sodinokibi | 133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de

General

Target

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Size

114KB
MD5

77be32b91561d1ac5e36464766b7b0a7
SHA1

9c72fe9c8e24b5c0bde50c71d74fb2586c4201ce
SHA256

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de
SHA512

c8d0d6d15322172631b184acf5df86851dff7d8f15fde9cee7d0b7e4919433ec5b096f4079b5acba78d27dcfc42bfc2bcd3f184cb0a54c13b71aeb40f8ea4152
SSDEEP

1536:FApx/1k2jbVnO3c+FpR5Q9JzY02pTmZ0ICS4AtebOMZzqFTj5vel1KkK3I:ck2X8M+Fp4vY06A2roFTj5vYc

Score

10^/10

sodinokibi persistence ransomware

Malware Config

Extracted

Path

C:\Users\q430a17337-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension q430a17337. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F237A879899AA854 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F237A879899AA854 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: SyAzL/b291azsu+bGIyRZbl/PJzLqItZWpVlhtq25hFTPRNVkhdDYnwPGnCrNnrg xeow1Q8Xy4CZbezDt2IzPYEg9GJrWRemso4JqOFKqAvxN7Y/ljDKwjPo+gDncj6m Q7VHi0rfJm+pXR7zk/YUiV06SxVaJLXxye16xRpu7z9Ju5NsDTAQAPF7r2lzUrwS 0QLNotvBeyl8fZSYEnxuji2pZVtM4VbtH2e/8gWdkNyS5gk+SKmu5hv7qIQtn2fQ qW3HK5fzb93GkHn08bNQl7MlCPqoKinkCoylTpgSYtaA/i/x8utHhwJ9fFv2TN7T jLcrM51TNajMcXoWyJ1QFTmgqrH8dPfkxQZ24yqAeUeL/O7p4NzRKr6UE5Dvi2vR 4QHj64gE9Fif/5Ua9udi3rU3s7Z5KzrJ8ipg14UYPZ1Rv+pBBkBoe49NpJJzTDdl 9y/mMRgb3u0mIFZS0ADFBmgRwGb/Pg9Vs19dGvwaBIsKS9FKiz2ALZmkmrI0l5Tw TyA+71qm/iSVpEhE+YtDm87nKV5rTKlwqRhKCaMyZWEPoPnQ3rUDEyYG9O59HolS tGr8ucBnxo4qV1XuViV30FV2o2tG0NiZErXUZLU0k8d0kLSeI7WQ7a17rIcdzhby A5QK9Zozlay6qG6PyOQRVDxfddMtqU8h3JjvomBoZrNP7Bok1fSzvQN1RJ7/P+n3 QdqJu40CkOgg6fYzdlqSk/6lWyQ6runLqH50C9RK/IinvxoiXOiiemubqHzNT4zs s2AxD/fTFduvpn4B3/Rv6slzvexN/MTKBIYXozZv1D2D6HjRFAaC3ewSucqgG5W9 WtTqudYN+EJb4HJt5gYDfL4eA2BBMgbLo+J9FbIRMlArvSdymsBjBKlySz5jJKAT jYaEnN4fKsX985GpMU5PxArTqgIrwp3jV1TX7xfLEPFIfotwxMAEzhe5093ugjMw UTAda+ajIm7jBaIfKEo1PqR8qFQPcOERdQtqXDxMwG6Bt1DG0djVc17wXfG6gChg mNWG0Ehs+kRJ5PHK0f8cz2WbttDqdalTumYxAQLZhKs0ENO8FlNw0pviQ/q67reZ VIGBTMXXa+A15Oct9pikFcn8Os7aUwChXCriAit6svPYY2vgXWtgfcVRJX0kVArr U8HJTkIxVNWMNTsoeP4sfNAwXqDWg9lOWfZ6jp2szFBQJIL8rGABPrZQ8aQmztUh fYUr2UGFTox5jEjwahwwmw+n1Pe3NqTgKRI1UNh5VldmSCRzDJmsTXTqUp5sbHVt VmDwSa3rBctbXNHiDDdQNAU6rYdxNhoJc5dHrdpwo+pN2UijphLsE84rIY7EB0bw FgEwztTrnGuzUPEMXjf0QchRjCoOx6g/s1sqURCAtZWzbB1yow8ORw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F237A879899AA854

http://decryptor.cc/F237A879899AA854

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XhJXszhvjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe"	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

description	ioc	process
File opened (read-only)	\??\A:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\E:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\J:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\W:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\U:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\I:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\K:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\P:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\T:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\D:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\F:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\M:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\B:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\G:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\Q:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\V:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\R:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\Y:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\O:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\S:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\X:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\Z:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\H:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\L:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened (read-only)	\??\N:	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

Drops file in System32 directory 1 IoCs

Processes:

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oc7gn06k7ym4.bmp"	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

Drops file in Program Files directory 17 IoCs

Processes:

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

description	ioc	process
File opened for modification	\??\c:\program files\SplitUndo.3g2	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\ImportUnlock.asp	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\PushClear.emf	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\RenameFind.wps	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\UnprotectSplit.M2V	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File created	\??\c:\program files (x86)\q430a17337-readme.txt	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\ConvertPublish.7z	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\StartConvertTo.iso	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\q430a17337-readme.txt	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\q430a17337-readme.txt	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\DisconnectInvoke.odt	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\PopDebug.pot	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\UnregisterNew.mp3	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\q430a17337-readme.txt	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File created	\??\c:\program files\q430a17337-readme.txt	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\ConvertFromReceive.ps1xml	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
File opened for modification	\??\c:\program files\PublishRepair.php	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exepowershell.exe

pid process

2180 133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
1924 powershell.exe

pid	process
2180	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
1924	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2180	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeBackupPrivilege	1812	vssvc.exe
Token: SeRestorePrivilege	1812	vssvc.exe
Token: SeAuditPrivilege	1812	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe

description	pid	process	target process
PID 2180 wrote to memory of 1924	2180	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe	powershell.exe
PID 2180 wrote to memory of 1924	2180	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe	powershell.exe
PID 2180 wrote to memory of 1924	2180	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe	powershell.exe
PID 2180 wrote to memory of 1924	2180	133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
"C:\Users\Admin\AppData\Local\Temp\133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabC52.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCD2.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\q430a17337-readme.txt

Filesize
6KB

MD5
c9e02470076cc9c40acbeaf5ed5c0aa7

SHA1
d1b6736e6d2ec8618205160e1cb8019796697248

SHA256
49c78c9f751a584dec4f7a3f4ea6b3824c922a26ce9f1ae5eb08dba29edafe6f

SHA512
8b4dceb34d8c196b06d6031b359feeb0d3b99aa0835818d95168f98ac94161a5d2609e1fd7840a8235986e0e324b8bb52d6930fe26fe8a2525032c9edd83a307

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
194KB

MD5
05bc8d170a84503f9687bf822ad8fbe6

SHA1
7cd96ca5d7dbc389b1b25a1ba33be7c9ebdb6215

SHA256
4190c4e228b46ed6ebcee836d82b76267b25f29bc4417306cdde9a2c8693bb7b

SHA512
62bd6aa5290c11b507ca07662eb57de7e9cf0c69ff03bef8af0392baf740dc374de3d07a56187752f42be31872e9403bccbc6b07be5ee03fff42ec808dc1db85

Download Submit
memory/1924-7-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1924-9-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1924-10-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1924-11-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1924-12-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1924-8-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1924-4-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/1924-6-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1924-5-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads