sodinokibi | d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c

General

Target

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
Size

164KB
MD5

6b391f91c63765876e2571e87fe46575
SHA1

d508632ca452af6325c06434b29883cfa55d7948
SHA256

d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615c
SHA512

2e1c522393b137d7847c405cdaa735a4255fde534c8006460ef1a984eacc135fd8668fbd756d06b9011299911c2fd57c1a9112d01c046ebe8c98058b1abfae34
SSDEEP

3072:pEa2d8CfSXceqmPDu7lvspW0kAo0BQhyI0hQMnnsJ:5CqlPDuBkJpoQQgdnns

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\82c52-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 82c52. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A93EE1D97B5204A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/3A93EE1D97B5204A Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: U/2TzqxHaWZQ56uGjmbXkyV8Y+87ioLI0OQ80Dk0sMuDR4qtrUtoDg3Q8M7/imoz ym5b5YYbn5DrCJcgx62R3f1WDOvYhFHy/6nsuL4nWcXr2DYqCoj5L3v2pShzcdVk eLf6xTOc8s8XbLfSNC4yHCXYSQoJOMUpFmmdbYxF0LzZGcY+gbOOxSO14WNJh3kS 04kwc2KFnkh3oIddBFoNPTrYujgH6tSjJtxGT95IB3bE8rpCYJEynhH/IU09zzPr 35Axe63nwaEzsGaI61VsCwMfLj3RqluNwEYOPidanXMU7KpaNVvOB0ZJY5beYCxd f96GO161QyZeqDg9Lteo1m8yudwelke0mkeFGYSyMXYjNc/3Q0gN2oOld5KE7LnV dQ/Q4V8NVTcVHk/WbVHUy6YchQikpn3V7QIPrCZpfutUNzq/T4t5KYyQxTxeV0/U KDBTprBKePA3p77h2hLZ+EQLjddQpuDyVrpUIoc9XD855la5jSk8L7rbWuK2KGMO Z1con94KDHClUh+oqNz0tyyhzvTWMBFuwlSSWUhWv7wCD6ijHt1akGEC9cPm+sAX HHIfHwFQRMszAAU+XuGMFpdRCxChNSw8UYTixshmwAZvT70bnFkXNm+eELvdFG0D 7g/ARZhjtvyhienJpPmEantyEoM0/XizfHFnJLyserlz+AS2E9S14Gohp0icVVvO 4/KNcFH7Q5Vy9HuNX+i06KO2DBUN9v03GrYmQ6UZS/ZEmeFX9bZzYHcS6g/eYKYd PM+C4O2RfYO7uH7geyBq5p5qXlELc/ZN1LjYWnqHsmWLuLTkCsFBSmj1IwJMIQsl y/pcCN9yC1NYdP7XGtzp3sAboswKflQ8XrWGJChScbIKdhxJrVOB0ObuVYn4/5jG p/RlJDqDi+8u9Mxkk0XJm2PFSJOnmdgjxPQDhjuBr6b3pYOb+mp/UpFAsVKJLFG3 JEIF/JcYqjo1/e9p9WoTEk++kK+mX2O1uVD28a3T8dqyX6Gl+ecrIVFi62YOksN3 P+lfGUzocq50zVLAXsR+MTz0llPQcXuWgQc2ZIblY/t+zKaD4WOd+qUae7BgH35E X5UVPJA8b/tnLqqBT3ZijkULZcpjmFMxFfzOKSBzb4CPyiGAqfvO/18CyAXrIjPY TfTrjOrxHpU6+q/3ZXco0lmO7+KtvIo3+4nNC5n3od++ikiUtG5DDUTYMCsxxd38 xUerUpLD5tURjg== Extension name: 82c52 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3A93EE1D97B5204A

http://decryptor.top/3A93EE1D97B5204A

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\L:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\U:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\X:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\Y:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\D:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\I:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\J:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\M:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\T:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\O:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\P:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\S:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\Z:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\E:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\G:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\H:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\N:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\V:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\W:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\F:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\B:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\K:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\Q:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened (read-only)	\??\R:	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\j2h5c73.bmp"	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\SelectMove.temp	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\82c52-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\JoinCopy.mp4	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\82c52-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\CompareDebug.bmp	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\RedoWait.ram	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\ResolveFormat.eps	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\WatchSearch.M2TS	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File created	\??\c:\program files\82c52-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File created	\??\c:\program files (x86)\82c52-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\AssertLock.m4a	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\BackupNew.shtml	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\82c52-readme.txt	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\CopyFind.ttf	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\InvokeConvertFrom.tif	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\NewWait.au3	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
File opened for modification	\??\c:\program files\UndoUnprotect.3g2	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2116	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
3028	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeBackupPrivilege	2876	vssvc.exe
Token: SeRestorePrivilege	2876	vssvc.exe
Token: SeAuditPrivilege	2876	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3028	2116	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe	29
PID 2116 wrote to memory of 3028	2116	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe	29
PID 2116 wrote to memory of 3028	2116	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe	29
PID 2116 wrote to memory of 3028	2116	d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d09338f3248b7c43b4c58274d453732fca910a0cee2ca50a2b72fe0364fb615cexeexe_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\82c52-readme.txt

Filesize
6KB

MD5
828d1ee2ee01e8722447bb8d9cf498c1

SHA1
9af2ba19d9d6db4ec7498ba22338bf7b12815e5b

SHA256
555144b47ecf74cf7d950f66167d17f3c2c4bbb90953341a9fdcfe3aee41f503

SHA512
a88c7648fa02d5b26afae117f2eb3add3363d1c0018b64a9472527ffe1f50cfd90e997698f76595087cfc7a36d692bc97ae6f20e7f65815dfb9a409217fece50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4fc5b279329f849f20ac19eed9c6cf4

SHA1
fc0a71fbdccccf52eb2d591b9bad478c09ceffe9

SHA256
83b32f73d43e0d2cae9f6a84fc5c81dbcdd0cd86191c326fcfeacc04b8d9d9aa

SHA512
3c3f8be0bf5eab086821d2ca3307ffaccd1fd9ead126726c0dfeeaf49cd27e2d4b2013da26bf1214f968af8eda39af49d9c3fe4c368aecee7add059f4ec394fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBBF1.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD4C.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
194KB

MD5
f80309fd74edade0fc0423fe1fe48958

SHA1
548beaadac3976843507014824803197088723db

SHA256
b58aeb3b9284120e4602c10f4d94d79ef9049afbc3afcc5ff7d82b3ce20651d5

SHA512
8f2ae3bec42ce77bc8e6645e64013646aac9de085843bd6f92916a121a575b8dc05fbb14c38abd3b7e0ab9102c32e47bba5d45c8464a48a8f6cda72c1089c597

Download Submit
memory/3028-61-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-64-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/3028-65-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-63-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/3028-62-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/3028-58-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/3028-60-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-59-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads