxH1afm0iHD+zzrHsDh8yah9UGg ++wFWRxKX5rIPS+drIOg6DhoHgnH5Fe4FqoeLA5U91XKrTs3gN8PFg9BCky+TxgV bmW1ry6B24SJfc+0z2TnP3M3oiAES+Yr1LJGdtNpPUjwZxohUNbqcoDH5KCQgX+b MSSmNk+C0WZdOmjqZHUgkJZzLpAUkMf4wqfO35PM/SgIeoGZrNt+KYMaxPnJcStU zpppiMs+i1HIdTHsU9eF+BoK6TcfzP8DkXlZA1wYkNcuU06ZepvbAaJVspa/Qoa7 yv7B1ODR5Gp2NykFs3YqyScv50hOam/dGojtvRHC3NCwHeCHpTVQg3KW4ZRDGPNR Rz7wFJrqBFQD+BD0sabCwFL5hi2G6eVj99Bcu5yYYdzcSLpPAcnqiW+KbZTyfCDO sy4PjEPmAt9GEOXXEyEXNDg5mTMumoU8jx8LInN6F5h4KCAamLI9daO7bM+3pU69 mJUiQobsxN0n8X3NsiCCVlqYKqP+2njVQFpVKB4SdkHRcWjLtgqn+AVW20QVosxT kMU/uIy7JM+frv04Pz9TFM6ROzOVmBJhMnqKqxtsBiC0nnxps9gR6I8109Mh/pSG NZfbYZVqgg5Nb96U3RHxjSx91F7ImPfjuJvv0gtj1reuErBUtkmr50z/bcmM5pF0 Pp87Xg1PHS84rQ== Extension name: mof2o3o9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/703CE496AE2B5312

Signatures

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

evil.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\FormatMerge.png => C:\Users\Admin\Pictures\FormatMerge.png.mof2o3o9	evil.exe
File renamed	C:\Users\Admin\Pictures\GetBlock.crw => C:\Users\Admin\Pictures\GetBlock.crw.mof2o3o9	evil.exe
File renamed	C:\Users\Admin\Pictures\ResolveGrant.raw => C:\Users\Admin\Pictures\ResolveGrant.raw.mof2o3o9	evil.exe
File renamed	C:\Users\Admin\Pictures\SyncDismount.raw => C:\Users\Admin\Pictures\SyncDismount.raw.mof2o3o9	evil.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

evil.execmd.exe

description	pid	process	target process
PID 1928 wrote to memory of 640	1928	evil.exe	cmd.exe
PID 1928 wrote to memory of 640	1928	evil.exe	cmd.exe
PID 1928 wrote to memory of 640	1928	evil.exe	cmd.exe
PID 640 wrote to memory of 1000	640	cmd.exe	vssadmin.exe
PID 640 wrote to memory of 1000	640	cmd.exe	vssadmin.exe
PID 640 wrote to memory of 1000	640	cmd.exe	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 468 vssvc.exe
Token: SeRestorePrivilege 468 vssvc.exe
Token: SeAuditPrivilege 468 vssvc.exe
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1000 vssadmin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

description	pid	process
Token: SeBackupPrivilege	468	vssvc.exe
Token: SeRestorePrivilege	468	vssvc.exe
Token: SeAuditPrivilege	468	vssvc.exe

pid	process
1000	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

evil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9zb7f8p11b.bmp"	evil.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

evil.exe

pid process

1928 evil.exe
1928 evil.exe
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

pid	process
1928	evil.exe
1928	evil.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Windows directory 2108 IoCs

Processes:

evil.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..etype-lucidaconsole_31bf3856ad364e35_10.0.15063.0_none_105acb72b1898804_lucon.ttf_76ed00f1	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.15063.0_en-us_2655bd395ad3f038_sens.dll.mui_64739194	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-cn_862002b5f3ade598.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.15063.0_en-us_2fe8c1faaca6f250_samsrv.dll.mui_32250491	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_453845783036acd5.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_et-ee_67d1f793253502c0.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ro-ro_d6a49a3e7445e0ae_bootmgr.efi.mui_be5d0075	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_he-il_404f12a54e01d1c8_comctl32.dll.mui_0da4e682	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-phone_31bf3856ad364e35_10.0.15063.0_none_ec0ee8641d359fdf_windows.ui.xaml.phone.dll_f3375243	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_en-us_7f2aa019e80ba70a_userdeviceregistration.ngc.dll.mui_d2c6ca95	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.15063.0_none_e2c299561290de8e_msasn1.dll_e56dbc57	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.15063.0_none_85ed41598f9336e6.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.15063.0_none_d8c07703ded57c9e.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.15063.0_none_0ea4cb22c39b2f3e_wldap32.dll_09c99dc1	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sl-si_55950d3867c13540_comctl32.dll.mui_0da4e682	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_10.0.15063.0_none_98ae07171eea9e46.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_14df7debb094c606_msimsg.dll.mui_72e8994f	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_1141baa620971e6b_msimsg.dll.mui_72e8994f	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ko-kr_2be6bd0c24508f49_comctl32.dll.mui_0da4e682	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_0f2e55c68b9b08e2_certprop.dll.mui_602eaab4	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_bcd50e80524ea2f0_ucrtbase.dll_a00b9625	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_lv-lv_72e9ed34808e8431_msimsg.dll.mui_72e8994f	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_sr-..-rs_1d6a7473dd864fbc_bootmgfw.efi.mui_a6e78cfa	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_ega40850.fon_5e8f5479	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ngc-kspsvc_31bf3856ad364e35_10.0.15063.0_none_790e90d47316785c.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip-driver_31bf3856ad364e35_10.0.15063.0_none_e90c5eeaeffd537f_tcpip.sys_3339bd51	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_mpsvc.dll_2d2efa15	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_da-dk_2c356fb707873159_memtest.exe.mui_77b8cbcc	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.15063.0_none_c7862ae75f80dbe7.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.15063.0_none_e5fbbfb47ce3ad1f.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-process_31bf3856ad364e35_10.0.15063.0_none_44fadb58fe4497d9.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_sv-se_3d51cb70dfbd2866.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-coresystemminpnp_31bf3856ad364e35_10.0.15063.0_none_25c594c5597fd699.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.15063.0_none_e71b894d9eb700bd_wship6.dll_db4127c3	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fi-fi_f892f9b169daaca2_comctl32.dll.mui_0da4e682	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.15063.0_none_505ddd3c336d55b8.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.15063.0_none_b2b63099374d63dc_windows.ui.xaml.maps.dll_b092594a	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c_bootnxt_07e7ea74	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sr-..-rs_fbc5757cdcd2dc71.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_en-us_6a6c9bb281748302_applockercsp.dll.mui_d2a0df70	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_bebc164cdf01a737.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_10.0.15063.0_none_67eb29450cc6d505_ktmw32.dll_835a43ee	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.15063.0_none_b2b63099374d63dc.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.15063.0_none_d3bbda919a7b39f1_mswsock.dll_e2ad0f2d	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_lt-lt_05f11f02c39a39ea_bootmgfw.efi.mui_a6e78cfa	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-process_31bf3856ad364e35_10.0.15063.0_none_44fadb58fe4497d9_dwm.exe_04cf416e	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-gb_50ad0e299c666e9f.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_cvgafix.fon_c20a9ed9	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.15063.0_none_bcbd1290a09b9a77_iprtrmgr.dll_50f5fe79	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-es_5977f50474c0ba78_comctl32.dll.mui_0da4e682	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_hu-hu_439feb4b4bf29ff6.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_8efb8f901141355a.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_d6f50d621285b042.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ko-kr_ce5152af8ee877a4.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_sv-se_7507d03f69e9add9_bootmgr.efi.mui_be5d0075	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.15063.0_none_69eab77b34fc657e.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-uxtheme_31bf3856ad364e35_10.0.15063.0_none_b6f8740d3f5e547a.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_nb-no_b6e3d3e4670da360.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_da-dk_21e0c564d3266f5e.manifest	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga860.fon_07129997	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-volsnap_31bf3856ad364e35_10.0.15063.0_none_703dcec1da3ef92f_volsnap.sys_d7206f48	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.15063.0_en-us_60ce145177b6c10a_wininit.exe.mui_997435f5	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..rservice-extensions_31bf3856ad364e35_10.0.15063.0_none_dda2d70f5ef170e7_umpoext.dll_fd62cdf4	evil.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_en-gb_5223dd027971150e.manifest	evil.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

evil.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	evil.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	evil.exe

C:\Users\Admin\AppData\Local\Temp\evil.exe
"C:\Users\Admin\AppData\Local\Temp\evil.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Drops file in Windows directory
- Modifies system certificate store
PID:1928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:640