sodinokibi | 139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

General

Target

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Size

157KB
MD5

b488bdeeaeda94a273e4746db0082841
SHA1

5dac89d5ecc2794b3fc084416a78c965c2be0d2a
SHA256

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548
SHA512

2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Score

10^/10

sodinokibi persistence ransomware spyware

Malware Config

Extracted

Path

C:\odt\62n690ip3.info.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 62n690ip3 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7E4CE5FC33369BBF Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/7E4CE5FC33369BBF Page will ask you for the key, here it is: IQWTTIX3GXJa+DY3YSd0SuARrD99Z1BviT/LijIzyB4sKz1yX01EqH9uLuXPeo8M l8uzw+ODCFrhdkgPQ2Ab4qVNk2hbEd6T0li2mGGlWvcaGLVMyaZFWnkAedI1NAfa GAHKtEEMrYa5YbZAJpm3e72fh/r+T3EBu4/Y6lDg5Bd/6bT0aLayaY0Au3CRtpWG pBBi5bknC2Kv8xiYyxnNexU4duXeIDPoACsh52guZp7KvFh3xrIMddwdBLmH9vMr iuIfIpZHGFXl0Hxn0B5/QeOFFnQnAFK1Bbwah3hczDAscL2+pGvtLyQ3sHtDJRUl N1VEY5ogQI8DvYyMHcLpB8CdCmUkbw7av9Np2jB6v/R9GkzuekXWrKuVGNC5cdXs oy5pPCfZFXyzPx05ir7BN+p9znXR/ptkNzSglpf3uW04hMyzejAQex91Jmh4AKCj eKlHJWOOLqvcejR0G8VJdynlVWGXf3UuxveHFqSx+AeCATsdgRplpELoyDjOou+f Af1WRzMIGxOgVy8UuU+h2K0PIMvKHjErst0W+EpPT0MgMQGnbfB5xWvO4wF5eYS7 IQmPaiG3g4ZN4B6YYU86IBD3RFiupke8deA8vFNh/xsjA4+PL5b1psLN5yYVIGwi 2V6tqJDOgijwpZQmDx2iDKx4wCNuUrJBtc05puSq8e3e4DxdIDBxbWJxQRSL4tos ncvz3cCd9wehVxV/ZuzTjCeCdJtxplgBVBmcHHwQnPdjm1i72/I3kz8HFJ3CENCo mQHF12dawGWVvI7t0NijdCdn/Y8Ot94sbHkIUqrAlkFbQCubScMR+lcF1oLenX0P lxFWUC/q696BPDiHRIu6TcimjygH/Ua5YXYOdyT408PyBSg2mmoCq9eCTFkpSbDU hfdTn/dGH7ZufXQuEtfsr0VEaKsRL+nsGRMcrmgsajVGDDe7R0o1xRm3qaeHCNkt p3bU1ZYXyr+88f54W4VyliR+K6oupT9FRMAepdhLNQKnxUpnA2cl1cvnfLBp84CG buF12m+h16sR84VV5rCUXN4b3GEBIpEKYSguyKXSp6q5GHxnYhJMgtLt2or4xFDU QZbta3OtTNA=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7E4CE5FC33369BBF

http://decryptor.top/7E4CE5FC33369BBF

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BackupMeasure.tiff	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File renamed	C:\Users\Admin\Pictures\BackupMeasure.tiff => C:\Users\Admin\Pictures\BackupMeasure.tiff.62n690ip3	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File renamed	C:\Users\Admin\Pictures\EnableWait.crw => C:\Users\Admin\Pictures\EnableWait.crw.62n690ip3	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File renamed	C:\Users\Admin\Pictures\RequestTest.raw => C:\Users\Admin\Pictures\RequestTest.raw.62n690ip3	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File renamed	C:\Users\Admin\Pictures\SubmitCopy.crw => C:\Users\Admin\Pictures\SubmitCopy.crw.62n690ip3	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File renamed	C:\Users\Admin\Pictures\SwitchProtect.png => C:\Users\Admin\Pictures\SwitchProtect.png.62n690ip3	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
File opened (read-only)	\??\A:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\I:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\R:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\Z:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\J:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\N:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\O:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\Y:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\Q:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\T:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\U:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\V:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\H:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\L:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\M:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\P:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\W:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\D:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\K:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\S:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\X:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\B:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\E:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\F:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened (read-only)	\??\G:	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8396ypa34wu3f.bmp"	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Drops file in Windows directory 2108 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.15063.0_none_045020d08f3a6d43_wldap32.dll_09c99dc1	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-twinapi_31bf3856ad364e35_10.0.15063.0_none_cc71085d9f6d2948.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ko-kr_2be6bd0c24508f49_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_da-dk_807d2d131bd7ab27.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.15063.0_none_722119dd79a37b23.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..eelawadeeui_regular_31bf3856ad364e35_10.0.15063.0_none_70a7191ccd7e3047.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_10.0.15063.0_none_fb51a18514e4621f.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_lv-lv_9d6c57b8ade8de89_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.15063.0_none_10f67b1bc734d81b_sxsoa.dll_cb87188c	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.15063.0_none_09f516f85c9523f2_bcrypt.dll_e2f091ac	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.15063.0_none_39373b181fd15f6d_gpsvc.dll_970be02b	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_f71c2ad88cd00633.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_c53b9c03c7b5d8af_fontsub.dll_367a1189	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_et-ee_9ae4f76b8d42c00d.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.15063.0_none_d802f55807fa1ec7.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_bd795ffe59ae326d_vds.exe.mui_2268d934	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_en-us_d84575ef7f0e3162_rasauto.dll.mui_12fa2c50	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_zh-tw_35d482afdcce483a_memtest.exe.mui_77b8cbcc	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.15063.0_none_7bfeabd9337d55a1_vds_ps.dll_fed45dfd	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_nb-no_14793e40fc75bb05_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ro-ro_6d5264705f16445d_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_ko-kr_a48bffd7a7f2582e.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shcore_31bf3856ad364e35_10.0.15063.0_none_e1dc608f8e651b89.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_en-us_692cd2ccf2f68bd9.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_en-us_a159cef78915f1d9_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directmanipulation_31bf3856ad364e35_10.0.15063.0_none_5e2ff11ada5cd7a4_directmanipulation.dll_07c179b4	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-br_d3ee117064ef8f57_memtest.exe.mui_77b8cbcc	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fr-ca_3c52ec2480e76006.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5522510b24d3f7d4_ipsecsvc.mof_713662d2	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.15063.0_none_f39dd1f571ccd621_memtest.exe_01d80391	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_he-il_e2b9a848b899ba23_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ru-ru_b767e6d3720d3033_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sl-si_55950d3867c13540_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rdbss_31bf3856ad364e35_10.0.15063.0_none_6ae8b1059a3828fc_rdbss.sys_f97a2535	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_e5db677400777894_mofd.dll.mui_793ef98d	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_d4cfe0dc645eff33.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-acpiex_31bf3856ad364e35_10.0.15063.0_none_45de7edd11c7c1ce_acpiex.sys_6a8b9aed	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_s8514oem.fon_304f98b5	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msxml60_31bf3856ad364e35_10.0.15063.0_none_9981d57bcfa52887_msxml6r.dll_d8460bdb	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.15063.0_none_ca38bcecc16963b9.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ru-ru_a2cdafd4c59ec47a_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.15063.0_none_19203acea52963ba.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-us_fc172dc3df31b12e_msimsg.dll.mui_72e8994f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_5b9d9831c6538b40.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_fr-fr_43dca1da7c0ef9e0_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_da-dk_c82a63ea3053d42d.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_10.0.15063.0_none_22f6ec0bb529250e_httpprxc.dll_53471021	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_10.0.15063.0_none_f2afecc4f33e49fb.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.15063.0_none_bcd50e80524ea2f0.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_mprtp.dll_0827df93	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.15063.0_none_be8221ec6a07dad4_powrprof.dll_480be757	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ro-ro_b4ff9b4773926d63.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_cs-cz_84a6e53ddce0735f_memtest.efi.mui_71e15c22	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.15063.0_none_8c9a5ae0c87057ba.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_pl-pl_d3bf5352148cac82_bootmgr.exe.mui_c434701f	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_es-mx_fe19784dddec867e.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_j8514sys.fon_cfb116c0	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..ependencyminifilter_31bf3856ad364e35_10.0.15063.0_none_3b66d324c049b96f.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_ega40737.fon_5e5746b1	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_bg-bg_3839d6513809d2fd_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_el-gr_263eefe20cc3684f_comctl32.dll.mui_0da4e682	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_sv-se_7507d03f69e9add9.manifest	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga865.fon_08a7fd42	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.15063.0_none_d3bbda919a7b39f1_mswsock.dll_e2ad0f2d	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3816 vssadmin.exe

pid	process
3816	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb42000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0400000001000000100000001b31b0714036cc143691adc43efdec18030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b402340b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 19000000010000001000000082218ffb91733e64136be5719f57c3a10f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb40400000001000000100000001b31b0714036cc143691adc43efdec182000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 5c0000000100000004000000001000000400000001000000100000001b31b0714036cc143691adc43efdec18030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b402340b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df119000000010000001000000082218ffb91733e64136be5719f57c3a12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

pid	process
656	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
656	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 536 vssvc.exe
Token: SeRestorePrivilege 536 vssvc.exe
Token: SeAuditPrivilege 536 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	536	vssvc.exe
Token: SeRestorePrivilege	536	vssvc.exe
Token: SeAuditPrivilege	536	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.execmd.exe

description	pid	process	target process
PID 656 wrote to memory of 3196	656	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 656 wrote to memory of 3196	656	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 656 wrote to memory of 3196	656	139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe	cmd.exe
PID 3196 wrote to memory of 3816	3196	cmd.exe	vssadmin.exe
PID 3196 wrote to memory of 3816	3196	cmd.exe	vssadmin.exe
PID 3196 wrote to memory of 3816	3196	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
"C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3196