sodinokibi | 600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
22-03-2021 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
Size

118KB
MD5

2e764ef19607b6531a7f07dd25240998
SHA1

181fc4e81bbf08f63965f15b8cb5ceee6f6486cb
SHA256

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31
SHA512

f18199704a6a3c282d48df0e82bbbb49f704575149adfa499e14f2d9e152668b895c75876988b6fa1ef5c0bb98bd300b8399f7ddda456b3ace3473ba92428ce0

Score

10^/10

sodinokibi persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\9h66kzho-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9h66kzho. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E62C1849B07C7E89 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/E62C1849B07C7E89 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 4e3qEqZGvZQtWijNq23YwNdpxu6Qt3MguqRY2V5D8jgJlOea6J59+smXF+V0z0Jo Zz4PuwFDFJzdALPonqffKOiD1iTMCqY/IG7+OtZ6T8kvDJK5jYfS0g5XU6lmB9hj 8DJ8PLn9pjUXGMzmpl3XrhlSt8JLvOvYVAi+9RtlSr+94wlgetAQIjWNd42yjN3u B65F+Shsu13tScFY/E4Tno4JEWq1ooPIUnMpe9WPfJ29lu2AeLr2qsfR8SWvcLV0 EvtzsLVoFtq875YbBCyvAE2asBjtTvy83GUSPI733JnPhDNMC4o7MZnZA3koOj/Z YEIDlcqD1cTmPv64DTVswuKz+VhHoUysi2rb5LFpdnelLZk7W238Ht+GUKLUTTbV 9r0fH7wTVwOHzPGSGk4rWKKj7PuDsPltW1hzlSqejBp/Q8WKw3vgdzuB0zhaJUxC hCStbQx9hxzGUsYOggOOHtcAMxB2jsXSnhH0UIAaIUgD2WJJpquynIBx0KvJ9PX2 w3+b9ZNrb0k0RhSF+D7pxt0EUTtbC6s09QSLbagesQVFHVBbheM75zBnWUGCxCmm 4dLIv2lD/oNprYSR17amzP6HRo6r+mJIxzM7qh7pYlygNcVS/c6Grx1b4bq4qHE7 PynzlHdaEJuBgAoql5t49N3yZY/QccWZafv3uO/P5Q0mQ4rhUwzhEHhAbMrGXOJn 6ZpJpYOWCR5/iDUPZU4HKTLq2YMO9Wx1pbzim0rxjMiCX3JsqPuokdoD02Yb/1AI Ngqn7M3+r7q6xMs9nlKEtrJioAOjJhIvrtNU4QRaonxQygyxzJY4OlMXFl2FH3gP UMhe3KrccBlPvAaFwOOVN8K5KaJTkm3M4H3WgtsBIYWAjb8OYv2aBj3fAov5iR4Q jR8s7cxc5/gs7WtVvEKXcv570Xj6SE1G1XbAao/4CNIxm8uIUK0NpJudwRv1+ZP9 yq5IEOARdgJ5lDgIY3Ft9BWOZ/0PZb6F7FNU2JE1vx39lI+moPbLUSznu/GaRKBH L+yXkFSW/3mh0xaT0mpCnliOr5QPy2c4ZsZlafXzzhbL7Va4EZeR7JXyyIIN60Kw xY5dGNVY5y7Z2I0gJOJpa+ri2n2fs3XrBdqmAjZgUvLowtRoRLpyA2KKAXWWilXJ ySFJX/J2wmWsANiO6G2U6r0grRwkaxUarirp/opLZ5Z4eD7DAGX1yh7KJnHG8rDa AK78bcfri2N7oY7X7A8hkg+J3/Jx6aHEm7selR2mzIdqImVO3MHzjkhrGsTBjBVl OZLuEHhJjY1g+BT7QVBR1QTXI+Y= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E62C1849B07C7E89

http://decoder.re/E62C1849B07C7E89

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AssertAdd.tiff => \??\c:\users\admin\pictures\AssertAdd.tiff.9h66kzho	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File renamed	C:\Users\Admin\Pictures\ConvertDebug.png => \??\c:\users\admin\pictures\ConvertDebug.png.9h66kzho	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\pictures\PopTest.tiff	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File renamed	C:\Users\Admin\Pictures\PopTest.tiff => \??\c:\users\admin\pictures\PopTest.tiff.9h66kzho	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File renamed	C:\Users\Admin\Pictures\LockNew.crw => \??\c:\users\admin\pictures\LockNew.crw.9h66kzho	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\pictures\AssertAdd.tiff	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File renamed	C:\Users\Admin\Pictures\CompareShow.crw => \??\c:\users\admin\pictures\CompareShow.crw.9h66kzho	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File renamed	C:\Users\Admin\Pictures\DisconnectImport.png => \??\c:\users\admin\pictures\DisconnectImport.png.9h66kzho	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File renamed	C:\Users\Admin\Pictures\ExitExport.raw => \??\c:\users\admin\pictures\ExitExport.raw.9h66kzho	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

Drops startup file 3 IoCs

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File created	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\9h66kzho-readme.txt	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\9h66kzho-readme.txt	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1E8NAmhfRO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe"	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\sendto\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\local\microsoft\windows\winx\group3\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\application shortcuts\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\libraries\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\accessories\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessibility\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\windows powershell\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\accessibility\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\winx\group3\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\maintenance\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\burn\burn\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\winx\group1\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\system tools\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\winx\group2\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\maintenance\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\windows powershell\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\pictures\camera roll\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\local\microsoft\windows\winx\group2\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\public\desktop\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\pictures\saved pictures\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\public\accountpictures\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\maintenance\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\accessories\system tools\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\sendto\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\system tools\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\local\microsoft\windows\winx\group1\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\onedrive\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\public\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\accessories\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\administrative tools\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu places\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\accountpictures\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\recent\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\system tools\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\history\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\accessibility\Desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

description	ioc	process
File opened (read-only)	\??\U:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\Z:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\D:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\H:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\N:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\O:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\S:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\V:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\Y:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\A:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\E:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\F:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\Q:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\B:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\K:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\L:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\P:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\R:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\T:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\W:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\G:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\I:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\J:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\M:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened (read-only)	\??\X:	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\72h22etj8y9.bmp"	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

Drops file in Program Files directory 39 IoCs

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

description	ioc	process
File opened for modification	\??\c:\program files\UninstallExpand.xlsx	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\CheckpointUpdate.rm	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\DisableApprove.3gp2	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\GetMerge.ppsx	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\ProtectStart.exe	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\SelectFind.ppt	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\DebugShow.ex_	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\DisableMerge.aiff	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\GroupCompress.ogg	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\OpenSkip.ram	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\ApproveUnprotect.pptm	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\CopyGet.mp4	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\OptimizeBlock.ppsm	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\SetSend.ps1	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\SwitchComplete.inf	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\ShowSelect.dll	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\SkipConnect.3gp2	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\ConnectUnregister.mov	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\DenySelect.mpeg3	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\EnterClose.ico	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\ExpandDeny.mov	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\MountOpen.ppt	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\PushUnprotect.tiff	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\GrantConnect.rtf	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\MeasureClear.ADT	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\RestoreCheckpoint.midi	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\ResumeInstall.mht	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\SaveRemove.xlsx	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\ConvertClose.ps1	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\GetUnpublish.pptx	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\PublishConfirm.wax	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\BackupTrace.wps	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\ExportFormat.xlt	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\OutSearch.aifc	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\MergeWait.dotx	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\OpenSelect.mht	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
File opened for modification	\??\c:\program files\ResizeResume.jfif	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1880 3128 WerFault.exe
2468 3644 WerFault.exe explorer.exe

pid	pid_target	process	target process
1880	3128	WerFault.exe
2468	3644	WerFault.exe	explorer.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exeWerFault.exeWerFault.exe

pid	process
4020	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
4020	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
4020	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
4020	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exevssvc.exeWerFault.exeexplorer.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4020	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
Token: SeTakeOwnershipPrivilege	4020	600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
Token: SeBackupPrivilege	4040	vssvc.exe
Token: SeRestorePrivilege	4040	vssvc.exe
Token: SeAuditPrivilege	4040	vssvc.exe
Token: SeDebugPrivilege	1880	WerFault.exe
Token: SeShutdownPrivilege	3644	explorer.exe
Token: SeCreatePagefilePrivilege	3644	explorer.exe
Token: SeShutdownPrivilege	3644	explorer.exe
Token: SeCreatePagefilePrivilege	3644	explorer.exe
Token: SeShutdownPrivilege	3644	explorer.exe
Token: SeCreatePagefilePrivilege	3644	explorer.exe
Token: SeShutdownPrivilege	3644	explorer.exe
Token: SeCreatePagefilePrivilege	3644	explorer.exe
Token: SeDebugPrivilege	2468	WerFault.exe
Token: SeShutdownPrivilege	3644	explorer.exe
Token: SeCreatePagefilePrivilege	3644	explorer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

explorer.exe

pid process

3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe

pid	process
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe

pid	process
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe

C:\Users\Admin\AppData\Local\Temp\600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe
"C:\Users\Admin\AppData\Local\Temp\600bf6f0e433f87dee2edf79d8480bf7901c4980bed18830a449f18b6ba29e31.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3128 -s 2652
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3644 -s 2044
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.9h66kzho
MD5
ec79f518859150bb1c8765f59f1cc8ef

SHA1
f910ad9ead079e54543a44ad879d7de7a9df3b93

SHA256
340e995098a8683ca0a643e5bd01ef6b18e278ef2a831e594cdc6a56b58656ed

SHA512
bcb404ef1a0e080a827e2bb7a356310676d3eaa090c81f7a222d21903baf7aa8187bc6bc928b52a02d282c26f151d3939d6e28545a529be318b733a55c005c06

Download Submit
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_082cce52\Report.wer
MD5
eed3e312a8a0d62860b9afe99d688a97

SHA1
7401415fe8ad7d3a00c63ed21dc691190c793bdf

SHA256
ea04b4149d6b959b965981a1033040e61f7b86d769a38428e5c912c46d4b4300

SHA512
072a3935bf031ef6548b69826e4fd5c6a516b31a25bd7ee002c61b8a4d090e270a6977794ddff9a757ac994ef50982857a49ba1f3b4ba6ea9c3fd6508f9b0749

Download Submit
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_082cce52\WERCD0A.tmp.WERInternalMetadata.xml
MD5
d2632856e4debc2ab95b30fc7aa7ea70

SHA1
4081640dabc1a56e6d42b9fb9270dfb0a8651b22

SHA256
e2d0b1f120474d6b9b5c5ca5cc5161225db503346c55108f5dc9432fef902850

SHA512
b381ecba735d7910dff4a15a007d24777e931fddea9cd346084136e91e363f6e7bc2db1a96e8488570572463b45490ebd5d14c6d471c9adec605cb838a814b9a

Download Submit
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_082cce52\WERCD29.tmp.csv
MD5
c717fc6d775915bca4bd75b8c8d8dd96

SHA1
c61edaac22b4d058815d96c977e3a069577c1c10

SHA256
82f600f7a534998b5d430143b72ee76c5b2ba4b224cd23a903827b7f4c9be70a

SHA512
c5fd2bcc1dbccfe5242b120a58c1a688feabb93cbb98042e9ad9184e8225e087097fcfd49c3e969ffa9ec07fc157a0d1e1d3a6a3da21aefdd4e9f02b503cbfb7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_082cce52\WERCD3A.tmp.txt
MD5
fc1f7771d3fdd00084d5fa1fcad24e8b

SHA1
d5d4f54fcd9f5d5558a2a97aa5737dfb188b6615

SHA256
e25d4d35490f5bb6f3da7a2854c1734d94df8fe512fafc4c7a61fc44e4ce0ec7

SHA512
d3c548ebd15b4a69f4692e46d2b110fdfea7ee78935dee5df250fcc24dd93412e6f30ff4b71b7dc3d09457dd3542715b44b6206fbe50f2d150181f8584e08389

Download Submit
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_082cce52\WERCE06.tmp.appcompat.txt
MD5
92498bd0d631f63bd29f2ee1a35d8119

SHA1
3c91162cafce68751d5db76e6722ce0f37a8237a

SHA256
b3e6ed61ba854c6a921ffff5e8e8df7458811639d772222a3079173061eb540f

SHA512
f301c03356676d9338273a9ec1aa029e7aa73991a765c52d8881a6eae6d93203326b7f54fb7d5e960343c5f27faacafcd527d5e7bbe3d082186b83f4f66bc3ae

Download Submit
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_082cce52\memory.hdmp
MD5
651b7ce5e630dabde688c6e7b3ed8587

SHA1
73ccc990dc4d6765698fd408a0be6229cb60a0c2

SHA256
fa6c24745a6a3d3eb9f4243279d70d860b4070212cb60d1ff2e70230d723117d

SHA512
da68adf6fcab25e2a53ca3fdc452b4a689ccb5f6434d0230e1aeb83d0daac301354b88f0003a79a757c7ecd98f7b8a7a4af124e9998ebcf76e03350d30670582

Download Submit
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_28cfa8b3d0f0ccca608b49d257b92547f98ab5ba_41822faa_cab_082cce52\minidump.mdmp
MD5
91f06f476afaa36b8778c7d7e5406b9a

SHA1
783335cd653dc01b47d924836b829aae2e06c3b4

SHA256
98362316431a35a96bbb6e0fda0bc1381a2bb7f49d3c4bb3f383e0dd3d74f7c9

SHA512
ae07561bb4bde820ec12053e7fbfab35f44b994fb71f6aab9ddc9c842feed854ef0ffd12f0b5208487ef0fbe1d0ed5c5bf0b85e4f80d2d9e8a348070a0e8c7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAXCDA7.tmp
MD5
0b9adcc4ac6866c855432c482eeb217d

SHA1
d1c8e8b4c04ad73eaab882f73d62dbb547ecc3b1

SHA256
53f81a0b0250613bc91b1fc9d4c24e7aa309e58fa43d2c3cf19f2dcfc4e2bc0e

SHA512
6bdfd82e77dc3ef83f412e41f9f5539d4fa86db756bdac0895d404468109a38baf0d0ba4582e49ae0a72afcfa942ba68cd756aada2cdc638a2ca96e13e9ba9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WERCE06.tmp.appcompat.txt
MD5
92498bd0d631f63bd29f2ee1a35d8119

SHA1
3c91162cafce68751d5db76e6722ce0f37a8237a

SHA256
b3e6ed61ba854c6a921ffff5e8e8df7458811639d772222a3079173061eb540f

SHA512
f301c03356676d9338273a9ec1aa029e7aa73991a765c52d8881a6eae6d93203326b7f54fb7d5e960343c5f27faacafcd527d5e7bbe3d082186b83f4f66bc3ae

Download Submit
memory/1880-2-0x0000024B885F0000-0x0000024B885F1000-memory.dmp

Filesize
4KB

Download
memory/1880-3-0x0000024B885F0000-0x0000024B885F1000-memory.dmp

Filesize
4KB

Download
memory/2468-6-0x00000254EC400000-0x00000254EC401000-memory.dmp

Filesize
4KB

Download