sodinokibi | c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757

General

Target

c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
Size

158KB
MD5

21409a615234a47e7799d1d9a7b3aa56
SHA1

cafee6c61566fa05e6f4caf53e8ddbd4d604a7c9
SHA256

c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757
SHA512

32468ccc092fc9222984c912dc8f0f997d13d0754530ad0b03cefaf76381c3be66cbf1fceb8b8e6f3814b665d9078d5efddc7e9b2e38514bff3d9727d634411d

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\y2fs51o8d0-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion y2fs51o8d0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B7A47843E0E9EE02 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B7A47843E0E9EE02 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: uqgy8VnC8iAgSPTCz2lU363adQkmws0zucgOQoyAifNcXmx/HXByEZZL1gGc5AaU Fl+k/D4ltxMYqRTZ+ER6yieM1a3tfpkOsPsnBswcYUyAOegcSg00sDX108O3cvra 3w1186FgvAj5fPiX4T/Ci9Wo3riY8GE9tIukx3/dtmgJCPXjsuaQZbgRLy6xfvaD e9yadZ9YEV2QUtKwdFO4Eamu7tMM39pkg839mEFjYp9DIIgIhp/TCZq+VJkpSn58 4asoXvJHKhgZ46E5QQr0FD2VTjf506vuccKCZO79NExYz7eYJ2+k1/gPm+pTtVIR FGQsDBGb+NJMgExz/6pM+d5XR4dV5qTwFkpZ1BBHqbp0KAf98AmPbo6z74jzlvox NQ4x2HbI7cLeFmtd870MYtQWnaAoeezZCbCJzRQyNRiAESGm+bD9C3AemI4fJXzW ZAshuRAWCLvIG6ddG+U+r+Mw7A0xLpUIBOSkRflP8NjwY1OnY411zFJ6WAgwZdPr fBtH4Qev9x6jclwlSM5FbfLNju339VqioE70d0hh+fQRms63zPLK6EAPf4P5klA7 2w1uFYN6hmvy1zUrRcDrM/G8N4i67340mWCBsqJGgoKtYSzNy5mGUH1Kjtu9TJgH 2Ki/AHJx6A5LpuAcEY6kpDJ3r9zvmFT6XW7qj9OFSx/Q5L1LfeAecqwhdKVk+5DH NVjMHVB3VfmtQxRfcfoR+MyTKpkhgSjCNZpV6bkE5N5nJM6DMmEjJXR6MjTsCES6 EUuSc/MLsJ+VTQ952iPIIOGqQzHNjr7mRTsn2ToLDWLBl3wBypxQNJSciVfKtYnw qzCptqmPw2tYkeDYHPJx1Q3t7pMF9XeohgRZgGBVicncr67DnKnPF9PPTL8kV96v YsIYusXIt4vFyOBN1jNtsROC0XhV4iY5HIv3gx1Bx/mGgMT5sX+3l4LATBThXV1g VtI2AhWxmqlVA9lKb78lCB0gJUAZJL0GnuThMZtKJQrkNAZKesHoEXJtM+iqq8LB 8ZdC1wQA2dxNaVLtg/G9gTqiZriuGDUgi6j749roW9Dt8a+ucTGKoMNNCdT9aP4U DFY9NansQZbZVQ== Extension name: y2fs51o8d0 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B7A47843E0E9EE02

http://decryptor.top/B7A47843E0E9EE02

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RemoveDeny.tiff	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File renamed	C:\Users\Admin\Pictures\RemoveDeny.tiff => C:\Users\Admin\Pictures\RemoveDeny.tiff.y2fs51o8d0	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File renamed	C:\Users\Admin\Pictures\ResetSkip.crw => C:\Users\Admin\Pictures\ResetSkip.crw.y2fs51o8d0	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

Drops startup file 2 IoCs

Processes:

c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\y2fs51o8d0-readme.txt	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

description	ioc	process
File opened (read-only)	\??\J:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\L:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\P:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\V:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\X:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\Y:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\B:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\F:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\O:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\Q:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\R:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\S:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\E:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\H:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\N:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\W:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\Z:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\A:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\G:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\M:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\T:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\U:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\I:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened (read-only)	\??\K:	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

Drops file in Program Files directory 64 IoCs

Processes:

c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Resources\cursorXBOX_active.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-100.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\y2fs51o8d0-readme.txt	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-black.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200_contrast-white.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Rounded Rectangle.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\Common Files\microsoft shared\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2bb76f1c.pri	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-400.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEX	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\y2fs51o8d0-readme.txt	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectMedTile.scale-200.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireMedTile.scale-100.jpg	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-400.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\SLERROR.XML	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\_Resources\y2fs51o8d0-readme.txt	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-125.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_contrast-black.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_cube.3mf	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\Dust.jpg	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-100.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\sRGB.pf	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-100.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-200.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-40.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\y2fs51o8d0-readme.txt	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\Home-Placeholder.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util.jar	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_2015.7668.58071.0_neutral_~_8wekyb3d8bbwe\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\_Resources\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-36.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\y2fs51o8d0-readme.txt	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxMetadata\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-150.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\y2fs51o8d0-readme.txt	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PeopleAppList.scale-125.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File created	C:\Program Files\Mozilla Firefox\browser\1dbc51d0.lock	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-400.png	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\PesterState.ps1	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1536 vssadmin.exe

pid	process
1536	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

pid	process
3424	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
3424	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3624 vssvc.exe
Token: SeRestorePrivilege 3624 vssvc.exe
Token: SeAuditPrivilege 3624 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3624	vssvc.exe
Token: SeRestorePrivilege	3624	vssvc.exe
Token: SeAuditPrivilege	3624	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.execmd.exe

description	pid	process	target process
PID 3424 wrote to memory of 3500	3424	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe	cmd.exe
PID 3424 wrote to memory of 3500	3424	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe	cmd.exe
PID 3424 wrote to memory of 3500	3424	c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe	cmd.exe
PID 3500 wrote to memory of 1536	3500	cmd.exe	vssadmin.exe
PID 3500 wrote to memory of 1536	3500	cmd.exe	vssadmin.exe
PID 3500 wrote to memory of 1536	3500	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe
"C:\Users\Admin\AppData\Local\Temp\c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3500