sodinokibi | 861bc212241bcac9f8095c8de1b180b398057cbb2d37c9220086ffaf24ba9e08

General

Target

861bc212241bcac9f8095c8de1b180.exe
Size

161KB
MD5

e6566f78abf3075ebea6fd037803e176
SHA1

de960051530de0ec06b72b8e3e1cb558e09a1c77
SHA256

861bc212241bcac9f8095c8de1b180b398057cbb2d37c9220086ffaf24ba9e08
SHA512

8c648916151d7515899b142a982ba530881245a709bf146861f0d4b1e460fc9bd6ff4df40f8fe29533c3f01c9df25cc5333f9a1a8159d7db70e80fc269fea2e8

Score

10^/10

sodinokibi ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\u7n5gh-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion u7n5gh. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ABE12F67F4420E1C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/ABE12F67F4420E1C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: itjDragzXPq8hLd6qRovVYD+S/8sFvSwG1UXHoUXsaAqPreLTrvcO6L1edKCE7os BY+ZC3MhpGSsOLNzsKuaXq6tjDrSXmnICqTqnH/lXTLro1mXGboCzNHAom7fZDLj Daf1aR6U3yifZyaX9Zs2Y3StyB7z40tnBiQy2LtcEtKue/I9mVsLtmmm4FR3zvTR TiMDvUhVfSRkWVtJ1eZngkrBjWNdhb8s7AzPNl9AEidpmNmc55fKXpBbB4rl/hJI SU3XEEQqUdRvLJwqEWVHwDkiTVzH+hWI6x1supHgs36hsXLB/YkABRDl4lv/BMAt 8FlhgP+Q2/d8z4iQiTtZLqk1djCeFg6al8cIg0K61PdjH3iX4pUnZOocnGitH6Ad /axPLF2ztqhk7rEWi1lJ2TMOUxCelbp0/YJrfNN19K/FpVGQmwCNzNgUmpNuml08 sWGMGp6kXsgmBQNXTnOX4YUD4HYYA9fh/o/XfsDNpNBBYFpNdoMijNOYWIAnwSz/ SMq/jiBQtDk7Hfib6rpJKaxZ3ljM3tT3+0lH8vwW390RdaMRXZjZv++jUydw7JaQ yP2l69SQEXJ/zujLX75KRUbfvloVOeXOZ6QZM4SUF9yYmMvYcWiI9yMebmyGW6vk PElE6eSqmg9eRUQGKNjRrSlEPbPmeUbLE0qDMNVbbmM3bQ71lwaWggC6EgnxzAmp rsjaiJ/sqDyzImJh+tazrRPlNblVEqd9Woh6ne523GbnTJ/3g30tcbhm0wfxB1J4 VtmiBrC0uI9LoHQwcGLaZf/fvffr+KbJOfKb/u0iKXm/NAeQFUo4dfnVj4JdEQJU DSiKtSUUKe8+rMX/GaFZWosn7NsfIm/PP+i7OAyytPdnaWaW7PZ9MJOkq5YfDqHP ajPvGBHvuZ4IhVxlL86VAL1kEyxCQNi2Il9Y4tX2TXH1Ms2q6LS2qmSZgxnOSP2/ 8OTpuN1drB/NXa/0QAE1ETSqpwZwadauDjLsuz7MTjMYG5JhL9bYGOuVrZj9UZDh INk82Fs6dCFh7aVuLvRzYZ4u8gZ+pjqAl79zrbd9raOmKxw86hoyFzSWZGyDedQz J4vAPb32ZQTqASAp69eMnsIG0wZfxHoJlskNWtvSrqkQPnUpu85eSFLbqkAJMIkD 0HVIYQcHru8= Extension name: u7n5gh ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ABE12F67F4420E1C

http://decryptor.top/ABE12F67F4420E1C

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
suricata: ET MALWARE Self-Signed Cert Observed in Various Zbot Strains
suricata: ET MALWARE Self-Signed Cert Observed in Various Zbot Strains
suricata

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

861bc212241bcac9f8095c8de1b180.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ProtectAdd.png => \??\c:\users\admin\pictures\ProtectAdd.png.u7n5gh	861bc212241bcac9f8095c8de1b180.exe
File renamed	C:\Users\Admin\Pictures\RestartResize.crw => \??\c:\users\admin\pictures\RestartResize.crw.u7n5gh	861bc212241bcac9f8095c8de1b180.exe
File renamed	C:\Users\Admin\Pictures\RegisterUpdate.tif => \??\c:\users\admin\pictures\RegisterUpdate.tif.u7n5gh	861bc212241bcac9f8095c8de1b180.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

861bc212241bcac9f8095c8de1b180.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	861bc212241bcac9f8095c8de1b180.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

861bc212241bcac9f8095c8de1b180.exe

description	ioc	process
File opened (read-only)	\??\N:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\O:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\P:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\Q:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\U:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\V:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\F:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\M:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\X:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\I:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\Z:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\E:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\G:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\H:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\S:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\T:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\W:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\D:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\A:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\B:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\L:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\R:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\Y:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\J:	861bc212241bcac9f8095c8de1b180.exe
File opened (read-only)	\??\K:	861bc212241bcac9f8095c8de1b180.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

861bc212241bcac9f8095c8de1b180.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4yki306bf01.bmp"	861bc212241bcac9f8095c8de1b180.exe

Drops file in Program Files directory 25 IoCs

Processes:

861bc212241bcac9f8095c8de1b180.exe

description	ioc	process
File opened for modification	\??\c:\program files\ShowStop.vb	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\SplitStop.txt	861bc212241bcac9f8095c8de1b180.exe
File created	\??\c:\program files\u7n5gh-readme.txt	861bc212241bcac9f8095c8de1b180.exe
File created	\??\c:\program files\fd2bcd2c.lock	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\ClearSplit.wma	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\OptimizeUnpublish.ods	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\PublishOut.wdp	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\ResetSelect.xsl	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\SuspendStart.xps	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\WaitSubmit.aiff	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\BackupProtect.mhtml	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\ExportUnlock.ttc	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\FormatWrite.shtml	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\SelectSet.mpe	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\SendRestart.DVR-MS	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\WaitMerge.ini	861bc212241bcac9f8095c8de1b180.exe
File created	\??\c:\program files (x86)\u7n5gh-readme.txt	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\DisableConvertTo.js	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\InvokeWrite.xsl	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\RenameGrant.png	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\UnprotectWait.mov	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\UpdateInstall.edrwx	861bc212241bcac9f8095c8de1b180.exe
File created	\??\c:\program files (x86)\fd2bcd2c.lock	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\DismountReset.wax	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	\??\c:\program files\RemoveRename.vsdm	861bc212241bcac9f8095c8de1b180.exe

Drops file in Windows directory 64 IoCs

Processes:

861bc212241bcac9f8095c8de1b180.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_33d8c3da77d0026d_memtest.exe.mui_77b8cbcc	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_pt-br_26e2b4db2a2335ea_msimsg.dll.mui_72e8994f	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_he-il_47e71de5429c9e8d.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1202_none_574a25a5ee347454.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_es-es_12d9c0bd87ce2a84.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_de-de_5552d9a70ffd76be.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_it-it_8aee78c9c9067008_user32.dll.mui_14652dbb	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profapi_31bf3856ad364e35_10.0.19041.1_none_b43a1380d0644b6a.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shacct_31bf3856ad364e35_10.0.19041.1_none_7bf3412dc0d2d29d.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_et-ee_704c52b0a2cbb688.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.19041.1_it-it_f28f9ae87dfce6f4.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_es-es_20bf32b2e3f96cf5.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.19041.207_none_415109dc8f3c6aa6.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-pcw_31bf3856ad364e35_10.0.19041.1_none_70574e342a3eaf92.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1081_en-us_ce36a852fdc49a6a_applockercsp.dll.mui_d2a0df70	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_cga80869.fon_2e7bdf2f	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_176364e83131332c_wmiapres.dll.mui_c1b8803f	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_fr-fr_c7c95139b0684052.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_en-us_f3ef054dca7ac088_user32.dll.mui_14652dbb	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_be18ea1916c99427_wiarpc.dll.mui_0c913b87	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_de-de_9468ebbd3ef7a656_mpssvc.dll.mui_4b194b5f	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_it-it_05ff04e5d71bfd5f_bootmgr.exe.mui_c434701f	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_46feaa68fea5a157.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_79ada47f6e975332_webauthn.dll.mui_acc69b8d	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_es-es_a8bd371b7dd7b043.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_4f4ffbe799f4762e_clipsvc.dll.mui_18823613	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sl-si_1c174079cf03759e_bootmgfw.efi.mui_a6e78cfa	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_vga775.fon_05cd499c	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi32full_31bf3856ad364e35_10.0.19041.1110_none_cab79e1fdc701903_gdi32full.dll_ffcb16f4	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shacct_31bf3856ad364e35_10.0.19041.610_none_ae6a94eab49269de_shacct.dll_f953c950	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_df1bb4b828f1e5a9.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a_certprop.dll.mui_602eaab4	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon-sysntfy_31bf3856ad364e35_10.0.19041.1_none_0b6400a5af10cbc9.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.19041.1_none_df4e7b90a62a08e3.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.19041.1023_none_432d585a19d46624.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_es-es_80b4fbf2a39aea5a.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_cc60cf52118b76e2_memtest.efi.mui_71e15c22	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_1724b854923485bf_themeservice.dll.mui_9e71f1ab	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.19041.546_none_8112e5615ba7a9e8.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_de-de_dae1741014353963.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fi-fi_6a478e93686bf3a8.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_8e9e696a3f31534b_appidsvc.dll.mui_6717e231	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.19041.1_none_a6f4c35bde1bc697.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-process_31bf3856ad364e35_10.0.19041.1_none_e9d80fa364d364ec.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.19041.1266_none_727d8ac8ed2b3e80.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_de-de_4c6b2c19811dd13e_webclnt.dll.mui_e8f04040	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-duser_31bf3856ad364e35_10.0.19041.546_none_386df5495b49cc70_duser.dll_a2bd2fa9	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_de-de_ce34d3262165aa68_gpsvc.dll.mui_0c160ac2	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_d05d0ca80efc5352_memtest.efi.mui_71e15c22	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec_bridgeres.dll_55e40455	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_d882497830128342_userdeviceregistration.dll.mui_22ab8f29	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_d882497830128342_userdeviceregistration.ngc.dll.mui_d2c6ca95	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-bootvid_31bf3856ad364e35_10.0.19041.1_none_f8bf334f59f2a511_bootvid.dll_c188118d	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.19041.488_none_96f4e9b1e7889a13_scesrv.dll_07b1e224	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service_31bf3856ad364e35_10.0.19041.1_none_71aa3a855e54ea84_sens.dll_d4c507f7	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_wmiapres.dll.mui_c1b8803f	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.19041.1266_none_9b77d25cc7b8e67d.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_it-it_3ac41f540029466c_apphelp.dll.mui_59096153	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_es-es_3d251e9a2dfca3c0.manifest	861bc212241bcac9f8095c8de1b180.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_de-de_b41cd8ef1bbad800.manifest	861bc212241bcac9f8095c8de1b180.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

861bc212241bcac9f8095c8de1b180.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	861bc212241bcac9f8095c8de1b180.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	861bc212241bcac9f8095c8de1b180.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	861bc212241bcac9f8095c8de1b180.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	861bc212241bcac9f8095c8de1b180.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	861bc212241bcac9f8095c8de1b180.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	861bc212241bcac9f8095c8de1b180.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	861bc212241bcac9f8095c8de1b180.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	861bc212241bcac9f8095c8de1b180.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	861bc212241bcac9f8095c8de1b180.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	861bc212241bcac9f8095c8de1b180.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

861bc212241bcac9f8095c8de1b180.exe

pid process

4816 861bc212241bcac9f8095c8de1b180.exe
4816 861bc212241bcac9f8095c8de1b180.exe

pid	process
4816	861bc212241bcac9f8095c8de1b180.exe
4816	861bc212241bcac9f8095c8de1b180.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

861bc212241bcac9f8095c8de1b180.exe

description	pid	process	target process
PID 4816 wrote to memory of 1468	4816	861bc212241bcac9f8095c8de1b180.exe	cmd.exe
PID 4816 wrote to memory of 1468	4816	861bc212241bcac9f8095c8de1b180.exe	cmd.exe
PID 4816 wrote to memory of 1468	4816	861bc212241bcac9f8095c8de1b180.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\861bc212241bcac9f8095c8de1b180.exe
"C:\Users\Admin\AppData\Local\Temp\861bc212241bcac9f8095c8de1b180.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1468