General
Target

d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

Filesize

207KB

Completed

24-01-2022 01:09

Task

behavioral1

Score
10/10
MD5

8af4a97a5a07807277a02eb69a859120

SHA1

c9752d458c840ea4585efcdd16bbb5bf1a05ac44

SHA256

d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424

SHA256

c9e79390acf6245bb7936df92bf7bf560266c262199abb586a5d8f14d320a17a5a8ec3ff97efaeab11a12dc252f2fa2aaa185947faf40620b79a3bd3b4a8d393

Malware Config

Extracted

Path

C:\7x8f6ued-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7x8f6ued. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2377B5A9E37B39BA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2377B5A9E37B39BA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: HMyfPLqTEdUZMnm99Rcb4VP9j1EEUjGOrzIPfgQTHcR5mDrzlWVe8oJNu6PbZ8c/ U1tF/sP9LLtW0Z3UVQm+q5NVOyKH08+if1mXlVDz3tynFXVfD31DVwgqzKB6ZGT2 1N4IiGvMNryyqaUOUNVUkwZooUJO4meHkwoaM8oqsjpzl9mqlVfnQUmBOu741JG6 S4sLlFWMu0xib6vX+ArV8+Z1B23i9EYa1QPElmEO4xy+YeNfA4H78HWwAj5at3bG JEsfUVuCQHWg82yAmJQ1wIvIBsHLzHEiZksrNRxjm/OXO37c7ZqMj/dFsthRIckP UWioIkhOEvN+CBbOlQX32AtznqVKFLNiYVXMOpLO7vPRV9XRpqncckcpi+N47RsL U6/5kCZhFvdZjY2tTbFIib9HCveqjObfsU9f0ZvXSbIMXIKNzE1l8fcGtd7ZbeP+ rTuG0dT8J0yyws5cKLg0pQ2fy9uHFOOpcLHjvk9fzC8FGo3YNaQFJ96a1CkYq3z9 dpZHsIj6h+Hr5VlzU6jEmKcnBUJN/0uKHUtkCcbBtpiCPsTaPXTuyddU+uyTlg0S Tiloyppn1/3ssqBw18QUD6yvV1kffwExvTm4DcjBWVF0vEQvtPjhgDQG4HcFXmsa BG1h79cjCAaSIpvI9zIeZwq4nEh1RKu7hgBVCa8CUFxG2Io0ettXNs9L1w9OqNn6 SAM1ByANauvmUPahCNeNWaXtITLU65JA2hZjwDHjdb1B6UWZ5hIpCCTWjSsUmADr ZiIgVgfGBhGcjYb1bZwqcDhV8xsuCpQ7RXxjMzFn7Zn7iagEd+RV2KIyko3Vkc1X 72BP3NM61DMEM+UXhXeOm/byDjn7V8TIZ37e7piJPBjY1gRaEC89Ae2c3QHmMalN o8HdBQJ+dXqt1LWtPHtg7Y/Bs/1tCs/zZhJDz5SEAdFuJzVbxDySbPoXmZvkaQUI 8GgDqNC02xCDODZvjIzSZhzuyA+xn09zrDsKA8nTky8pI3PmTkYoBlTFhqGx34de +Z0RVsOmj4uVaXOpA2jBo/+j3UsE23cana/MNgFQkJvQFFWdguHB4zUU1CMCeiH5 yJMQTaYjMCuZ2X4GSRW/ivXz5k4m2+42bF/vlO9HYPg5AfM5E/ZvNpNdo+Kg7mPL 6qMLHr6qjtVtTkEvGS0Fpx4QjkZPW3bO5R/bE2pvFlPzhFyJxwNvlHOOYaZybWl/ Pq+99TtfAOfVdFb7QlQJgsLtVExnbNH+DPo0EIO5Spa+QgR0Nqei9lykGZVJwQqp fJ/DUFE6gXMGjYEJ2TaCUZtbFWCbFgw/BF/zYw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2377B5A9E37B39BA

http://decryptor.cc/2377B5A9E37B39BA

Extracted

Family

sodinokibi

Botnet

$2a$10$EWjSpd.R6SAti4bgJBSw9er8oKv3V7/QblFqIXtPzaY2HzBNCquva

Campaign

3178

C2

tinyagency.com

oldschoolfun.net

anthonystreetrimming.com

botanicinnovations.com

thefixhut.com

polymedia.dk

reddysbakery.com

kindersitze-vergleich.de

theapifactory.com

partnertaxi.sk

deschl.net

gw2guilds.org

smartypractice.com

restaurantesszimmer.de

vitavia.lt

advizewealth.com

edelman.jp

fibrofolliculoma.info

zweerscreatives.nl

almosthomedogrescue.dog

charlesreger.com

manijaipur.com

blog.solutionsarchitect.guru

the-virtualizer.com

fairfriends18.de

tennisclubetten.nl

body-armour.online

aarvorg.com

rumahminangberdaya.com

sw1m.ru

macabaneaupaysflechois.com

themadbotter.com

maasreusel.nl

jadwalbolanet.info

advokathuset.dk

walter-lemm.de

securityfmm.com

smhydro.com.pl

citymax-cr.com

solinegraphic.com

abogadoengijon.es

jiloc.com

ziegler-praezisionsteile.de

argenblogs.com.ar

aprepol.com

petnest.ir

wasmachtmeinfonds.at

answerstest.ru

imperfectstore.com

nakupunafoundation.org

Attributes
net
true
pid
$2a$10$EWjSpd.R6SAti4bgJBSw9er8oKv3V7/QblFqIXtPzaY2HzBNCquva
prc
winword
excel
visio
oracle
isqlplussvc
firefox
dbeng50
mspub
xfssvccon
encsvc
dbsnmp
thebat
mydesktopservice
sql
steam
wordpad
infopath
agntsvc
synctime
outlook
ocautoupds
onenote
sqbcoreservice
ocomm
tbirdconfig
thunderbird
msaccess
powerpnt
ocssd
mydesktopqos
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
3178
svc
memtas
mepocs
backup
sophos
sql
svc$
vss
veeam
Signatures 18

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
Impact
Persistence
  • Modifies system executable filetype association
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    TTPs

    Modify RegistryChange Default File Association

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Neshta

    Description

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Description

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Reported IOCs

    pidprocess
    544d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Modifies extensions of user files
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File opened for modification\??\c:\users\admin\pictures\CompleteRestart.tiffd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\users\admin\pictures\PushRemove.tiffd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\users\admin\pictures\StopSet.tiffd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\users\admin\pictures\WatchSet.tiffd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\JoinDeny.crw => \??\c:\users\admin\pictures\JoinDeny.crw.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\users\admin\pictures\ResolveExit.tiffd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\MeasureStep.raw => \??\c:\users\admin\pictures\MeasureStep.raw.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\ResolveExit.tiff => \??\c:\users\admin\pictures\ResolveExit.tiff.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\users\admin\pictures\UnlockCheckpoint.tiffd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\BackupResolve.png => \??\c:\users\admin\pictures\BackupResolve.png.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\InstallConvertTo.raw => \??\c:\users\admin\pictures\InstallConvertTo.raw.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\CompleteRestart.tiff => \??\c:\users\admin\pictures\CompleteRestart.tiff.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\StopSet.tiff => \??\c:\users\admin\pictures\StopSet.tiff.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\PushRemove.tiff => \??\c:\users\admin\pictures\PushRemove.tiff.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\UnlockCheckpoint.tiff => \??\c:\users\admin\pictures\UnlockCheckpoint.tiff.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File renamedC:\Users\Admin\Pictures\WatchSet.tiff => \??\c:\users\admin\pictures\WatchSet.tiff.7x8f6uedd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Loads dropped DLL
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Reported IOCs

    pidprocess
    1588d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    1588d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    1588d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Rund62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\k51299BQXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe"d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Enumerates connected drives
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    File opened (read-only)\??\G:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\I:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\K:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\M:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\N:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\Q:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\U:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\E:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\S:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\T:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\V:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\W:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\X:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\P:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\B:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\J:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\L:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\O:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\Y:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\D:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\A:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\H:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\R:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\Z:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened (read-only)\??\F:d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Drops file in System32 directory
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\System32\CatRoot2\dberr.txtd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Sets desktop wallpaper using registry
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93hmz.bmp"d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Drops file in Program Files directory
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\ConnectMove.ppsmd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\ConvertToMerge.ramd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\PushStart.mp4d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\FindImport.AACd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\PushUse.jfifd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\ResumeSend.crwd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\OIS.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\ielowutil.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\ApproveRead.vssmd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\RevokeSet.m3ud62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\OpenInstall.xlad62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\ieinstal.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MOZILL~1\MAINTE~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmplayer.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File created\??\c:\program files\7x8f6ued-readme.txtd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\PPTICO.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\TestLimit.pptxd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\UnblockBlock.vstmd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File created\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\7x8f6ued-readme.txtd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\WINDOW~1\WinMail.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\StopCheckpoint.pcxd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\RepairEdit.xlsbd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\WINDOW~1\wabmig.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File created\??\c:\program files (x86)\microsoft sql server compact edition\7x8f6ued-readme.txtd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\LockProtect.mp3d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MOZILL~1\UNINST~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\EnterRedo.M2Vd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\RestoreInstall.fond62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmpconfig.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modification\??\c:\program files\UndoSync.mhtd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File created\??\c:\program files (x86)\7x8f6ued-readme.txtd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File created\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\7x8f6ued-readme.txtd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXEd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Drops file in Windows directory
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\svchost.comd62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies registry class
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
  • Suspicious behavior: EnumeratesProcesses
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exepowershell.exe

    Reported IOCs

    pidprocess
    544d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    1520powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exepowershell.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege544d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    Token: SeDebugPrivilege1520powershell.exe
    Token: SeBackupPrivilege1632vssvc.exe
    Token: SeRestorePrivilege1632vssvc.exe
    Token: SeAuditPrivilege1632vssvc.exe
  • Suspicious use of WriteProcessMemory
    d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1588 wrote to memory of 5441588d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    PID 1588 wrote to memory of 5441588d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    PID 1588 wrote to memory of 5441588d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    PID 1588 wrote to memory of 5441588d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exed62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    PID 544 wrote to memory of 1520544d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exepowershell.exe
    PID 544 wrote to memory of 1520544d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exepowershell.exe
    PID 544 wrote to memory of 1520544d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exepowershell.exe
    PID 544 wrote to memory of 1520544d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exepowershell.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
    "C:\Users\Admin\AppData\Local\Temp\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe"
    Modifies system executable filetype association
    Loads dropped DLL
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Local\Temp\3582-490\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe"
      Executes dropped EXE
      Modifies extensions of user files
      Adds Run key to start application
      Enumerates connected drives
      Drops file in System32 directory
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:1520
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:620
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1632
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Impact
        Initial Access
          Lateral Movement
            Privilege Escalation
              Replay Monitor
              00:00 00:00
              Downloads
              • C:\Users\Admin\AppData\Local\Temp\3582-490\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

                MD5

                a055246b0e804eb3a1dda52937f556ef

                SHA1

                6807425e1252f1154664fc8072dde03558ed35fe

                SHA256

                a29f63484f53d2cf832b2bc70d6b66378b87b86221f885d0f43166503d631ef3

                SHA512

                18b2308905d95dff7a2a3e2cd3559325d6e3cfdeb45c48e3fd6df0fdbaee27ea3e191cc344505ad2e32f4136de6c8d2b2bbbac121486002707f1a617e2a49a95

              • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

                MD5

                9e2b9928c89a9d0da1d3e8f4bd96afa7

                SHA1

                ec66cda99f44b62470c6930e5afda061579cde35

                SHA256

                8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

                SHA512

                2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

              • \Users\Admin\AppData\Local\Temp\3582-490\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

                MD5

                a055246b0e804eb3a1dda52937f556ef

                SHA1

                6807425e1252f1154664fc8072dde03558ed35fe

                SHA256

                a29f63484f53d2cf832b2bc70d6b66378b87b86221f885d0f43166503d631ef3

                SHA512

                18b2308905d95dff7a2a3e2cd3559325d6e3cfdeb45c48e3fd6df0fdbaee27ea3e191cc344505ad2e32f4136de6c8d2b2bbbac121486002707f1a617e2a49a95

              • \Users\Admin\AppData\Local\Temp\3582-490\d62240e4e9af350be38acaa7d0fb3d9d99224b5afb73130bfedd1d8ed913a424.exe

                MD5

                a055246b0e804eb3a1dda52937f556ef

                SHA1

                6807425e1252f1154664fc8072dde03558ed35fe

                SHA256

                a29f63484f53d2cf832b2bc70d6b66378b87b86221f885d0f43166503d631ef3

                SHA512

                18b2308905d95dff7a2a3e2cd3559325d6e3cfdeb45c48e3fd6df0fdbaee27ea3e191cc344505ad2e32f4136de6c8d2b2bbbac121486002707f1a617e2a49a95

              • memory/1520-62-0x0000000002462000-0x0000000002464000-memory.dmp

              • memory/1520-59-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

              • memory/1520-63-0x0000000002464000-0x0000000002467000-memory.dmp

              • memory/1520-60-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

              • memory/1520-64-0x000000001B750000-0x000000001BA4F000-memory.dmp

              • memory/1520-65-0x000000000246B000-0x000000000248A000-memory.dmp

              • memory/1520-61-0x0000000002460000-0x0000000002462000-memory.dmp

              • memory/1588-54-0x0000000076151000-0x0000000076153000-memory.dmp