Analysis

max time kernel: 27s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 02-06-2021 05:13

Static task: static1
Behavioral task: behavioral1, sample ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe, resource win7v20210408
Behavioral task: behavioral2, sample ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe, resource win10v20210410

General

Target: ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe
Size: 227KB
MD5: b37073ae26f632e2dacc72c6bdcac77d
SHA1: fc05be408949282741a271ba827037665762187a
SHA256: ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce
SHA512: c5cc4d8707211893b66a1b4bb9ac609789a87e59a0b7fd429b473245e2e9367a3295a42665959a406ea1ed18d969e432a0c3e0830d8771feec19b038498d1e17
Malware Config

Extracted
Path: C:\odt\74we96t-readme.txt (the ransom note the sample dropped; its name is the encrypted-file extension followed by -readme.txt)
Family: sodinokibi
Ransom note URLs (both end in the same victim value, the {UID} of the ransom_template):
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/252E352639CBC4AB
http://decryptor.top/252E352639CBC4AB

Extracted
Family: sodinokibi
7
3
(the two bare values above are unlabelled in this dump and match the pid and sub values given further down)
Domain list (the hosts embedded in the sample's config; with net set to false further down this build does not report to them, and in this family such lists are typically made up of unrelated legitimate sites, so treat the entries as a fingerprint of the build rather than as a blocklist):
sochi-okna23.ru
www.blavait.fr
kamin-somnium.de
geoweb.software
www.drbrianhweeks.com
kombi-dress.com
johnkoen.com
prodentalblue.com
transifer.fr
matteoruzzaofficial.com
jax-interim-and-projectmanagement.com
hawaiisteelbuilding.com
www.kausette.com
www.galaniuklaw.com
www.atma.nl
www.piestar.com
www.kerstliedjeszingen.nl
biodentify.ai
endlessrealms.net
condormobile.fr
www.cxcompany.com
www.cascinarosa33.it
awaitspain.com
ultimatelifesource.com
goeppinger-teppichreinigung.de
apmollerpension.com
pilotgreen.com
universelle.fr
www.letterscan.de
www.maxcube24.com.ua
www.sarahspics.co.uk
www.projektparkiet.pl
initconf.com
www.augen-praxisklinik-rostock.de
levelseven.be
triplettabordeaux.fr
gavelmasters.com
www.voetbalhoogeveen.nl
www.dr-vita.de
www.ebible.co
pinthelook.com
www.omnicademy.com
www.slideevents.be
myplaywin3.com
chatterchatterchatter.com
karelinjames.com
www.cap29010.it
www.voice2biz.com
mrkluttz.com
watchsale.biz
www.rs-danmark.dk
rizplakatjaya.com
moira-cristescu.com
www.mazzaropi.com.br
www.eyedoctordallas.com
morgansconsult.com
michaelfiegel.com
lifeinbreaths.com
acumenconsultingcompany.com
www.singletonfinancial.com
www.bjornvanvulpen.nl
www.publicompserver.de
www.epsondriversforwindows.com
www.ijsselbeton.nl
mercadodelrio.com
lesyeuxbleus.net
uncensoredhentaigif.com
www.deduktia.fi
gsconcretecoatings.com
www.crestgood.com
www.alabamaroofingllc.com
rentingwell.com
mike.matthies.de
www.rechtenplicht.be
almamidwifery.com
drnelsonpediatrics.com
www.pays-saint-flour.fr
thegrinningmanmusical.com
www.mediahub.co.nz
opt4cdi.com
anchelor.com
liepertgrafikweb.at
www.netadultere.fr
tecleados.com
leatherjees.com
elitkeramika-shop.com.ua
www.uci-france.fr
tatyanakopieva.ru
global-migrate.com
hnkns.com
advance-refle.com
mayprogulka.ru
harleystreetspineclinic.com
bilius.dk
trivselsguide.dk
www.guohedd.com
witraz.pl
primemarineengineering.com
www.explora.nl
zorgboerderijravensbosch.nl
parseport.com
kiraribeaute-nani.com
ced-elec.com
deziplan.ru
www.wg-heiligenstadt.de
techybash.com
www.jimprattmediations.com
stitch-n-bitch.com
www.texanscan.org
auto-opel.ro
www.golfclublandgoednieuwkerk.nl
business-basic.de
www.smartmind.net
schluesseldienste-hannover.de
www.hensleymarketing.com
amco.net.au
www.spacebel.be
www.stoneridgemontessori.com
domilivefurniture.com
trevi-vl.ru
kryddersnapsen.dk
sshomme.com
acornishstudio.co.uk
www.profibersan.com
www.arthakapitalforvaltning.dk
hostastay.com
smartworkplaza.com
www.stage-infirmier.fr
altocontatto.net
narca.net
www.reizenmetkinderen.be
bluelakevision.com
www.boloria.de
www.jobkiwi.com.ng
ingresosextras.online
housesofwa.com
rozmata.com
www.web865.com
powershell.su
adterium.com
mesajjongeren.nl
bonitabeachassociation.com
airvapourbarrier.com
www.magnetvisual.com
malevannye.ru
altitudeboise.com
saboboxtel.uk
tetameble.pl
leijstrom.com
valiant-voice.com
www.breakluckrecords.com
www.parentsandkids.com
www.pourlabretagne.bzh
perceptdecor.com
silverbird.dk
vedsegaard.dk
craftingalegacy.com
cp-bap.de
belinda.af
www.matthieupetel.fr
mgimalta.com
medicalsupportco.com
rentsportsequip.com
energosbit-rp.ru
egpu.fr
creohn.de
richardmaybury.co.uk
mahikuchen.com
cmascd.com
www.lgiwines.com
tradenavigator.ch
www.ciga-france.fr
www.schroederschoembs.com
ninjaki.com
ygallerysalonsoho.com:443
flossmoordental.com
avtoboss163.ru:443
maryairbnb.wordpress.com
www.ownidentity.com
vitoriaecoturismo.com.br
carolynfriedlander.com
imagine-entertainment.com
forskolinslimeffect.net
www.beandrivingschool.com.au
www.secrets-clubs.co.uk
unboxtherapy.site
yourhappyevents.fr
www.hotelturbo.de
avis.mantova.it
acb-gruppe.ch
customroasts.com
chris-anne.com
alattekniksipil.com
adaduga.info
qrs-international.com
www.mursall.de
www.cardsandloyalty.com
walterman.es
hepishopping.com
www.animalfood-online.de
tanatek.com
scholarquotes.com
naukaip.ru
asiaartgallery.jp
www.bescomedical.de
speiserei-hannover.de
www.sytzedevries.com
awaisghauri.com
comoserescritor.com
bookingwheel.com
www.betterce.com
andreaskildegaard.dk
studionumerik.fr
www.agora-collectivites.com
11.in.ua
tweedekansenloket.nl
nauticmarine.dk
racefietsenblog.nl
www.aoyama.ac
pazarspor.org.tr
cormanmarketing.com
www.leloupblanc.gr
rhino-storage.co.uk
bd2fly.com
antesacademy.it
janasfokus.com
jlwilsonbooks.com
handyman-silkeborg.dk
www.fskhjalmar.se
goodboyscustom.com
www.kelsigordon.com
www.lovcase.com
julielusktherapy.com
www.ruggestar.ch
slotspinner.com
artcase.pl
lumturo.academy
specialtyhomeservicesllc.com
agrifarm.dk
aquacheck.co.za
mikegoodfellow.co.uk
pxsrl.it
www.springfieldplumbermo.com
www.premier-iowa.com
goodherbalhealth.com
paprikapod.com
www.sjtpo.org
www.invela.dk
curtsdiscountguns.com
victorvictoria.com
www.operativadigital.com
jefersonalessandro.com
site.markkit.com.br
www.berdonllp.com
www.cssp-mediation.org
jmmartinezilustrador.com
optigas.com
xn--billigafrgpatroner-stb.se
rolleepollee.com
johnsonweekly.com
www.der-stempelking.de
www.vipcarrental.ae
diakonie-weitramsdorf-sesslach.de
www.alpesiberie.com
ntinasfiloxenia.gr
skoczynski.eu
www.photonag.com
www.terraflair.de
the-beauty-guides.com
wallflowersandrakes.com
www.3daywebs.com
www.skinkeeper.li
thegetawaycollective.com
www.cac2040.com
jlgraphisme.fr
forumsittard.nl
evsynthacademy.org
imajyuku-sozoku.com
www.craftron.com
gatlinburgcottage.com
www.azerbaycanas.com
otpusk.zp.ua
werkzeugtrolley.net
bulyginnikitav.000webhostapp.com
mediabolmong.com
lookandseen.com
wasnederland.nl
midwestschool.org
casinodepositors.com
fla.se
www.zuerich-umzug.ch
inewsstar.com
billscars.net
www.makingmillionaires.net
tbalp.co.uk
bumbipdeco.site
charlottelhanna.com
www.afbudsrejserallinclusive.dk
www.gta-jjb.fr
landgoedspica.nl
www.brinkdoepke.eu
etgdogz.de
gbk-tp1.de
www.linearete.com
www.thesilkroadny.com
bringmehope.org
justaroundthecornerpetsit.com
www.bcmets.info
www.startuplive.org
www.signamedia.de
graygreenbiomedservices.com
vdolg24.online
eastgrinsteadwingchun.com
modamarfil.com
www.toranjtuition.org
www.theater-lueneburg.de
breathebettertolivebetter.com
bridalcave.com
www.catalyseurdetransformation.com
delegationhub.com
whoopingcrane.com
natturestaurante.com.br
monstarrsoccer.com
alwaysdc.com
mariajosediazdemera.com
duthler.nl
premiumweb.com.ua:443
www.chorusconsulting.net
levencovka.ru
girlish.ae
buerocenter-butzbach-werbemittel.de
www.jayfurnitureco.com
www.mslp.org
www.so-sage.fr
christopherhannan.com
legundschiess.de
molade.nl
thestudio.academy
www.patriotcleaning.net
ivancacu.com
www.frameshift.it
www.lexced.com
dinecorp.com
smartercashsystem.com
akwaba-safaris.com
kellengatton.com
oncarrot.com
sprintcoach.com
www.nrgvalue.com
saberconcrete.com
www.reygroup.pt
hotjapaneselesbian.com
cainlaw-okc.com
speakaudible.com
block-optic.com
oro.ae
epicjapanart.com
yourcosmicbeing.com
teethinadaydentalimplants.com
bubbalucious.com
supercarhire.co.uk
www.leadforensics.com
www.forextimes.ru
iron-mine.ru
fazagostar.co
nbva.co.uk
rsidesigns.com
www.markseymourphotography.co.uk
agencewho-aixenprovence.fr
www.triavlete.com
www.qandmmusiccenter.com
napisat-pismo-gubernatoru.ru:443
wirmuessenreden.com
innovationgames-brabant.nl
concontactodirecto.com
parisschool.ru
donau-guides.eu
nevadaruralhousingstudies.org
ayudaespiritualtamara.com
raeoflightmusic.com
glas-kuck.de
www.aslog.fr
fsbforsale.com
www.selected-minds.de
designimage.ae
www.thiagoperez.com
outstandingminialbums.com
www.fysiotherapierijnmond.nl
www.hvitfeldt.dk
ruggestar.ch
factoriareloj.com
www.palema.gr
cmeow.com
reputation-medical.online
polynine.com
ketomealprep.academy
lisa-poncon.fr
www.brannbornfastigheter.se
111firstdelray.com
signededenroth.dk
www.soundseeing.net
ziliak.com
www.husetsanitas.dk
www.radishallgood.com
latableacrepes-meaux.fr
dcc-eu.com
groovedealers.ru
www.gurutechnologies.net
www.adedesign.com
o2o-academy.com
www.jeanmonti.com
www.janmorgenstern.com
kenmccallum.com
galatee-couture.com
apogeeconseils.fr
www.cops4causes.org
benchbiz.com
zealcon.ae
www.lollachiro.com
www.marcandy.com
www.loparnille.se
www.bruut.online
www.sweetz.fr
teamsegeln.ch
tesisatonarim.com
xrresources.com
interlinkone.com
www.newonestop.com
atelierkomon.com
www.9nar.com
hartofurniture.com
avisioninthedesert.com
proffteplo.com
xn--80abehgab4ak0ddz.xn--p1ai
www.citiscapes-art.com
sachainchiuk.com
jandhpest.com
lattalvor.com
greenrider.nl
www.craftstone.co.nz
wrinstitute.org
triplettagaite.fr
askstaffing.com
teutoradio.de
cc-experts.de
www.chainofhopeeurope.eu
www.mangimirossana.it
www.nieuwsindeklas.be
innervisions-id.com
expohomes.com
www.solidhosting.nl
www.lsngroupe.com
katherinealy.com
www.sololibrerie.it
pureelements.nl
www.tothebackofthemoon.com
frimec-international.es
metroton.ru
affligemsehondenschool.be
clemenfoto.dk
belofloripa.be
www.peninggibadan.co.id
kuriero.pro
magrinya.net
kvetymichalovce.sk
baumfinancialservices.com
www.bmw-i-pure-impulse.com
dennisverschuur.com
www.hospitalitytrainingsolutions.co.uk
www.skyscanner.ro
successcolony.com.ng
www.atrgroup.it
metriplica.academy
mind2muscle.nl
unislaw-narty.pl
www.ilovefullcircle.com
www.baita.ac
bellesiniacademy.org
eventosvirtualesexitosos.com
jollity.hu
www.carmel-york.com
line-x.co.uk
cymru.futbol
www.alharsunindo.com
www.jdscenter.com
livedeveloper.com
encounter-p.net
mollymccarthydesign.com
beauty-traveller.com
www.mundo-pieces-auto.fr
sycamoregreenapts.com
www.luvbec.com
www.dinedrinkdetroit.com
the5thquestion.com
yayasanprimaunggul.org
wyreforest.net
quitescorting.com
yuanshenghotel.com
www.physio-lang.de
innersurrection.com
www.bourchier.org
www.tastevirginia.com
autoteamlast.de
from02pro.com
www.mrcar.nl
www.topautoinsurers.net
andrealuchesi.it
santastoy.store
www.o90.dk
johnstonmingmanning.com
www.glende-pflanzenparadies.de
brighthillgroup.com
biketruck.de
www.opticahubertruiz.com
hom-frisor.dk
richardkershawwines.co.za
weddingceremonieswithtim.com
four-ways.com
fridakids.com
phukienbepthanhdat.com
redctei.co
onesynergyinternational.com
computer-place.de
www.redpebblephotography.com
www.perfectgrin.com
www.drvoip.com
nexstagefinancial.com
www.sbit.ag
geitoniatonaggelon.gr
renderbox.ch
koncept-m.ru
pvandambv.nl
eafx.pro
www.strauchs-wanderlust.info
www.advancedeyecare.com
descargandoprogramas.com
ncjc.ca
drbenveniste.com
pedmanson.com
www.test-teleachat.fr
www.auberives-sur-vareze.fr
fitnessblenderstory.com
hameghlim.com
kosten-vochtbestrijding.be
n-newmedia.de
indiebizadvocates.org
www.kemtron.fr
salonlamar.nl
www.5thactors.com
nourella.com
hiddensee-buhne11.de
lmmont.sk
motocrossplace.co.uk
therapybusinessacademy.com
www.mjk.digital
www.edvestors.org
dantreranch.com
scentedlair.com
achetrabalhos.com
insane.agency
bayshoreelite.com
www.rhino-turf.com
towelroot.co
subquercy.fr
pansionatblago.ru
miscbo.it
www.mazift.dk
azloans.com
www.nginx.com
m2graph.fr
photographycreativity.co.uk
chomiksy.net
www.relevantonline.eu
rapid5kloan.org
www.alltagsrassismus-entknoten.de
ronielyn.com
aidanpublishing.co.uk
www.hawthornsretirement.co.uk
www.bluemarinefoundation.com
marmarabasin.com
bcabattoirs.org
laylavalentine.com
scietech.academy
alaskaremote.com
furland.ru
kroophold-sjaelland.dk
rossomattonecase.it
ykobbqchicken.ca
espaciopolitica.com
www.gardenpartner.pl
www.ikadomus.com
clinic-beethovenstrasse-ag.ch
manzel.tn
www.bratek-immobilien.de
jameswilliamspainting.com
dnqa.co.uk
malzomattalar.com
datatri.be
die-immo-agentur.de
alisodentalcare.com
www.mustangmarketinggroup.com
lyricalduniya.com
martinipstudios.com
traitware.com
www.vapiano.fr
fotoeditores.com
foerderverein-vatterschule.de
suonenjoen.fi
www.simpleitsolutions.ch
www.cleanroomequipment.ie
nepressurecleaning.com
trainiumacademy.com
the-cupboard.co.uk
kartuindonesia.com
www.phoenixcrane.com
www.eksperdanismanlik.com
palmenhaus-erfurt.de
www.janellrardon.com
www.gazelle-du-web.com
diverfiestas.com.es
frankgoll.com
alexwenzel.de
amyandzac.com
www.devus.de
www.dmlcpa.com
sber-biznes.com
cuadc.org
nykfdyrehospital.dk
min-virksomhed.dk
axisoflove.org:443
osn.ro
amelielecompte.wordpress.com
kafkacare.com
www.annenymus.com
vvego.com
www.pharmeko-group.com
www.lassocrm.com
pankiss.ru
motocrosshideout.com
edrickennedymacfoy.com
ceocenters.com
www.muller.nl
bodet150ans.com
bychowo.pl
neolaiamedispa.com
www.1deals.com
kdbrh.com
linkbuilding.life
www.paardcentraal.nl
zinnystar.com
metallbau-hartmann.eu
www.cyberpromote.de
tages-geldvergleich.de
www.druktemakersheerenveen.nl
tieronechic.com
www.advanced-removals.co.uk
richardiv.com
irizar.com
www.hekecrm.com
elliemaccreative.wordpress.com
www.pokemonturkiye.com
boomerslivinglively.com
framemyballs.com
www.jobscore.com
plbinsurance.com
cotton-avenue.co.il
www.buzzneakers.com
2020hindsight.info
protoplay.ca
www.keuken-prijs.nl
barbaramcfadyenjewelry.com
www.catering.com
keyboardjournal.com
gaearoyals.com
log-barn.co.uk
ya-elka.ru
www.anleggsregisteret.no
boyfriendsgoal.site
qwikcoach.com
www.rattanwarehouse.co.uk
circlecitydj.com
activeterroristwarningcompany.com
kryptos72.com
worldproskitour.com
kristianboennelykke.dk
vitormmcosta.com
aheadloftladders.co.uk
burg-zelem.de
5pointpt.com
www.campusce.com
kookooo.com
oraweb.net
pro-gamer.pl
brisbaneosteopathic.com.au
gosouldeep.com
www.mariamalmahdi.com
lovetzuchia.com
liverpoolabudhabi.ae
skolaprome.eu
csaballoons.com
zdrowieszczecin.pl
ikzoekgod.be
imaginekithomes.co.nz
aktivfriskcenter.se
livelai.com
t3brothers.com
webforsites.com
topvijesti.net
paradigmlandscape.com
www.theintellect.edu.pk
akcadagofis.com
entdoctor-durban.com
prometeyagro.com.ua
happycatering.de
volta.plus
skooppi.fi
lagschools.ng
martha-frets-ceramics.nl
easydental.ae
www.rino-gmbh.com
www.yournextshoes.com
georgemuncey.com
turing.academy
rtc24.com
professionetata.com
nalliasmali.net
www.agriturismocastagneto.it
carsten.sparen-it.de
www.nutriwell.com.sg
www.mbuildinghomes.com
www.chatberlin.de
www.olry-cloisons.fr
orchardbrickwork.com
allinonecampaign.com
www.banukumbak.com
charlesfrancis.photos
www.saint-malo-developpement.fr
satoblog.org
www.stathmoulis.gr
www.hoteltantra.com
wineandgo.hu
enactusnhlstenden.com
www.brunoimmobilier.com
www.ufovidmag.com
gratiocafeblog.wordpress.com
fidelitytitleoregon.com
endstarvation.com
thisprettyhair.com
billyoart.com
oportowebdesign.com
www.mondolandscapes.com
krishnabrawijaya.com
thehovecounsellingpractice.co.uk
skyboundnutrition.co.uk
www.tchernia-conseil.fr
babysitting-hk.helpergo.co
globalskills.pt
jalkapuu.net
www.oscommunity.de
www.eurethicsport.eu
www.lidkopingsnytt.nu
ox-home.com
bakingismyyoga.com
bertbutter.nl
www.hinotruckwreckers.com.au
shrinkingplanet.com
mneti.ru
www.masecologicos.com
rarefoods.ro
juergenblaetz.de
www.fanuli.com.au
www.heimdalbygg.no
distrifresh.com
www.adabible.org
eshop.design
artvark.nl
yvesdoin-aquarelles.fr
soncini.ch
molinum.pt
mediogiro.com.ar
www.smartspeak.com
verbouwingsdouche.nl
www.sharonalbrightdds.com
www.pajagus.fr
www.schlagbohrmaschinetests.com
www.mariannelemenestrel.com
sealgrinderpt.com
docarefoundation.org
holocine.de
alcye.com
fbmagazine.ru
www.internalresults.com
www.digitale-elite.de
christianscholz.de
www.skidpiping.de
ludoil.it
c-sprop.com
www.aberdeenartwalk.org
agendatwentytwenty.com
www.ncn.nl
spirello.nl
www.putzen-reinigen.com
dibli.store
www.zumrutkuyutemel.com
leansupremegarcinia.net
www.bendel-partner.de
purepreprod4.com
www.profiz.com
www.electricianul.com
wademurray.com
b3b.ch
randyabrown.com
rubyaudiology.com
pisofare.co
rvside.com
direitapernambuco.com
www.ahgarage.com
iactechnologies.net
www.bagaholics.in
nicksrock.com
awag-blog.de
www.licensed-public-adjuster.com
www.limounie.com
efficiencyconsulting.es
goddardleadership.org
poems-for-the-soul.ch
fta-media.com
bodymindchallenger.com
rename.kz
theboardroomafrica.com
mieleshopping.it
chinowarehousespace.com
jag.me
www.arearugcleaningnyc.com
www.bajova.sk
scotlandsroute66.co.uk
www.birthplacemag.com
alene.co
www.jacquesgarcianoto.com
www.blucamp.com
dentourage.com
stabilisateur.fr
wordpress.idium.no
k-v-f.de
dentalcircle.com
andermattswisswatches.ch
www.the3-week-diet.net
www.sellthewrightway.com
solutionshosting.co.uk
devplus.be
muni.pe
theatre-embellie.fr
www.greeneyetattoo.com
rokthetalk.com
fi-institutionalfunds.com
www.ravage-webzine.nl
www.liveyourheartout.co
www.istantidigitali.com
hostingbangladesh.net
jobstomoveamerica.org
neonodi.be
futurenetworking.com
limmortelyouth.com
dieetuniversiteit.nl
www.g2mediainc.com
bohrlochversicherung.info
rishigangoly.com
pixelhealth.net
www.ilveshistoria.com
www.biblica.com
letsstopsmoking.co.uk
myfbateam.com
greatofficespaces.net
utilisacteur.fr
renehartman.nl
floweringsun.org
sambaglow.com
eatyoveges.com
stanleyqualitysystems.com
bavovrienden.nl
campinglaforetdetesse.com
funworx.de
www.nationnewsroom.com
www.angelsmirrorus.com
centuryvisionglobal.com
www.fixx-repair.com
www.mrmac.com
www.glennverschueren.be
palmecophilippines.com
slotenmakerszwijndrecht.nl
enews-qca.com
agenceassemble.fr
www.buffdaddyblog.com
unexplored.gr
thepixelfairy.com
alnectus.com
www.airserviceunlimited.com
www.angeleyezstripclub.com
www.finsahome.co.uk
ramirezprono.com
angelika-schwarz.com
www.basindentistry.com
k-zubki.ru
www.bluetenreich-brilon.de
omegamarbella.com
dayenne-styling.nl
www.arazi.eus
memphishealthandwellness.com
www.loysonbryan.com
heuvelland-oaze.nl
parksideseniorliving.net
luvinsburger.fr
www.colored-shelves.com
logosindustries.com
animation-pro.co.uk
www.baptistdistinctives.org
spartamovers.com
www.humanviruses.org
dogsunlimitedguide.com
stringnosis.academy
metcalfe.ca
www.fluzfluzrewards.com
baikalflot.ru
www.haus-landliebe.de
www.dierenambulancealkmaar.nl
www.stralsund-ansichten.de
focuskontur.com
corporacionrr.com
www.astrographic.com
aciscomputers.com
www.denhaagfoodie.nl
coachpreneuracademy.com
www.dreamvoiceclub.org
www.sunsolutions.es
www.zwemofficial.nl
mindsparkescape.com
www.ronaldhendriks.nl
fire-space.com
citydogslife.com
cesep2019.com
90nguyentuan.com
taulunkartano.fi
finnergo.eu
www.zaczytana.com
hutchstyle.co.uk
lashandbrowenvy.com
karmeliterviertel.com
littlesaints.academy
xn--80addfr4ahr.dp.ua
iexpert99.com
khtrx.com
ledyoucan.com
www.blueridgeheritage.com
wribrazil.com
ideamode.com
collegetennis.info
banksrl.co.za
www.suitesartemis.gr
rivermusic.nl
nuohous.com
www.penumbuhrambutkeiskei.com
www.schulz-moelln.de
www.precisetemp.com
hm-com.com
annida.it
www.lunoluno.com
broccolisoep.nl
tutvracks.com
aceroprime.com
smarttourism.academy
xn--ziinoapte-6ld.ro
www.jakubrybak.com
cincinnatiphotocompany.org
www.apiarista.de
fascaonline.com
michal-s.co.il
look.academy
xtensifi.com
www.bundan.com
amorbellezaysalud.com
www.cl0nazepamblog.com
catchup-mag.com
www.grancanariaregional.com
louiedager.com
www.itheroes.dk
www.pubcon.com
larchwoodmarketing.com
www.spectamarketingdigital.com.br
arabianmice.com
nvisionsigns.com
advesa.com
oththukaruva.com
bg.szczecin.pl
www.billigeflybilletter.dk
internestdigital.com
www.hypogenforensic.com
kompresory-opravy.com
campusescalade.com
abulanov.com
www.claudiakilian.de
jglconsultancy.com
peppergreenfarmcatering.com.au
latteswithleslie.com
www.welovecustomers.fr
promus.ca
envomask.com
www.switch-made.com
mamajenedesigns.com
www.production-stills.co.uk
riffenmattgarage.ch
eos-horlogerie.com
tzn.nu
www.stressreliefadvice.com
kickittickets.com
tellthebell.website
klapanvent.ru
fann.ru
mindfuelers.com
noda.com.ua
margaretmcshane.com
www.stagefxinc.com
fotoslubna.com
www.sveneulberg.de
lapponiasafaris.com
patassociation.com
www.placermonticello.com
www.sppdstats.com
www.nepal-pictures.com
laaisterplakky.nl
subyard.com
www.factorywizuk.com
www.directique.com
www.onlinemarketingsurgery.co.uk
brownswoodblog.com
nxtstg.org
dentallabor-luenen.de
oexebusiness.com
www.albcleaner.fr
www.domaine-des-pothiers.com
p-ride.live
thenalpa.com
grupoexin10.com
www.haard-totaal.nl
www.silkeight.com
www.queertube.net
cookinn.nl
tramadolhealth.com
globalcompliancenews.com
denverwynkoopdentist.com
www.shortysspices.com
jaaphoekzema.nl
mac-computer-support-hamburg.de
www.acibademmobil.com.tr
leopoldineroux.com
www.a-zpaperwork.eu
www.testitjavertailut.net
go.labibini.ch
ocduiblog.com
daveystownhouse.com
www.mensemetgesigte.co.za
circuit-diagramz.com
davedavisphotos.com
tilldeeke.de
shortsalemap.com
www.onlinetvgroup.com
www.veggienessa.com
buonabitare.com
elex.is
www.hostaletdelsindians.es
happylublog.wordpress.com
www.grafikstudio-visuell.de
jonnyhooley.com
www.pinkxgayvideoawards.com
ddmgen.com
Attributes
net: false (the build is configured not to POST victim statistics to the domain list above)
pid: 7 (affiliate identifier)
prc: mysql.exe (process the sample terminates before encrypting, so the files it holds open can be encrypted)
ransom_oneliner: Image text (string painted onto the generated wallpaper bitmap)
ransom_template: Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub: 3 (sub-affiliate / campaign identifier)
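The ransom_template above is what the sample writes into every <extension>-readme.txt, with {EXT}, {UID} and {KEY} filled in per victim. The script below is an added example, not code from this report or from the sandbox: it compiles the template into a regular expression so that a note recovered from an infected host can be parsed back into those three fields, forces the two {UID} occurrences to agree, and compares the result with the value that ends both URLs in the extracted config. The template text, the extension 74we96t and the UID 252E352639CBC4AB are taken from the report; the character class assumed for each placeholder and the sample key string are assumptions of this example.

```python
"""Rebuild this sample's ransom_template as a matcher and parse a note with it.

Added example, not code from the report or the sandbox. Values taken from the
report: the template text, the extension 74we96t and the UID 252E352639CBC4AB.
Assumed: the character class for each placeholder and the sample key string.
"""
import re

# The ransom_template exactly as the sandbox extracted it (one line, the
# note's newlines flattened to spaces).
TEMPLATE = (
    "Hello dear friend! Your files are encrypted, and, as result you can't use it. "
    "You must visit our page to get instructions about decryption process. "
    "All encrypted files have got {EXT} extension. "
    "Instructions into the TOR network ----------------------------- "
    "Install TOR browser from https://torproject.org/ "
    "Visit the following link: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "Instructions into WWW (The following link can not be in work state, if true, use TOR above): "
    "----------------------------- Visit the following link: http://decryptor.top/{UID} "
    "Page will ask you for the key, here it is: {KEY}"
)

# Assumed shapes: EXT lowercase alphanumerics and UID uppercase hex, as seen in
# this report; KEY is an opaque blob, so it is only required to be non-blank.
FIELD_PATTERNS = {"EXT": r"[0-9a-z]+", "UID": r"[0-9A-F]+", "KEY": r"\S+"}
PLACEHOLDER = re.compile(r"\{(EXT|UID|KEY)\}")


def _literal(text):
    # Escape literal text, but let every whitespace run also match newlines:
    # the on-disk note is multi-line even though the dump is one line.
    return "".join(r"\s+" if chunk.isspace() else re.escape(chunk)
                   for chunk in re.split(r"(\s+)", text))


def template_to_regex(template):
    """Compile a {PLACEHOLDER}-style template into a regex with named groups."""
    parts, seen, pos = [], set(), 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(_literal(template[pos:m.start()]))
        name = m.group(1)
        if name in seen:
            # {UID} occurs twice; a backreference forces both to carry the same value.
            parts.append(rf"(?P={name})")
        else:
            seen.add(name)
            parts.append(rf"(?P<{name}>{FIELD_PATTERNS[name]})")
        pos = m.end()
    parts.append(_literal(template[pos:]))
    return re.compile("".join(parts))


NOTE_RE = template_to_regex(TEMPLATE)


def parse_note(text):
    """Return {'EXT', 'UID', 'KEY'} if the text holds a note built from this template, else None."""
    m = NOTE_RE.search(text)
    return m.groupdict() if m else None


def uid_from_url(url):
    """Last path component of a decryptor URL; both URLs in the config end in the UID."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def render_note(ext, uid, key):
    """Constructed stand-in for a note on disk: placeholders filled, separators on their own lines."""
    text = TEMPLATE.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", key)
    return re.sub(r" (-{5,}) ", r"\n\1\n", text)


if __name__ == "__main__":
    # Extension and UID from this report; the key is a constructed placeholder value.
    note = render_note("74we96t", "252E352639CBC4AB", "aBcD1234+/EfGh==")
    fields = parse_note(note)
    print(fields)
    print("UID matches config URL:",
          fields["UID"] == uid_from_url("http://decryptor.top/252E352639CBC4AB"))
```

Because the regex is derived from the template rather than hand-written, the same routine works for any other build of this family whose ransom_template the sandbox extracted; only the placeholder character classes would need revisiting if a build used a different UID or extension alphabet.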
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files. Every rename below appends the same extension, .74we96t, which is also the prefix of the dropped note name 74we96t-readme.txt.
Process: ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe
File renamed C:\Users\Admin\Pictures\ExpandGroup.tif => C:\Users\Admin\Pictures\ExpandGroup.tif.74we96t
File renamed C:\Users\Admin\Pictures\MountExport.tiff => C:\Users\Admin\Pictures\MountExport.tiff.74we96t
File renamed C:\Users\Admin\Pictures\OutCheckpoint.tiff => C:\Users\Admin\Pictures\OutCheckpoint.tiff.74we96t
File renamed C:\Users\Admin\Pictures\RemoveConvertFrom.raw => C:\Users\Admin\Pictures\RemoveConvertFrom.raw.74we96t
File renamed C:\Users\Admin\Pictures\RevokeDeny.crw => C:\Users\Admin\Pictures\RevokeDeny.crw.74we96t
File renamed C:\Users\Admin\Pictures\UnblockRestore.tif => C:\Users\Admin\Pictures\UnblockRestore.tif.74we96t
File opened for modification C:\Users\Admin\Pictures\MountExport.tiff
File opened for modification C:\Users\Admin\Pictures\OutCheckpoint.tiff

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe
File opened (read-only) on every drive letter except C:, in the order the sandbox recorded them: \??\B:, \??\J:, \??\A:, \??\L:, \??\M:, \??\N:, \??\O:, \??\H:, \??\F:, \??\I:, \??\K:, \??\P:, \??\R:, \??\S:, \??\T:, \??\E:, \??\U:, \??\Q:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:, \??\D:, \??\G:

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a49ld.bmp"
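The signature tables above flatten each IoC into "description ioc process" rows with the process name repeated on every row. The script below is an added example, not part of this report or of the sandbox: it splits such rows on the process name, recovers the appended extension from the renames, the drive letters probed and the wallpaper path from the registry write, and checks that they agree with each other and with the ransom note name from the config. The embedded rows are a constructed excerpt of the report's own tables; the three consistency rules (exactly one extension, C: not probed, wallpaper under the user's Temp directory) are this example's assumptions about what a run of this build looks like.

```python
"""Parse flattened sandbox IoC rows into indicators and cross-check them.

Added example, not code from the report or the sandbox. The rows are a
constructed excerpt copied from this report's tables; the consistency rules
in check() are assumptions of this example.
"""
import re
from collections import Counter

PROCESS = "ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe"

# Constructed excerpt in the report's own flattened layout: every row ends
# with the process name.
SAMPLE_ROWS = " ".join(row + " " + PROCESS for row in [
    r"File renamed C:\Users\Admin\Pictures\ExpandGroup.tif => C:\Users\Admin\Pictures\ExpandGroup.tif.74we96t",
    r"File renamed C:\Users\Admin\Pictures\RevokeDeny.crw => C:\Users\Admin\Pictures\RevokeDeny.crw.74we96t",
    r"File opened for modification C:\Users\Admin\Pictures\MountExport.tiff",
    r"File opened (read-only) \??\B:",
    r"File opened (read-only) \??\D:",
    r"File opened (read-only) \??\Z:",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a49ld.bmp"',
])

RENAME = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
DRIVE = re.compile(r"^File opened \(read-only\) \\\?\?\\(?P<letter>[A-Z]):$")
WALLPAPER = re.compile(r'^Set value \(str\) (?P<key>.+\\Desktop\\Wallpaper) = "(?P<path>.+)"$')


def split_rows(flat, process=PROCESS):
    # The process name delimits rows; this assumes it never occurs inside a
    # path, which holds for the rows in this report.
    return [row.strip() for row in flat.split(process) if row.strip()]


def extract(flat, process=PROCESS):
    """Return the appended extensions, probed drive letters and wallpaper path."""
    extensions, drives, wallpaper = Counter(), set(), None
    for row in split_rows(flat, process):
        if m := RENAME.match(row):
            src, dst = m["src"], m["dst"]
            if dst.startswith(src + "."):          # original name kept, one suffix added
                extensions[dst[len(src) + 1:]] += 1
        elif m := DRIVE.match(row):
            drives.add(m["letter"])
        elif m := WALLPAPER.match(row):
            # The sandbox prints the REG_SZ value with doubled backslashes.
            wallpaper = m["path"].replace("\\\\", "\\")
    return {"extensions": dict(extensions), "drives": drives, "wallpaper": wallpaper}


def check(indicators, note_path):
    """Consistency findings between the parsed rows and the note path from the config.

    An empty list means everything agrees. The rules are this example's
    assumptions about what a run of this build should look like.
    """
    findings = []
    exts = indicators["extensions"]
    if len(exts) != 1:
        findings.append(f"expected one appended extension, saw {sorted(exts)}")
    else:
        ext = next(iter(exts))
        note_name = note_path.rsplit("\\", 1)[-1]
        if note_name != f"{ext}-readme.txt":
            findings.append(f"note name {note_name} does not match extension {ext}")
    if "C" in indicators["drives"]:
        findings.append("C: was probed, contradicting the 'other than C:' drive signature")
    wp = indicators["wallpaper"]
    if wp is not None and "\\AppData\\Local\\Temp\\" not in wp:
        findings.append(f"wallpaper {wp} is not under the user's Temp directory")
    return findings


if __name__ == "__main__":
    ind = extract(SAMPLE_ROWS)
    print(ind)
    print(check(ind, r"C:\odt\74we96t-readme.txt") or "indicators are mutually consistent")
```

The extension and the note name are the two indicators a responder can search for on other hosts; the wallpaper path is only useful as a per-run artefact, since the bitmap name differs between executions.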
Drops file in Windows directory (64 IoCs)
All listed rows are opens for modification under C:\Windows\WinSxS\Backup.
Process: ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.15063.0_none_de38492263599171.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.15063.0_none_de38492263599171_ikeext.dll_3ac4406c
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_10.0.15063.0_none_de44366355bc504a_shsvcs.dll_f8739230
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-version_31bf3856ad364e35_10.0.15063.0_none_2612286889b4755c_version.dll_406ddf44
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmilib_31bf3856ad364e35_10.0.15063.0_none_6a68d3903cfb6ab2.manifest
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_en-us_1390cc3203d04dcf_sdbinst.exe.mui_258ad624
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_da-dk_e9cf62e131074778_bootmgr.efi.mui_be5d0075
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msfs_31bf3856ad364e35_10.0.15063.0_none_b784197455bb2003_msfs.sys_ea96697c
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_bae6f1b1935516b4_fontdrvhost.exe_94bdc76d
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-mx_289be2d20b46e0d6_comctl32.dll.mui_0da4e682
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi32full_31bf3856ad364e35_10.0.15063.0_none_7153f6fb947272a7.manifest
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-sechost_31bf3856ad364e35_10.0.15063.0_none_a32b60693a25b222_sechost.dll_a7bf8aa9
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_33fd71df8d841cd9_bootmgr.exe.mui_c434701f
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_67aabff02c2da9b2.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga950.fon_09ed4d3d
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_848d8c2152ade85d.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.15063.0_en-us_addbd04b6fa954b7_sppsvc.exe.mui_40875a72
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_en-us_59ac98207499c8d3_comctl32.dll.mui_0da4e682
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-comdlg32_31bf3856ad364e35_10.0.15063.0_none_c6c4eadade764d0d_comdlg32.dll_b1ffde97
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_sv-se_7507d03f69e9add9_bootmgfw.efi.mui_a6e78cfa
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..eelawadeeui_regular_31bf3856ad364e35_10.0.15063.0_none_70a7191ccd7e3047.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_fab89c2a8a882a6b_msimsg.dll.mui_72e8994f
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sxssrv_31bf3856ad364e35_10.0.15063.0_none_7199b2a6f00baf63_sxssrv.dll_4cd0c747
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-br_2835cecc79400925_comctl32.dll.mui_0da4e682
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.15063.0_none_cd56dce90e2409c7.manifest
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.15063.0_none_91cc889b9049023b.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atl_31bf3856ad364e35_10.0.15063.0_none_bc3418ff9281264f.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fi-fi_c57ff9d901ccef55_comctl32.dll.mui_0da4e682
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..wmanager-compositor_31bf3856ad364e35_10.0.15063.0_none_16962c30782ca7e5.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ja-jp_887ce05731dfc833.manifest
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid_31bf3856ad364e35_10.0.15063.0_none_72b493d71f56c769_appidapi.dll_affa6810
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5f76fb5d5934b9cf_winipsec.dll_abfff1a2
File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_en-us_96a997d1296ad733_mprdim.dll.mui_11b5ef08
File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_453845783036acd5_msimsg.dll.mui_72e8994f
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_10.0.15063.0_none_e819281ea9bc03bf_axinstsv.dll_ebc2b91e
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directmanipulation_31bf3856ad364e35_10.0.15063.0_none_5e2ff11ada5cd7a4.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pt-br_59d1ffcc04432003_msimsg.dll.mui_72e8994f
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc_31bf3856ad364e35_10.0.15063.498_none_008383882272dab0.manifest
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sk-sk_0ed5b4a952aaf957.manifest
ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-mx_704919a91fc309dc_comctl32.dll.mui_0da4e682 ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_030818d8b79b4c05.manifest ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d2d_31bf3856ad364e35_10.0.15063.0_none_c3056a4fc9207495.manifest ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_en-us_a159cef78915f1d9_comctl32.dll.mui_0da4e682 ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-driver_31bf3856ad364e35_10.0.15063.0_none_780221c56ec53292.manifest ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.15063.0_none_dcc6defb6a563ec2_wshtcpip.dll_7ee2ca52 ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ko-kr_f8d3bd33bc42d1fc_comctl32.dll.mui_0da4e682 ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-br_2835cecc79400925.manifest 
ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_en-us_a2d137bdfba7a703.manifest ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.15063.0_none_781ef03933a1cb3c_bootvhd.dll_c136fd9e ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_eb8784774de6a9ad_iscsiconnection.cdxml_1f2347b5 ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-e..storage-classdriver_31bf3856ad364e35_10.0.15063.0_none_6f036e8ca54f9cc4.manifest ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.15063.0_none_0ecb907c70c8a1bf_netlogon.dll_90e0458e ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rpc-local_31bf3856ad364e35_10.0.15063.0_none_cf6322a2b243cac2_rpcrt4.dll_5aa847dd ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_fc9c46454adb8ec6_drvinst.exe.mui_e88f4c73 ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4.manifest 
ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-raspppoe_31bf3856ad364e35_10.0.15063.0_none_67475d59d366927c_raspppoe.sys_5bc9d88d ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_de-de_c555f926322a28c7.manifest ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fi-fi_0d2d30b01649185b.manifest ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.15063.0_none_f45c2ae3bf507218_advapi32.dll_9512793c ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_nb-no_5c26751810f1e40b_comctl32.dll.mui_0da4e682 ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.15063.0_none_c711bce2d4fc5c72.manifest ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..turalauthentication_31bf3856ad364e35_10.0.15063.0_none_04ced512d82feb94.manifest ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c_cis.scp_0303a193 
ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 3004, process vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
- pid 3952, process ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe (12 identical entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- description Token: SeBackupPrivilege, pid 1112, process vssvc.exe
- description Token: SeRestorePrivilege, pid 1112, process vssvc.exe
- description Token: SeAuditPrivilege, pid 1112, process vssvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
- description PID 3952 wrote to memory of 192, pid 3952, process ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe, target process cmd.exe (3 identical entries)
- description PID 192 wrote to memory of 3004, pid 192, process cmd.exe, target process vssadmin.exe (3 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ed6a1ed68b174317a010ce5ce54c5e7a865e11ddbf44ab46655dab99cbcb7fce.bin.sample.exe"
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952
-
  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - Suspicious use of WriteProcessMemory
  PID:192
  -
    C:\Windows\SysWOW64\vssadmin.exe (depth 3)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
    PID:3004
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1112
Network
MITRE ATT&CK Enterprise v6
Downloads
-
memory/192-120-0x0000000000000000-mapping.dmp
-
memory/3004-121-0x0000000000000000-mapping.dmp
-
memory/3952-114-0x0000000000400000-0x00000000004EA000-memory.dmp
Filesize 936KB
-
memory/3952-115-0x0000000000720000-0x0000000000743000-memory.dmp
Filesize 140KB
-
memory/3952-118-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
Filesize 4KB
-
memory/3952-117-0x0000000000A90000-0x0000000000A91000-memory.dmp
Filesize 4KB
-
memory/3952-119-0x0000000000AF0000-0x0000000000AF6000-memory.dmp
Filesize 24KB