sodinokibi | 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b

General

Target

15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
Size

160KB
MD5

b572a0486274ee9c0ba816c1b91b87c7
SHA1

43a904323a8583203b307c622c71c8ca706c2462
SHA256

15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07b
SHA512

77d4ee400ded4b4be92da0170e7d2c197c312089429a1650e2843d0ceb15402d14f7e4fc3c2e84f20eeaa24995f0814c2106a37fc4cc32de7dbb4c15b6c5a171
SSDEEP

3072:tp5SexkWi1Lbi4eTMlwDCnu/qjUt7ptQJS+s:HvGWwbnWJ/3tTQg

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Recovery\93menjskj8-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 93menjskj8. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DE5898E3DF8D088C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/DE5898E3DF8D088C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: x2A01CzCTvygb/wjPC1ISyNZJuwkmKJlgqtoyaeIcK37uA0tZarju0uvUccAWo7g krXQe2/EOpZWSze8vnxzfFzTZJc+aevgDbTieYAMfse8YLJRVezuOBn1sTKBE0BR WHbD1dj9T/k9Q1JMun8NOxBsuFqKezbFAup/DkLI8MDk5duj2ortghRf1O5H6nN3 o0x7A8EZsmaf7qUpWPJyrttgvcVFqlCUMo9Fd/S59MrtIT4kl1GcVSH9wYGctPZQ ThNrMFL28fe0aZu2lnkwTzgoDqvX6D6hzIWpJ9t1DXEJFBlHMxxCmLtRM0Pe5OcB 4PrjgwjdytfI6+1+lSCWru/xc39UJ/OuML2th88EPzV2YDVj+5VjoXFOOQIW2Pmh df/jfuFksb2t77/EJtgDDSH/xr8UlqdlpFLr34VLJTeuS5Kre7HMw6JyP1KUZcrm lULgTqJv2NPtJ2EKtKUrIernCF87mp5L57dTfsZxhd7vzpDIT3/WgcvU9o61129h K0aA3EemITP/Lfl1jqqynm5ihWR8vb45zNQ3uUB8Lju30wvScjZsFezzfzXuTnif h0y3tzZNWwvEdmPXDY5RBjp8sCCxzu+qFgPtX2qaNiikqyo3ROlkEtXsXO9nlYus uumLQkjpPDwvpdEnRYr7JsBYEKGRxbHRR2PoVVhQoeJi0AvBNHZexWJjLKTLjcLx w0GP7n8dafsJrEJSXvg4leZGb+19pLU2+T1ezmrKArG3lgq1cS6ZIsKxwCxFwu4I He8fenUXwDKSiR50Xs7ZRYX6wtwp3XBx/LA4m8GDUjXV1I3j627DyA4i6W+01IoY +5PqKCC4WIrf4EHSbzL8zIP2GVGgwK3/vMRoxTOCsV/zGJUs24ZWrO+WtkyP2/6B joLaHRUm5CKX1D3GZ8K+tXRM0Hb3quZrVMhYw8VvTg9F0aTR3crmPsdOKKJakLbg o1fe7MJujEanF51UAMpWbt5cn88Grs4xmjoBKY4/r6FGGJ5Mhq5Z4h6U9Nxq0G8U DER54XfUvn4k2jZ0m2P6ENNXCRSs/oH2YcxLVTeOYLzF+6ocD1wVYnm5h0rJPp6N TXw8c4PTEzhoikqS5afd4dwU/LIKAugPMkJs+JH7VcVoxp/2kYX3H6pWRAc01WJ7 9vskJddRQJ2zD5y9hFiIkPYVVAc4+ePqvgdZFMd6ce6lMm8rbPXu6RlkNyyihSaa lU7xPGP7wOcdYJVEOLuoLQ== Extension name: 93menjskj8 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DE5898E3DF8D088C

http://decryptor.top/DE5898E3DF8D088C

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

description	ioc	process
File opened (read-only)	\??\G:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\K:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\P:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\X:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\Z:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\D:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\H:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\L:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\M:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\O:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\S:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\U:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\Y:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\E:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\I:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\N:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\R:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\F:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\A:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\B:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\J:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\Q:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\T:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\V:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened (read-only)	\??\W:	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\h36362t8vvv.bmp"	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

Drops file in Program Files directory 46 IoCs

Processes:

15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

description	ioc	process
File opened for modification	\??\c:\program files\CloseEdit.vssx	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\EditUnpublish.svgz	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\FormatReceive.sql	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\GetReceive.mht	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\SkipProtect.i64	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\SkipWatch.wps	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files\93menjskj8-readme.txt	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\ApproveInitialize.i64	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\GrantSelect.ex_	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\RepairDeny.vdx	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\93menjskj8-readme.txt	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\93menjskj8-readme.txt	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files (x86)\5c4c3ad0.lock	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\AssertShow.wmv	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\DismountCompare.xml	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\ProtectConvert.pot	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\PushClear.htm	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\ReceiveDeny.xml	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\StartSave.001	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\5c4c3ad0.lock	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\ConnectDeny.nfo	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\UnlockRevoke.midi	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\UseConfirm.tiff	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\93menjskj8-readme.txt	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\5c4c3ad0.lock	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\DenyPop.xht	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\MoveRemove.wpl	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\BackupSplit.wdp	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\CompareAdd.xlt	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\SaveWrite.xml	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\SplitLimit.MTS	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\EnableOut.docm	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\EnterSend.mpeg3	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\PushCompress.easmx	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\SelectPush.jpeg	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\StepWatch.mov	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files\5c4c3ad0.lock	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files (x86)\93menjskj8-readme.txt	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\AssertRemove.ini	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\CheckpointWait.ps1xml	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\ConvertFromUndo.mov	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\MoveBlock.xsl	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\ReceiveWatch.vsw	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\TraceGet.rm	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File opened for modification	\??\c:\program files\UnpublishRepair.zip	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\5c4c3ad0.lock	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2756 vssadmin.exe

pid	process
2756	vssadmin.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

pid process

3056 15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2076 vssvc.exe
Token: SeRestorePrivilege 2076 vssvc.exe
Token: SeAuditPrivilege 2076 vssvc.exe

pid	process
3056	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe

description	pid	process
Token: SeBackupPrivilege	2076	vssvc.exe
Token: SeRestorePrivilege	2076	vssvc.exe
Token: SeAuditPrivilege	2076	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.execmd.exe

description	pid	process	target process
PID 3056 wrote to memory of 1048	3056	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe	cmd.exe
PID 3056 wrote to memory of 1048	3056	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe	cmd.exe
PID 3056 wrote to memory of 1048	3056	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe	cmd.exe
PID 3056 wrote to memory of 1048	3056	15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe	cmd.exe
PID 1048 wrote to memory of 2756	1048	cmd.exe	vssadmin.exe
PID 1048 wrote to memory of 2756	1048	cmd.exe	vssadmin.exe
PID 1048 wrote to memory of 2756	1048	cmd.exe	vssadmin.exe
PID 1048 wrote to memory of 2756	1048	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\15ef2d6ef402a46165be39d9dbc0081cf28ebca0f407306dd80ac3a73a32c07bexeexe_JC.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\93menjskj8-readme.txt
Filesize
6KB

MD5
01af861e151d6a4ef07b815c5649f077

SHA1
4ed2d1d4c9dd0f9c010b469e749cbfe67616f75e

SHA256
6cfaea9cf4efdcd1ebf23f0f484444971bd52ea037bc54c24a1875f6f186ddbc

SHA512
9b1f0aa17716258ec418cbaac1cf487bd60dd61091a657a3538229d001038a4a81a8a850ee768661977c913f38b860f1f00d4fd79aa131d889d4763acc29afaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a48d803d363e4a03364a348cf34552b3

SHA1
06fc3a750ecd7f1af5ce1bf33cd743301b4d3c8f

SHA256
77f9dd4d5136d583a31c131db05bb5c663cf21956e1b46cfd57a0e40b1657563

SHA512
a1709c29396084dbc294482894ba0ebe7191747b855d73746b15844768cc7e5427a87c52633626c27583d94ed78c2809dd415459b5453486c3c2c5eb441e2ce6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
4468b30224e4de11ba0e99691ea0f933

SHA1
67fb603bdb859625cf4cf784b8974d5014f787e9

SHA256
ab5976a5499d5f8af90409ac912322ac40e6ea48cbe150f56285bad08bbb6747

SHA512
c3b08c384db2d68f98b5cc7ad1835734d22051db69052f2694ae709be2c407532f1399c22dbc80b7d29530ae79364f680b485e4385e5cdde2df4d8739bc975b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar591.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads