sodinokibi | ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397

General

Target

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Size

1.2MB
MD5

8a18fa2696f31992ef9bb3a971724f29
SHA1

5aa9a303eedb9d0a6f0dc5d6c78ccd90b1e6852f
SHA256

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397
SHA512

29739792b87432f7aa065a99bcbe613e91edc3957ea0742f98bc7a3b44773a56b6c49c8b844cd1353b9172c2970c0b07767b8b9ea5157457c8bac2e1b18795e4

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Recovery\rp81h-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion rp81h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0020EED3735AAE05 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0020EED3735AAE05 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: iXEzECXLIJRid3i5wU/mmXePBCRyu8XYkPxS5mjd9OKRF7alcvAHCExEXrIN7WUE wTxR1pNN4dmwMkXC9q2AXL1La+gUXQfV+x+S2yEJHSiGMpeEcPiVN/woCdXkZMfg Nit6ZDP4pfuY0hVPbtjTVAU17ToakBmurhE0ZKHkC90uprF4ZbfElYeS+SykiHd0 C9d6A7pYt3o3PFbfp0ndHSTyjIsmcio1xq7XMnrPUsGRXvW+fxxmKtU26hfi/Vvx ljZ67lPB0KSelxIvEhkC2uKkm9knSMR0OZBZPip+863TxnF1Pw949Wk+ZeMk7yat YKbIArrcXxJAJX7r8UzWK4SC2dJsR/jjc8+4zzvrHwHKsvjeBBhnivaJn3/apKSL 3KfeODQvbnfPatf33FqnDJR2fSy9uQid6uGEzyAWusZU3HaK1mD9N6GDc90z7Yif iZbvVnf8Y+d5FvoTLPIcmkT9dCL9jw+z9MJzZasU2Hy9LHSfm54dH4wdcaZ+rZYD WbH5iXbAG48BepIwgbLbrVlINnQhbxHH9oz3NpH5POi5KP8pvsQPCOoUQR7v9P3I 2+sgq3Ns5jKhsIxNsYqwdpPcx+2F3Dttr3PrmZTAHpPQs9fhPIcJs+JCM5V0EOd9 vXtxZ7iEojmEXYnAhejjUK2aoX0jT9hAWWK4H6o8wJLto6yIWhqzvNMvr2susPjV dwtsn77KbHNdrhlXeSWee6cdOgoRaRef6PANDUjpo20x1wLsZqA+kBOKd1tFu6Ob FnvP20XWSI0egVkQIIxAhVCOILpg9vvhYWpGxK0hXzJJW9/7+H5SOxMZ/6OWCDeB pjcoWpL5WRSI2evVyWkGtyuKXR9xUTw/LUHIPHT1dgPILPdBPfbbQ7gePqBCSsb0 duWBHkJQh9D0e+Lv19lkPqHy5UZYx69fKpYFER+/Ou7con3py03xegnJt7W4UIxM HmKgBMcuQPMWKloPUDCoegvu5f0KQ0cA4MbcWSzurBKdUryemIq8kYH08RWpXmtE o11RGa90O+r1ievOpC9A5BPG5wfheZlWvKNkCcfTb6c/T2cK53e5CnU2quSVYNLY eNJgmgvqH3Pwj1mNLFWeHfOp Extension name: rp81h ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0020EED3735AAE05

http://decryptor.top/0020EED3735AAE05

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.rp81h	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.rp81h	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.rp81h	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRestart.tiff	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.rp81h	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.rp81h	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.rp81h	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
File opened (read-only)	\??\N:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\O:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\P:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\S:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\F:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\G:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\I:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\J:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\T:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\D:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\W:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\Y:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\B:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\H:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\L:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\R:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\A:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\U:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\V:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\X:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\Z:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\E:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\K:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\M:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\Q:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xbi5s0qqg3a.bmp"	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Drops file in Windows directory 64 IoCs

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a7faa65cac325ae1_hdwwiz.cpl.mui_cdafedff	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_it-it_da07c19fed2a5c2c_certenroll.dll.mui_a77d5a29	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_es-es_783d473f4a0142a2_winresume.exe.mui_ff8b5358	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1d0162c550c828a3.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6aad367e92b2a27c_msxml6r.dll.mui_4516d602	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_de-de_eec5a30173304188.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-capi2_31bf3856ad364e35_6.1.7600.16385_none_5803d21d45e2e6dc.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-browseui_31bf3856ad364e35_6.1.7601.17514_none_32ea4b9e4497e627.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-browseui_31bf3856ad364e35_6.1.7601.17514_none_8f08e721fcf5575d_browseui.dll_7a6f3790	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2e452ff3e70e56b2.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tdi-driver_31bf3856ad364e35_6.1.7601.17514_none_c5144dfb4c96036b_tdi.sys_d1537112	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddcb06b06b14a827.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e8b9b6cce3abf5f_ddraw.dll.mui_95b8c3ab	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e6cb80742e82457e_partmgr.sys.mui_b800c491	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_9633e7caefbaf953_scecli.dll_149e0f7b	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_57ecb43cdf43ac54_acledit.dll.mui_5f932ccb	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6b7b4102d6a6798a.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-855_31bf3856ad364e35_6.1.7600.16385_none_cebe20fafc85b609.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-mangal_31bf3856ad364e35_6.1.7601.17514_none_125c068ced09fd34.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2b105891e24eb61.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_70554f7eaa2b7caa_vsstrace.dll.mui_3a1fe238	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7601.17514_none_4dd43f34b0b06f44.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e58ff5baa9a5ab26.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c10af1bed239c523_gpsvc.dll.mui_0c160ac2	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a96db6468fda66c8_scksp.dll.mui_05f14191	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b5fa959a738d6d74_msobjs.dll.mui_d054e07b	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9038f177d74f2f88_mdminst.dll.mui_19a87063	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..sam-win2k.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b42b42d087532bda.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreos_31bf3856ad364e35_6.1.7601.17514_none_83784bb654f0d178_system.ini_96e9118b	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_6.1.7601.17514_none_78875ce737927d27.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-s..ty-cng-keyisolation_31bf3856ad364e35_6.1.7600.16385_none_2a863865442ba065.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f7fe9ec9f7f467dd.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d0b77acd0b184bdb.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16f7dbd4736deb32_pautoenr.dll.mui_9667d15f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_cd9dd16d431d523f_msimtf.dll.mui_e40b8b25	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ce52f37bdc6a3877_aclui.dll.mui_adadbfb7	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f39c285e7fbf22f0_scarddlg.dll.mui_300ae9df	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2327f9833f998849_netiougc.exe.mui_ad7a9e4d	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-hbaapi_31bf3856ad364e35_6.1.7601.17514_none_a739b25289bf5dc4_hbaapi.mof_4e35fdd7	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_oskpred.xml_423830b1	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_24f0d0f9c3af26a9.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7601.17514_es-es_32b8f08dde6f3b12_wmiapres.dll.mui_c1b8803f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1f237cc3876b81ab_bootmgr.exe.mui_c434701f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f73c4ca850777cb_puiapi.dll.mui_e94aeb19	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a547f57d755ff33d_msimsg.dll.mui_72e8994f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_111bacf3e074578c.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aa8c8b00989fc5d5_certcredprovider.dll.mui_b5ad161e	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-irdacoreprotocol_31bf3856ad364e35_6.1.7601.17514_none_ea0c02c127ba16bc.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155_winload.exe.mui_3bc5b827	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e0ac3a3491076c7a_dhcpcsvc6.dll.mui_b45c7567	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bca30fa029c53981_listsvc.dll.mui_27f0fc85	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-international-core_31bf3856ad364e35_6.1.7600.16385_none_459f562ff37206dd_nlscoremig.dll_0ee3acd5	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4008824c98f8edac_dnsapi.dll_c81f5791	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aa60e56750ed0f15.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..s-runtime.resources_31bf3856ad364e35_6.1.7600.16385_it-it_92cb8ba242972046.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smbminirdr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c9fda5ebcaab2f61.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..s-runtime.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b94e880341eb9832.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32_31bf3856ad364e35_6.1.7600.16385_none_3f3d4351a032bf57_advapi32.dll_9512793c	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155_winresume.exe.mui_ff8b5358	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf8114625afc4538_winresume.efi.mui_f412814e	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-raavi_31bf3856ad364e35_6.1.7600.16385_none_a2d43ed8e3097243.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msfs_31bf3856ad364e35_6.1.7600.16385_none_026531e2369d6d42.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_bfab9b4ba5f934f9.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1212 vssadmin.exe

pid	process
1212	vssadmin.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A4DE4279214CB0C85FCB0A13CB3F6DE949E211EF	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A4DE4279214CB0C85FCB0A13CB3F6DE949E211EF\Blob = 0f00000001000000200000003d8c44a04feb2e22566adeabdd39f67da502bb2268502c2b70b2ca00b72aefdc030000000100000014000000a4de4279214cb0c85fcb0a13cb3f6de949e211ef2000000001000000f9020000308202f5308201dda003020102021065067b5bcb96347433b1fc2867ed8e78300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393133303030305a170d3237303432383133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c34ec8e51af6fa1862bb8a689f3c34c8f4fffca4c996128f93e6d2c6ed14f34c1e44115a8e819391ffaa0a56a05f729810aa3a2fa11518c2f6df6e15e17bea0d9a18ec73a6114c855177c482f878c76dd5fd5b76a21ff2b2633d944b7afce93f8ecb63ce1b1d894049d8a09a89f235fee08170134cc5b9cca909ea3a6e12df2f5957c3cd0c5e3ffefd1d77b2c51cf1c278e988af38b0dcd4512758ad1305ca4d5250e4dd8ca24e5866f76e79b4d70e9b1bf9a0aca4be0b1d548230892f18e44833fbe8a2f801aded7414bc45f3c2e85688a37cf2ed8ae56ad68a0aed136b1bc683edcc6bb75fc392c675f2824441b7c0a4fdd8b50538f498b826aa772dd305b30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414b49910b8d23e2fec5b26bfc44ab12aa9d9c95ae3300d06092a864886f70d01010b050003820101009415be7c650e8c56486b7859df4e5f5e44a5fa7a7ea258887eaeca29d1eec4aad2d41c8fd96b5cb4d8002bebd8d340bd18c05ad0418cfdfaa3bce1b72cbf167402013c142a6427a5f7863d13a7ec5ed9e1dcec5876c4554d145db135540a82ac097950045fd2a21b1749785c81d5838fd2032761d5d01333364db71ad05d8d177a07fe0888b9b06e1f8bb04e2b2d773f53b8011eb4d6defc1c01fff93255fa24f9d71e02a775bf6e59924dbe66b0727231f7483a098dd89c92eee33ac45dcdf55f27bc1091713e06f01b08a985608bea6143170a992415d57579c479af10e7da7f33abde66c1928ea061282b274554933afabd763f2111edbca829e5dc3fcc7f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A4DE4279214CB0C85FCB0A13CB3F6DE949E211EF\Blob = 140000000100000014000000b49910b8d23e2fec5b26bfc44ab12aa9d9c95ae3030000000100000014000000a4de4279214cb0c85fcb0a13cb3f6de949e211ef0f00000001000000200000003d8c44a04feb2e22566adeabdd39f67da502bb2268502c2b70b2ca00b72aefdc2000000001000000f9020000308202f5308201dda003020102021065067b5bcb96347433b1fc2867ed8e78300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393133303030305a170d3237303432383133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c34ec8e51af6fa1862bb8a689f3c34c8f4fffca4c996128f93e6d2c6ed14f34c1e44115a8e819391ffaa0a56a05f729810aa3a2fa11518c2f6df6e15e17bea0d9a18ec73a6114c855177c482f878c76dd5fd5b76a21ff2b2633d944b7afce93f8ecb63ce1b1d894049d8a09a89f235fee08170134cc5b9cca909ea3a6e12df2f5957c3cd0c5e3ffefd1d77b2c51cf1c278e988af38b0dcd4512758ad1305ca4d5250e4dd8ca24e5866f76e79b4d70e9b1bf9a0aca4be0b1d548230892f18e44833fbe8a2f801aded7414bc45f3c2e85688a37cf2ed8ae56ad68a0aed136b1bc683edcc6bb75fc392c675f2824441b7c0a4fdd8b50538f498b826aa772dd305b30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414b49910b8d23e2fec5b26bfc44ab12aa9d9c95ae3300d06092a864886f70d01010b050003820101009415be7c650e8c56486b7859df4e5f5e44a5fa7a7ea258887eaeca29d1eec4aad2d41c8fd96b5cb4d8002bebd8d340bd18c05ad0418cfdfaa3bce1b72cbf167402013c142a6427a5f7863d13a7ec5ed9e1dcec5876c4554d145db135540a82ac097950045fd2a21b1749785c81d5838fd2032761d5d01333364db71ad05d8d177a07fe0888b9b06e1f8bb04e2b2d773f53b8011eb4d6defc1c01fff93255fa24f9d71e02a775bf6e59924dbe66b0727231f7483a098dd89c92eee33ac45dcdf55f27bc1091713e06f01b08a985608bea6143170a992415d57579c479af10e7da7f33abde66c1928ea061282b274554933afabd763f2111edbca829e5dc3fcc7f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A4DE4279214CB0C85FCB0A13CB3F6DE949E211EF\Blob = 190000000100000010000000c9003150cf133b4dff067c1a81ff6f420f00000001000000200000003d8c44a04feb2e22566adeabdd39f67da502bb2268502c2b70b2ca00b72aefdc030000000100000014000000a4de4279214cb0c85fcb0a13cb3f6de949e211ef140000000100000014000000b49910b8d23e2fec5b26bfc44ab12aa9d9c95ae32000000001000000f9020000308202f5308201dda003020102021065067b5bcb96347433b1fc2867ed8e78300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303432393133303030305a170d3237303432383133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c34ec8e51af6fa1862bb8a689f3c34c8f4fffca4c996128f93e6d2c6ed14f34c1e44115a8e819391ffaa0a56a05f729810aa3a2fa11518c2f6df6e15e17bea0d9a18ec73a6114c855177c482f878c76dd5fd5b76a21ff2b2633d944b7afce93f8ecb63ce1b1d894049d8a09a89f235fee08170134cc5b9cca909ea3a6e12df2f5957c3cd0c5e3ffefd1d77b2c51cf1c278e988af38b0dcd4512758ad1305ca4d5250e4dd8ca24e5866f76e79b4d70e9b1bf9a0aca4be0b1d548230892f18e44833fbe8a2f801aded7414bc45f3c2e85688a37cf2ed8ae56ad68a0aed136b1bc683edcc6bb75fc392c675f2824441b7c0a4fdd8b50538f498b826aa772dd305b30203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414b49910b8d23e2fec5b26bfc44ab12aa9d9c95ae3300d06092a864886f70d01010b050003820101009415be7c650e8c56486b7859df4e5f5e44a5fa7a7ea258887eaeca29d1eec4aad2d41c8fd96b5cb4d8002bebd8d340bd18c05ad0418cfdfaa3bce1b72cbf167402013c142a6427a5f7863d13a7ec5ed9e1dcec5876c4554d145db135540a82ac097950045fd2a21b1749785c81d5838fd2032761d5d01333364db71ad05d8d177a07fe0888b9b06e1f8bb04e2b2d773f53b8011eb4d6defc1c01fff93255fa24f9d71e02a775bf6e59924dbe66b0727231f7483a098dd89c92eee33ac45dcdf55f27bc1091713e06f01b08a985608bea6143170a992415d57579c479af10e7da7f33abde66c1928ea061282b274554933afabd763f2111edbca829e5dc3fcc7f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

pid process

944 ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1860 vssvc.exe
Token: SeRestorePrivilege 1860 vssvc.exe
Token: SeAuditPrivilege 1860 vssvc.exe

pid	process
944	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	pid	process
Token: SeBackupPrivilege	1860	vssvc.exe
Token: SeRestorePrivilege	1860	vssvc.exe
Token: SeAuditPrivilege	1860	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.execmd.exe

description	pid	process	target process
PID 944 wrote to memory of 1960	944	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe	cmd.exe
PID 944 wrote to memory of 1960	944	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe	cmd.exe
PID 944 wrote to memory of 1960	944	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe	cmd.exe
PID 944 wrote to memory of 1960	944	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe	cmd.exe
PID 1960 wrote to memory of 1212	1960	cmd.exe	vssadmin.exe
PID 1960 wrote to memory of 1212	1960	cmd.exe	vssadmin.exe
PID 1960 wrote to memory of 1212	1960	cmd.exe	vssadmin.exe
PID 1960 wrote to memory of 1212	1960	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
"C:\Users\Admin\AppData\Local\Temp\ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/944-54-0x0000000076571000-0x0000000076573000-memory.dmp

Filesize
8KB

Download
memory/1212-56-0x0000000000000000-mapping.dmp

Download
memory/1960-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads