sodinokibi | 20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15

General

Target

20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
Size

179KB
MD5

c81b771a8e8762a89b54f69a0d7755af
SHA1

e884e59df82d2a796c2de1e1c6cbd1e491e16e30
SHA256

20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15
SHA512

f2975e6f20bda5c054ea7d4bd385bf9fd52306407a6ae0d01730a340b7bc53582a98e4af4871b01eb5a94c6edfc611014fa17b7e01d7e9150351b5827c99cf2d

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\sbz256p6q-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion sbz256p6q. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30CBA8F5934A73E0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/30CBA8F5934A73E0 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: CFaSgNrdyw8NhfSDrc3pstWD1BsotPDo5SY0nqRLChfZO7jAktP2f+KdpKmJh9KS L2qcT4syTx3nZ680PiOv1zeGJjB8D7xrTGx/lcSvXGPCfbdbXHT5gw9S4aBcQM00 yUFCQjb3BWv0nahLyZqJz2puqtABc2wl+qozt42rZr1DZKsWrp0RoehE5A6HsRU9 vIme4tVhA9XDz2pKMsUuyDyibTmtz1OEXaAinyQngxsVstu9u1HxJfDYu7B1ls6m x1WVLCm1U005S1AShN8nmw7078lBIh6LuhyguO/m5RIpDJWZfpV+wB/zqrl1TMFO o5IydKR0BpR7ipQuQOtQgPy2TkVFzti7YMtkelRMl4GbVW2tf2TxTSG21xGMpVBb MvYcar6cXSAXq+Iy7gMJv3K8/3oOwWvcZZ2d9UFAThuC6s+vZY84ZVVYvypWO5CD nEOVEjkkJff9zDtcp3oCYHsA4mrQY1YrR1ieGAp3mkjr8JcOs1pvDIXJ3afxbdCC zk8NStViJDJV/ioq+6Ak4cMxQaNo+bOV5VmkR7K2bED5uJtwCBOHQmIu1PL1iv5X KB2SWcqmFehariaz1mN571VKLF/uYqPKQgRvpDghmYjs+or6KP0k/n5f7Gx152ak qHpwTWoIg6Xcg4FfUftK4CsG84q9s5svdyrjHIniONHhPSsGTwZMt3P2D6l/mY95 5vUUA+j4Cqjav/xYlMVKSkxDPTNI5JmK61ghri3uSn17aV9BNcJa4ZpW1pksDIWt YjH3gWQ5sRtTwGMhj/oOKF39quCipxFprhu3Jg1GsBuqz1iNynuquKi2oABJxdhi 9mF7Q3a66x79BasjB6xS5I1i3RoULyguW4V4AvCyXtFbnynBw2BEjHvFyqGgGmeL cnuG/j4PDn1HUc4+HggGO+iyn+fY6m2ya++O+7kynO0OJ7p5QNn7+oSZPbYWz6S7 BT5zUCLv/yQfYDWmEGtDTZwLro90+KOU6afDz9nnIpOdS0fgRXzrV3q89e2zyTyR bq/rDU1algXCvzGAE3P3C2zwGgQM3eHR1TIkW0QZkt0DA/qSyyin8FxIoGAzYKVB k71HyLwZRKMEIxpPfflPcVZA9CvV8lgHhwZG6Cs3sQrQ1sgRzo2eUKB6143t1ZN5 DGpeWpPltQc= Extension name: sbz256p6q ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30CBA8F5934A73E0

http://decryptor.top/30CBA8F5934A73E0

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe

description	ioc	process
File opened (read-only)	\??\J:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\M:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\O:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\P:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\V:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\W:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\F:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\G:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\X:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\Z:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\N:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\R:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\T:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\B:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\E:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\L:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\Y:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\D:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\H:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\I:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\Q:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\S:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\U:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\A:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened (read-only)	\??\K:	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe

Drops file in Program Files directory 20 IoCs

Processes:

20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe

description	ioc	process
File created	\??\c:\program files (x86)\sbz256p6q-readme.txt	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\BackupEnable.snd	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\InitializeUpdate.tmp	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File created	\??\c:\program files\sbz256p6q-readme.txt	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\RegisterImport.mht	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\RemoveProtect.vssm	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\SetPublish.cr2	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\HideBackup.aif	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\ImportBlock.vdx	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\OpenStep.3gp	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\ResetCheckpoint.wmx	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\TestInstall.WTV	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sbz256p6q-readme.txt	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\DismountInvoke.otf	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\ExpandPop.dotm	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\ExpandWrite.xltx	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\FormatApprove.html	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\SwitchGrant.xlsb	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\sbz256p6q-readme.txt	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	\??\c:\program files\DenyAssert.ttc	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe

Drops file in Windows directory 64 IoCs

Processes:

20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2403bfdae4c06f52_activeds.dll.mui_67414db4	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-nbsmb_31bf3856ad364e35_6.1.7600.16385_none_bb5f82db11a747df.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e89294b2fdfa6c6f_explorerframe.dll.mui_074caeb5	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_e80fbb8ab24365d6.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5514f8211751b1ec_vdsutil.dll.mui_0caf9b0e	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_th-th_7723bc0307a2c52a.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_69d35b8da4b97527_htui.dll.mui_038c60dd	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-irdaircomm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_840039706a95661d.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6e34804ff1d51125.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_kor-kor.xml_35ecd9ba	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc6e4eb2f75bef81_sti_ci.dll.mui_f0a16278	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3ef6f7dfede59572_appidapi.dll.mui_b6af37bb	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18bebc54f8bc1876.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d03d19912f2e87b9_cliconf.chm_12e2bd62	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_cc2ae7a603d88da8.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_jsmalle.fon_4f77c739	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_th-th_6c5db85765f279c8.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_66df39372ddc410d_odbcjet.chm_2a003207	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_pt-br_ee99ceab3ae3ff86_comdlg32.dll.mui_ac8e62f4	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b0eb241dcc51f079.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_856144d7e24caf0a_mlang.dll.mui_2904864a	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_66a957f5f121da3c_objsel.dll.mui_9b915792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_099b02651e31eb2c_iscsicli.exe.mui_64c0a23c	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_41ae913e62031c5c_memtest.efi.mui_71e15c22	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7601.17514_de-de_1c083148b78fc347_objsel.dll.mui_9b915792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_63097ee7553ecff7_basecsp.dll.mui_04bea7ac	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-uiribbon_31bf3856ad364e35_6.1.7601.17514_none_d102e18929d497cb_uiribbonres.dll_b1ad5a7c	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_269ffdbfc2380290_winbio.dll.mui_7a8d17bd	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_1ea06bbff56ef9c1_bootmgr.exe.mui_c434701f	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2590890fddbcebf_winload.efi.mui_35ee487d	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..pe-malgungothicbold_31bf3856ad364e35_6.1.7600.16385_none_41783c072f347b6d_malgunbd.ttf_6ad5519c	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2ee797247339fb7c_puiobj.dll.mui_b9c0c4d6	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_base_heb.xml_f444f554	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0461a1caf4c48ce6_wmpdui.dll.mui_92411657	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b3867543ec5b9244.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ea79c4c6eb99ea3d_pshed.dll.mui_d7f9a40f	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9335f7a3da9ee7a7.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shacct.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2df3e3ed6ffd20e3.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d1256a4a3c8105f9.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d17bb570ccd9cec0_imageres.dll.mui_3e41dee6	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smbminirdr_31bf3856ad364e35_6.1.7601.17514_none_ddb772a467bcf964.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dcb97024f9925cb8.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cecbfd173661bff0_ndadmin.exe.mui_2e106c3e	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68d891dc840c463a.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3ac8dab2ec7d412b_nsisvc.dll.mui_237a741f	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_7.5.7601.17514_en-us_74a88136fae6c08c.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_76239aafb364e805_rasautou.exe_477abe34	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-852_31bf3856ad364e35_6.1.7600.16385_none_cebe6552fc856926_c_852.nls_bb0fdbcc	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c23ae2f697bdf562.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..-truetype-aparajita_31bf3856ad364e35_6.1.7601.17514_none_d123c185ad71f4d5_aparajbi.ttf_02c81200	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-hardware-policy_31bf3856ad364e35_6.1.7601.17514_none_604653a7c0745b40.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_10ebf64ee4a72787_ntmarta.dll.mui_027ef4fc	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f52607304e593d93_setupapi.dll.mui_bcc172a4	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-ntdll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cede4f0eaa33bc3b.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-core-library_31bf3856ad364e35_6.1.7601.17514_none_b4c7e8f4ae2a1921.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.1.7601.17514_none_ef6d8ddb4eff2674_clusapi.dll_06332635	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991_afd.sys_084af4a8	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-hbaapi_31bf3856ad364e35_6.1.7601.17514_none_b18e5ca4be201fbf_hbaapi.dll_4e36083f	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_643c507363ea9836_comctl32.dll.mui_0da4e682	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53712ba885839443.manifest	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68750ba1329f3c6f_services.exe.mui_86ea5e71	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c4612d3f03b3254c_ndptsp.tsp.mui_5bee9ce3	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_pl-pl_ec45e4073c5a6ba2_comdlg32.dll.mui_ac8e62f4	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1804 vssadmin.exe

pid	process
1804	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe

pid	process
1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1976 vssvc.exe
Token: SeRestorePrivilege 1976 vssvc.exe
Token: SeAuditPrivilege 1976 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1976	vssvc.exe
Token: SeRestorePrivilege	1976	vssvc.exe
Token: SeAuditPrivilege	1976	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 1076	1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe	cmd.exe
PID 1792 wrote to memory of 1076	1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe	cmd.exe
PID 1792 wrote to memory of 1076	1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe	cmd.exe
PID 1792 wrote to memory of 1076	1792	20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe	cmd.exe
PID 1076 wrote to memory of 1804	1076	cmd.exe	vssadmin.exe
PID 1076 wrote to memory of 1804	1076	cmd.exe	vssadmin.exe
PID 1076 wrote to memory of 1804	1076	cmd.exe	vssadmin.exe
PID 1076 wrote to memory of 1804	1076	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe
"C:\Users\Admin\AppData\Local\Temp\20684d3edd9d61bbe0a84559c8e197a02a123e697bc8d05bd9305cf1d3984c15.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1804

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1792-56-0x0000000002240000-0x00000000022DF000-memory.dmp

Filesize
636KB

Download
memory/1792-57-0x00000000022E0000-0x000000000240D000-memory.dmp

Filesize
1.2MB

Download
memory/1792-58-0x0000000000210000-0x000000000022F000-memory.dmp

Filesize
124KB

Download
memory/1792-60-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/1792-62-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1792-64-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1792-63-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1792-61-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1792-59-0x00000000026A0000-0x00000000027A9000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads