sodinokibi | a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a

General

Target

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
Size

159KB
MD5

89b21e0bdc3be808c42a82e17372b4c6
SHA1

6a19a7205c51dc59938b0264f173eeb1815ff4e1
SHA256

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a
SHA512

22449634409904eda5f312266afb6f3200e35a1177222be0bc505b6bec2accc5ad3cef3ba43b17c2d2947f6b6f694ba7bc0b3fe825488365565b7972465354b4

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\g1r6cn8-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got g1r6cn8 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A5FA34714DF9BD92 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/A5FA34714DF9BD92 Page will ask you for the key, here it is: EACcvSM32CWobXBJp9crymLpiTToZlWtJdH13TTvJ4WYASXVcrypSxUGk0lTCiHh dTabnJpBAiV24LjYsBpA4pZOcWcg6ReD7Wq5L3fhCN1YzI5Lh0QwTAZdYzJ3VkSF Lvd25DAe7sOLu4BmDvI82RoZEQojzwiCDamNBZQ/eMZTOFdkMenMYCxPS8JjN6eQ LfZtb39WboZ5dU7Y+c7vul60WAQjBxp+k28BPMQeAraflkGN2nxkS+uprsRmmfph 7JJSXYG/73c3lBolCgAWuVlO9H7n0RWAbx8o73jFrOiHqLI05zl+L0/epbZCfws3 jL9yntzNvULdoE2Azwh3fletqHaZhgt4dWlG2eft1ZhCeT8W5DV5mTdZ1JhtJmnL f84sd/OrVbxSWRmODnzQD/U0+jp3/h25ZKrqfGSkAptMUrYFOHfvVN2uX99CgajD 5x6z1UoQ2zmOgkejfG68njd5khDeQvL1kJzZXCAeRvituoDpOu/aB7r/i1EbayTZ AVO/jnJMEqQCZZT2EpC7s+GnpA/+oZiDmSrXvsmiI3DDxny3KkXWO+9PlH/g7UEN LBZsadUMU1H/d/mfGX6JoCNTciPDhEJrApGjbxWKzJbXVo98acJWhbjz4GqAa0Zj 8W+t2aLI4octUjubMMCjAstIbAQqmqwnETbIpe3guXfs0dOYp1IVIIBFordNqur4 LDoNkQrre+INZIltw0Ky2F1MJTbY+Vfu0MQh3XznNjgtJHJn3aw85YiQ3r+aAAAD WnaFht285dl1Ky1vlSiUovyrp/jF1doM6eVnCrb9jQg78ZV4EotyyOYEra/seOMP +HlY8RecVqcr8Id8LeruwNLxahBKbAbZQv7iAhZ+vQRnjJ+/MkJGk1JCARbwMHoY cMcSSVsb91cJ13jAsFkw+00E2roMYAUQacLfS0g9RfCTN1KKgkUczh274UJJhMMJ XiCQmmyLG/zzIBIuhS+iX0L7YZssTHL5Lqh8Sp8PxwY4CskXcTa0+SEym/Ai7Ef/ u4Ky9tyrxl2B+giVJx5sGGm5BtkLPCvlKzrwvTTnwVJGh863CQX5WBKhc0iGd8Z6 YwtQAj4R1fSSzCQgvVtuu/cr

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A5FA34714DF9BD92

http://decryptor.top/A5FA34714DF9BD92

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExitClose.png => C:\Users\Admin\Pictures\ExitClose.png.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\ResolveEnter.tiff => C:\Users\Admin\Pictures\ResolveEnter.tiff.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveEnter.tiff	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromGet.crw => C:\Users\Admin\Pictures\ConvertFromGet.crw.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\PushInitialize.crw => C:\Users\Admin\Pictures\PushInitialize.crw.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\ReceiveRename.png => C:\Users\Admin\Pictures\ReceiveRename.png.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\TestSkip.tif => C:\Users\Admin\Pictures\TestSkip.tif.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeSearch.tiff	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\InvokeSearch.tiff => C:\Users\Admin\Pictures\InvokeSearch.tiff.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\OpenRestore.crw => C:\Users\Admin\Pictures\OpenRestore.crw.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\ReadUndo.crw => C:\Users\Admin\Pictures\ReadUndo.crw.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\EnableClose.raw => C:\Users\Admin\Pictures\EnableClose.raw.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\SuspendGrant.raw => C:\Users\Admin\Pictures\SuspendGrant.raw.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File renamed	C:\Users\Admin\Pictures\SyncLimit.png => C:\Users\Admin\Pictures\SyncLimit.png.g1r6cn8	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

description	ioc	process
File opened (read-only)	\??\E:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\G:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\I:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\P:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\W:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\A:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\L:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\M:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\S:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\T:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\U:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\J:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\N:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\O:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\V:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\X:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\Y:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\Z:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\B:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\F:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\H:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\K:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\Q:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\R:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened (read-only)	\??\D:	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3vv9cbu305p1.bmp"	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

Drops file in Windows directory 64 IoCs

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ec9de4f9127a9ac3.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e531c8a834aefdb9_vsstrace.dll.mui_3a1fe238	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_34a24d8db984d377_appidsvc.dll.mui_6717e231	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_de-de_88976dfcb22dd55c_msxml6r.dll.mui_4516d602	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_6.1.7601.17514_none_3fc218fad10f1ad4_partmgr.sys_fcac898c	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-videoport_31bf3856ad364e35_6.1.7600.16385_none_180f3dba1e158073_videoprt.sys_3ed5b0a0	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c110f4bd66485354.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c464d2bacfbc42a4.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_26cee700b53a673d.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_apphelp.dll.mui_59096153	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bca30fa029c53981_listsvc.dll.mui_27f0fc85	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-862_31bf3856ad364e35_6.1.7600.16385_none_2ade0120b4e1f3b3.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_98db12093f1c71e3_kernel32.dll.mui_c29170cd	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_3ea6d01c34b5cc55.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-font-fms_31bf3856ad364e35_6.1.7601.17514_none_b04d655eff508002.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7600.16385_none_aa5813cb3a17070e_polstore.dll_6cd3e56e	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c42c8a2303da16f1_rasdiag.dll.mui_15cb4ec4	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_be640d0cafcb6896_comctl32.dll.mui_0da4e682	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-daunpenh_31bf3856ad364e35_6.1.7601.17514_none_65eab3ba3a64f6af.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_9ee1491f45855a27.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2e336fbd1d49b11b.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a0e539441d9ce77a_uxtheme.dll.mui_15ce9297	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_85a00075758466ca_bootfix.bin_ee6f205e	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bb0de36cbae98857.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_es-es_616970d2c502550e_dui70.dll.mui_de5f27e2	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..d-bootfix.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f5c532dcc8fdb89b_bootfix.bin_ee6f205e	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_he-il_49429473d09ea38c_comctl32.dll.mui_0da4e682	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sk-sk_3165765b03216fd8.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06dfc9a050d64566.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sk-sk_3158500bccac60ee.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_671c48b9c28e5906.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6f6ef85e234a7943_advapi32.dll.mui_28c7718f	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..d-bootfix.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4d08ffffd9f8bb31_bootfix.bin_ee6f205e	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2945884bb037beb.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_848d9eb0d8a9fb44_dhcpcsvc6.dll.mui_b45c7567	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_33bb1a534004f6c6.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_24ff5a886963291e_mlang.dll.mui_2904864a	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_442e570e6aa0d70c.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_f212a9458fcfdbd5_perfc.dat_f4bd9339	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad_lodctr.exe_b02cefba	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_61e865cf65610452.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ro-ro_33b6644f20ba3abe_comdlg32.dll.mui_ac8e62f4	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mprapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_60de2899d60bf39a.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ef147641e3c9d2c0_sendmail.dll.mui_cbac108c	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_33e993f0490559ab_powrprof.dll.mui_a2448a34	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_44c69dc0653f7644.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b9d7dfd0cf7954f6.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_30bc7fe1e159c5d3_wmiutils.dll.mui_42583eaf	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_69d35b8da4b97527.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appid.sys_fe1d01e3	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_hr-hr_a77de2d787af8188_comctl32.dll.mui_0da4e682	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_caaa36f086983095_ddraw.dll.mui_95b8c3ab	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-installer-service_31bf3856ad364e35_6.1.7600.16385_none_f39e7046aecd86ef.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_6.1.7600.16385_en-us_468dbb8913417112_rpcepmap.dll.mui_349798e1	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_41a82a52123f4af2.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_754bce83add5924d_printui.exe.mui_5e66aade	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3cb61b2fa392838e.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913_sdbinst.exe.mui_258ad624	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_14400aaa57809682.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d16a6a0766330383_puiobj.dll.mui_b9c0c4d6	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_de-de_0edef610009d2270_shell32.dll.mui_19f538b4	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6ace9e67456cc40b_winsockhc.dll_817ccaf3	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_37c1dc5aeeb79d37.manifest	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_de-de_305b8c9d36da5a85_searchfolder.dll.mui_8c30bdaf	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1732 vssadmin.exe

pid	process
1732	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

pid	process
1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 852 vssvc.exe
Token: SeRestorePrivilege 852 vssvc.exe
Token: SeAuditPrivilege 852 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	852	vssvc.exe
Token: SeRestorePrivilege	852	vssvc.exe
Token: SeAuditPrivilege	852	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 1624	1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe	cmd.exe
PID 1864 wrote to memory of 1624	1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe	cmd.exe
PID 1864 wrote to memory of 1624	1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe	cmd.exe
PID 1864 wrote to memory of 1624	1864	a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe	cmd.exe
PID 1624 wrote to memory of 1732	1624	cmd.exe	vssadmin.exe
PID 1624 wrote to memory of 1732	1624	cmd.exe	vssadmin.exe
PID 1624 wrote to memory of 1732	1624	cmd.exe	vssadmin.exe
PID 1624 wrote to memory of 1732	1624	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe
"C:\Users\Admin\AppData\Local\Temp\a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1864-57-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/1864-58-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1864-59-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1864-60-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1864-56-0x0000000002030000-0x00000000020CF000-memory.dmp

Filesize
636KB

Download
memory/1864-61-0x0000000002190000-0x00000000022BD000-memory.dmp

Filesize
1.2MB

Download
memory/1864-62-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/1864-63-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/1864-64-0x0000000002690000-0x0000000002799000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads