sodinokibi | ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397

General

Target

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Size

1.2MB
MD5

8a18fa2696f31992ef9bb3a971724f29
SHA1

5aa9a303eedb9d0a6f0dc5d6c78ccd90b1e6852f
SHA256

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397
SHA512

29739792b87432f7aa065a99bcbe613e91edc3957ea0742f98bc7a3b44773a56b6c49c8b844cd1353b9172c2970c0b07767b8b9ea5157457c8bac2e1b18795e4

Score

10^/10

sodinokibi ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\odt\p9836f4476-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion p9836f4476. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/72872CA1B3B79513 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/72872CA1B3B79513 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: kLFBkfxNlYjw+GwTJnIboHIdiTc/R2ux0gHiS3mDceOJN6Kh79KeHEaKTAzloH2J 9YzO682UeV8U4rjMozkRcwh1Jv9JqNr+jrHGHODnl8xsnDViRdMzAWcio3uenf/Z DqiKccXwsYMkLcwHei5yhsJkXpaTmSRoVsTmclkuQmMs+zNKkc10GGzQwYEblNIK Fh+Rb3RftzE67YTuAte6dYnjEQvcG8Sm6J3PZXe/wRZ5IrTK65w+/ROBcmE01V7D PaSVcSngaJGuyufy8lW0eb52vViecF4+RBaJQz7Lmo5ZohJN8keQmgwzA6xL8URs pShl1pRT1DrILjFro1O95Z1zcxzIL4zLs2D62FgDUfbzG8vDnuazYpCltYBRnKkZ 3FTV59PZHARzJjZ0It8r+TCLgCWEeIQg056e01p6iqigYjMZnDGXKRtTivlPOhO3 j6eekGuytVpjcKDxxy55mpJ9OuyZLZPtO8+/vyBCrNPtgqy4PmRyl/clysqj10Yw r9hhpf3fxtRn8egx3EfFpzB9a8wc7HgINhQ2CRCEYOamrbvqN6CigDwz0Rwain8/ 5S7XMUAMeSMxTosYlXLbm0x1wxMp6dpfNH4s98gjMDE1ti7QrzUsnzz7alocwg0M V+eMR2DIo8rL4WdqGxdkPDmelvoTDJCPygUZOoWZxYg656EFREJ4E8XpR4jI/ev+ PuzR5qWJF6Q9wwNJCoU7V/dHs0qQizkPCCdyidG2vgpuLR+3/ymS5UWBcSDV/Lap gdBrjggObbQQVf/uNaytroWacVrouBrKuxHIaFj163B/s//2uLhTwFmBh5li3AIw KVjYbFeM8LRbY9IXNQmmp3WRyKu+Ma+aIsWgkpgokm4ze0qimseKpli84W++oo+1 ZbkAarvRdrYD6vZE3Ex+a9VHxPzhQn62o4/Bmr/x4Ht4ls8Zgw87ymLJHLiEOVYh 9Pl+kCioKBbV9AggM7uB+6tNYopCN+sZV7onsV6ibbDImPuBGfvqqRtqGNzjiEi/ vTEuyXRdXKJubAhsqog9Db9J3VsaFiK+p71Jhwprri/eEiffecbe7XUr7LnW5RHz 4VjMerrwwMW26ql2GsXrcSI/rCaNlcra Extension name: p9836f4476 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/72872CA1B3B79513

http://decryptor.top/72872CA1B3B79513

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
suricata: ET MALWARE Self-Signed Cert Observed in Various Zbot Strains
suricata: ET MALWARE Self-Signed Cert Observed in Various Zbot Strains
suricata

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RevokeLimit.tiff	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\ClearSet.raw => C:\Users\Admin\Pictures\ClearSet.raw.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\RevokeLimit.tiff => C:\Users\Admin\Pictures\RevokeLimit.tiff.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\SearchResume.tiff => C:\Users\Admin\Pictures\SearchResume.tiff.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\SetRequest.raw => C:\Users\Admin\Pictures\SetRequest.raw.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\SuspendUse.raw => C:\Users\Admin\Pictures\SuspendUse.raw.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\UnblockUndo.tif => C:\Users\Admin\Pictures\UnblockUndo.tif.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Users\Admin\Pictures\InstallMount.tiff	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Users\Admin\Pictures\SearchResume.tiff	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\ClearInvoke.tif => C:\Users\Admin\Pictures\ClearInvoke.tif.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\InstallMount.tiff => C:\Users\Admin\Pictures\InstallMount.tiff.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\OptimizeOpen.raw => C:\Users\Admin\Pictures\OptimizeOpen.raw.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File renamed	C:\Users\Admin\Pictures\UnpublishCopy.raw => C:\Users\Admin\Pictures\UnpublishCopy.raw.p9836f4476	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
File opened (read-only)	\??\Z:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\A:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\E:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\G:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\H:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\M:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\N:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\S:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\V:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\B:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\F:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\I:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\L:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\Q:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\R:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\T:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\D:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\J:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\K:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\O:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\X:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\Y:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\P:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\U:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened (read-only)	\??\W:	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nsg.bmp"	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Drops file in Windows directory 64 IoCs

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_ebd9b2add93e89de_kmddsp.tsp_c999e400	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_ebd9b2add93e89de_pppmenu.scp_74b84d65	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_31cb74c54c7c9cce_wiaservc.dll.mui_54051b53	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.546_none_66aec7957bfb79d1.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_es-es_791f98a00d18017f_bootmgr.exe.mui_c434701f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_en-us_89e92105cd6d77fe_credprov2fahelper.dll.mui_71e4ecb5	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-duser_31bf3856ad364e35_10.0.19041.546_none_386df5495b49cc70_duser.dll_a2bd2fa9	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_dc08fa18555f7cbb_ngcsvc.dll.mui_96312421	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tm_31bf3856ad364e35_10.0.19041.1_none_030656e323303a3e.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wintrust-dll_31bf3856ad364e35_10.0.19041.1266_none_6ec8b79d83a2fd27_wintrust.dll_abec426a	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_de-de_157d8b1ac43d0595_comctl32.dll.mui_0da4e682	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.19041.1266_none_9123280a93582482.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_mofcomp.exe.mui_35badf56	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_10.0.19041.546_none_5cab63307361e177_kbdus.dll_c99f1a3f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_it-it_2d34a08f6318de6b.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_94d8a2f49b8df947_mofcomp.exe.mui_35badf56	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_abf2f270a2e2fdd5_rasauto.dll.mui_12fa2c50	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_es-es_fb21fb2daa0bbdc7.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pt-br_78cb45bacb7e5c6a_memtest.exe.mui_77b8cbcc	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9d4111d99a4c2411_combase.dll.mui_6db10b33	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-fileinfominifilter_31bf3856ad364e35_10.0.19041.1_none_8ca608a8d0ab598e.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.19041.1_es-es_2f58d254bd51feff_wmpdui.dll.mui_92411657	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.19041.1_none_8bf8bd980545cdd0.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_es-mx_36cb4cea87054a3a.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.19041.546_none_e09b38c4879eb2b7.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_6e688577a32f8855_themeservice.dll.mui_9e71f1ab	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.19041.1202_none_914650a100a16672.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2d3b6ea159ff4dae_wmiapres.dll.mui_c1b8803f	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_10.0.19041.546_none_acd68d6650059b4e_w32topl.dll_1a0f388b	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.985_none_9acd392c5a6ac8a8.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.19041.1266_none_9b77d25cc7b8e67d.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_hr-hr_91b1079c55cc3459_comctl32.dll.mui_0da4e682	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-microsoftjhenghei_31bf3856ad364e35_10.0.19041.1_none_1b31c6067f7278ae_msjh.ttc_ea675e59	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7e2e7925487a8e96_ngcsvc.dll.mui_96312421	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_it-it_8206cb3c3a26ca88_webclnt.dll.mui_e8f04040	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-deviceguard-gpext_31bf3856ad364e35_10.0.19041.546_none_48d6c53e575a9a81_dggpext.dll_0c91d307	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_85775.fon_f144fe91	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_de-de_2e39fba38cc03f66_webauthn.dll.mui_acc69b8d	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_hu-hu_1ebc558b5fa34c0d.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938_kerbclientshared.dll_1fa7b356	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_e2d6f3ca6473453d_dsreg.dll.mui_5d9efc7e	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_10.0.19041.546_none_acd68d6650059b4e.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_bg-bg_0eb33b9b299bb6ee.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_it-it_63d59ac645c938b0.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b103cf1329c78478_tcpipcfg.dll.mui_a5479fc1	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.19041.1023_none_636449faa48a1497.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui_31bf3856ad364e35_10.0.19041.1_none_12c29d7ca1405b69.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userenv_31bf3856ad364e35_10.0.19041.572_none_7869ead9de8ed48b.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bc35fcf50d32ba29_dsreg.dll.mui_5d9efc7e	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_950d46109b6707a2_wmiutils.dll.mui_42583eaf	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_pt-pt_ab6fe027e9d42c19_comctl32.dll.mui_0da4e682	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_nb-no_27a70b04b2458f02.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sl-si_1c174079cf03759e_bootmgr.efi.mui_be5d0075	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f67aaff953259297_wevtsvc.dll.mui_f41bf7b7	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_37c7228cf0c127fb_w32time.dll.mui_b382d4b4	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.19041.450_none_107cae8412302d3e_sti.dll_d93e8a42	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui-resourcesrs5_31bf3856ad364e35_10.0.19041.1_none_11f6e41b011d9fec_windows.ui.xaml.resources.rs5.dll_48e2ada6	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-null_31bf3856ad364e35_10.0.19041.1_none_5f56fb00ba5a9142.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_en-us_7d22aa39e59cfe75_rasautou.exe.mui_55686a97	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_a404249a5c38819f_themeservice.dll.mui_9e71f1ab	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.19041.1288_none_a254f4e433806f5f_gdiplus.dll_423f7010	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_el-gr_78f993560d286ca3.manifest	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_it-it_09805d42c133e875_wudfplatform.dll.mui_d815d31a	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_a069e8cf0cb9bc28_axinstsv.dll.mui_be092a2d	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

pid	process
2888	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
2888	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe

description	pid	process	target process
PID 2888 wrote to memory of 3292	2888	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe	cmd.exe
PID 2888 wrote to memory of 3292	2888	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe	cmd.exe
PID 2888 wrote to memory of 3292	2888	ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe
"C:\Users\Admin\AppData\Local\Temp\ecac12520eaa08addb97ed05c2ac1406d56e58eb422954b704ef5c5516e02397.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:3292