Analysis
max time kernel: 147s
max time network: 162s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-01-2022 01:41
Static task: static1
Behavioral task: behavioral1
  Sample: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
  Resource: win10-en-20211208
General
Target: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
Size: 160KB
MD5: 8f22758b941d97d837c65cbd7a113811
SHA1: 93da39be6c6297d464574aa92b2d7fd844e60a3d
SHA256: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2
SHA512: 1c7c4482b13e8fad4c26a939c8b25730fa05a2a8af3655085504b80dd0c3fd3ea75279539521d357693b277a7ea9be73e619ba728249db98188da7bd9104e017
Malware Config
Extracted
C:\rkkxc57f44-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/265519BDCC103C77
http://decryptor.top/265519BDCC103C77
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
File renamed: C:\Users\Admin\Pictures\WaitExit.raw => \??\c:\users\admin\pictures\WaitExit.raw.rkkxc57f44
File renamed: C:\Users\Admin\Pictures\ExportSearch.tiff => \??\c:\users\admin\pictures\ExportSearch.tiff.rkkxc57f44
File opened for modification: \??\c:\users\admin\pictures\ExportSearch.tiff
File opened for modification: \??\c:\users\admin\pictures\InstallUnregister.tiff
File renamed: C:\Users\Admin\Pictures\ExitTrace.png => \??\c:\users\admin\pictures\ExitTrace.png.rkkxc57f44
File renamed: C:\Users\Admin\Pictures\InstallUnregister.tiff => \??\c:\users\admin\pictures\InstallUnregister.tiff.rkkxc57f44
File renamed: C:\Users\Admin\Pictures\SelectSearch.tif => \??\c:\users\admin\pictures\SelectSearch.tif.rkkxc57f44
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
File opened (read-only): \??\Y:
File opened (read-only): \??\Z:
File opened (read-only): \??\A:
File opened (read-only): \??\F:
File opened (read-only): \??\I:
File opened (read-only): \??\J:
File opened (read-only): \??\W:
File opened (read-only): \??\B:
File opened (read-only): \??\U:
File opened (read-only): \??\R:
File opened (read-only): \??\T:
File opened (read-only): \??\X:
File opened (read-only): \??\G:
File opened (read-only): \??\K:
File opened (read-only): \??\M:
File opened (read-only): \??\N:
File opened (read-only): \??\Q:
File opened (read-only): \??\S:
File opened (read-only): \??\V:
File opened (read-only): \??\E:
File opened (read-only): \??\H:
File opened (read-only): \??\L:
File opened (read-only): \??\O:
File opened (read-only): \??\P:
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\33i.bmp"
Drops file in Program Files directory (36 IoCs)
Processes: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
File opened for modification: \??\c:\program files\ReadCompress.jpeg
File opened for modification: \??\c:\program files\SearchCompress.docm
File opened for modification: \??\c:\program files\UndoPublish.cr2
File opened for modification: \??\c:\program files\UnprotectFormat.svg
File created: \??\c:\program files (x86)\microsoft sql server compact edition\rkkxc57f44-readme.txt
File opened for modification: \??\c:\program files\InstallUnblock.mp3
File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\rkkxc57f44-readme.txt
File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\37796a6c.lock
File created: \??\c:\program files (x86)\rkkxc57f44-readme.txt
File opened for modification: \??\c:\program files\UnregisterSelect.pps
File created: \??\c:\program files (x86)\37796a6c.lock
File opened for modification: \??\c:\program files\ExportApprove.php
File opened for modification: \??\c:\program files\MoveSave.001
File opened for modification: \??\c:\program files\OutConvertTo.rmi
File opened for modification: \??\c:\program files\TraceGrant.scf
File opened for modification: \??\c:\program files\CheckpointLimit.avi
File opened for modification: \??\c:\program files\CloseTrace.mid
File opened for modification: \??\c:\program files\EditPing.avi
File opened for modification: \??\c:\program files\RequestPublish.html
File created: \??\c:\program files (x86)\microsoft sql server compact edition\37796a6c.lock
File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\rkkxc57f44-readme.txt
File created: \??\c:\program files\37796a6c.lock
File opened for modification: \??\c:\program files\CompleteUnblock.png
File opened for modification: \??\c:\program files\DenyCompress.gif
File opened for modification: \??\c:\program files\FindUndo.clr
File opened for modification: \??\c:\program files\SearchSkip.odt
File created: \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\37796a6c.lock
File opened for modification: \??\c:\program files\JoinOpen.ppt
File opened for modification: \??\c:\program files\OutImport.doc
File opened for modification: \??\c:\program files\ProtectGroup.zip
File opened for modification: \??\c:\program files\StartCopy.gif
File opened for modification: \??\c:\program files\UninstallUndo.xhtml
File created: \??\c:\program files\rkkxc57f44-readme.txt
File opened for modification: \??\c:\program files\DisableLimit.wps
File opened for modification: \??\c:\program files\MeasureAdd.vbs
File opened for modification: \??\c:\program files\NewStart.ppsm
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid 240: vssadmin.exe
Modifies system certificate store
Processes: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted]
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted]
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted]
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
pid 1308: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
Token: SeBackupPrivilege (pid 568, vssvc.exe)
Token: SeRestorePrivilege (pid 568, vssvc.exe)
Token: SeAuditPrivilege (pid 568, vssvc.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe, cmd.exe
PID 1308 wrote to memory of 368 (pid 1308, process 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe, target process cmd.exe)
PID 1308 wrote to memory of 368 (pid 1308, process 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe, target process cmd.exe)
PID 1308 wrote to memory of 368 (pid 1308, process 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe, target process cmd.exe)
PID 1308 wrote to memory of 368 (pid 1308, process 834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe, target process cmd.exe)
PID 368 wrote to memory of 240 (pid 368, process cmd.exe, target process vssadmin.exe)
PID 368 wrote to memory of 240 (pid 368, process cmd.exe, target process vssadmin.exe)
PID 368 wrote to memory of 240 (pid 368, process cmd.exe, target process vssadmin.exe)
PID 368 wrote to memory of 240 (pid 368, process cmd.exe, target process vssadmin.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe
  "C:\Users\Admin\AppData\Local\Temp\834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1308-54-0x0000000076071000-0x0000000076073000-memory.dmp (Filesize 8KB)